Overview
What is single sign-on?
Single Sign-On (SSO) allows client administrators to manage access to Catchpoint through an SSO provider, rather than individually adding Contacts to the portal and setting up their System/Division access. Catchpoint's implementation of SSO uses the SAML protocol.
In this version of SSO, the client level controls system access for all Divisions: whatever is enabled for the client applies to every Division underneath it.
SSO Contact Types
- Users who have a Contact in Catchpoint but are also managed by the IdP
These contacts can log in with either:
- Email address & password
- Namespace (the unique identifier SSO contacts use to log in together with their email address)
These contacts can belong to multiple Divisions within an account/namespace. Anything set by the IdP assertion supersedes the Contact Properties (including User Roles, Division Access, and Status).
- Contacts created via an IdP assertion
These users log in with the namespace. Catchpoint holds no password for them, and they may belong to only one Division at a time.
Note: IdP-provisioned contacts log in with their email address and namespace. These contacts have limited Contact Properties and DO NOT have a status in Catchpoint. Once provisioned/authenticated by the IdP, a Contact record is created in Catchpoint, and these Contacts are always displayed in the Catchpoint portal.
Login Screen
Catchpoint's login page has two options:
- Log in with Catchpoint Credentials
- Log in with Company Credentials (SSO)

Configuring Single Sign-On In Your Identity Provider
Root/Redirect URL: To configure your provider, use the following redirect/post URL to direct users to the login page: https://portal.catchpoint.com/ui/Entry/SingleSignOn.aspx
Single Logout URL: In your IdP's SAML integration settings, assign the following URL for logout: https://portal.catchpoint.com/ui/Entry/SingleSignOn.aspx
Service Provider Issuer (SPIssuer): In your IdP's SAML settings, set the SPIssuer to: https://portal.catchpoint.com/SAML2
Single Sign-On Properties
Note: Single Sign-On is a Client-level setting. A Catchpoint Client must have SSO enabled in order to see the Single Sign-On Properties page.
Permissions: Only Contacts with "Manage Settings" permissions can edit this page.
Fields (those marked with * are required):
- Namespace*: Identifies your SSO provider. To enable Identity Provider (IdP) initiated login, this value must be included as a return parameter configured in your IdP. This value is unique across all Catchpoint clients.
Note: Namespace is not a default attribute in your SSO application (Okta, OneLogin, etc.). You will need to create a custom attribute called "namespace" to pass along to Catchpoint. The help center for your chosen SSO provider should contain documentation on how to accomplish this. If you are unable to locate this documentation, please contact Catchpoint support.
- Identity Provider Issuer*: The issuer ID set in the IdP configuration. The two values must match exactly.
- Alternate Issuer 1 & 2: You can optionally configure up to two additional IdP Issuers. This is useful when an issuer's certificate is about to expire and must be replaced: configure the additional Issuer, upload the new certificate in the "Additional Certificates" section, and Catchpoint will accept SAML Responses signed with either certificate. You can then switch your systems to the new certificate, and SSO with Catchpoint continues to function without interruption.
- Single Sign-On URL*: The URL for your IdP login.
- Single Sign-Out URL*: The URL for your IdP logout. If left blank, users who log out of the Catchpoint portal are logged out of Catchpoint only, not of the IdP.
- Sign SAML Request: When checked, Catchpoint signs the SAML requests it sends to your IdP, so the IdP can verify that they originate from Catchpoint. To complete this configuration, download Catchpoint's certificate and upload it to your IdP.
- Enforce Issuer Match: If checked, Catchpoint verifies that the Issuer on the SAML Response matches the configured Identity Provider Issuer or an Alternate Issuer (if configured). Catchpoint also attempts to verify the signature of the SAML Response with the primary certificate and any Additional Certificates. Keep this enabled so that a Response is accepted only from the issuer you configured.
- Certificate*: The Base64-encoded X.509 certificate used to identify your IdP and verify its signatures.
- Additional Certificates: Optional additional certificates, to be configured together with Alternate Issuers as described above.
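Worked example, added here and not part of the Catchpoint documentation or Catchpoint's own code: a small Go program showing how a service provider applies Enforce Issuer Match together with the primary and Additional Certificates while an IdP certificate is being rotated. The signature is a plain RSA/SHA-256 signature over the response bytes rather than a real XML Signature, the certificates are represented by their RSA public keys, and the issuer URLs and keys are constructed values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SSOProperties holds the Single Sign-On Properties fields that drive
// validation of an incoming SAML Response. Certificates carries the public
// keys of the primary Certificate and any Additional Certificates.
type SSOProperties struct {
	Issuer             string
	AlternateIssuers   []string
	EnforceIssuerMatch bool
	Certificates       []*rsa.PublicKey
}

// SignedResponse is a stand-in for a SAML Response: its Issuer, the bytes the
// IdP signed, and an RSA PKCS#1 v1.5 / SHA-256 signature over them. Real SAML
// uses XML Signature over the canonicalized element; that machinery is
// replaced here by a plain detached signature so the block runs stand-alone.
type SignedResponse struct {
	Issuer    string
	Payload   []byte
	Signature []byte
}

// Sign plays the IdP: it signs the payload with the IdP's current key.
func Sign(idpKey *rsa.PrivateKey, issuer string, payload []byte) (SignedResponse, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
	if err != nil {
		return SignedResponse{}, err
	}
	return SignedResponse{Issuer: issuer, Payload: payload, Signature: sig}, nil
}

// Validate plays the service provider. With Enforce Issuer Match on, the
// Issuer must equal the configured Identity Provider Issuer or one of the
// Alternate Issuers. The signature is then tried against the primary
// certificate and every Additional Certificate; trying them all is what lets
// an IdP switch certificates without an outage.
func Validate(p SSOProperties, r SignedResponse) error {
	if p.EnforceIssuerMatch {
		allowed := append([]string{p.Issuer}, p.AlternateIssuers...)
		matched := false
		for _, iss := range allowed {
			if iss != "" && iss == r.Issuer {
				matched = true
				break
			}
		}
		if !matched {
			return fmt.Errorf("issuer %q is not a configured issuer", r.Issuer)
		}
	}
	digest := sha256.Sum256(r.Payload)
	for _, pub := range p.Certificates {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], r.Signature) == nil {
			return nil
		}
	}
	return errors.New("signature does not verify under any configured certificate")
}

func main() {
	// Constructed keys: the IdP's expiring key, its replacement, and an attacker's.
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogueKey, _ := rsa.GenerateKey(rand.Reader, 2048)

	// Mid-rotation configuration: both certificates are uploaded and the new
	// issuer is listed as Alternate Issuer 1 (issuer values are assumed).
	props := SSOProperties{
		Issuer:             "https://idp.example.com/saml",
		AlternateIssuers:   []string{"https://idp.example.com/saml-2024"},
		EnforceIssuerMatch: true,
		Certificates:       []*rsa.PublicKey{&oldKey.PublicKey, &newKey.PublicKey},
	}
	payload := []byte("<samlp:Response ID=\"_constructed\">...</samlp:Response>")

	fromOld, _ := Sign(oldKey, props.Issuer, payload)
	fromNew, _ := Sign(newKey, props.AlternateIssuers[0], payload)
	fromRogue, _ := Sign(rogueKey, props.Issuer, payload)
	wrongIssuer, _ := Sign(oldKey, "https://evil.example.net", payload)
	tampered := fromOld
	tampered.Payload = []byte("<samlp:Response ID=\"_constructed\">admin</samlp:Response>")

	for name, r := range map[string]SignedResponse{
		"old cert": fromOld, "new cert": fromNew, "rogue cert": fromRogue,
		"wrong issuer": wrongIssuer, "tampered": tampered,
	} {
		fmt.Printf("%-12s -> %v\n", name, Validate(props, r))
	}
}
```

Only the first two cases validate: the old and the new certificate are both configured, so Responses signed with either are accepted during the changeover, while an unknown signer, a Response from an unconfigured issuer, and a modified payload are all rejected.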

Autoprovisioning
This allows a SAML assertion to automatically create new users in the Catchpoint portal the first time they log in. In this implementation, autoprovisioning dictates both:
- User permissions (user access)
- Division
The contacts created are provisioned automatically from the IdP assertions. Remember, Contacts provisioned in the Catchpoint portal use the properties assigned to them within the portal and not the IdP assertions. The Direct Assertion Mapping setting allows the IdP to create contacts and set their permissions based on key-value pairs.
- Assertions: Key-value attribute pairs in the assertion from the IdP that Catchpoint matches to create contacts and set their permissions.
- Priority: Rules are evaluated in priority order from top to bottom. If an assertion from the IdP could match several rules, the first (topmost) matching rule wins.
- Default: If Catchpoint cannot match the content of the assertion, or no rule is set, it uses the default rule.
- The 'Use Regex' option also acts as a logical operator for assertion rules:
- If checked, it acts as an OR operator, e.g., the contact must have group_Id=123 or email=example@catchpoint.com
- If left unchecked, it acts as an AND operator, e.g., the contact must match both the ID and the email

Single Sign-On: Encrypted SAML Assertions
Catchpoint supports encrypted SAML assertions; encryption is enabled on the IdP. Encrypted assertions add a layer of protection so that user information stays confidential from the IdP to Catchpoint regardless of any intermediate network node, including the user's browser, which relays the SAML Response. Here's how it works:
- The IdP encrypts the SAML assertion with a unique key generated for that assertion, and that key is in turn encrypted with Catchpoint's public key.
- Catchpoint uses its private key to recover the assertion key, which is then used to decrypt the SAML assertion. This standard method ensures that only Catchpoint, as the holder of the private key, can decrypt the SAML assertion.
Note: Catchpoint supports only RSA-SHA 256 encryption.
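The two steps above as an added Go example, not Catchpoint's code: the IdP side wraps a per-assertion content key with the SP's RSA public key, and the SP side unwraps it and decrypts the assertion. The algorithm choices here, RSA-OAEP with SHA-256 for the key and AES-256-GCM for the assertion, are assumptions for illustration (XML Encryption in a real deployment carries its own algorithm identifiers), and both key pairs are generated at run time.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// EncryptedAssertion mirrors what a <saml:EncryptedAssertion> carries in XML
// Encryption terms: the assertion ciphertext and the content key wrapped for
// the service provider.
type EncryptedAssertion struct {
	WrappedKey []byte // content key encrypted with Catchpoint's public key
	Nonce      []byte
	Ciphertext []byte
}

// EncryptAssertion is the IdP side. A fresh 256-bit key is generated for this
// one assertion, the assertion is encrypted with it (AES-GCM here, an example
// choice), and the key itself is wrapped with the SP's RSA public key using
// OAEP/SHA-256. Anyone relaying the response, the user's browser included,
// sees only ciphertext.
func EncryptAssertion(spPub *rsa.PublicKey, assertion []byte) (*EncryptedAssertion, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, assertion, nil),
	}, nil
}

// DecryptAssertion is the service provider side: unwrap the content key with
// the private key, then decrypt the assertion. A wrong private key or a
// modified ciphertext fails here rather than yielding garbage.
func DecryptAssertion(spPriv *rsa.PrivateKey, ea *EncryptedAssertion) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, spPriv, ea.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap content key: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt assertion: %w", err)
	}
	return plain, nil
}

func main() {
	// Constructed keys: Catchpoint's key pair and an unrelated one.
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	assertion := []byte(`<saml:Assertion>constructed sample</saml:Assertion>`)

	ea, _ := EncryptAssertion(&spKey.PublicKey, assertion)
	plain, err := DecryptAssertion(spKey, ea)
	fmt.Printf("SP private key: %q, err=%v\n", plain, err)
	_, err = DecryptAssertion(otherKey, ea)
	fmt.Println("other key:", err)
	ea.Ciphertext[0] ^= 0x01
	_, err = DecryptAssertion(spKey, ea)
	fmt.Println("tampered:", err)
}
```

The public key never decrypts anything, so the IdP needs only Catchpoint's certificate, and the per-assertion content key means two assertions for the same user never share key material.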
Append Namespace
Checking Append Namespace on the SSO settings page appends the namespace to the Service Provider URL, producing a unique Service Provider Issuer (SPIssuer) per namespace, which is then passed within the URL used to log in.

Improved error handling
The UI now displays an error when a regex in an assertion is invalid or contains duplicate values, and does not allow such an assertion to be saved. Note that this check applies only to assertions with Use Regex checked.


Setting up Parent/Child clients
This feature allows you to set up a parent/child relationship for SSO. Child clients inherit the following from the parent client and cannot edit them:
- Identity Provider Issuer
- Single Sign-On URL
- Logout URL
- Sign SAML Request
- Certificate
Namespace and assertions are not inherited from the parent client.
Please reach out to your CSM to enable this feature for your account.
Assertion Consumer Service URL and Single Logout Service
AssertionConsumerServiceURL (also known as the post-back URL) and SingleLogoutService have been added to the SAML request metadata that Catchpoint sends to your IdP.
- AssertionConsumerServiceURL: If a user is behind a proxy, the IdP may lose track of the user's state. Providing the ACS URL, an endpoint on the service provider, in the SAML request tells the IdP exactly where to send its authentication response. Your IdP should honor only an ACS URL that matches the one registered for Catchpoint.
- SingleLogoutService: When the user logs out from the IdP, the IdP sends a logout request to the SP (Catchpoint), which ends the current Catchpoint session.

Match All Assertions
This creates a contact for every listed assertion that matches. Choosing this option can therefore create more than one contact, e.g., if the same person needs a contact in both Division A and Division B.
Match First Assertion
This creates a contact for the first assertion that matches. Choosing this option creates only one contact, in whichever Division/Client is given in the Assertion Settings.
Direct Assertion Mapping
This creates only one contact and requires the assertion to match a predefined user role name or id exactly.
Access Scope
This will create a contact using all assertions that match, and apply the roles and access types (product, test, or RUM site) defined in each matched scope. You can define different roles for each system level (e.g., client, division), but all matched assertions at the same system level must use the same access type (either product or test). This option is ideal for managing complex access needs across multiple levels.
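An added Go example, not Catchpoint's code, covering both the Autoprovisioning rule semantics above (priority, default rule, Use Regex as OR versus AND) and the Match First, Match All and Direct Assertion Mapping modes in this section. The rule, Division and Role names and the sample assertions are constructed; anchoring the regex patterns is this example's choice.

```go
package main

import (
	"fmt"
	"regexp"
)

// Attributes are the IdP assertion's key-value pairs; an attribute may carry several values.
type Attributes map[string][]string

// Rule is one autoprovisioning rule, listed in priority order. Conditions maps an attribute
// name to the expected value (a regex when UseRegex is set). Per the page, Use Regex also picks
// the operator: checked = any one condition suffices (OR), unchecked = all must hold (AND).
type Rule struct {
	Name       string
	Conditions map[string]string
	UseRegex   bool
	Division   string // Division the created contact is placed in
	Role       string // User Role assigned to it
}

// Grant is one contact the provisioning run would create.
type Grant struct{ Rule, Division, Role string }

// Matches evaluates one rule against the assertion attributes.
func (r Rule) Matches(a Attributes) bool {
	if len(r.Conditions) == 0 {
		return false
	}
	if r.UseRegex { // OR
		for attr, pattern := range r.Conditions {
			// Anchored so "123" does not also match "1234" (example choice); an invalid pattern never matches.
			re, err := regexp.Compile("^(?:" + pattern + ")$")
			if err != nil {
				continue
			}
			for _, v := range a[attr] {
				if re.MatchString(v) {
					return true
				}
			}
		}
		return false
	}
	for attr, want := range r.Conditions { // AND: every attribute must carry the exact value
		found := false
		for _, v := range a[attr] {
			found = found || v == want
		}
		if !found {
			return false
		}
	}
	return true
}

// Provision applies the rules in priority order. With matchAll false (Match First) the
// topmost matching rule creates the only contact; with matchAll true (Match All) every
// matching rule does, which is how one person gets a contact in Division A and Division B.
// The default rule applies only when nothing matched.
func Provision(rules []Rule, def *Rule, matchAll bool, a Attributes) []Grant {
	var out []Grant
	for _, r := range rules {
		if r.Matches(a) {
			out = append(out, Grant{r.Name, r.Division, r.Role})
			if !matchAll {
				break
			}
		}
	}
	if len(out) == 0 && def != nil {
		out = append(out, Grant{def.Name, def.Division, def.Role})
	}
	return out
}

// DirectAssertionMapping creates a single contact when an assertion value equals a
// predefined role name or id exactly; roles maps that name or id to the role.
func DirectAssertionMapping(roles map[string]string, a Attributes, attr, division string) []Grant {
	for _, v := range a[attr] {
		if role, ok := roles[v]; ok {
			return []Grant{{"direct", division, role}}
		}
	}
	return nil
}

func main() {
	rules := []Rule{ // constructed rules; the attribute values are the page's own example
		{"both", map[string]string{"group_Id": "123", "email": "example@catchpoint.com"}, false, "Division A", "Admin"},
		{"either", map[string]string{"group_Id": "123", "email": "example@catchpoint.com"}, true, "Division B", "Viewer"},
	}
	def := &Rule{Name: "default", Division: "Division A", Role: "Read Only"}
	partial := Attributes{"group_Id": {"123"}, "email": {"someone@example.com"}}
	full := Attributes{"group_Id": {"123"}, "email": {"example@catchpoint.com"}}
	fmt.Println("first/partial:", Provision(rules, def, false, partial)) // AND rule fails on email, OR rule matches
	fmt.Println("all/full:     ", Provision(rules, def, true, full))     // two contacts, one per Division
	fmt.Println("direct:       ", DirectAssertionMapping(map[string]string{"42": "Admin"}, Attributes{"role": {"42"}}, "role", "Division A"))
}
```

With the partial assertion only the OR rule matches, so Match First lands the contact in Division B; with the full assertion both rules match, Match First stops at the topmost rule and Match All creates two contacts.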