Skip to main content

Azure AD Authentication Using SAML

Configure Azure AD authentication for Catalog using SAML. In this guide you'll create an Azure AD app, configure claims, and add the certificate to Catalog.

Before You Begin

You'll need to be an Entra admin.

Create the Entra ID App for Catalog

You'll register an enterprise application that acts as the SAML identity provider for Catalog.

  1. Go to the Microsoft Entra admin portal.

  2. Go to Enterprise applications > All applications.

    Microsoft Entra ID Enterprise applications with All applications selected in the navigation menu

  3. Click New Application.

  4. Click Create your own application.

    Microsoft Entra ID All applications list showing New application and Create your own application options

  5. Choose Integrate any other application you don't find in the gallery.

  6. Name your app.

    Microsoft Entra Create your own application dialog with non-gallery integration selected and app name field

  7. On the Overview page, select 2. Set up single sign on.

    Microsoft Entra enterprise application Overview with Get started single sign-on and SAML option highlighted

  8. Then select SAML.

  9. On the Set up Single Sign-On with SAML page, open Basic SAML Configuration. Set Identifier to production-castorSAML. This value is the SAML entity ID.

  10. Set Reply URL based on your account region:

    • For accounts using app.castordoc.com, use https://api.castordoc.com/auth/saml/callback.
    • For accounts using app.us.castordoc.com, use https://api.us.castordoc.com/auth/saml/callback.
    Microsoft Entra SAML Basic Configuration showing Identifier and Reply URL fields

  11. Open Attributes & Claims and map the following optional claims:

    • user.givenname maps to firstName
    • user.surname maps to lastName
    • user.mail maps to email
    • You can delete user.userprincipalname.
    • Make sure to delete the Namespace.
    Microsoft Entra SAML Attributes and Claims list showing optional claims mapped to firstName, lastName, and email
    Claim configuration
    • Keep the Namespace empty for each claim.
    • Claim names are case sensitive.

  12. Download the Certificate (Base64).

  13. Make note of the Login URL.

Microsoft Entra SAML Signing Certificate section with Base64 certificate download link and Login URL field

Allow Users To Connect To The Catalog App

Make sure to add the users and groups in Microsoft Entra admin center who need to connect to Catalog.

Multiple Authentication Options

Catalog can keep both SAML and email with password strategies active.

Add URL and Certificate to Catalog

Paste the signing certificate and login URL from Microsoft Entra into Catalog so SAML sign-in can complete.

  1. In Catalog, go to Settings > Authentication.
  2. Copy and paste the certificate and URL, making sure to format them correctly.
{
  "entrypoint": "https://...",
  "certificate": "..."
}
Catalog Settings, Authentication tab: Configure SAML modal with empty SAML JSON field and validation error that configuration cannot be empty