Tutorial: Microsoft Entra single sign-on integration with Catchpoint

In this tutorial, you learn how to integrate Catchpoint with Microsoft Entra ID. When you integrate Catchpoint with Microsoft Entra ID, you can:

  • Control user access to Catchpoint from Microsoft Entra ID.
  • Enable automatic Catchpoint sign-in for users with Microsoft Entra accounts.
  • Manage your accounts in one central location: the Azure portal.

Prerequisites

To get started, you need the following items:

  • A Microsoft Entra subscription. If you don't have a subscription, you can get a free account.
  • A Catchpoint subscription with single sign-on (SSO) enabled.

Scenario description

In this tutorial, you configure and test Microsoft Entra SSO in a test environment.

  • Catchpoint supports SP-initiated and IDP-initiated SSO.
  • Catchpoint supports just-in-time (JIT) user provisioning.

To configure the integration of Catchpoint into Microsoft Entra ID, add Catchpoint to your list of managed SaaS apps.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > Enterprise applications > New application.
  3. In the Add from the gallery section, type Catchpoint in the search box.
  4. Select Catchpoint from the results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Alternatively, you can use the Enterprise App Configuration Wizard. In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration. Learn more about Microsoft 365 wizards.

Configure and test Microsoft Entra SSO for Catchpoint

For SSO to work, you need to link a Microsoft Entra user with a user in Catchpoint. For this tutorial, we'll configure a test user called B.Simon.

Complete the following sections:

  1. Configure Microsoft Entra SSO, to enable this feature for your users.
  2. Configure Catchpoint SSO, to configure the single sign-on settings on the application side.
  3. Test SSO, to verify that the configuration works.

Configure Microsoft Entra SSO

Follow these steps in the Azure portal to enable Microsoft Entra SSO:

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.

  2. Browse to Identity > Applications > Enterprise applications > Catchpoint > Single sign-on.

  3. On the Select a single sign-on method page, select SAML.

  4. On the Set Up Single Sign-On with SAML page, select the pencil icon to edit the Basic SAML Configuration settings.


  5. Configure the initiated mode for Catchpoint:

    • For IDP-initiated mode, enter the values for the following fields:
      • For Identifier: https://portal.catchpoint.com/SAML2
      • For Reply URL: https://portal.catchpoint.com/ui/Entry/SingleSignOn.aspx
    • For SP-initiated mode, select Set additional URLs and enter the following value:
      • For Sign-on URL: https://portal.catchpoint.com/ui/Entry/SingleSignOn.aspx
  6. The Catchpoint application expects the SAML assertions in a specific format. Add custom attribute mappings to your configuration of SAML token attributes. The following table contains the list of default attributes:

    Name                    Source attribute
    Givenname               user.givenname
    Surname                 user.surname
    Emailaddress            user.mail
    Name                    user.userprincipalname
    Unique User Identifier  user.userprincipalname


  7. Also, the Catchpoint application expects another attribute to be passed in a SAML response. See the following table. This attribute is also pre-populated, but you can review and update it to fit your requirements.

    Name       Source attribute
    namespace  user.assignedrole

    Note

    The namespace claim needs to be mapped to the account name. This account name should be set up with a role in Microsoft Entra ID so that it is passed back in the SAML response. For more information about roles in Microsoft Entra ID, see Configure the role claim issued in the SAML token for enterprise applications.

  8. Go to the Set Up Single Sign-On with SAML page. In the SAML Signing Certificate section, find Certificate (Base64). Select Download to save the certificate to your computer.


  9. In the Set up Catchpoint section, copy the URLs that you need in a later step.
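
    The claim mappings in steps 6 and 7 can be checked against a captured test response. The following is an added example, not part of the original tutorial or of Microsoft's or Catchpoint's code: it decodes a base64 SAMLResponse form field and reports which of the claims listed in the two tables are missing or empty. Matching attribute names on their last path segment, the build_sample helper, and the sample values are assumptions made here; the signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim names from the tutorial's two tables, compared case-insensitively.
EXPECTED = {"givenname", "surname", "emailaddress", "name", "namespace"}

def claims_from_response(b64_response):
    """Return (name_id, {short claim name: [values]}) from a base64 SAMLResponse."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML_NS)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        # Assumption: names may be bare or full claim URIs; keep the last segment.
        short = attr.get("Name", "").rsplit("/", 1)[-1].lower()
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        claims.setdefault(short, []).extend(values)
    return name_id, claims

def check_claims(b64_response):
    """List the problems that would break the mappings from steps 6 and 7."""
    name_id, claims = claims_from_response(b64_response)
    problems = []
    if not name_id:
        problems.append("missing NameID (Unique User Identifier)")
    for name in sorted(EXPECTED):
        if not any(v.strip() for v in claims.get(name, [])):
            problems.append(f"missing or empty claim: {name}")
    return problems

def build_sample(attrs):
    """Constructed, unsigned response for illustration only (hypothetical helper)."""
    claim_uri = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
    rows = "".join(
        f'<Attribute Name="{n if n == "namespace" else claim_uri + n}">'
        f"<AttributeValue>{v}</AttributeValue></Attribute>"
        for n, v in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
           '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
           "<Subject><NameID>B.Simon@contoso.com</NameID></Subject>"
           f"<AttributeStatement>{rows}</AttributeStatement>"
           "</Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()
```

    A response for a user who has no role assigned is the case to look for: the namespace claim is then reported as missing.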


Create a Microsoft Entra test user

In this section, you use the Azure portal to create a Microsoft Entra test user called B.Simon.

  1. Sign in to the Microsoft Entra admin center as at least a User Administrator.
  2. Browse to Identity > Users > All users.
  3. Select New user > Create new user, at the top of the screen.
  4. In the User properties, follow these steps:
    1. In the Display name field, enter B.Simon.
    2. In the User principal name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
    3. Select the Show password check box, and then write down the value that's displayed in the Password box.
    4. Select Review + create.
  5. Select Create.

Assign the Microsoft Entra test user

In this section, you enable B.Simon to use Azure single sign-on by granting access to Catchpoint.

  1. Browse to Identity > Applications > Enterprise applications.
  2. In the applications list, select Catchpoint.
  3. In the app's overview page, find the Manage section and select Users and groups.
  4. Select Add user, and then select Users and groups in the Add Assignment dialog box.
  5. In the Users and groups dialog box, select B.Simon from the list of users. Click Select at the bottom of the screen.
  6. If you have set up the roles as explained above, you can select one from the Select a role dropdown.
  7. In the Add Assignment dialog box, select Assign.

Configure Catchpoint SSO

  1. In a different web browser window, sign in to the Catchpoint application as an administrator.

  2. Select the Settings icon and then SSO Identity Provider.


  3. On the Single Sign On page, enter the following fields:


    Field                     Value
    Namespace                 A valid namespace value.
    Identity Provider Issuer  The Azure AD Identifier value.
    Single Sign On Url        The Login URL value.
    Certificate               The contents of the downloaded Certificate (Base64) file. Use Notepad to view and copy.

    Alternatively, you can upload the Federation Metadata XML by selecting the Upload Metadata option.

  4. Select Save.
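
The values entered on the Single Sign On page can be cross-checked against the Federation Metadata XML before saving. The following is an added example, not part of the original tutorial or of Microsoft's or Catchpoint's code: it reads the issuer, the redirect sign-on URL and the signing certificate from SAML IdP metadata and confirms that the downloaded Certificate (Base64) file carries the same certificate. It assumes the issuer is the metadata entityID and the Login URL is the HTTP-Redirect SingleSignOnService location; the sample metadata, URLs and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def catchpoint_fields(metadata_xml):
    """Extract issuer, sign-on URL and signing certificate (DER) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not SAML IdP metadata")
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
            if s.get("Binding") == REDIRECT]
    cert = idp.findtext(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=NS)
    if not urls or not cert:
        raise ValueError("metadata lacks a redirect sign-on URL or signing certificate")
    return {"issuer": root.get("entityID"), "sso_url": urls[0],
            "cert_der": base64.b64decode(cert)}

def pem_to_der(cer_text):
    """Decode a Base64 .cer file, with or without BEGIN/END CERTIFICATE lines."""
    lines = [s for s in (ln.strip() for ln in cer_text.splitlines())
             if s and not s.startswith("-----")]
    return base64.b64decode("".join(lines))

def same_certificate(metadata_xml, cer_text):
    """True when the pasted certificate is the one the metadata advertises."""
    meta_fp = hashlib.sha256(catchpoint_fields(metadata_xml)["cert_der"]).hexdigest()
    return meta_fp == hashlib.sha256(pem_to_der(cer_text)).hexdigest()

# Constructed sample: placeholder bytes stand in for a real certificate.
FAKE_CERT = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example/tenant-placeholder/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example/tenant-placeholder/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://idp.example/tenant-placeholder/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
SAMPLE_CER = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT}\n-----END CERTIFICATE-----\n"
```

A mismatch after a signing-certificate rollover in Microsoft Entra ID means the certificate stored in Catchpoint has to be replaced with the new one.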

Create a Catchpoint test user

Catchpoint supports just-in-time user provisioning, which is enabled by default. You have no action items in this section. If B.Simon doesn't already exist as a user in Catchpoint, it's created after authentication.

Test SSO

In this section, you test your Microsoft Entra single sign-on configuration with the following options.

SP initiated:

  • Click on Test this application. This redirects to the Catchpoint Sign-on URL, where you can initiate the login flow.

  • Go to the Catchpoint Sign-on URL directly and initiate the login flow from there.

IDP initiated:

  • Click on Test this application, and you should be automatically signed in to the Catchpoint application for which you set up SSO.

You can also use Microsoft My Apps to test the application in any mode. When you select the Catchpoint tile in My Apps, if the app is configured in SP mode, you are redirected to the application sign-on page to initiate the login flow; if it is configured in IDP mode, you should be automatically signed in to the Catchpoint application for which you set up SSO. For more information about My Apps, see Introduction to the My Apps.

Note

When you sign in to the Catchpoint application through the login page, after providing Catchpoint credentials, enter the valid Namespace value in the Company Credentials (SSO) field and select Login.


Next steps

After you configure Catchpoint, you can enforce session control. This precaution protects against exfiltration and infiltration of your organization's sensitive data in real time. Session control is an extension of Conditional Access. Learn how to enforce session control with Microsoft Defender for Cloud Apps.