Setting up Single Sign-On

Overview

Single sign-on allows users to use one set of credentials (username and password) to sign in to multiple programs or systems. For example, a user can sign in to Cascade using their Google email address and password. Cascade supports most of the popular single sign-on solutions:

  • Microsoft Active Directory / ADFS
  • Google Apps
  • OAuth
  • OpenID

Single sign-on is a paid add-on for Cascade, so you will need to purchase the add-on before configuring the settings below. If the settings look a little daunting, don’t worry, we can guide you every step of the way – just reach out to support@executestrategy.net.

Setting up Single Sign-On with Google

Cascade uses SAML 2.0 to securely authenticate and allow users to log in using Google credentials.

Assumptions

The setup guide assumes the user’s username in Cascade and in Google are the same. Please contact support if this is not the case.

Setup

  • From Google’s admin console (admin.google.com), click “Apps” > “SAML Apps”.
  • Select the “Add a service/App to your domain” link or click the plus (+) icon in the bottom corner.
  • Click “Setup my own custom SAML App”. The Google IDP Information window opens, and the Single Sign-On URL and Entity ID URL fields are populated automatically.
  • Under “Option 2”, click the “DOWNLOAD” button next to “IDP metadata” and send the file as an attachment to support@executestrategy.net with the title “{instance_name} – Single Sign-On”. Replace {instance_name} with your instance name.
  • Click “Next”.
  • For “Application Name”: Cascade
  • “Upload Logo”: You can use the Cascade logo.
  • Click “Next”.

  • Click “Finish”

Setting up Single Sign-On with Okta

Cascade uses SAML 2.0 to securely authenticate and allow users to log in using Okta.

Assumptions

The setup guide assumes the user’s username in Cascade and in Okta are the same. Please contact support if this is not the case.

Setup

  • From the admin dashboard, click “Add Applications” in the “Shortcuts” menu on the right.
  • Click the “Create New App” button.
  • A popup appears with two options; choose the second option, “SAML 2.0”, and click “Create”.

  • “App name”: Cascade
  • “App logo”: You can use the Cascade logo.
  • “App visibility”: Configure it as you see fit.
  • Click “Next”.

  • Fill in the feedback page as you see fit and click “Finish”.
  • Okta then takes you to a Sign On page. Click “View Setup Instructions”, copy the configuration options, and send them to us in a support ticket through Cascade with the title “Single Sign on Setup {instance name}”.
  • The configuration options are:
    • Identity Provider Single Sign-On URL
    • Identity Provider Issuer
    • X.509 Certificate

Setting up Single Sign-On with Azure

Assumptions

The setup guide assumes the user’s username in Cascade and in Azure are the same. Please contact support if this is not the case.

Setup

  • Click the “ADD” icon at the bottom of the screen.
  • From your main directory, go to the “APPLICATIONS” tab.

  • Choose “Add an application my organization is developing”.

  • For “Name”: “Cascade” or something similar.
  • Choose “WEB APPLICATION AND/OR WEB API” for the type.
  • Click “Next”.

  • Click the “VIEW ENDPOINTS” icon at the bottom.
  • Copy the following links:
    • “FEDERATION METADATA DOCUMENT”
    • “SAML-P SIGN-ON ENDPOINT”
    • “SAML-P SIGN-OUT ENDPOINT”
  • Send the links in a support ticket through Cascade with the title “Single Sign on Setup {instance name}”.

Setting up Single Sign-On with ADFS

Assumptions

  • Usernames in Cascade are the users’ email addresses in ADFS. Please contact support if this is not the case.
  • An IdP entry has been created in Cascade from a federation metadata file you provided.

Requirements

  • An Active Directory instance where all users have an email address attribute.
  • A server running Microsoft Windows Server 2012 or 2008. This guide uses screenshots from Server 2012 R2, but similar steps should be possible on other versions.

Setup

Create a Relying party trust

  • Click “Add Relying Party Trust”.

  • Download your Cascade instance’s metadata and upload it into the highlighted field. The metadata is usually located at https://{instance}.executestrategy.net/api/v2/identity_providers/1/metadata. You must be logged in to download it.
  • Continue through the wizard until the Relying Party Trust has been added.

  • Select the Cascade Relying Party Trust, click “Edit Claim Rules…” in the panel on the right-hand side, then click “Add Rule…” on the “Issuance Transform Rules” tab.
  • Select the “Send LDAP Attributes as Claims” rule template and populate it as follows:

  [Screenshot of the “Send LDAP Attributes as Claims” rule settings not included on this page]

  • Add another claim rule, this time selecting the “Transform an Incoming Claim” rule template.
  • Set up the rule as follows:

  [Screenshot of the “Transform an Incoming Claim” rule settings not included on this page]

You should now be able to access Cascade through the ADFS login page.