Enterprise SSO Setup Guide for Cast Designer

Overview

This guide will walk you through setting up SAML Single Sign-On (SSO) for your Cast Designer organization. SSO allows your team to login using your company’s Identity Provider (Okta, Microsoft Azure AD, Google Workspace, etc.) instead of managing separate passwords.

Time Required: 15-20 minutes

Prerequisites: Admin access to both Cast Designer and your Identity Provider


What You’ll Accomplish

  1. Configure a SAML application in your Identity Provider
  2. Download metadata XML file (easiest method!)
  3. Upload it to Cast Designer - done!
  4. Test SSO login with a user
  5. (Optional) Enforce SSO for your entire organization

💡 Pro Tip: We recommend using the Metadata XML download/upload method - it’s the easiest and most reliable way to configure SSO!


Quick Start: Choose Your Identity Provider


Okta Setup Guide

Step 1: Create SAML Application in Okta

  1. Login to Okta Admin Console

    • Go to your Okta admin dashboard (e.g., https://your-company.okta.com/admin)
    • Navigate to Applications → Applications in the left sidebar
  2. Create New App Integration

    • Click Create App Integration button
    • Select SAML 2.0 as the sign-in method
    • Click Next
  3. Configure General Settings

    • App name: Cast Designer (or your preferred name)
    • App logo: (Optional) Upload Cast logo
    • App visibility: (Optional) Check “Do not display application icon to users”
    • Click Next
  4. Configure SAML Settings

    You’ll need your organization slug from Cast Designer. Find it in your Cast Designer URL:

    https://cast.app/designer/YOUR-ORG-SLUG
                              ^^^^^^^^^^^^^
    

    Enter these values:

    Single sign-on URL:

    https://cast.app/designer/YOUR-ORG-SLUG/saml/acs
    
    • ✅ Check: “Use this for Recipient URL and Destination URL”

    Audience URI (SP Entity ID):

    https://cast.app/designer/YOUR-ORG-SLUG/saml/metadata
    

    Default RelayState: (leave blank)

    Name ID format: Select EmailAddress

    Application username: Select Email

    Update application username on: Select Create and update

  5. Attribute Statements (Optional but Recommended)

    Add the following attribute:

    • Name: email
    • Name format: Unspecified
    • Value: user.email
  6. Complete Setup

    • Click Next
    • Select I’m an Okta customer adding an internal app
    • Click Finish

Step 2: Download Metadata from Okta

  1. View Setup Instructions

    • After creating the app, you’ll see the app details page
    • Click on the Sign On tab
    • Scroll down to SAML Setup section
  2. Download Metadata XML File

    • Find Identity Provider metadata link
    • Right-click and select Save Link As (or just click to view)
    • Save as okta-metadata.xml on your computer
    • If it opens in browser, copy all the XML content

    💡 Tip: This is the easiest method - just download and upload!

Step 3: Configure SSO in Cast Designer

  1. Navigate to SSO Settings

    • Login to Cast Designer as an admin
    • Go to Team → SSO Settings tab
  2. Choose Metadata XML Method (Recommended)

    • Select the Metadata XML radio button
    • Click Choose File and select the XML file you downloaded
    • OR paste the XML content if you copied it
  3. Configure SAML

    • Click Configure SAML button
    • Wait for validation (should take 2-3 seconds)
    • You should see: ✅ “SAML SSO configured successfully”
  4. Verify Configuration

    • You should now see your SAML configuration:
      • Status: SSO Enabled
      • Entity ID: Your Okta entity ID
      • SSO URL: Your Okta SSO URL
      • Certificate: Configured ✓

Step 4: Assign Users in Okta

  1. Go to Assignments Tab

    • In Okta, go back to your Cast Designer app
    • Click on the Assignments tab
  2. Assign People

    • Click Assign → Assign to People
    • Search for users you want to give access
    • Click Assign next to each user
    • Click Done

    Important: These users must also be invited in Cast Designer first!

Step 5: Test SSO Login

  1. Invite Test User in Cast Designer

    • Go to Team → Users
    • Click Invite User
    • Enter name and email (must match Okta email)
    • User receives invitation email
  2. Test Login

    • Have the test user click the invitation link
    • They can choose “Login with SSO”
    • Should redirect to Okta login
    • After authenticating, should redirect back to Cast Designer
    • ✅ Success! User is logged in
  3. Test Subsequent Logins

    • Logout from Cast Designer
    • Go to Cast Designer login page
    • Enter your email
    • “Continue with SSO” button should appear
    • Click it → authenticate at Okta → logged in!

Step 6 (Optional): Enable SSO Enforcement

When to Enable:

  • All team members have Okta accounts
  • You want to disable password login
  • Company security policy requires SSO

How to Enable:

  1. Go to Team → SSO Settings
  2. Scroll to SSO Enforcement section
  3. Check: ☑ “Require SSO for all users”
  4. Read the warning dialog carefully
  5. Click Enable Enforcement

Result:

  • Users can no longer login with passwords
  • Login page only shows “Continue with SSO” button
  • New invited users must use SSO

Microsoft Azure AD Setup Guide

Step 1: Create Enterprise Application in Azure AD

  1. Login to Azure Portal

  2. Create New Enterprise Application

    • Click Enterprise applications in left sidebar
    • Click + New application
    • Click + Create your own application
  3. Configure Application

    • Name: Cast Designer
    • Select: Integrate any other application you don’t find in the gallery (Non-gallery)
    • Click Create
    • Wait for application to be created

Step 2: Configure Single Sign-On

  1. Enable SSO

    • In your Cast Designer app, click Single sign-on in left sidebar
    • Select SAML as the single sign-on method
  2. Basic SAML Configuration

    • Click Edit on section 1: Basic SAML Configuration

    Find your organization slug in Cast Designer URL:

    https://cast.app/designer/YOUR-ORG-SLUG
    

    Enter these values:

    Identifier (Entity ID):

    https://cast.app/designer/YOUR-ORG-SLUG/saml/metadata
    

    Reply URL (Assertion Consumer Service URL):

    https://cast.app/designer/YOUR-ORG-SLUG/saml/acs
    

    Sign on URL: (Optional)

    https://cast.app/designer/YOUR-ORG-SLUG
    

    Relay State: (leave blank)

    Logout URL: (leave blank)

    • Click Save
  3. Attributes & Claims

    • Section 2 should already have the required claim
    • Verify that Unique User Identifier (Name ID) is set to user.mail
    • If not, click Edit and set:
      • Name identifier format: Email address
      • Source attribute: user.mail
  4. Download Metadata (Easiest Method!)

    • Go to section 3: SAML Certificates
    • Find Federation Metadata XML
    • Click Download to save the XML file to your computer
    • Keep this file - you’ll upload it to Cast Designer next

    💡 Tip: Save as azure-metadata.xml for easy identification

Step 3: Configure SSO in Cast Designer

  1. Navigate to SSO Settings

    • Login to Cast Designer as an admin
    • Go to Team → SSO Settings tab
  2. Choose Metadata XML Method (Recommended)

    • Select the Metadata XML radio button
  3. Upload Metadata File

    • Click Choose File button
    • Select the Federation Metadata XML file you downloaded from Azure AD
    • OR open the file, copy all XML content, and paste it in the text area
  4. Configure SAML

    • Click Configure SAML button
    • Wait for validation
    • You should see: ✅ “SAML SSO configured successfully”
  5. Verify Configuration

    • Confirm you see:
      • Status: SSO Enabled
      • Entity ID: Your Azure AD entity ID
      • SSO URL: Your Azure AD SSO URL
      • Certificate: Configured ✓

Step 4: Assign Users in Azure AD

  1. Go to Users and Groups

    • In Azure AD, go back to your Cast Designer enterprise app
    • Click Users and groups in left sidebar
  2. Add Users

    • Click + Add user/group
    • Click None Selected under Users
    • Search and select users who need access
    • Click Select
    • Click Assign

    Important: These users must also be invited in Cast Designer!

Step 5: Test SSO Login

  1. Invite Test User in Cast Designer

    • Go to Team → Users
    • Click Invite User
    • Enter name and email (must match Azure AD email)
    • User receives invitation email
  2. Test Login Flow

    • Have test user click invitation link
    • Choose “Login with SSO”
    • Should redirect to Microsoft login page
    • After authenticating with Microsoft credentials, should redirect back to Cast Designer
    • ✅ User is logged in!
  3. Test Regular Login

    • Logout from Cast Designer
    • Go to login page: https://cast.app/login
    • Enter email address
    • “Continue with SSO” button appears
    • Click it → Microsoft login → back to Cast Designer → Success!

Step 6 (Optional): Enable SSO Enforcement

Follow the same steps as in the Okta guide above.


Google Workspace Setup Guide

Step 1: Create Custom SAML App

  1. Login to Google Admin Console

  2. Add Custom SAML App

    • Click Add App → Add custom SAML app
  3. App Details

    • App name: Cast Designer
    • Description: (Optional) “Cast Designer SSO”
    • App icon: (Optional) Upload Cast logo
    • Click Continue
  4. Google Identity Provider Details (Download Metadata!)

    • Google shows you the IdP information
    • Click Download Metadata to save the XML file to your computer
    • Save as google-metadata.xml for easy identification
    • Keep this file - you’ll upload it to Cast Designer
    • Click Continue

    💡 Tip: This XML file has everything Cast Designer needs!

  5. Service Provider Details

    Find your organization slug:

    https://cast.app/designer/YOUR-ORG-SLUG
    

    Enter these values:

    ACS URL:

    https://cast.app/designer/YOUR-ORG-SLUG/saml/acs
    

    Entity ID:

    https://cast.app/designer/YOUR-ORG-SLUG/saml/metadata
    

    Start URL: (Optional)

    https://cast.app/designer/YOUR-ORG-SLUG
    

    Name ID format: Select EMAIL

    Name ID: Select Basic Information > Primary email

    • Click Continue
  6. Attribute Mapping

    • Click Add Mapping
    • Google Directory attributes: Primary email
    • App attributes: email
    • Click Finish

Step 2: Turn On the App

  1. Access Settings

    • You’ll see your Cast Designer app in the apps list
    • Click on it
  2. User Access

    • Click User access on the left
    • Select ON for everyone or ON for some organizational units
    • If selecting specific OUs, choose which ones need access
    • Click Save

Step 3: Configure SSO in Cast Designer (Super Easy!)

  1. Navigate to SSO Settings

    • Login to Cast Designer as an admin
    • Go to Team → SSO Settings
  2. Upload Google Metadata (Recommended Method)

    • Select Metadata XML option
    • Click Choose File and select the metadata file you downloaded from Google
    • OR open the file, copy all the XML content, and paste it in the text area
  3. Configure SAML

    • Click Configure SAML
    • Wait for validation
    • You should see: ✅ “SAML SSO configured successfully”

    That’s it! The XML file contains all the configuration automatically.

Step 4: Test SSO Login

Follow the same testing steps as in the Okta guide above.


Generic SAML Provider Setup

If your Identity Provider isn’t listed above, you can still set up SSO!

Look for these options in your IdP:

  • “Download Metadata”
  • “Download Federation Metadata XML”
  • “Export SAML Metadata”
  • “SAML 2.0 Metadata”

Once you download the XML file, just upload it to Cast Designer - that’s it!

Alternative: Manual Configuration

If your IdP doesn’t provide metadata XML download, you’ll need these details:

  1. Entity ID - Unique identifier for your IdP
  2. SSO URL - Where Cast Designer sends authentication requests
  3. X.509 Certificate - Public certificate for validating SAML assertions
  4. Single Logout URL (Optional) - For logout functionality

Information to Provide to Your IdP

Replace YOUR-ORG-SLUG with your actual organization slug:

  • Entity ID / Audience:

    https://cast.app/designer/YOUR-ORG-SLUG/saml/metadata
    
  • ACS URL / Reply URL / Callback URL:

    https://cast.app/designer/YOUR-ORG-SLUG/saml/acs
    
  • Name ID Format: EmailAddress

  • Required Attribute: email (user’s email address)

Configuration in Cast Designer

Method 1: Metadata XML (Easiest!) ⭐

  1. Go to Team → SSO Settings
  2. Select Metadata XML option
  3. Click Choose File and upload the XML file
  4. Click Configure SAML
  5. Done!

Method 2: Manual Configuration (If no XML available)

  1. Go to Team → SSO Settings
  2. Select Manual Configuration option
  3. Enter the information from your IdP:
    • Entity ID
    • SSO URL
    • X.509 Certificate (paste the full certificate)
    • Single Logout URL (optional)
  4. Click Configure SAML
  5. Test the setup

Troubleshooting

“Login with SSO” Button Not Appearing

Problem: Button doesn’t show up when entering email on login page.

Solutions:

  1. Wait 1-2 seconds after entering email (there’s a debounce)
  2. Make sure you entered the full email address with @
  3. Verify SSO is enabled in Cast Designer settings
  4. Check that the email domain matches your organization
  5. Try refreshing the page
  6. Check browser console for errors (F12)

“User not found” Error After SSO Login

Problem: Successfully authenticate at IdP but get error in Cast Designer.

Solutions:

  1. User must be invited first - Invite the user in Cast Designer before they try SSO
  2. Email must match exactly - Email in IdP must match invited email
  3. User not disabled - Check user is not disabled in Cast Designer
  4. Organization mismatch - Verify user is invited to correct organization

SAML Configuration Fails

Problem: Can’t save SAML configuration in Cast Designer.

Solutions:

  1. Check metadata format - Ensure XML is valid and complete
  2. URL accessibility - If using metadata URL, ensure it’s publicly accessible
  3. Certificate format - Certificate should include BEGIN/END lines
  4. Required fields - Entity ID, SSO URL, and certificate are all required

Error: “Invalid SAML Response”

Problem: Authentication fails with invalid SAML response error.

Solutions:

  1. Clock sync - Ensure IdP and server times are synchronized (within 5 minutes)
  2. Certificate mismatch - Re-download and re-upload IdP certificate
  3. ACS URL mismatch - Verify ACS URL in IdP exactly matches Cast Designer org slug
  4. Expired assertion - SAML assertions have short validity; try again immediately
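
The checks in this list can be run against a captured response. The following is an added diagnostic example, not Cast Designer's validation code: it decodes a base64 SAMLResponse and compares Destination, Recipient, Audience, NameID format and the validity window with the values this guide configures. It assumes a 5-minute clock tolerance, does not verify the signature, and uses a constructed sample with the hypothetical slug "acme".

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SKEW = timedelta(minutes=5)  # assumption: the 5-minute figure from the list above


def _ts(value):
    """Parse a SAML timestamp such as 2025-11-19T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def diagnose(saml_response_b64, org_slug, now=None):
    """Return findings (empty list: these checks passed). The signature is NOT verified."""
    now = now or datetime.now(timezone.utc)
    acs = f"https://cast.app/designer/{org_slug}/saml/acs"
    audience = f"https://cast.app/designer/{org_slug}/saml/metadata"
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if root.get("Destination") != acs:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL {acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion (encrypted, or the IdP returned an error)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not emailAddress")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        findings.append("SubjectConfirmationData Recipient is not the ACS URL")
    audiences = [(a.text or "").strip() for a in assertion.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        findings.append(f"Audience {audiences} does not include {audience!r}")
    cond = assertion.find("saml:Conditions", NS)
    window = cond.attrib if cond is not None else {}
    if "NotBefore" in window and now + SKEW < _ts(window["NotBefore"]):
        findings.append("assertion not yet valid: is the IdP clock ahead of this one?")
    if "NotOnOrAfter" in window and now - SKEW >= _ts(window["NotOnOrAfter"]):
        findings.append("assertion expired: retry promptly and check clock sync")
    return findings


# Constructed sample response, not captured from a real IdP; the slug "acme" is hypothetical.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://cast.app/designer/acme/saml/acs"><saml:Assertion><saml:Subject>
  <saml:NameID Format="{EMAIL_FORMAT}">user@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://cast.app/designer/acme/saml/acs"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions NotBefore="2025-11-19T10:00:00Z" NotOnOrAfter="2025-11-19T10:05:00Z">
  <saml:AudienceRestriction>
   <saml:Audience>https://cast.app/designer/acme/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    at = datetime(2025, 11, 19, 10, 2, tzinfo=timezone.utc)
    print(diagnose(SAMPLE_B64, "acme", now=at) or "no findings")
```

With the HTTP-POST binding, the input is the SAMLResponse form field of the browser's POST to the ACS URL; it contains the user's identity, so handle a captured copy accordingly.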

Users Can’t Login After Enabling Enforcement

Problem: Enabled enforcement but users getting errors.

Solutions:

  1. Verify users have IdP accounts - All users must exist in your IdP
  2. Check IdP assignments - Users must be assigned to Cast Designer app in IdP
  3. Test with admin first - Ensure at least one admin can login via SSO
  4. Temporarily disable enforcement - If needed, uncheck enforcement to allow password login
  5. Contact support - Email support@cast.app if issue persists

Need to Disable SSO

Problem: Need to turn off SSO and go back to password login.

Solutions:

  1. Disable Enforcement First:

    • Go to Team → SSO Settings
    • Uncheck “Require SSO for all users”
    • Users can now use passwords again
  2. Completely Disable SSO:

    • Go to Team → SSO Settings
    • Click Disable SAML button
    • SSO will be turned off entirely
    • Configuration is saved and can be re-enabled later

Lost Admin Access

Problem: Admin can’t login after enabling enforcement.

Prevention:

  • Always test SSO login BEFORE enabling enforcement
  • Ensure your admin account exists in IdP
  • Have multiple admins for backup

Recovery:

  • Contact Cast support at support@cast.app
  • Support can disable enforcement from backend
  • Alternative: Have another admin disable enforcement

Best Practices

Before Enabling SSO

  • Test SSO with your own admin account first
  • Invite a test user and verify they can login via SSO
  • Ensure all team members have accounts in your IdP
  • Communicate the change to your team in advance
  • Start with enforcement OFF (default)
  • Give users option to use password OR SSO
  • Monitor adoption over 1-2 weeks
  • Resolve any access issues

Before Enabling Enforcement

  • Verify all active users have IdP accounts
  • Confirm all users have successfully logged in via SSO at least once
  • Announce enforcement will be enabled (give 1 week notice)
  • Have a backup admin who can disable enforcement if needed

Security Recommendations

  • Use strong password policy in your IdP
  • Enable MFA (Multi-Factor Authentication) in your IdP
  • Regularly review IdP user assignments
  • Monitor failed login attempts
  • Set up IdP session timeout
  • Regularly update certificates before expiration

Maintenance

  • Check certificate expiration dates (set reminder for 30 days before)
  • Review user access quarterly
  • Test SSO login periodically
  • Keep IdP metadata up to date
  • Document any custom configurations

Understanding SSO Enforcement

What Happens When Enforcement is OFF (Default)

Login Page Shows:

  • Email field
  • Password field
  • “Login” button
  • “Continue with SSO” button (if SSO available)
  • “Continue with Google” button

Users Can:

  • Login with email + password
  • Login with SSO
  • Login with Google OAuth
  • Choose their preferred method each time

What Happens When Enforcement is ON

Login Page Shows:

  • Email field
  • “SSO Required” message box
  • “Continue with SSO” button ONLY

Login Page Hides:

  • Password field
  • Regular login button
  • Google OAuth button

Users Must:

  • Login via SSO only
  • Authenticate with your IdP
  • Cannot use passwords anymore

Invitation Page:

  • New invited users see SSO option only
  • Cannot set a password
  • Must authenticate via IdP to activate account

Reversibility

Good News:

  • Enforcement can be turned off anytime
  • No data is lost
  • Passwords remain in database
  • If you disable enforcement, password login works again

FAQ

Q: Do we need to invite users before they can use SSO?

A: Yes! Cast Designer requires pre-invite provisioning. Users must be invited to the organization before they can login via SSO. This is a security feature to control who has access.

Steps:

  1. Invite user in Cast Designer
  2. Assign user to Cast Designer app in your IdP
  3. User can then login via SSO

Q: Can some users have passwords while others use SSO?

A: Yes, if enforcement is OFF. Users can choose their preferred authentication method. If enforcement is ON, everyone must use SSO.

Q: What if our IdP goes down?

A: If enforcement is ON and IdP is down, users cannot login. Options:

  • Prevention: Test IdP reliability before enabling enforcement
  • Backup: Keep enforcement OFF for critical scenarios
  • Recovery: Contact Cast support to disable enforcement from backend

Q: Can we use SSO with multiple email domains?

A: Yes, as long as all domains are managed by the same IdP. The SAML configuration is per-organization, not per-domain.

Q: How do we remove SSO?

A:

  1. Disable enforcement first (if enabled)
  2. Go to SSO Settings
  3. Click “Disable SAML”
  4. Configuration is saved but inactive
  5. Can re-enable later without reconfiguring

Q: Will existing user passwords be deleted when we enable SSO?

A: No! Passwords remain in the database. If enforcement is OFF, users can still use them. If enforcement is ON, passwords exist but can’t be used for login.

Q: Can admins bypass SSO enforcement?

A: No, admins must use SSO when enforcement is enabled. This ensures consistent security. We recommend having multiple admins for redundancy.

Q: How do we add a new user after enabling enforcement?

A:

  1. Add user to your IdP first
  2. Assign them to Cast Designer app in IdP
  3. Invite them in Cast Designer
  4. They use SSO to activate their account

Q: Does Cast Designer support Just-In-Time (JIT) provisioning?

A: Not currently. Users must be pre-invited. This gives admins control over who can access the organization.

Q: Can we map SAML attributes to user roles?

A: Not currently. All invited users get standard permissions. Admins must manually assign admin roles if needed. Contact support@cast.app if you need this feature.


Getting Help

Support Resources

Email Support:

  • Email: support@cast.app
  • Response time: Within 24 hours (business days)
  • Include: Organization name, IdP type, error messages

What to Include in Support Request:

  1. Organization name and slug
  2. Identity Provider (Okta, Azure AD, Google, etc.)
  3. Description of issue
  4. Screenshots (if relevant)
  5. Error messages (from browser console if available)
  6. Steps you’ve already tried

Browser Console Logs

If experiencing issues, check browser console:

  1. Open browser developer tools (F12)
  2. Go to Console tab
  3. Look for red error messages
  4. Include these in support request

Testing Tools

Test SAML Login:

  • Use a test user account first
  • Try from different browser/incognito mode
  • Check that email is invited in Cast Designer
  • Verify user is assigned in IdP

Verify Configuration:

  • Check SAML metadata URL is accessible
  • Ensure ACS URL matches exactly (including org slug)
  • Confirm certificate is valid and not expired

Quick Reference

URLs You’ll Need

Replace YOUR-ORG-SLUG with your actual slug:

Service Provider Metadata:

https://cast.app/designer/YOUR-ORG-SLUG/saml/metadata

Assertion Consumer Service (ACS):

https://cast.app/designer/YOUR-ORG-SLUG/saml/acs

SSO Initiation:

https://cast.app/designer/YOUR-ORG-SLUG/saml/login

Configuration Checklist

In Your IdP:

  • SAML 2.0 application created
  • Entity ID / Audience configured
  • ACS / Reply URL configured
  • Name ID format set to Email
  • Email attribute mapped
  • Users assigned to app

In Cast Designer:

  • SAML metadata uploaded
  • Configuration validated
  • Test user invited
  • SSO login tested
  • Enforcement enabled (if desired)

Document Version: 1.0
Last Updated: November 19, 2025
Contact: support@cast.app