Azure ADFS
Configure SAML authentication with Microsoft Azure ADFS
Last updated
Configure SAML authentication with Microsoft Azure ADFS
Last updated
Polarity SAML authentication should work with any identity provider (IdP) given the application is set up correctly within the identity provider's account. This guide walks through configuring Polarity SAML Authentication with Azure ADFS.
The following link provides steps on how to setup SSO in Azure ADFS:
Polarity specific setup instructions can be found below.
Navigate to the Azure Active Directory Admin Center
From the left navigation menu select "Applications" -> "Enterprise applications" -> "New Application" -> "Create your own application".
Name your app (e.g., "Polarity") and select the radio button for "Integrate any other application you don't find in the gallery (Non-gallery)".
Once the application is created select the option to "Set up single sign on". You may also find this option in the left navigation menu.
Select the "SAML" single sign-on method.
In the "Basic SAML Configuration" block, click on the "Edit" icon
On the Basic SAML Configuration page fill in the Identifier and Reply URL as specified below.
Optional but can be set to:
This is not needed
Once you have filled in the "Identifier" and "Reply URL" click on the "Save" button.
Next click on the "Edit" button in the "Attributes & Claims block.
The page will show two columns. A "Claim name" column and a "Value" column. You will need to identify three required values when configuring SAML on the Polarity Server:
An email value
A username value
A full name value
In most cases there will already be an email address (user.mail) and username (user.userprincipalname) claim.
For the full name value we suggest creating a new claim by clicking on the "Add new claim" and filling in the following values:
Name: displayname
Source: Attribute
Source attribute: user.displayname
Click on "Save" when done.
You will now want to save the "Claim name" for the user.mail, user.displayname, and user.userprincipalname values. The Claim name for each of these values will be used when configuring SAML on the Polarity Server.
From the "SAML Certificates" block, download the "Federation Metadata XML" file. We will use the content of this file in the next steps when we
We recommend controlling access to Polarity by granting access to the Polarity application in Azure via the Users and groups settings within the app.
Login to the Polarity Server as an admin via your browser and navigate to "Server Configuration" in the left navigation panel.
Click on the "Client Authentication" tab at the top of the page.
From the "Authentication Method" drop down select "SAML".
Once the SAML authentication method is selected you will need to fill in the following configuration details using information from the Azure app created in the previous steps.
Polarity Server Fully Qualified Domain Name (FQDN)
Fill in the FQDN of your Polarity Server to include the scheme (https://).
Paste in the content of the full Federation Metadata XML file that was exported from Azure.
You can customize the label on the SAML sign-in button by entering text here.
The username value should must be a unique value for every user on the system. In most cases you will want to use the user.userprincipalname value which will have the "Claim name":
You can also use an email address for the username in which in most cases will be the "Claim name":
When setting the Username attribute in the Polarity SAML configuration you will only provide the last segment of the claim name.
As an example, if you wanted to use the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name you would only enter the valuenameinto Polarity.
Be sure to only use the last segment of the "Claim name" when configuring attributes within Polarity
The email must be a unique and valid email for each user in Polarity. The Email Attribute will typically use the user.mail value from ADFS.
In most cases, the Email Attribute in Polarity use the following "Claim name":
As we only use the last segment of the "Claim Name", you would set the Email attribute in Polarity to emailaddress.
The full name attribute contains the user's given and surname.
In most cases you will want to use the value user.displayname. There is usually no default "Claim name" for the user.displayname attribute. If you added this claim when configuring SAML within Azure then the "Claim name" would be displayname.
If you did not add a displayname claim when configuring SAML in Azure, you can pick either the user.givenname or user.surname values which are available by default in most cases.
As an example, if you wanted to use the surname claim the Full name attribute would be set to surname.
You can optionally set a "Group attribute" which is used to identify which groups the user belongs to. You can then authorize specific groups using the "Authorized groups regular expression" option.
If you leave this blank, all authenticated SAML users will be able authorized to login to the Polarity Server.
Provide one or more groups separated by a pipe (|). More complex group matches can be accomplished with a custom regular expression. The provided regex will be run against the provided "Group attribute" of the user. If the regex passes, the user will be granted access to the Polarity Server.
After entering the required options in Polarity, click on "Apply Changes" in the top right. When you navigate to the Polarity login screen you should now see the option to login via your SAML Identity Provider.
