SAML
Enabling SAML
Polarity supports SAML-based authentication for authenticating and authorizing users to the platform. When a user first successfully logs in via SAML, Polarity will automatically generate a new, local Polarity account for that user. To configure SAML, navigate to the "Server Configuration" page, then "Client Authentication". In the "Authentication Method" drop-down select "SAML".

Configuring SAML
SAML configuration requires that you configure both Polarity (the Service Provider, or SP) and your Identity Provider (IdP). Common Identity Providers include Okta, Ping, and Azure ADFS.
Configuring Polarity
When setting up SAML in Polarity you will need to provide the following information, which is obtained from your IdP:
SAML endpoint URL
The SAML endpoint URL is the URL that Polarity should redirect users to when they need to login via SAML. This field is also referred to within the IdP as the "Identity Provider Single Sign-On URL", or "SSO Login URL", or "Sign on URL".
SAML certificate
This is a PEM-encoded (base64) string containing the public key of the Identity Provider's X.509 certificate. The value for this field is normally supplied with the header -----BEGIN CERTIFICATE----- and the footer -----END CERTIFICATE-----. When pasting the certificate content into the SAML certificate option field you can include or exclude the BEGIN and END certificate lines.
Within your IdP the SAML certificate is also referred to as the "X.509 Certificate" or "Signing Certificate".
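The following is an added example, not Polarity's own code, showing how a pasted IdP signing certificate can be normalised (accepted with or without the BEGIN/END lines, as described above), sanity-checked, and fingerprinted so the value can be compared against what the IdP's admin console displays before it is saved. The DER check is deliberately minimal (outer SEQUENCE length only) and does not replace a full X.509 parse; the sample certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Added example (not Polarity's code): normalise and check a pasted IdP certificate."""
import base64
import binascii
import hashlib
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed stand-in: base64 of the DER bytes 30 03 02 01 05 (SEQUENCE { INTEGER 5 }).
# A real certificate is far larger; this only exercises the normalisation path.
SAMPLE_PASTE_WITHOUT_HEADERS = "MAMCAQU="
SAMPLE_PASTE_WITH_HEADERS = f"{PEM_HEADER}\n{SAMPLE_PASTE_WITHOUT_HEADERS}\n{PEM_FOOTER}\n"


def _check_der_sequence(der: bytes) -> None:
    """Reject data that is not an outer DER SEQUENCE whose length matches the payload.
    This catches truncated or partially pasted certificates early."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, offset = first, 2
    else:                                 # long-form length: next N bytes hold the size
        n = first & 0x7F
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(der):
        raise ValueError("DER length does not match certificate size")


def normalize_certificate(pasted: str) -> str:
    """Accept the certificate with or without BEGIN/END lines and return canonical PEM."""
    body = pasted.replace(PEM_HEADER, "").replace(PEM_FOOTER, "")
    body = re.sub(r"\s+", "", body)       # strip newlines and stray whitespace
    if not body:
        raise ValueError("no certificate data")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}") from exc
    _check_der_sequence(der)
    wrapped = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([PEM_HEADER, *wrapped, PEM_FOOTER])


def fingerprint_sha256(pem: str) -> str:
    """Colon-separated SHA-256 fingerprint of the DER body, as IdP consoles usually show it."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    pem = normalize_certificate(SAMPLE_PASTE_WITH_HEADERS)
    print(pem)
    print("SHA-256:", fingerprint_sha256(pem))
```

Both paste styles yield the same canonical PEM and therefore the same fingerprint; a truncated paste fails at the base64 or DER-length check instead of being stored silently.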
Sign in button label
Provide the text on the button that users will click on within Polarity to sign in with SAML.
Username attribute
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "username" field of the Polarity user logging in.
Email attribute
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "email" field of the Polarity user logging in. This attribute must be a valid email address.
Full name attribute
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "Full name" field of the Polarity user logging in.
Group Attribute
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be used by the "Authorized groups regular expression" to determine if the user is authorized to access Polarity.
In general we recommend leaving this field blank and leveraging your IdP for authorization.
Authorized groups regular expression
Provide one or more groups separated by a pipe (|) that are authorized to access Polarity. The regular expression provided here will be run against the "Group Attribute" in the returned SAML assertion to determine whether or not the user is authorized to access Polarity. More complex group matches can be accomplished with a custom regular expression.
In general we recommend leaving this field blank and leveraging your IdP for authorization.
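The following is an added example, not Polarity's own code, showing how the attribute settings above fit together: the username, email and full name attributes are pulled from a SAML assertion's AttributeStatement and mapped to the local account fields, and the "Authorized groups regular expression" is applied to each value of the group attribute. The attribute names (uid, mail, displayName, memberOf) and the sample assertion are constructed for the example. The page does not say whether Polarity anchors the expression; this example uses a full match so that a pattern such as analysts does not accidentally accept a group named ex-analysts, and treats a blank group attribute or regex as "defer to the IdP", matching the recommendation above. Both of those are assumptions to confirm against the product.

```python
"""Added example (not Polarity's code): SAML attribute mapping and group authorization."""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # coarse shape check only

# Constructed sample assertion. A real assertion is signed; verify the signature
# before trusting any attribute value (this example assumes that already happened).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>soc-analysts</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values...]}; group attributes are often multi-valued."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs


def map_user(attrs: dict, username_attr: str, email_attr: str, fullname_attr: str) -> dict:
    """Build the local account fields. Each mapped attribute must carry exactly one value,
    and the email attribute must look like an email address, as the page requires."""
    user = {}
    for field, name in (("username", username_attr), ("email", email_attr), ("full_name", fullname_attr)):
        values = attrs.get(name, [])
        if len(values) != 1:
            raise ValueError(f"attribute {name!r} for {field} must have exactly one value, got {values}")
        user[field] = values[0]
    if not EMAIL_RE.match(user["email"]):
        raise ValueError(f"email attribute {email_attr!r} is not a valid email address")
    return user


def is_authorized(attrs: dict, group_attr: str, authorized_regex: str) -> bool:
    """True if any value of the group attribute fully matches the authorized-groups regex.
    Assumption: a blank group attribute or regex means authorization is left to the IdP."""
    if not group_attr or not authorized_regex:
        return True
    pattern = re.compile(authorized_regex)
    return any(pattern.fullmatch(group) for group in attrs.get(group_attr, []))


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print(map_user(attrs, "uid", "mail", "displayName"))
    print("authorized:", is_authorized(attrs, "memberOf", "soc-analysts|polarity-admins"))
```

With the sample assertion, the regex soc-analysts|polarity-admins authorizes the user through the first alternative, while polarity-admins alone or the unanchored-looking pattern analysts does not.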
Unique ID
If checked, Polarity will match the SAML response to the provided Unique ID when authenticating via SP-initiated login. You may need to disable this to support IdP-initiated authentication flows.
Configuring your IdP
When configuring your IdP you will need to provide the following:
Callback or Assertion Consumer Service URL
The callback or assertion consumer service URL, sometimes referred to as the "Single sign-on URL" should be set to the following:
https://<your domain name>/v2/saml/assertion
You should replace <your domain name> with the domain of your server. For example, if your server is https://my-polarity-server.local then you would set the Callback URL in your IdP to:
https://my-polarity-server.local/v2/saml/assertion
Entity ID
The Entity ID, also known as the Audience URI, should be set to the FQDN of your server. For example,
https://<my-polarity-server>.internal
IdP Specific Guides
If you are setting up SAML using Okta or Azure ADFS as your IdP please see the following IdP specific guides:
Okta
Azure ADFS