SAML

Enabling SAML

Polarity supports SAML based authentication for authenticating and authorizing users to the platform. When a user first successfully logs-in via SAML, Polarity will automatically generate a new, local Polarity account for that user. To configure SAML navigate to the "Server Configuration" page, then "Client Authentication". In the "Authentication Method" drop down select "SAML".

Configuring SAML

SAML configuration requires that you configure both Polarity, the Service Provider or SP, and your Identity Provider or IdP). Common Identity Providers would include Okta, Ping, and Azure ADFS.

Configuring Polarity

When setting up SAML in Polarity you will need to provide the following information which is obtained from your IdP.

SAML endpoint URL

The SAML endpoint URL is the URL that Polarity should redirect users to when they need to login via SAML. This field is also referred to within the IdP as the "Identity Provider Single Sign-On URL", or "SSO Login URL", or "Sign on URL".

SAML certificate

This is an encrypted string containing the public key of the X509 certificate of the Identity Provider. The value for this field should include the header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----

When pasting the certificate content into the SAML certificate option field you can include or exclude the BEGIN and END certificate headers.

Within your IdP the SAML certificate is also referred to as the "X.509 Certificate" or "Signing Certificate".

Sign in button label

Provide the text on the button that users will click on within Polarity to sign in with SAML

Username attribute

The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "username" field of the Polarity user logging in.

Email attribute

The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "email" field of the Polarity user logging in. This attribute must be a valid email address.

Full name attribute

The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "Full name" field of the Polarity user logging in.

Group Attribute

The name of the SAML attribute returned as part of your IdP's SAML assertions that should be used by the "Authorized groups regular expression" to determine if the user is authorized to access Polarity.

Authorized groups regular expression

Provide one or more groups separated by a pipe (|) that are authorized to access Polarity. The regular expression provided here will be run against the "Group Attribute" in the returned SAML assertion to determine whether or not the user is authorized to access Polarity. More complex group matches can be accomplished with a custom regular expression.

Unique ID

If checked, Polarity will Match the SAML response to the provided Unique ID when authenticating via SP initiated login. You may need to disable this to support IdP initiated authentication flows.

Configuring your IdP

When configuring your IdP you will need to provide the following

Callback or Assertion Consumer Service URL

The callback or assertion consumer service URL, sometimes referred to as the "Single sign-on URL" should be set to the following:

https://<your domain name>/v2/saml/assertion

You should replace <your domain name>with the domain of your server. For example, if your server is https://my-polarity-server.localthen you would set the Callback URl in your IdP to:

https://my-polarity-server.local/v2/saml/assertion

Entity ID

The Entity ID, also known as the Audience URI, should be set to the FQDN of your server. For example,

https://<my-polarity-server>.internal

IdP Specific Guides

If you are setting up SAML using Okta or Azure ADFS as your IdP please see the following IdP specific guides: