SAML
Last updated
Polarity supports SAML-based authentication for authenticating and authorizing users to the platform. When a user first successfully logs in via SAML, Polarity will automatically generate a new, local Polarity account for that user. To configure SAML, navigate to the "Server Configuration" page, then "Client Authentication". In the "Authentication Method" drop-down, select "SAML".
SAML configuration requires that you configure both Polarity (the Service Provider, or SP) and your Identity Provider (IdP). Common Identity Providers include Okta, Ping, and Azure ADFS.
When setting up SAML in Polarity you will need to provide the following information, which is obtained from your IdP.
The SAML endpoint URL is the URL that Polarity should redirect users to when they need to log in via SAML. This field is also referred to within the IdP as the "Identity Provider Single Sign-On URL", "SSO Login URL", or "Sign on URL".
This is a PEM-encoded string containing the public key of the Identity Provider's X.509 certificate. The value for this field should include the header -----BEGIN CERTIFICATE----- and footer -----END CERTIFICATE-----. When pasting the certificate content into the SAML certificate option field you can include or exclude the BEGIN and END certificate headers.
Within your IdP the SAML certificate is also referred to as the "X.509 Certificate" or "Signing Certificate".
Provide the text on the button that users will click within Polarity to sign in with SAML.
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "username" field of the Polarity user logging in.
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "email" field of the Polarity user logging in. This attribute must be a valid email address.
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be mapped to the "Full name" field of the Polarity user logging in.
The name of the SAML attribute returned as part of your IdP's SAML assertions that should be used by the "Authorized groups regular expression" to determine if the user is authorized to access Polarity.
In general we recommend leaving this field blank and leveraging your IdP for authorization.
Provide one or more groups separated by a pipe (|) that are authorized to access Polarity. The regular expression provided here will be run against the "Group Attribute" in the returned SAML assertion to determine whether or not the user is authorized to access Polarity. More complex group matches can be accomplished with a custom regular expression.
In general we recommend leaving this field blank and leveraging your IdP for authorization.
If checked, Polarity will match the SAML response to the provided Unique ID when authenticating via SP-initiated login. You may need to disable this to support IdP-initiated authentication flows.
When configuring your IdP you will need to provide the following:
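The attribute mapping and the pipe-separated "Authorized groups regular expression" described above, as an added example that is not Polarity's own code. It parses a constructed assertion, maps the attributes to the username, email and full-name fields, and runs a group regex against the group attribute; the attribute names (username, email, displayName, memberOf) are assumptions, and the example goes beyond the page by contrasting unanchored and anchored matching, so check which semantics your deployment applies before relying on either.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample assertion (not a real IdP response). The attribute
# names are assumptions standing in for whatever the IdP is configured to emit.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Polarity-Users-Guests</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_user(attrs):
    """Map the configured attribute names onto Polarity's user fields (names assumed)."""
    return {
        "username": attrs["username"][0],
        "email": attrs["email"][0],
        "full_name": attrs["displayName"][0],
    }


def is_authorized(groups, pattern, anchored):
    """Run the authorized-groups regex against every value of the group attribute."""
    regex = re.compile(pattern)
    match = regex.fullmatch if anchored else regex.search
    return any(match(g) for g in groups)


attrs = saml_attributes(SAMPLE_ASSERTION)
groups = attrs["memberOf"]
# Unanchored, "Polarity-Users" also matches inside "Polarity-Users-Guests".
loose = is_authorized(groups, "Polarity-Users|Polarity-Admins", anchored=False)
strict = is_authorized(groups, "Polarity-Users|Polarity-Admins", anchored=True)
```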
The callback or assertion consumer service URL, sometimes referred to as the "Single sign-on URL", should be set to the following:
You should replace <your domain name> with the domain of your server. For example, if your server is https://my-polarity-server.local then you would set the Callback URL in your IdP to:
The Entity ID, also known as the Audience URI, should be set to the FQDN of your server. For example,
If you are setting up SAML using Okta or Azure ADFS as your IdP, please see the following IdP-specific guides: