Polarity v5 Admin Guide

Azure ADFS

Configure SAML authentication with Microsoft Azure ADFS

Last updated 2 years ago

Polarity SAML authentication should work with any identity provider (IdP), provided the application is set up correctly within the identity provider's account. This guide walks through configuring Polarity SAML Authentication with Azure ADFS.

The following Microsoft article provides the general steps for setting up SSO for an enterprise application in Azure: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso

Polarity-specific setup instructions can be found below.

Azure - App Creation

Navigate to the Azure Active Directory Admin Center (https://aad.portal.azure.com/).

From the left navigation menu select "Enterprise applications" -> "New Application" -> "Create your own application".

Name your app (e.g., "Polarity") and select the radio button for "Integrate any other application you don't find in the gallery (Non-gallery)".

Azure - Single Sign On

Once the application is created select the option to "Set up single sign on". You may also find this option in the left navigation menu.

Select the "SAML" single sign-on method.

Basic SAML Configuration

In the "Basic SAML Configuration" block, click on the "Edit" icon.

On the Basic SAML Configuration page fill in the Identifier and Reply URL as specified below.

Identifier (Entity ID)

https://<your-polarity-server-fqdn>

Reply URL (Assertion Consumer Service URL)

https://<your-polarity-server-fqdn>/v2/saml/assertion

Sign on URL (Optional)

Optional but can be set to:

https://<your-polarity-server-fqdn>

Replace <your-polarity-server-fqdn> with the fully qualified domain name of your Polarity server.

Relay State (Optional)

This is not needed.

Logout Url (Optional)

This is not needed.

Once you have filled in the "Identifier" and "Reply URL" click on the "Save" button.

Attributes & Claims

Next click on the "Edit" button in the "Attributes & Claims" block.

The page will show two columns. A "Claim name" column and a "Value" column. You will need to identify three required values when configuring SAML on the Polarity Server:

  1. An email value

  2. A username value

  3. A full name value

In most cases there will already be an email address (user.mail) and username (user.userprincipalname) claim.

For the full name value we suggest creating a new claim by clicking on the "Add new claim" and filling in the following values:

  • Name: displayname

  • Source: Attribute

  • Source attribute: user.displayname

Click on "Save" when done.

You will now want to save the "Claim name" for the user.mail, user.displayname, and user.userprincipalname values. The Claim name for each of these values will be used when configuring SAML on the Polarity Server.

SAML Certificates

From the "SAML Certificates" block, download the "Certificate (Base64)" file. We will use this file in the next steps when we configure SAML on the Polarity Server.

Login URL

Copy the "Login URL" from the 4th block ("Set up <your app name>", directly below the "SAML Certificates" block). You will use this URL as the "SAML endpoint URL" when configuring SAML on the Polarity Server.

Azure - Users and groups

We recommend controlling access to Polarity by granting access to the Polarity application in Azure via the Users and groups settings within the app.

Polarity Server SAML Configuration

Login to the Polarity Server as an admin via your browser and navigate to "Server Configuration" in the left navigation panel.

Click on the "Client Authentication" tab at the top of the page.

From the "Authentication Method" drop down select "SAML".

Once the SAML authentication method is selected you will need to fill in the following configuration details using information from the Azure app created in the previous steps.

SAML endpoint URL

Enter the "Login URL" which you copied from the 4th block ("Set up <your app name>") of the Azure single sign-on page.

SAML certificate

Open the Base64 encoded certificate you downloaded from the "SAML Certificates" block in Azure and paste the contents that fall between "BEGIN CERTIFICATE" and "END CERTIFICATE" into the SAML certificate text area. The content of the certificate should look similar to this:

-----BEGIN CERTIFICATE-----
(this is the certificate content)
-----END CERTIFICATE-----

Only copy the text between the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- when pasting the certificate into the SAML configuration.

If the content of your certificate does not include the BEGIN CERTIFICATE and END CERTIFICATE lines, ensure that you downloaded the Base64 version of the certificate and not the Raw version (the Raw download is binary DER, not text).
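As an added check before pasting the certificate (example code written for this guide; it is not part of Polarity or Azure), the script below reads either Azure download, converts a Raw (DER) file to PEM instead of failing on it, extracts the Base64 body that goes into the Polarity text area, verifies that the body actually decodes, and prints the SHA-1 thumbprint so you can compare it with the "Thumbprint" shown in the Azure "SAML Certificates" block. Only the Python standard library is used; the sample bytes in the test are constructed, not a real certificate.

```python
"""Check an Azure IdP signing certificate before pasting it into Polarity.
Added example for this guide, not Polarity's or Azure's own code."""
import base64
import hashlib
import re
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def detect_format(raw: bytes) -> str:
    """'pem' for the Azure 'Certificate (Base64)' download, 'der' for 'Certificate (Raw)'."""
    s = raw.lstrip()
    if s.startswith(PEM_HEADER):
        return "pem"
    if s[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        return "der"
    return "unknown"


def load_cert(raw: bytes) -> str:
    """Return the certificate as PEM text, converting a Raw (DER) download if needed."""
    kind = detect_format(raw)
    if kind == "pem":
        return raw.decode("ascii").strip()
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(raw).strip()
    raise ValueError("file is neither PEM nor DER; re-download 'Certificate (Base64)' from Azure")


def pem_body(pem: str) -> str:
    """The Base64 between the BEGIN/END lines with line breaks removed.
    This is the text to paste into the Polarity 'SAML certificate' field."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no BEGIN/END CERTIFICATE markers found")
    body = "".join(m.group("body").split())
    base64.b64decode(body, validate=True)  # binascii.Error if truncated or corrupted
    return body


def thumbprint(pem: str) -> str:
    """SHA-1 over the DER bytes, uppercase hex, as Azure displays 'Thumbprint'."""
    der = base64.b64decode(pem_body(pem))
    return hashlib.sha1(der).hexdigest().upper()


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as f:  # path of the file downloaded from Azure
        cert = load_cert(f.read())
    print("thumbprint:", thumbprint(cert))
    print(pem_body(cert))
```

Run it as `python check_cert.py Polarity.cer`; if the thumbprint differs from what Azure shows, you downloaded the wrong certificate (for example after a signing-certificate rotation), and Polarity will reject every assertion signed by the IdP.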

Sign in button label

You can customize the label on the SAML sign-in button by entering text here.

Username Attribute

The username value must be unique for every user on the system. In most cases you will want to use the user.userprincipalname value, which has the "Claim name":

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

You can also use an email address as the username, which in most cases will have the "Claim name":

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Use the "Claim names" that you copied when configuring SAML in Azure.

Email Attribute

The email must be a unique and valid email for each user in Polarity. The Email Attribute will typically use the user.mail value from ADFS.

In most cases, the Email Attribute in Polarity should be set to the following "Claim name":

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Full name attribute

The full name attribute contains the user's given name and surname.

In most cases you will want to use the value user.displayname. There is usually no default "Claim name" for the user.displayname attribute. If you added this claim when configuring SAML within Azure as described above, the "Claim name" is:

displayname

If you did not add a displayname claim when configuring SAML in Azure, you can use either the user.givenname or user.surname value, which are available by default in most cases:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
or
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Group attribute

You can optionally set a "Group attribute" which is used to identify which groups the user belongs to. You can then authorize specific groups using the "Authorized groups regular expression" option.

If you leave this blank, all authenticated SAML users will be authorized to log in to the Polarity Server.

We recommend leveraging the "Users and Groups" permissions within Azure ADFS to control which users and groups have access to the Polarity application rather than controlling access from the Polarity Server.

Authorized groups regular expression

Provide one or more group names separated by a pipe (|). More complex group matches can be accomplished with a custom regular expression. The pattern is run against the value of the user's "Group attribute"; if it matches, the user is granted access to the Polarity Server. Treat the field as a real regular expression: escape metacharacters that appear in group names and anchor the pattern (^ and $) so that a partial match, such as polarity-users against polarity-users-readonly, cannot grant access.
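When a login fails after this step, the usual cause is a "Claim name" in Polarity that does not match an Attribute Name in the assertion, or a group regex that matches more (or less) than intended. The helper below, an added example for this guide and not Polarity's own code, decodes a SAMLResponse captured from the browser (the Base64 value POSTed to /v2/saml/assertion), lists the Attribute Names Azure actually sent, resolves the three required Polarity attributes from the claim names in this guide, and evaluates the "Authorized groups regular expression" both anchored and unanchored. It does not verify the assertion signature (the Polarity server does that with the pasted certificate), so use it only on responses you captured yourself. The groups claim name, the sample response and the group values in it are constructed assumptions; Azure emits a group claim only if one is added in "Attributes & Claims", and its values are whatever that claim is configured to send.

```python
"""Decode a SAMLResponse, list its claims, resolve the Polarity mapping, test the group regex.
Added example for this guide, not Polarity's own code.  No signature validation."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names from this guide.  The groups entry is an assumption (see lead-in).
CLAIMS = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "full_name": "displayname",
    "groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
}
REQUIRED = ("username", "email", "full_name")


def attributes(saml_response_b64):
    """Return {Attribute Name: [values]} from the assertion's AttributeStatement.
    The Attribute Name is exactly the 'Claim name' Polarity expects in its fields."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        found[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return found


def missing_claims(attrs, mapping=CLAIMS):
    """Required Polarity fields whose claim name is absent from the assertion.
    'full_name' here usually means the displayname claim was never added in Azure."""
    return [f for f in REQUIRED if mapping[f] not in attrs]


def resolve(attrs, mapping=CLAIMS):
    """Values the Polarity attribute fields would read; the required ones must be single-valued."""
    missing = missing_claims(attrs, mapping)
    if missing:
        raise LookupError("claims not in assertion: " + ", ".join(mapping[f] for f in missing))
    user = {}
    for field in REQUIRED:
        values = attrs[mapping[field]]
        if len(values) != 1 or not values[0]:
            raise ValueError(f"{field}: expected exactly one value, got {values}")
        user[field] = values[0]
    user["groups"] = attrs.get(mapping["groups"], [])
    return user


def allow_groups(*names):
    """Pipe-separated pattern from literal group names, escaping regex metacharacters."""
    return "|".join(re.escape(n) for n in names)


def group_authorized(groups, pattern, anchored=True):
    """Apply the group regex to each group value.  anchored=True requires a full-value
    match (the safe way to write the pattern); anchored=False shows what substring
    search would let through."""
    rx = re.compile(f"^(?:{pattern})$" if anchored else pattern)
    return any(rx.search(g) for g in groups)


def sample_response():
    """Constructed, unsigned response carrying the claims from this guide (not captured from Azure)."""
    xml = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
      <Assertion ID="_a1" Version="2.0"><AttributeStatement>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
          <AttributeValue>jdoe@example.com</AttributeValue></Attribute>
        <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
          <AttributeValue>jane.doe@example.com</AttributeValue></Attribute>
        <Attribute Name="displayname"><AttributeValue>Jane Doe</AttributeValue></Attribute>
        <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
          <AttributeValue>polarity-users-readonly</AttributeValue>
          <AttributeValue>soc-analysts</AttributeValue></Attribute>
      </AttributeStatement></Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    attrs = attributes(sample_response())
    print("claim names sent:", *attrs, sep="\n  ")
    user = resolve(attrs)
    print("resolved:", user)
    naive = "polarity-users|polarity-admins"
    print("unanchored:", group_authorized(user["groups"], naive, anchored=False))
    print("anchored:  ", group_authorized(user["groups"], naive))
```

In the sample, the unanchored pattern `polarity-users|polarity-admins` admits a member of polarity-users-readonly while the anchored form does not; `allow_groups("polarity-users", "polarity-admins")` produces a pipe-separated pattern with any metacharacters escaped, which is the form to paste into the "Authorized groups regular expression" field. To inspect a real login, replace `sample_response()` with the SAMLResponse form value from your browser's developer tools.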

After entering the required options in Polarity, click on "Apply Changes" in the top right. When you navigate to the Polarity login screen you should now see the option to log in via your SAML Identity Provider.
