Okta
Configure SAML authentication with Okta
Last updated
Polarity SAML authentication should work with any identity provider (IdP), provided the application is set up correctly within the identity provider's account. This guide walks through configuring Polarity SAML authentication with Okta SAML 2.0.
The first step in setting up SAML authentication is to create a new Polarity application within Okta. To do this, navigate to "Applications" and click "Create App Integration".
Select the "SAML 2.0" option and click "Next". Fill in the settings as follows:
Polarity
You can download and upload the Polarity logo from this link:
Click "Next" to go to the next page of options.
leave blank
Attribute Statements (Name / Name format / Value):
username / Unspecified / user.login
email / Unspecified / user.email
fullname / Unspecified / user.firstName
leave blank
Click "Next" and finish the application setup.
Navigate to the "Polarity" application in Okta and click the "Sign On" tab at the top of the page.
On the right-hand side, click the button labelled "View SAML setup instructions".
This page provides all the settings required when configuring SAML on the Polarity Server Configuration page.
Now that the Polarity Okta application has been set up, configure SAML within Polarity using the values provided by Okta in the step above. To reach the SAML configuration page within Polarity, navigate to "Advanced Settings" -> "Server Configuration" -> "Client Authentication" and pick "SAML" from the drop-down menu:
Fill in the SAML options on the right as follows.
From the Okta configuration page, copy the "Identity Provider Single Sign-On URL" value and paste it into the Polarity SAML configuration page as the "SAML Endpoint URL" option value:
From the Okta configuration page, copy the "X.509 Certificate" option value and paste it into the "SAML Certificate" option value within Polarity.
You can change the label of the SAML sign-in button here to your preferred text. The default value is "Sign in with SAML".
Email attribute
Group attribute
This is the attribute in the SAML assertion that lists the groups the user belongs to (optional). If this field is left empty, no authorization checks are made and every user who authenticates through Okta can access Polarity; access is then controlled solely by which users are assigned the Polarity application in Okta. If an attribute name is provided that does not appear in the assertion, no users will be authorized.
If this attribute is provided and you want Polarity to enforce group-based authorization, you should also fill out the Authorized groups regular expression option.
If you are controlling access to Polarity via Okta Assignments, leave this option blank and assign users to the Polarity application via Okta.
If provided, each group the user belongs to (as listed in the attribute named by the Group attribute option) is matched against this regular expression. If any group matches, the user is authorized to log in to Polarity. The regular expression should not include leading or trailing forward slashes. It is wrapped in ^(?: )$ so that it must match a whole group name: for example, polarity matches only a group named exactly polarity and not polarity-admins, while polarity-.* matches both.
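The following is an added example, not Polarity's own code, showing how a service provider reads the attribute statements configured in Okta above out of an assertion and then applies the Group attribute / Authorized groups rule just described. The assertion is a constructed sample rather than a captured Okta response, the "groups" attribute name is hypothetical (Okta emits whatever name you configure in the group attribute statement), and the behaviour for a configured group attribute with an empty regular expression is an assumption, since the page does not specify it.

```python
import re
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from Okta). It carries the three
# attribute statements configured above (username, email, fullname) plus a
# hypothetical "groups" attribute with one AttributeValue per Okta group.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="fullname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>polarity-analysts</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def is_authorized(attrs, group_attribute, authorized_groups_regex):
    """Apply the Group attribute / Authorized groups rule described above.

    - No group attribute configured: no authorization check; every authenticated
      user is allowed (access is then governed only by Okta assignment).
    - Group attribute configured but absent from the assertion: nobody is allowed.
    - Otherwise the regex is wrapped in ^(?: )$ and tested against each group;
      one whole-name match is enough.
    Assumption (not stated on the page): a configured group attribute with an
    empty regex is treated as "no enforcement".
    """
    if not group_attribute:
        return True
    groups = attrs.get(group_attribute)
    if groups is None:
        return False
    if not authorized_groups_regex:
        return True
    pattern = re.compile("^(?:" + authorized_groups_regex + ")$")
    return any(pattern.match(group) for group in groups)


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ASSERTION)
    print("email attribute:", attrs["email"])
    for regex in ("polarity", "polarity-.*", "polarity-analysts|polarity-admins"):
        print(f"regex {regex!r} -> authorized: {is_authorized(attrs, 'groups', regex)}")
```

Because the expression is placed inside a non-capturing group before the anchors, an alternation such as polarity-analysts|polarity-admins applies both anchors to each alternative; without the wrapper, ^polarity-analysts|polarity-admins$ would accept any group name beginning with polarity-analysts or ending with polarity-admins.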
In the top right of the Polarity web interface, click on the "Apply Changes" button to save your new SAML configuration.
The Polarity sign-in page will now have an additional "Sign in with SAML" button (renamed if you modified the sign-in button label option). When a user clicks this button they are redirected to Okta to authenticate. If the user has been assigned the Polarity application in Okta (and passes the Authorized groups check, if one is configured), a new local account is created automatically for that user and they are logged in to Polarity.
Users who sign in via SAML cannot log in with a local password, because the account is marked as "remote" within Polarity. All password management for the account is done in Okta.