Single sign-on with SAML
This article provides a guide on how to set up SAML-based sign-on in Upsolver.
Upsolver supports SSO through SAML using an identity broker such as Microsoft Azure, Okta, or OneLogin, allowing secure single sign-on to Upsolver without transmitting any actual authentication credentials from your site.
This procedure describes how to set up the SAML-based sign-on in general terms. Specific identity broker procedures follow below.
Set up SAML-based sign-on
1. In your SAML-based sign-on identity provider, create a SAML application.
2. In Upsolver, click More > SAML.
3. Copy the Upsolver Single Sign On URL and Audience URI field values into the matching fields in your identity provider.
4. Configure the following SAML attributes:
   email (mandatory)
   firstName
   lastName
   groups (mandatory)
5. Ensure that the required users and groups are assigned to the SAML application.
6. In Upsolver, click More > SAML.
7. Click Edit Integration and copy the information from your identity provider into the following fields:
   Single Sign On URL
   Identity Provider Issuer
   X 509 CERTIFICATE
Note: At this stage, leave Allow Only SAML Sign On unchecked. Only change this once you have tested your SAML-based sign-on!
8. From your identity provider, log in to Upsolver. The SSO group and users are automatically provisioned in Upsolver.
9. In Upsolver, click More > IAM.
10. Select the Groups tab. The SAML Provisioned Group should appear. It appears as a group name if you are using Active Directory; otherwise it appears as a group ID.
12. (Optional) To lock down Upsolver to only allow SAML sign on, click More > SAML and select Allow Only SAML Sign On.
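A pre-flight check for the test login in step 8, added here as an example (it is not Upsolver's code): it inspects a decoded SAML assertion for the attributes from step 4 and the Audience URI from step 3 before you select Allow Only SAML Sign On. It assumes your identity provider sends the attribute names exactly as listed in step 4; `check_assertion`, the sample assertions and the audience value are hypothetical, constructed placeholders.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
MANDATORY = ("email", "groups")        # marked mandatory in step 4
OPTIONAL = ("firstName", "lastName")

def check_assertion(xml_text, expected_audience):
    """Return (errors, warnings) for a decoded SAML assertion.
    Checks configuration only; it does not verify the XML signature."""
    if "<!DOCTYPE" in xml_text:        # no DTDs: avoids entity-expansion tricks
        return ["DOCTYPE not allowed"], []
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    audiences = [a.text.strip() for a in root.iter(SAML + "Audience") if a.text]
    if expected_audience not in audiences:
        errors.append("audience mismatch: %s" % audiences)
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        values = [v.text.strip() for v in attr.iter(SAML + "AttributeValue")
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    for name in MANDATORY:
        if not attrs.get(name):        # absent, or present with no value
            errors.append("missing mandatory attribute: " + name)
    for name in OPTIONAL:
        if not attrs.get(name):
            warnings.append("optional attribute not sent: " + name)
    return errors, warnings

# Constructed sample; the audience value is a placeholder, not a real Upsolver URI.
AUDIENCE = "https://audience.placeholder.example"
TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>%s</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>%s</saml:AttributeStatement>
</saml:Assertion>"""

def attribute(name, *values):
    body = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values)
    return '<saml:Attribute Name="%s">%s</saml:Attribute>' % (name, body)

GOOD = TEMPLATE % (AUDIENCE, attribute("email", "ana@example.com")
                   + attribute("firstName", "Ana") + attribute("lastName", "Diaz")
                   + attribute("groups", "data-eng", "admins"))
BAD = TEMPLATE % ("https://other.example", attribute("email", "ana@example.com")
                  + attribute("groups"))   # groups declared but empty
```

Run `check_assertion` on an assertion captured from a test login; an empty error list means the attribute and audience settings match this procedure.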
SAML deny policy
You may want to apply a policy that denies permission to update or delete the SAML configuration.
[
  {
    "effect": "Deny",
    "actions": [
      "organization:edit:update-saml-configuration",
      "organization:edit:delete-saml-configuration"
    ],
    "resources": [
      "*"
    ],
    "conditions": []
  }
]