Upsolver
Search…
Single sign-on with SAML
This article provides a guide on how to set up SAML-based sign-on in Upsolver.
Upsolver supports SSO through SAML using an identity broker such as Microsoft Azure, Okta, or onelogin to allow for a secured single sign-on to Upsolver without transmitting any actual authentication credentials from your site.
This procedure describes how to set up the SAML-based sign-on in general terms. Specific identity broker procedures follow below.

Prerequisites:

An admin user on Upsolver.

Set up SAML-based sign-on

Note: For more details, see the specific identity provider below.
1. In your SAML-based sign-on identity provider, create a SAML application.
2. In Upsolver, click More > SAML.
3. Copy the Upsolver Single Sign On URL and Audience URI field values into the matching fields in your identity provider.
4. Configure the following SAML attributes:
  • email (mandatory)
  • firstName
  • lastName
  • groups (mandatory)
5. Ensure that the required users and groups are assigned to the SAML application.
6. In Upsolver, click More > SAML.
7. Click Edit Integration and copy the information from your identity provider into the following fields:
  • Single Sign On URL
  • Identity Provider Issuer
  • X 509 CERTIFICATE
Note: At this stage, leave the Allow Only SAML Sign On unchecked. Only change this once you have tested your SAML-based sign-on!
8. From your identity provider, log in to Upsolver. The SSO group and users are automatically provisioned in Upsolver.
There are no default policies for SAML provisioned groups, so users only have permissions to sign on to Upsolver.
9. In Upsolver, click More > IAM.
10. Select the Groups tab. The SAML Provisioned Group should appear. This appears as a group name if you are using Active Directory, otherwise this appears as a group ID.
11. Click the pencil icon
to edit the group, and click Add Policy to add any required Upsolver policies. See: Identity and access management
12. (Optional) To lock down Upsolver to only allow SAML sign on, click More > SAML and select Allow Only SAML Sign On.

SAML deny policy

You may want to apply the policy that denies access to updating or deleting the SAML configuration.
1
[
2
{
3
"effect": "Deny",
4
"actions": [
5
"organization:edit:update-saml-configuration",
6
"organization:edit:delete-saml-configuration"
7
],
8
"resources": [
9
"*"
10
],
11
"conditions": []
12
}
13
]
Copied!