Single sign-on with SAML

Upsolver supports SSO through SAML using an identity broker such as Microsoft Azure, Okta, or onelogin to allow for a secured single sign-on to Upsolver without transmitting any actual authentication credentials from your site.

This procedure describes how to set up the SAML-based sign-on in general terms. Specific identity broker procedures follow below.

Set up SAML-based sign-on

1. In your SAML-based sign-on identity provider, create a SAML application.

2. In Upsolver, click More > SAML.

3. Copy the Upsolver Single Sign On URL and Audience URI field values into the matching fields in your identity provider.

4. Configure the following SAML attributes:

• email (mandatory)

• firstName

• lastName

• groups (mandatory)

5. Ensure that the required users and groups are assigned to the SAML application.

6. In Upsolver, click More > SAML.

7. Click Edit Integration and copy the information from your identity provider into the following fields:

• Single Sign On URL

• Identity Provider Issuer

• X 509 CERTIFICATE

8. From your identity provider, log in to Upsolver. The SSO group and users are automatically provisioned in Upsolver.

9. In Upsolver, click More > IAM.

10. Select the Groups tab. The SAML Provisioned Group should appear. This appears as a group name if you are using Active Directory, otherwise this appears as a group ID.

12. (Optional) To lock down Upsolver to only allow SAML sign on, click More > SAML and select Allow Only SAML Sign On.

SAML deny policy

You may want to apply the policy that denies access to updating or deleting the SAML configuration.

[
  {
    "effect": "Deny",
    "actions": [
      "organization:edit:update-saml-configuration",
      "organization:edit:delete-saml-configuration"
    ],
    "resources": [
      "*"
    ],
    "conditions": []
  }
]