---
title: "Configure Azure ADFS as SAML Provider – Polarity Server v5"
slug: "polarity-configure-azure-adfs"
description: "Set up Azure ADFS as a SAML identity provider for Polarity Server v5 single sign-on (SSO). Step-by-step configuration guide for enterprise authentication and user access control."
updated: 2025-11-11T20:43:38Z
published: 2025-11-11T20:43:38Z
---

# Configure Azure ADFS as SAML Provider

*Configure SAML authentication with Microsoft Azure ADFS*

REFERENCE

The following link provides steps on how to set up SSO in Azure ADFS:

[https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso)

Polarity-specific setup instructions can be found below.

## Configure Azure ADFS for Polarity

### Create a “Polarity App”

1. Navigate to the Azure Active Directory Admin Center
  1. `https://aad.portal.azure.com`
2. From the left navigation menu select "**Applications**" -> "**Enterprise applications**" -> "**New Application**" -> "**Create your own application**".
3. Name your app (e.g., "Polarity").
4. Select the radio button for "**Integrate any other application you don't find in the gallery (Non-gallery)**".

### Single Sign On

1. Once the application is created, select the option to "**Set up single sign on**". You may also find this option in the left navigation menu. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_1_Azure_ADFS.png)
2. Select the "**SAML**" single sign-on method.

### Basic SAML Configuration

1. In the "**Basic SAML Configuration**" block, click on the "**Edit**" icon ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_2_Azure_ADFS.png)
2. On the “**Basic SAML Configuration**” page, fill in the fields as specified below:
  1. **Identifier (Entity ID)**
    1. `https://<your-polarity-server-fqdn>`
  2. **Reply URL (Assertion Consumer Service URL)**
    1. `https://<your-polarity-server-fqdn>/sso/sp/consume/saml`
  3. **Sign on URL *(Optional)***
    1. **Optional** but can be set to:
      1. `https://<your-polarity-server-fqdn>`
      2. *Replace* `<your-polarity-server-fqdn>` *with the fully-qualified domain name of your Polarity server.*
  4. **Default Relay State**
    1. `https://<your-polarity-server-fqdn>/auth-success`
  5. **Logout URL *(Optional)***
    1. *Not needed*
3. Once you have filled in the "**Identifier**" and "**Reply URL**" click on the "**Save**" button.

#### Attributes & Claims

1. Click on the "**Edit**" button in the "**Attributes & Claims**” block. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_3_Azure_ADFS.png)
2. The page will show two columns. A "**Claim name**" column and a "**Value**" column. You will need to identify three required values when configuring SAML on the Polarity Server:
  1. **An email value**
  2. **A username value**
  3. **A full name value**
3. In most cases there will already be an email address (`user.mail`) and username (`user.userprincipalname`) claim.
4. For the full name value we suggest creating a new claim by clicking on the "**Add new claim**" and filling in the following values:
  1. **Name**: `displayname`
  2. **Source**: `Attribute`
  3. **Source attribute**: `user.displayname`
5. Click on "**Save**" when done.
6. Note the "**Claim name**" for the `user.mail`, `user.displayname`, and `user.userprincipalname` values. The “**Claim name**” for each of these values will be used when configuring SAML on the Polarity Server.
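Polarity is given only the last segment of each claim name (see the Polarity configuration steps), so it is worth checking that each segment you plan to enter resolves to exactly one claim in the assertion. The following is an added example, not Polarity or Microsoft code; the attribute statement is constructed, the `http://example.invalid` namespace is made up to show a collision, and the function names are hypothetical. How Polarity behaves when two claims share a last segment is not stated on this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ATTR = "{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

def _attr(name, value):
    return f'<s:Attribute Name="{name}"><s:AttributeValue>{value}</s:AttributeValue></s:Attribute>'

# Constructed AttributeStatement, not captured from a real tenant. The last
# claim uses a made-up namespace to show a last-segment collision.
SAMPLE = (
    '<s:AttributeStatement xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">'
    + _attr(NS + "name", "jdoe@example.com")
    + _attr(NS + "emailaddress", "jane.doe@example.com")
    + _attr("displayname", "Jane Doe")
    + _attr("http://example.invalid/claims/displayname", "Doe, Jane")
    + "</s:AttributeStatement>"
)

def last_segment(claim_name):
    """The part of the claim name that is entered into Polarity."""
    return claim_name.rstrip("/").rsplit("/", 1)[-1]

def index_claims(xml_text):
    """Map last segment -> full claim names found in the assertion."""
    # ElementTree is fine for your own capture; use a hardened parser for untrusted XML.
    by_segment = defaultdict(list)
    for attr in ET.fromstring(xml_text).iter(ATTR):
        by_segment[last_segment(attr.get("Name", ""))].append(attr.get("Name", ""))
    return dict(by_segment)

def check_mapping(xml_text, mapping):
    """mapping: Polarity field -> last segment entered. Returns a list of problems."""
    claims = index_claims(xml_text)
    problems = []
    for field, segment in mapping.items():
        names = claims.get(segment, [])
        if not names:
            problems.append(f"{field}: no claim ends in '{segment}'")
        elif len(names) > 1:
            problems.append(f"{field}: '{segment}' is ambiguous: {', '.join(names)}")
    return problems

if __name__ == "__main__":
    for line in check_mapping(SAMPLE, {"username": "name", "email": "emailaddress",
                                       "full name": "displayname"}):
        print(line)
```

To use it on your own tenant, replace `SAMPLE` with the `AttributeStatement` (or the whole decoded response) from a test sign-in.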

#### SAML Certificates

From the "**SAML Certificates**" block, download the "**Federation Metadata XML**" file. We will use the content of this file when we configure the Polarity Server to use SAML Authentication.

#### Users and Groups

We recommend controlling access to Polarity by granting access to the Polarity application in Azure via the “Users and groups” settings within the app, as opposed to forcing a Group attribute.

---

## Configure Polarity for Azure ADFS

1. Log in to the Polarity Server as a local administrator (browser recommended for this process).
2. Navigate to "**Server Configuration**" in the left navigation panel.
3. Click on the "**Client Authentication**" tab at the top of the page.
4. From the "**Authentication Method**" drop down select "**SAML**". ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_4_Azure_ADFS.png)
5. Fill in the following configuration details using information from the Azure app created in the previous steps:
  1. **Polarity Server Fully Qualified Domain Name (FQDN)**
    1. Fill in the FQDN of your Polarity Server, including the scheme (`https://`).
  2. **SAML Identity Provider (IdP) XML Metadata**
    1. Paste in the content of the **full Federation Metadata XML** file that was exported from Azure.
  3. **Sign in button label**
    1. You can customize the label on the SAML sign-in button by entering text here.
  4. **Username Attribute** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_5_Azure_ADFS.png)
    1. The **username attribute value** must be a unique value for every user on the system. In most cases you will want to use the `user.userprincipalname` value, which will have the "Claim name":
      1. `user.userprincipalname`
      2. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name`
    2. You can also use an **email address** for the **username attribute**, which in most cases will have the "Claim name":
      1. `user.mail`
      2. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
    3. When setting the username attribute in the Polarity SAML configuration you will only provide the last segment of the claim name.
      1. *As an example*, if you wanted to use the claim `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` you would only enter the value `name` into Polarity.

IMPORTANT!

Be sure to only use the last segment of the "Claim name" when configuring attributes within Polarity.
  5. **Email Attribute** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_6_Azure_ADFS.png)
    1. The **email attribute** must be a unique and valid email for each user in Polarity.
    2. The Email Attribute will typically use the `user.mail` value from ADFS.
    3. In most cases, the Email Attribute in Polarity uses the following "Claim name":
      1. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`
    4. *As we only use the last segment of the "Claim Name"*, you would set the Email attribute in Polarity to `emailaddress`.
  6. **Full name attribute** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure_7_Azure_ADFS.png)
    1. The **full name attribute** contains the user's given and surname.
    2. In most cases you will want to use the value `user.displayname`.
      1. There is usually no default "Claim name" for the `user.displayname` attribute.
      2. If you added this claim when configuring SAML within Azure then the "Claim name" would be `displayname`.
    3. If you did not add a `displayname` claim when configuring SAML in Azure, you can pick either the `user.givenname` or `user.surname` values, which are available by default in most cases.
      1. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname` or
      2. `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`
    4. *As an example,* if you wanted to use the `surname` claim, the **Full name attribute** would be set to `surname`.
  7. **Group attribute**
    1. You can optionally set a "**Group attribute**" which is used to identify which Azure ADFS group(s) an authorized user may belong to. You can then authorize specific groups using the "Authorized groups regular expression" option.
    2. *If you leave this blank, all authenticated SAML users will be authorized to log in to the Polarity Server.*

NOTE

We ***highly*** recommend leveraging the "Users and Groups" permissions within Azure ADFS to control which users and groups have access to the Polarity application, rather than controlling access from the Polarity Server.
  8. **Authorized groups regular expression**
    1. Provide one or more groups separated by a pipe (`|`).
    2. More complex group matches can be accomplished with a custom regular expression.
    3. The provided regex will be run against the provided "**Group attribute**" of the user.
    4. If the regex passes, the user will be granted access to the Polarity Server.
6. After entering the required options in Polarity, click on "**Apply Changes**" in the top right.

When you navigate to the Polarity login screen, you should now see the option to log in via your SAML Identity Provider.
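If you do use the "**Authorized groups regular expression**" option, a bare pipe-separated list can accept more groups than intended when the regex is applied as a substring search. The following is an added example, not Polarity code, comparing a bare list with an anchored, escaped pattern. The group names are constructed, the function names are hypothetical, and it assumes each group value is tested on its own; the page does not state whether Polarity uses search or full-match semantics, so both are shown.

```python
import re

def anchored_group_pattern(groups):
    """Build ^(?:a|b)$ from literal group names, escaping regex metacharacters.

    Escaping follows Python's re.escape; check the result against the regex
    flavour your server uses before pasting it in.
    """
    return "^(?:" + "|".join(re.escape(g) for g in groups) + ")$"

def accepted(pattern, candidates, full_match=False):
    """Return the candidate group values that the pattern lets through."""
    rx = re.compile(pattern)
    test = rx.fullmatch if full_match else rx.search
    return [c for c in candidates if test(c)]

# Constructed group names for illustration.
INTENDED = ["SOC-Analysts", "Polarity.Admins"]
LOOKALIKES = ["SOC-Analysts-Contractors", "Former-SOC-Analysts",
              "PolarityXAdmins", "HR"]

NAIVE = "SOC-Analysts|Polarity.Admins"      # groups simply joined with a pipe
ANCHORED = anchored_group_pattern(INTENDED)  # exact names only

if __name__ == "__main__":
    everyone = INTENDED + LOOKALIKES
    print("naive, search    :", accepted(NAIVE, everyone))
    print("naive, full match:", accepted(NAIVE, everyone, full_match=True))
    print("anchored, search :", accepted(ANCHORED, everyone))
```

The anchored pattern admits only the intended groups under either matching mode; confirm the behaviour with a test account that is outside the intended groups.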
