SAML Troubleshooting
- Updated on 24 Dec 2024
SAML FAQ & Troubleshooting
If SAML is enabled, can local user accounts still log in?
Yes. If SAML is enabled you can still log in with a local account using your local password. Instead of clicking the Login with SAML button, which redirects you to your IdP, log in with your normal username and password from the sign-in page.
How can I prevent local logins for an account that should authenticate via SAML?
To disable local logins for an account, update that account in Polarity to be a remote account instead of a local one. Accounts marked as remote can only be authenticated via SAML.
If a user authenticates via SAML and already has a local account, can the user log in?
Yes. If a user authenticates via SAML and already has a local account (matched by email address), the user can still log in.
How is a user’s SAML identity tied to their local account?
Local accounts are tied to the user’s SAML identity by email address: the email in the SAML assertion must match the email on the Polarity account.
If a user’s Polarity account is disabled, can the user still log in via SAML?
No. If a user’s Polarity account is disabled (from within the Polarity interface), the user will not be able to log in via SAML.
“Problem encountered while verifying user profile”
If you see this error in the server logs when a user tries to authenticate via SAML, it can mean the user is logging in with an account whose email address is duplicated in Polarity. Emails are compared case-insensitively, so you cannot have two accounts with the same email in different casing (e.g., ed@polarity.io and ED@polarity.io).
{
"message":"Problem encountered while verifying user profile",
"name":"DataIntegrityError",
"stack":"DataIntegrityError: Query returns an unexpected result.\n at Object.one (/app/polarity-server/node_modules/slonik/dist/src/connectionMethods/one.js:26:15)\n at runMicrotasks (<anonymous>)\n at processTicksAndRejections (internal/process/task_queues.js:97:5)\n at async Object.createConnection (/app/polarity-server/node_modules/slonik/dist/src/factories/createConnection.js:96:18)\n at async findOrCreateUser (/app/polarity-server/lib/auth/saml/verify-profile.js:81:35)\n at async MultiSamlStrategy.verifyProfile [as _verify] (/app/polarity-server/lib/auth/saml/verify-profile.js:102:18)",
"level":"error",
"timestamp":"2021-12-14T00:34:27.919Z"
}
To resolve this issue, log into Polarity as an admin and navigate to the Team page. Find the accounts with the conflicting emails and choose one to be the primary SAML account. Ensure that account's email address matches the email from the user's SAML account, then edit the email of the other Polarity account so that it no longer conflicts.
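The matching rules in the answers above (email as the link between the SAML identity and the Polarity account, case-insensitive comparison, remote accounts refusing password logins, disabled accounts refusing SAML logins, and the duplicate-email condition behind the DataIntegrityError) can be shown together. The following is an added example written for this page; it is not Polarity's server code. The account records, the SAML profile and the function names (resolveSamlUser, canLoginLocally, findDuplicateEmails) are constructed for illustration, and what Polarity does when no account matches is not described on this page, so the example simply reports that case.

```javascript
// Added example, not Polarity's code. Constructed sample account records:
// 'ed' and 'ed-admin' collide case-insensitively on email, which is the
// situation the "Problem encountered while verifying user profile" error describes.
const LOCAL_ACCOUNTS = [
  { id: 1, username: 'ed',       email: 'ed@polarity.io',  type: 'local',  enabled: true },
  { id: 2, username: 'ed-admin', email: 'ED@polarity.io',  type: 'remote', enabled: true },
  { id: 3, username: 'sam',      email: 'sam@polarity.io', type: 'remote', enabled: false },
  { id: 4, username: 'kim',      email: 'kim@polarity.io', type: 'remote', enabled: true },
];

// Emails are compared case-insensitively, so normalise before comparing.
function normalizeEmail(email) {
  return String(email).trim().toLowerCase();
}

// Mirrors the error name seen in the server log on the page.
class DataIntegrityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'DataIntegrityError';
  }
}

// Resolve the account a SAML profile maps to. Exactly one account may match
// the assertion's email; more than one is the duplicate-email condition, and a
// disabled account is rejected even though the IdP authenticated the user.
function resolveSamlUser(profile, accounts) {
  const wanted = normalizeEmail(profile.email);
  const matches = accounts.filter((a) => normalizeEmail(a.email) === wanted);
  if (matches.length > 1) {
    throw new DataIntegrityError('Problem encountered while verifying user profile');
  }
  if (matches.length === 0) {
    return { ok: false, reason: 'no-account' }; // behaviour not described on this page
  }
  const account = matches[0];
  if (!account.enabled) {
    return { ok: false, reason: 'disabled' };
  }
  return { ok: true, account };
}

// Local password login: only enabled accounts of type 'local' may use it;
// accounts marked 'remote' must come in through SAML.
function canLoginLocally(username, accounts) {
  const account = accounts.find((a) => a.username === username);
  return Boolean(account && account.enabled && account.type === 'local');
}

// Admin audit before enabling SAML: list groups of accounts whose emails
// collide once casing is ignored. Each group must be reduced to one account.
function findDuplicateEmails(accounts) {
  const byEmail = new Map();
  for (const a of accounts) {
    const key = normalizeEmail(a.email);
    if (!byEmail.has(key)) byEmail.set(key, []);
    byEmail.get(key).push(a.username);
  }
  return [...byEmail.entries()]
    .filter(([, users]) => users.length > 1)
    .map(([email, users]) => ({ email, users }));
}

// Stand-alone demonstration.
console.log(findDuplicateEmails(LOCAL_ACCOUNTS));            // [{ email: 'ed@polarity.io', users: ['ed', 'ed-admin'] }]
console.log(resolveSamlUser({ email: 'Kim@Polarity.io' }, LOCAL_ACCOUNTS).ok); // true
console.log(canLoginLocally('kim', LOCAL_ACCOUNTS));          // false (remote account)
```

Running findDuplicateEmails over the account list before turning SAML on surfaces the same collision the DataIntegrityError reports at login time, which is the point at which an admin would rather find it.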
IdP-initiated logins are giving the error "There was an application error"
The following error can occur when attempting an IdP-initiated login (e.g., clicking the Polarity application icon from Okta) if the `Unique Id` option in the Polarity SAML settings is checked:
{"error":"There was an application error"}
If you see this error, navigate to the Server Configuration -> Client Authentication page, find the Match SAML response to unique ID option and uncheck it. Click the "Apply Changes" button in the top right to save the change, then retry your IdP-initiated login.
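The following added example (not Polarity's code) shows why a "match response to unique ID" check and IdP-initiated logins conflict, and what is given up by unchecking the option. It assumes that the option corresponds to validating the SAML Response's InResponseTo attribute against the ID of an AuthnRequest the service provider issued; the page does not state that mapping, so treat it as an assumption. In an IdP-initiated flow no AuthnRequest was ever sent, so the response carries no InResponseTo and strict matching has nothing to match. The request IDs, the two response strings and the function names (getInResponseTo, validateResponse) are constructed for illustration, not real SAML messages.

```javascript
// Added example, not Polarity's code. Assumption: the "Match SAML response to
// unique ID" setting behaves like InResponseTo validation in an SP.

// Extract the InResponseTo attribute from a response document, or null when
// the response is unsolicited (IdP-initiated). A regex is enough for the
// constructed one-element samples below; real SAML needs an XML parser.
function getInResponseTo(responseXml) {
  const m = /InResponseTo="([^"]+)"/.exec(responseXml);
  return m ? m[1] : null;
}

// Validate a response under the given setting. `pending` is the set of
// AuthnRequest IDs this SP issued and has not yet seen a response for.
function validateResponse(responseXml, { matchUniqueId }, pending) {
  const inResponseTo = getInResponseTo(responseXml);
  if (matchUniqueId) {
    if (inResponseTo === null) {
      // This is the IdP-initiated case: no request was sent, so the check fails.
      return { accepted: false, reason: 'unsolicited response has no InResponseTo' };
    }
    if (!pending.has(inResponseTo)) {
      return { accepted: false, reason: 'InResponseTo does not match a pending request' };
    }
    pending.delete(inResponseTo); // consume the ID so the same response cannot be presented twice
    return { accepted: true, flow: 'sp-initiated' };
  }
  // Matching disabled: unsolicited responses are accepted. Signature, audience,
  // destination and validity-window checks (not shown here) become the only
  // controls on a response that the SP never asked for.
  return { accepted: true, flow: inResponseTo ? 'sp-initiated' : 'idp-initiated' };
}

// Constructed sample responses (placeholder hostname, not a real deployment).
const SP_INITIATED  = '<samlp:Response ID="_r1" InResponseTo="_req-7f3a" Destination="https://polarity.example/saml/callback"/>';
const IDP_INITIATED = '<samlp:Response ID="_r2" Destination="https://polarity.example/saml/callback"/>';

// Stand-alone demonstration.
console.log(validateResponse(SP_INITIATED,  { matchUniqueId: true },  new Set(['_req-7f3a']))); // accepted, sp-initiated
console.log(validateResponse(IDP_INITIATED, { matchUniqueId: true },  new Set(['_req-7f3a']))); // rejected: no InResponseTo
console.log(validateResponse(IDP_INITIATED, { matchUniqueId: false }, new Set()));              // accepted, idp-initiated
```

The second call is the "application error" scenario from this FAQ: the Okta-tile login arrives without an InResponseTo and strict matching rejects it. The third call is the state after unchecking the option; it works, and the remaining assertion checks carry the full weight of validating a response the SP never requested.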