SAML SSO for Solve

    Article Summary

    When accessing Solve via a direct URL, you can configure SAML to enable Single Sign-On (SSO) authentication. The settings in Solve enable you to set up a trust relationship between the URL hosting Solve and your company's Identity Provider (IdP) so users can access Solve securely.

    Process Overview

    Here is an overview of what you have to do to configure SAML in Solve. See below for detailed steps and use case examples with specific Identity Providers.

    • Enter the required URLs from your IdP into the Solve settings page.
    • Upload a trust certificate from your IdP into the Solve settings page.
    • Download the trust certificate from the Solve page and add it into your IdP.
    • Retrieve the necessary fields from the Solve settings page and enter them into your IdP.

    Configure SAML in the Solve Interface

    These are the steps you have to perform regardless of which IdP you use. Select a use case example below to see details about specific Identity Providers.

    1. In your chosen IdP, locate the trust certificate to use for Solve and copy it to a location accessible to the local computer from where you are accessing Solve.
    2. Open the ControlUp Real-Time Console.
    3. Access Solve from the Solve menu on the top ribbon of the Real-Time Console. The Solve interface opens in a browser window.
    4. In the Solve home page, click the settings link on the bottom of the menu on the left side of the window.
    5. In the Solve Settings page, select Enable SAML (SSO) Authentication.
      It is recommended not to enable both SAML and LDAP. If both are enabled, Solve uses SAML authentication.
    6. By default, Create Solve User Automatically is enabled, which creates a ControlUp account for a user when they sign in to Solve with SAML. Note that this feature requires specific user attributes in your IdP. If you don't want to automatically create the ControlUp account, you can disable this option. For more details, visit Automatically Create ControlUp Users From Your IdP below.
    1. Enter the following URLs from your IdP:
      • IdP Login URL. The URL used for logging into your IdP.
      • IdP Logout URL. This is an optional field to use for signing out of the IdP. For example, if ADFS is the IdP, the URLs could look like this with your company's domain:
    2. Click IdP Signing Certificate and locate the certificate from your IdP that you copied in step 1.
    3. Enter the Entity/Issuer ID. The virtual server as configured in the IdP connection certificate.
      For example, the URL could look like this with your company's domain:
    4. The Solve settings page provides you with the following values:
      • Relying Party Trust Identifier. The unique uniform resource name that is a persistent identifier.
      • Endpoint/Assertion Login URL. The endpoint that your IdP will use to redirect during the authentication process.
      • Assertion Logout URL. Optional value for
        Here's an example of what these values could look like:
        Copy these values and enter them into the appropriate locations in your IdP.
    5. Under Solve Signing Certificate, click the certificate link to download the trust certificate for Solve and save it in a location that your IdP can access.
      Now you can return to your chosen IdP and create an endpoint for Solve using the values provided and the downloaded certificate.
    UPN assertion
    Note that for any IdP, we assert the UPN, which must match what the IdP presents, so we require the NameID attribute with the UPN value of the user. For example:
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">The user created</NameID>

    Use Case Example - Active Directory Federated Services

    Read here to get the basic details of how to configure secure SAML authentication if your Identity Provider (IdP) is ADFS.

    1. Open your ADFS interface.
    2. Under the Service folder, click Certificates. Copy one of the certificates to a location accessible to the user configuring the SAML settings for Solve.
      This is step 1 from the generic steps above, and you upload this certificate in step 7 above.
    3. In the ADFS interface, select Relying Party Trusts. Right-click to open the Properties dialog.
    4. In the Properties dialog, select the Endpoints tab and click Add SAML... The Edit Endpoint dialog opens.
    5. Under the Trusted URL field, copy the Assertion URL you retrieved from the Solve Settings page in step 9 of the procedure above.
      Ensure that:
      Endpoint type is SAML Assertion Consumer
      Binding is POST
    6. Click OK and this Endpoint is added.
    7. In the same Properties dialog, select the Signature tab, click Add and upload the Solve certificate you downloaded in step 10 of the procedure above.
    8. In the same Properties dialog, select the Identifiers tab, and under the Relying party identifier: field, enter the Relying Party Trust Identifier value you retrieved from the Solve Settings page in step 9 of the above procedure. Click Add next to the field and you'll see the URN added to the list of Relying party identifiers in the dialog.
    9. Click the Relying Party Trusts folder, right-click the claim rule, and select Edit Claim Issuance Policy...
    10. In the Edit Claim Issuance Policy wizard, click Add Rule...
    11. In the Choose Rule Type wizard, select Send LDAP Attributes as Claims as the claim rule template and click Next.
    12. On the Configure Claim Rule screen, provide a Claim rule name. Choose Active Directory from the Attribute store dropdown menu. Under Mapping of LDAP attributes to outgoing claim types, select User-Principal-Name as an LDAP attribute and UPN for the outgoing claim type. Click Finish to save the rule.
    13. Confirm the new rule by clicking OK.

    Your Solve users should now be able to authenticate through your ADFS identity provider.

    Use Case Example - Azure Active Directory


    • Must have an Azure Enterprise account.
    • Azure Active Directory (AD) must be configured.
    • Must have the necessary permissions to create the application.

    Preparation on Azure AD

    1. In the Browse Azure AD Gallery, select Create your own application.
    2. In the Create your own application page, enter a name of your choosing and select Integrate any other application you don't find in the gallery.
    3. Click Create.
    4. Review the app you’ve just created.

    Assignment Option

    Assign Users and Groups

    In the properties Management tab, set User Assignment required? to NO.

    Before completing the configuration:

    • Check that the claim attributes in the Enterprise Application have corresponding values for all users. An account without a value for each attribute will fail Solve SSO.
    • If you enabled Create Solve User Automatically in your Solve settings, then you need to ensure that you add the required user attributes. Visit Automatically Create ControlUp Users From Your IdP below for details.

    Side-by-side with comments (Azure console and Solve settings)

    Here is a side-by-side comparison of the values from Azure AD that must be entered into the Solve SAML settings and vice versa. The arrows indicate from where you can obtain the applicable string and to where it goes in the other application.
    Azure AD Console                                                                     Solve SAML Settings

    Use Case Example - DUO


    • Must have a DUO account with the necessary permissions to Protect an Application.

    What to do in DUO

    1. In DUO, select Applications > Protect an application.
    2. Search for Generic Service Provider.
    3. Click Protect.
    4. In the Generic Service Provider - Single Sign-On page, enter the parameters from the Solve page as detailed in the procedure above and described in the illustration below.
    5. In the Solve page detailed in the procedure above, enter the parameters as described in this illustration below.

    Side-by-side with comments (DUO and Solve settings)


    Use Case Example - OKTA


    • Must have an Okta account with the necessary permissions to Create App Integration.


    1. Open Okta. Select Application and click Create App Integration.
    2. In the Create a new app integration dialog, select SAML 2.0. Click Next.
    3. In the Create SAML Integration > 1 General Settings step, enter the App name field. Here we called the app Solve. The logo field is optional as are the App visibility options. Click Next.
    4. In the Create SAML Integration > 2 Configure SAML step:
      1. Enter the Single sign on URL. You can find this value in the Solve Settings page. It is the Endpoint Assertion URL.
      2. Enter the Audience URI (SP Entity ID). This value is taken from the Solve Settings page. It is the Relying Party Trust Identifier. 
        These values are provided by the Solve application to enter in your identity provider software. (See step 9 in the SAML procedure above.)
      3. Under the Single sign on URL value, select the Use this for Recipient URL and Destination URL option.
    5. In the Create SAML Integration > 3 Feedback step, select I'm an Okta customer adding an internal app.
    6. Go to the Sign on tab for the new application you just created, and click the View Setup Instructions link. This enables you to access the x.509 certificate and other values from Okta that you must enter into the Solve Settings page.
    7. In How to Configure SAML 2.0 for Solve Application:
      1. Copy each of the values to enter into Solve settings as follows:
        Value from Okta                        Copy into Solve Settings
        Identity Provider Single Sign-On URL   IdP Login URL
        Identity Provider Issuer               Entity/Issuer ID
      2. Click Download certificate. Save it to a location that is accessible when you open Solve settings so you can upload it there.
    8. Open Solve and go to the Settings page to access the SAML configuration. Enter these values for Okta into Solve.
    3rd Party Identity Provider Applications
    We have provided these use case examples for your benefit but do not take responsibility for the screenshots, content and functionality for any of these 3rd party applications.

    Automatically Create ControlUp Users from Your IdP

    Note for DEX users
    If you access ControlUp using the DEX web application, then this feature is not currently available. For details, click here.

    If you enable the option Create Solve user automatically, a ControlUp user is created the first time a new user signs in to Solve via SAML. If you don't enable this option, each user must first register in the Real-Time Console, or be added to ControlUp using a script.

    This feature is supported only if you use Azure AD, ADFS, Okta, or Ping as your IdP.

    To create new ControlUp users from SAML:

    1. Enable Create Solve user automatically in Solve SAML settings. Only users with Manage Solve permission can enable this option.
    2. Map your IdP user attributes to the attributes required by ControlUp. ControlUp expects to receive the following attributes. If these are missing, we can't create the ControlUp user:
      • upn
      • givenname
      • surname
      • emailaddress 
      • sAMAccountName
      • distinguishedName

        Click these links to learn how to set up user attribute mapping in Azure AD, ADFS, Okta, and Ping.
        Note for Azure AD
        If you use Azure AD as your IdP, some of these attributes are configured by default. You need to:

        1. Add the claim sAMAccountName from the value user.onpremisessamaccountname.
        2. Add the claim distinguishedName from the value user.onpremisesdistinguishedname.
        3. Add the claim emailaddress from the value user.mail.

        Once your Azure AD SAML settings for Solve have the following Attributes & Claims, you are all set up.

    3. The first time a user with the attributes above signs in to Solve via SAML, their ControlUp user is created, but they do not have permission to access Solve. A ControlUp administrator must give the user permission to Use Solve or Manage Solve in the Real-Time Console security policy.

    4. After the user has been given permission to access Solve, they can sign in to Solve via SAML and access your environment.
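
    The NameID requirement from the UPN assertion note and the attribute list for automatic user creation can be checked before rollout against an assertion decoded from a test sign-in. The following is an added example, not ControlUp code. It assumes that claim names may arrive as URIs and are matched on their last path segment, and that NameID should equal the upn attribute; build_sample, CLAIM_PREFIX and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_PREFIX = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"  # assumed URI form
# Attribute names this page lists as required for automatic user creation.
REQUIRED = ["upn", "givenname", "surname", "emailaddress",
            "sAMAccountName", "distinguishedName"]
# Constructed sample values, not real user data.
SAMPLE_ATTRS = {"upn": "jdoe@example.com", "givenname": "Jane", "surname": "Doe",
                "emailaddress": "jdoe@example.com", "sAMAccountName": "jdoe",
                "distinguishedName": "CN=Jane Doe,OU=Users,DC=example,DC=com"}

def build_sample(name_id, attrs):
    """Constructed test input: a minimal unsigned assertion, not real IdP output."""
    claims = "".join(
        f'<saml:Attribute Name="{CLAIM_PREFIX}{k}">'
        f'<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for k, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{claims}</saml:AttributeStatement>'
            f'</saml:Assertion>')

def short_name(name):
    # Assumption: compare on the last URI segment, case-insensitively.
    return name.rstrip("/").rsplit("/", 1)[-1].lower()

def check_assertion(xml_text):
    """List what is missing from a decoded assertion. Diagnostic only:
    this does not verify the signature and must not be used to authenticate."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[short_name(attr.get("Name", ""))] = [v for v in values if v]
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    name_id_value = (name_id.text or "").strip() if name_id is not None else ""
    if not name_id_value:
        problems.append("NameID missing or empty")
    for required in REQUIRED:
        if not attrs.get(required.lower()):
            problems.append(f"attribute missing or empty: {required}")
    upn = attrs.get("upn", [])
    if name_id_value and upn and name_id_value.lower() != upn[0].lower():
        problems.append("NameID does not match the upn attribute")
    return problems

if __name__ == "__main__":
    print(check_assertion(build_sample("jdoe@example.com", SAMPLE_ATTRS)))
```

    An empty list means the assertion carries a NameID and every listed attribute with a value; accounts that produce any entry should be fixed in the IdP before users sign in.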
