SAML SSO for Solve


When accessing Solve via a direct URL, you can configure SAML to enable Single Sign-On (SSO) authentication. Use the settings in Solve to set up a trust relationship between Solve and your company's Identity Provider (IdP) so users can access Solve securely.

To open SAML settings in Solve, go to Settings > SAML Single Sign On. You need to have the Manage Solve permission to access these settings.

Settings page with SAML Single Sign On section

LDAP and SAML

We recommend that you do not enable both SAML and LDAP. If both are enabled, Solve uses SAML authentication.

Create Solve Users from Your IdP

If you enable the option Create Solve user automatically and add the additional attributes listed in the attribute table below, then a user account is created the first time a new user signs in to Solve using SAML. This means that a new user can access Solve without having to register their account in the Real-Time DX console. If you don't enable this option, each user must first register in the Real-Time DX console, or be added to ControlUp using a script.
SAML single sign on section with Create Solve user automatically selected

Creating the account does not by itself grant access to Solve. The new user can use Solve only if they already belong to an Active Directory group that has permission to access Solve; otherwise, after the account has been created, a ControlUp admin must give the user the Use Solve or Manage Solve permission in the Real-Time DX console security policy.

Use Case Examples

If your IdP is listed, follow the instructions under your IdP. If not, follow the steps below to set up SAML with any IdP.

3rd party Identity Provider applications

We have provided these use case examples for your benefit but do not take responsibility for the screenshots, content, and functionality of these 3rd party applications.

Active Directory Federation Services

This section gives the basic steps to configure SAML authentication if your Identity Provider (IdP) is Active Directory Federation Services (ADFS).

  1. Open your ADFS interface.

  2. Under the Service folder, click Certificates. Export the Token-signing certificate (View Certificate > Details > Copy to File) and upload it in the IdP Signing Certificate field on the Solve settings page. Solve uses this certificate to verify the signature on assertions issued by ADFS.
     Certificates folder showing SAML-ADFS-Signing Certificate

  3. In the ADFS interface, select Relying Party Trusts, right-click the relying party trust for Solve, and select Properties.
     Relying Party Trusts with Properties dialog showing endpoints tab selected

  4. In the Properties dialog, select the Endpoints tab and click Add SAML... The Edit Endpoint dialog opens.

  5. In the Trusted URL field, enter the Endpoint/Assertion URL from the Solve settings page.
     Edit Endpoint dialog box
    Ensure that:
      • Endpoint type is SAML Assertion Consumer
      • Binding is POST

  6. Click OK and this Endpoint is added.
     Endpoint Added in endpoints tab

  7. In the same Properties dialog, select the Signature tab, click Add, and upload the Solve Signing Certificate that you can download from the Solve settings page. ADFS uses this certificate to verify the signature on SAML requests sent by Solve.
     ADFS Signature added in Signature tab

  8. In the same Properties dialog, select the Identifiers tab, and under the Relying party identifier: field, enter the Relying Party Trust Identifier value from the Solve settings page. Click Add next to the field and you'll see the URN added to the list of Relying party identifiers in the dialog.
     ADFS Identifiers in Identifiers tab

  9. In the Relying Party Trusts folder, right-click the relying party trust for Solve and select Edit Claim Issuance Policy...

    Relying Party Trusts folder with Edit Claim Issuance Policy... selected

  10. In the Edit Claim Issuance Policy wizard, click Add Rule...

    Edit Claim Issuance Policy wizard with Add Rule button selected

  11. In the Choose Rule Type wizard, select Send LDAP Attributes as Claims as the claim rule template and click Next.
    Choose Rule Type wizard with Send LDAP Attributes as Claims selected as the claim rule template

  12. On the Configure Rule screen, enter a Claim rule name, and select Active Directory from the Attribute store dropdown menu.

    Configure Rule screen with a Claim rule name entered and Active Directory selected from the Attribute store

  13. Under Mapping of LDAP attributes to outgoing claim types, add the required user attributes. The required attributes depend on whether you are using SAML to create Solve users; the full list, with the exact outgoing claim type names, is in Step 3 - Configure User Attributes in Your IdP below.

    • If you are not using SAML to create Solve users, add the following attribute:

      AD Claim List Without User Creation

    • If you are using SAML to create Solve users, add the following attributes:

      AD Claim List For User Creation

  14. After you have added the LDAP attributes, click Finish.

  15. Confirm the new rule by clicking OK.
    Edit claim rules for test adfs dialog box

    Your Solve users should now be able to authenticate through your ADFS identity provider.
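
    The same relying party trust, created from PowerShell instead of the ADFS console. This is an added example and not ControlUp's or Microsoft's code; the identifier, ACS URL, certificate path and trust name are placeholders that you replace with the values from your Solve SAML settings page. The claim rules express steps 11 to 13 in the ADFS claim rule language, using the claim type names from Step 3 - Configure User Attributes in Your IdP. Because the claim-list screenshots are not reproduced on this page, the single attribute for the no-user-creation case is assumed to be the UPN that becomes the NameID, and the NameID format is assumed to be emailAddress, as the DUO section uses.

```powershell
# Added example (not ControlUp's or Microsoft's code). Creates the Solve relying party
# trust with the settings the GUI steps above configure. Run in an elevated PowerShell
# session on an AD FS server.
Import-Module ADFS

# Placeholders: replace with the values shown on your Solve SAML settings page.
$rpIdentifier  = 'urn:example:solve'                    # Relying Party Trust Identifier (assumed value)
$acsUrl        = 'https://solve.example.com/saml/acs'   # Endpoint/Assertion Login URL (assumed value)
$solveCertPath = 'C:\certs\solve-signing.cer'           # downloaded Solve Signing Certificate (assumed path)
$createUsers   = $true                                  # $true if "Create Solve user automatically" is enabled

# Step 5: assertion consumer endpoint, SAML Assertion Consumer type, POST binding.
$acsEndpoint = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true

# Step 7: Solve's certificate goes on the Signature tab, i.e. AD FS uses it to verify
# the signature on SAML requests coming from Solve.
$solveCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $solveCertPath

# Steps 11-13: "Send LDAP Attributes as Claims" in the claim rule language. Outgoing claim
# types are the Attribute names from Step 3; the LDAP names are the AD attributes they map to.
if ($createUsers) {
    $ldapQuery  = ';userPrincipalName,mail,givenName,sn,sAMAccountName,distinguishedName;{0}'
    $claimTypes = '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", ' +
                  '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", ' +
                  '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", ' +
                  '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", ' +
                  '"sAMAccountName", "distinguishedName"'
} else {
    # Assumption: without user creation only the UPN (used for the NameID) is needed.
    $ldapQuery  = ';userPrincipalName;{0}'
    $claimTypes = '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"'
}

$transformRules = @"
@RuleName = "Solve user attributes from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ($claimTypes), query = "$ldapQuery", param = c.Value);

@RuleName = "UPN as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Who may get a token: everyone who authenticates. Tighten this to an AD group if only some
# users should reach Solve (the Solve-side Use Solve / Manage Solve permission still applies).
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-AdfsRelyingPartyTrust -Name 'ControlUp Solve' `
    -Identifier $rpIdentifier `
    -SamlEndpoint $acsEndpoint `
    -RequestSigningCertificate $solveCert `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back what was stored and compare it with the Solve settings page.
Get-AdfsRelyingPartyTrust -Name 'ControlUp Solve' | Select-Object Identifier, SamlEndpoints, RequestSigningCertificate
```

    The token-signing certificate from step 2 is not part of this script: it is exported from the ADFS side and uploaded to Solve, not configured on the relying party trust.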

Azure Active Directory

Prerequisites:

  • Must have an Azure Enterprise account.

  • Azure Active Directory (AD) must be configured.

  • Must have the necessary permissions to create the application.

Setup in Azure AD

  1. In Azure AD, go to Enterprise Applications > New application.

    Azure AD screen showing Enterprise Applications with New application

  2. Select Create your own application.

    browse azure ad gallery page with Create your own application selected

  3. Enter a name for the application, select Integrate any other application you don't find in the gallery, and click Create.

    create your own application page with Integrate any other application you don't find in the gallery selected

  4. After your application is created, click Set up single sign on.

    getting started section with Set up single sign on selected

  5. Select SAML as the single sign on method.

    select a single sign-on method section with SAML selected

  6. Next, you need to share several values between Solve and Azure AD. Open your Solve SAML settings alongside Azure AD and use the following side-by-side comparison to see which value goes where. The arrows indicate where each value comes from and where to put it in the other application. For more information about what these fields mean, see Step 1 - Configure IdP Settings and Step 2 - Configure Solve Settings below.
    set up single sign-on with SAML page showing side comparisons

  7. If you have enabled Create Solve user automatically, then you need to add additional attributes in the Attributes & Claims section. Make sure that all users accessing Solve via SAML have the relevant attributes in their Azure AD user properties; the user.onpremisessamaccountname and user.onpremisesdistinguishedname attributes used below are populated only for accounts synchronized from on-premises Active Directory, and are empty for cloud-only accounts. If you are not using SAML to automatically create ControlUp user accounts, then the default attributes in Azure AD are sufficient for existing user accounts to sign in to Solve with SAML, because the Unique User Identifier (NameID) is the UPN. For details about automatic user account creation with SAML, see Create Solve Users from Your IdP.

    1. In the Attributes & Claims section, click Edit.

      Attributes & Claims section

    2. Click Add new claim.

      add a new claim panel

    3. Add the claim sAMAccountName from the attribute user.onpremisessamaccountname and click Save.

      sAMAccountName added

    4. Add another claim distinguishedName from the attribute user.onpremisesdistinguishedname and click Save.

      distinguishedName added

    5. After you add the additional claims required for automatic user creation, your Attributes & Claims section should look like this:

      Attributes & Claims section after claims added

  8. Set which Azure Active Directory users are allowed to access Solve using SAML. You can either:

    • Go to Users and groups and click Add user/group to add users to the application.

      controlup solve SAML Users and groups section

    • Go to Properties and set Assignment required? to No if you want every user in your Azure AD tenant to be able to sign in to Solve using SAML. This lets any user in the tenant obtain a SAML assertion for Solve; whether they can then use Solve is still governed by the Use Solve and Manage Solve permissions in ControlUp.

      controlup solve SAML properties section

DUO

Prerequisites:

  • You have a DUO account with the necessary permissions to Protect an Application.

  • You have set up DUO to use Active Directory as an authentication source for single sign-on.

Set up the SAML application in DUO

  1. Go to Applications > Protect an application.

    Applications Protect an application section

  2. Search for Generic SAML Service Provider and click Protect.

    Generic SAML Service in search bar with Protect button selected

  3. Under the Metadata section, copy the following values and paste them into the fields in the Solve SAML settings page:

    1. Copy the Entity ID and paste it into the Entity/Issuer ID field in Solve.

    2. Copy the Single Sign-On URL and paste it into the IdP Login URL field in Solve.

    3. Copy the Single Log-Out URL and paste it into the IdP Logout URL field in Solve.

      Generic SAML Service provider with metadata displayed

  4. Under the Downloads section, click Download certificate and upload the certificate into the IdP Signing Certificate field in Solve.

    Downloads section with Download certificate button selected

  5. Copy the following values from the Solve SAML settings page and paste them into the fields in DUO under the Service Provider section:

    1. Copy the Relying Party Trust Identifier from Solve and paste it into the Entity ID field in DUO.

    2. Copy the Endpoint/Assertion Login URL from Solve and paste it into the Assertion Consumer Service (ACS) URL field in DUO.

    3. Copy the Assertion Logout URL from Solve and paste it into the Single Logout URL field in DUO.

      Service Provider section

  6. Under the SAML Response section:

    1. Set the NameID format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

    2. In the NameID attribute field, enter UserPrincipalName.

      SAML Response section

  7. If you are using SAML for automatic user account creation, you must add the attributes listed in Step 3 - Configure User Attributes in Your IdP in the Map attributes section, with the attribute names written exactly as they appear there and in the image below. The attribute mapping pulls the required IdP attributes from your Active Directory and sends them to ControlUp with the correct attribute names. This step is not required if the users accessing Solve with SAML have already created a ControlUp account using another method.

    Map attributes section

  8. Scroll to the bottom of the page and click Save.

OKTA

Prerequisite for Automatic Solve User Creation

Note

This section is required only if you are using SAML to provision new ControlUp accounts. You can skip this section if the users accessing Solve with SAML have already created a ControlUp account using another method.

If you are using SAML to Create Solve Users from Your IdP, then you must configure Okta to send the attributes listed in Step 3 - Configure User Attributes in Your IdP below. Not all of these attributes are added to your Okta user profiles by default when you set up the Active Directory integration with Okta.

If the required attributes are not already in your Okta user profiles, then you need to map the Active Directory attributes to your Okta user profiles.

To map the required Active Directory attributes to your Okta user profile:

  1. In Okta, go to Profile Editor and select the Okta User (default) user profile.

    Okta Profile Editor with Okta User selected

  2. Click Add Attribute.

    Attributes section with Add Attribute selected

  3. Add three new attributes:

    1. Display name = "Distinguished Name", Variable name = "dn".

    2. Display name = "SAM Account Name", Variable name = "samAccountName".

    3. Display name = "User Principal Name", Variable name = "userName". Note that you might not have to add this attribute to the Okta user profile if you selected to use the UPN as the Okta username when setting up the Active Directory integration.

      add attribute section

  4. After saving the attributes, go back to your profiles and select your Active Directory.

    users section with Active Directory selected

  5. Click Mappings.

    Attributes section with mappings selected

  6. Map the following Active Directory attributes to the new Okta user profile attributes you just created, and click Save Mappings.

    Okta user profile attributes you just created with Save Mappings button selected

Set up the SAML Application in Okta

  1. Sign in to the Okta admin dashboard with a user who has permission to create app integrations, and go to Applications.

    okta dashboard with applications selected

  2. Click Create App Integration.

    applications section with Create App Integration selected

  3. Select SAML 2.0 as the sign-in method and click Next.

    create a new app integration section with SAML 2.0 Selected

  4. Enter an App name of your choosing and click Next.

    create SAML integration section with an App name Entered

  5. Under SAML Settings, fill out the following fields using values from your Solve SAML settings page.

    1. In the Single sign-on URL field, add the value Endpoint/Assertion Login URL from Solve.

    2. In the Audience URI field, add the value Relying Party Trust Identifier from Solve.

      create SAML section

  6. If you are using SAML for automatic user account creation, you must add the following attributes under Attribute Statements (optional). This step is not required if your users accessing Solve with SAML have already created a ControlUp account using another method. Note that the following attribute statements are based on the Active Directory attribute mappings described in the prerequisite section above. Your attribute mappings might be set up differently, so ensure that the Values in the attribute statements refer to the correct attributes in your Okta user profiles.

    Name                                                                 Name format   Value
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress   Unspecified   user.email
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname      Unspecified   user.firstName
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname        Unspecified   user.lastName
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn            Unspecified   user.userName
    sAMAccountName                                                       Unspecified   user.samAccountName
    distinguishedName                                                    Unspecified   user.dn


    After you are finished adding the user attributes, your Attribute Statements should look like this:

    Attribute Statements list

  7. At the bottom of the page, click Next.

    SAML assertion with next button selected

  8. Select I'm an Okta customer adding an internal app and click Finish.

    I'm an Okta customer adding an internal app option Selected

  9. Under the Sign On tab, click View SAML setup instructions.

    Sign On tab with View SAML setup instructions selected

  10. This page shows three values that you must copy or download and add to your Solve SAML settings page.

    three values displayed

    1. Copy the value Identity Provider Single Sign-On URL and paste it into the field IdP Login URL in Solve.

    2. Copy the value Identity Provider Issuer and paste it into the field Entity/Issuer ID in Solve.

    3. Click Download certificate and upload the certificate under the field IdP Signing Certificate in Solve.

  11. To assign Okta users or groups to the new ControlUp application so that those users are allowed to access Solve using SAML:

    1. Go back to Applications and select the new application you created.

      applications section

    2. Go to the Assignments tab, click Assign and select to either assign the application to people or groups.

      Assignments tab with Assign dropdown selected

    3. Select the users or groups that will access Solve and assign them to the application. Those users are now able to sign in to your Solve URL using SAML.

Troubleshooting

If SAML isn't working correctly after following the procedure above, it's possible that the SAML assertion isn't sending the correct information. To preview the SAML assertion, edit the application, go back to the page where you added the attribute statements, and click Preview the SAML Assertion. Note that your Okta user must be assigned to the application to preview the assertion.

    good attribute statements with Preview the SAML Assertion selected

Compare the generated SAML assertion against the attribute table above and make sure that:

  • The Attribute Name of each attribute is written exactly as it appears in the attribute table.

  • The AttributeValue of each attribute contains the correct information about the user.

Configure SAML SSO with Solve and Your IdP

This section describes how to set up SAML SSO between Solve and any IdP. See the Use Case Examples above for more details about selected IdPs.

Step 1 - Configure IdP Settings

This table lists the fields that are already filled out in your Solve SAML settings. You need to take the information from these fields and add it to your IdP.

Field in Solve SAML settings, whether it is required, and notes:

Relying Party Trust Identifier
  Required: Yes
  Notes: Copy this value from Solve SAML settings and paste it into your IdP settings. Your IdP might call this:
    • Identifier
    • Entity ID
    • Relying Party Identifier
    • Audience URI

Endpoint/Assertion Login URL
  Required: Yes
  Notes: Copy this value from Solve SAML settings and paste it into your IdP settings. Your IdP might call this:
    • Reply URL
    • Assertion Consumer Service (ACS) URL
    • Trusted URL
    • Single sign on URL

Assertion Logout URL
  Required: No
  Notes: If you want to use single log out (SLO), copy this value from Solve SAML settings and paste it into your IdP settings. SLO is not supported on all IdPs. Your IdP might call this:
    • Logout URL
    • Single log out URL

Solve Signing Certificate
  Required: For some IdPs
  Notes: If your IdP requires it, download the X.509 certificate from Solve and upload it to your IdP. The IdP uses it to verify the signature on SAML requests from Solve. Azure AD, for example, does not require that you upload this certificate.

Step 2 - Configure Solve Settings

This table lists the fields that you need to fill out in your Solve SAML settings.

Field in Solve SAML settings, whether it is required, and notes:

Create Solve user automatically
  Required: No
  Notes: Enable this option if you want to automatically create a ControlUp user account when a new user signs in to Solve using SAML. To use this option, you need to configure your IdP to send the additional attributes described in Step 3. For more details, see Create Solve Users from Your IdP above. This feature is supported only if you use Azure AD, ADFS, Okta, or Ping as your IdP.

IdP Login URL
  Required: Yes
  Notes: Copy the login URL from your IdP and paste it here. Your IdP might call this:
    • Login URL
    • Single sign on URL

IdP Logout URL
  Required: No
  Notes: If you want to use single log out (SLO), copy the logout URL from your IdP and paste it here. SLO is not supported on all IdPs. Your IdP might call this:
    • Logout URL
    • Single log out URL

IdP Signing Certificate
  Required: Yes
  Notes: Download the X.509 signing certificate from your IdP and upload it here. Solve uses it to verify the signature on assertions from your IdP.

Entity/Issuer ID
  Required: Yes
  Notes: Copy the entity/issuer ID from your IdP and paste it here. Your IdP might call this:
    • Entity ID
    • Issuer ID
    • Issuer URL
    • Azure AD Identifier

Step 3 - Configure User Attributes in Your IdP

Configure your IdP to send the following attributes:

Attribute, whether it is required, and description:

NameID
  Required: Yes (see note below)
  Description: User's UPN. This must match a user in your ControlUp organization.

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Required: Only to create Solve users from your IdP
  Description: User's email address

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  Required: Only to create Solve users from your IdP
  Description: User's first name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  Required: Only to create Solve users from your IdP
  Description: User's last name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn, OR
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Required: Only to create Solve users from your IdP
  Description: User's UPN

sAMAccountName
  Required: Only to create Solve users from your IdP
  Description: User's sAMAccountName

distinguishedName
  Required: Only to create Solve users from your IdP
  Description: User's distinguished name

Note

If you can't configure your IdP to send the UPN in the NameID, then you can send the attributes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn AND http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress instead. If both of these attributes are sent, then users are able to sign in to an existing account.
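
A way to check a real assertion against this table, and against the Troubleshooting advice in the OKTA section above, is to capture the SAMLResponse that the browser posts to the Endpoint/Assertion Login URL and inspect it. The following script is an added example and not ControlUp's code. It assumes Windows PowerShell 5.1 or later, takes either the base64 SAMLResponse form field or the raw assertion XML (for example from Okta's Preview the SAML Assertion), and reports the NameID, whether a signature element is present, and any attribute from the table that is missing, empty, or sent with the wrong letter case. It only checks that a signature element exists; it does not verify the signature, which Solve does with the IdP Signing Certificate. The sample response at the end is constructed for the example and deliberately uses the Okta variable name samAccountName as the attribute name instead of sAMAccountName.

```powershell
# Added example (not ControlUp's code). Decodes a captured SAML response and checks the
# NameID, signature element and attribute names against the Step 3 table. The sample
# response at the bottom is constructed for this example.
function Test-SolveSamlAssertion {
    param(
        [string]$SamlResponseB64,  # the SAMLResponse form field posted to the Endpoint/Assertion Login URL
        [string]$SamlXml,          # or the raw XML (for example from Okta's "Preview the SAML Assertion")
        [switch]$CreateUsers       # set when "Create Solve user automatically" is enabled in Solve
    )
    if (-not $SamlXml) {
        # HTTP-POST binding carries the response as plain base64 of the XML.
        $SamlXml = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseB64))
    }
    # Parse with DTDs prohibited and no resolver so a hostile document cannot trigger XXE or entity expansion.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver = $null
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader -ArgumentList $SamlXml), $settings)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($reader)

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $claims = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'
    $problems = @()

    # Presence of an XML signature only; Solve verifies it against the IdP Signing Certificate.
    $signed = [bool]$doc.SelectSingleNode('//ds:Signature', $ns)
    if (-not $signed) { $problems += 'no ds:Signature element: Solve cannot verify this assertion' }

    $nameIdNode = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    $attrNames = @()
    $attrs = @{}
    foreach ($a in $doc.SelectNodes('//saml:AttributeStatement/saml:Attribute', $ns)) {
        $name = $a.GetAttribute('Name')
        $attrNames += $name
        $attrs[$name] = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        if (-not ($attrs[$name] | Where-Object { $_ })) { $problems += "attribute '$name' has no value" }
    }

    # Which Attribute names the Step 3 table requires for this configuration.
    $required = @()
    if (-not $nameIdNode) {
        # Note under Step 3: without a NameID, the upn and emailaddress claims must both be present.
        $required += "${claims}upn", "${claims}emailaddress"
    }
    if ($CreateUsers) {
        $required += "${claims}emailaddress", "${claims}givenname", "${claims}surname", 'sAMAccountName', 'distinguishedName'
        if (-not (($attrNames -ccontains "${claims}upn") -or ($attrNames -ccontains "${claims}name"))) {
            $problems += "user creation needs ${claims}upn or ${claims}name"
        }
    }
    # Names must match the table exactly. -ccontains is case-sensitive and -contains is not, so the
    # second test catches e.g. the Okta variable name 'samAccountName' sent instead of 'sAMAccountName'.
    foreach ($n in ($required | Select-Object -Unique)) {
        if ($attrNames -ccontains $n) { continue }
        if ($attrNames -contains $n) { $problems += "attribute '$n' is sent with the wrong letter case" }
        else { $problems += "attribute '$n' is missing" }
    }

    $issuerNode = $doc.SelectSingleNode('//saml:Issuer', $ns)
    $issuer = $null; $nameId = $null; $nameIdFormat = $null
    if ($issuerNode) { $issuer = $issuerNode.InnerText }
    if ($nameIdNode) { $nameId = $nameIdNode.InnerText; $nameIdFormat = $nameIdNode.GetAttribute('Format') }
    [pscustomobject]@{
        Issuer = $issuer; NameID = $nameId; NameIDFormat = $nameIdFormat
        Signed = $signed; Attributes = $attrs; Problems = $problems
    }
}

# Constructed sample (not a real IdP capture): NameID is the UPN, the assertion carries a signature
# element, and one attribute name uses the Okta variable name instead of the exact name from the table.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="samAccountName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="distinguishedName"><saml:AttributeValue>CN=Jane Doe,OU=Users,DC=example,DC=com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
$result = Test-SolveSamlAssertion -SamlResponseB64 $b64 -CreateUsers
$result | Format-List Issuer, NameID, NameIDFormat, Signed, Problems
```

To inspect a real sign-in, open the browser developer tools, record the POST to your Endpoint/Assertion Login URL, copy the SAMLResponse form field, and pass it as -SamlResponseB64 (add -CreateUsers if that option is enabled in Solve). Treat the captured response as sensitive: it identifies the user and, until it expires, is accepted by Solve.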