This article will help you set up and manage your SSO integration.
Key information
How the integration works
Once set up, our SSO integration requires all Members to log in to Legatics through your existing identity provider (IdP), such as Entra ID (formerly Azure Active Directory).
Once the integration is enabled, you can use your IdP to manage access to Legatics. Depending on the functionality provided by your IdP, this could include:
Limiting the users who have access to Legatics
Implementing your own sign-on practices
Restricting login by IP address, geographical location or other factor
Blocking users from Legatics when they leave your company
Requirements
Your IdP must support the SAML 2.0 protocol.
Limitations
Limitation | Details
One IdP | Legatics currently supports a connection to one IdP only. If you have multiple IdPs (eg one for users with one email domain and another for users with a different email domain), you can only use SSO for one of those email domains.
User provisioning | You can't automatically set up Legatics users from your IdP, or set their permission profile from your IdP.
User attributes | We don't currently support syncing of user attributes (eg job title or name).
One-click log in | We don't have a "Log in with SSO" button. Users enter their email address and, if SSO is enabled for it, your IdP takes over.
Instance you're stored on | Legatics has multiple instances, each with its own unique URL. Your IdP will only work on the instance you are stored on. If your users access another customer's matters on other instances, they will need to log in there using username/password.
Connecting your SSO system
It's a two-step process to connect with your IdP:
Adding Legatics as an application in your IdP
Connecting Legatics with your IdP
Step 1: Adding Legatics as an application in your IdP
This process will depend on your IdP. Your IT team should know how to add applications to your IdP.
Once the application is created in your IdP, you can populate the details needed to finalise it by:
Exporting an XML file from Legatics and uploading it in your IdP
Manually adding details in your IdP
Export and upload XML file from Legatics
If your IdP supports this, it is the fastest way to get set up. Our XML file contains all of the information your IdP needs.
To obtain the XML file, log into the Admin System, go to "Integrations" from the sidebar, then go to the "Single Sign-On" page, press "Connect SSO", then "Export our XML file" from the pop-up that appears.
Manually adding details
If you can't use the XML file, input the following details into the application you created in your IdP:
Field | Value
Entity ID | https://
Single Sign On URL (also known as the Recipient, Destination or Consumer URL) | https://api.
Single Logout URL (optional) | https://api.
In the values above:
legatics_URL | is the URL of the Legatics instance you are on. You can find this on the Accounts page (⚠️ make sure you exclude https://).
customer_ID | is your unique client number. You can find this at the top of the sidebar in the Admin System or on the Accounts page (clicking on the ID copies it to your clipboard).
Step 2: Connecting Legatics with your IdP
You will need to get the following information from the application you set up in your IdP.
Most IdPs allow you to export this information as an XML file. If you can do this, it will make the setup process in Legatics much simpler.
Field | Notes
Entity ID | This is also known as:
⚠️ This is different from the Entity ID in Step 1: that one identified Legatics to your IdP, this one identifies your IdP to Legatics.
Login URL | This is also known as the Identity Provider Single Sign-On URL.
X.509 certificate | This is the certificate your IdP uses to sign its SAML responses, which Legatics uses to verify they really came from your IdP. When copying it, don't include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Only include the text between these two lines.
Once you have this information, go to "Integrations" in the Admin System sidebar, then:
Go to the "Single Sign-On" page
Press "Connect SSO"
You can then either:
Import your XML file (this will populate the fields automatically)
Manually add the information from the table above
Check the details, then press "Add SSO"
Enable the integration
After you press "Add SSO", your integration won't be automatically enabled. This is to give you a chance to review the settings and apply additional configurations.
When you're ready to go, press the "Enable" button to turn the integration on.
You may want to restrict the integration to specific Members first, to check it's working before enabling for everyone.
Configuring your integration
Once your IdP is connected, you can configure the integration in a number of ways. The sections below set out the configurations available.
✋ Restrict to specific Members
Your integration is available to all of your Members across the entire instance. You can further restrict which Members can use the SSO integration.
If you restrict it to specific Members, all other Members must log in using username/password.
We only recommend using this feature while you're testing that the integration is working as expected.
To restrict the integration to specific Members:
Go to the "Single Sign-On" page and toggle "Restrict to specific users"
Search for the Member(s) you want to restrict the integration to (you can search by user name or email address) and click on the Member. Repeat this for any additional Members, then press Save to apply your changes.
🛑 Disable
There may be times when you need to disable your SSO integration.
When you disable the integration, your users will be required to reset their password and will then need to log in using username/password.
To disable the integration, switch off the "Enable" toggle.
🎗️ Updating your certificate
If your certificate is expiring, you'll need to generate a new one in your IdP. Once you have the new certificate, you can either:
Upload the XML file from your SSO system (with the new certificate)
Manually add the new certificate
In this situation, your XML file is likely to contain multiple X.509 certificates (it will include expired certificates). If you upload from the XML file, we only take the latest certificate, so check that the certificate extracted is the one you need to use, for example by comparing its expiry date or fingerprint with the certificate shown in your IdP.
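The Step 2 values and the certificate caveat above can be checked before anything is pasted into Legatics. The Go program below is an added example, not Legatics code or any IdP's tooling: it parses a SAML 2.0 IdP metadata export, pulls out the IdP Entity ID, the Login URL and every signing certificate, and selects the certificate that is valid today with the latest expiry, producing the bare base64 value (no BEGIN/END lines) the manual form expects along with its SHA-256 fingerprint. The metadata it parses is constructed inside the program from two freshly minted self-signed certificates, one already expired, to mimic an IdP that has rolled its certificate; the entityID and URLs in it are invented. How Legatics itself picks "the latest certificate" is not specified on this page, so the selection rule here is the check you run on your side, and the fingerprint is what you compare against your IdP console.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// The parts of SAML 2.0 IdP metadata that Step 2 needs; encoding/xml matches local names, so md:/ds: prefixes do not matter.
type idpMetadata struct {
	EntityID string `xml:"entityID,attr"`
	Keys     []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
	SSO []struct {
		Binding  string `xml:"Binding,attr"`
		Location string `xml:"Location,attr"`
	} `xml:"IDPSSODescriptor>SingleSignOnService"`
}

// idpSettings is what the "Connect SSO" form asks for: the IdP Entity ID (not the Legatics one from Step 1), the Login URL, and every signing certificate listed.
type idpSettings struct {
	EntityID, LoginURL string
	Certs              []*x509.Certificate
}

func parseIdPMetadata(doc string) (*idpSettings, error) {
	var md idpMetadata
	if err := xml.Unmarshal([]byte(doc), &md); err != nil { return nil, err }
	s := &idpSettings{EntityID: md.EntityID}
	for _, e := range md.SSO { // the first browser binding listed serves as the Login URL
		if s.LoginURL == "" && (strings.HasSuffix(e.Binding, "HTTP-Redirect") || strings.HasSuffix(e.Binding, "HTTP-POST")) {
			s.LoginURL = e.Location
		}
	}
	for _, k := range md.Keys {
		if k.Use != "" && k.Use != "signing" { continue } // encryption-only keys do not verify assertions
		// Exports usually wrap the base64 over many lines: drop all whitespace before decoding.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil { return nil, err }
		c, err := x509.ParseCertificate(der)
		if err != nil { return nil, err }
		s.Certs = append(s.Certs, c)
	}
	if s.EntityID == "" || s.LoginURL == "" || len(s.Certs) == 0 { return nil, fmt.Errorf("incomplete IdP metadata") }
	return s, nil
}

// currentSigningCert picks the certificate valid at now with the latest NotAfter (the one to paste); no valid certificate is an error, not a fallback.
func currentSigningCert(certs []*x509.Certificate, now time.Time) (*x509.Certificate, error) {
	var best *x509.Certificate
	for _, c := range certs {
		if !now.Before(c.NotBefore) && !now.After(c.NotAfter) && (best == nil || c.NotAfter.After(best.NotAfter)) { best = c }
	}
	if best == nil { return nil, fmt.Errorf("no signing certificate is valid at %s", now.Format(time.RFC3339)) }
	return best, nil
}

// pasteValue is the bare base64 body Legatics asks for (no BEGIN/END lines, no line breaks); fingerprint is the SHA-256 of the DER.
func pasteValue(c *x509.Certificate) string  { return base64.StdEncoding.EncodeToString(c.Raw) }
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%X", sha256.Sum256(c.Raw)) }

// selfSigned mints a throwaway IdP signing certificate (as base64 DER) for the constructed sample below.
func selfSigned(serial int64, notBefore, notAfter time.Time) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	return base64.StdEncoding.EncodeToString(der)
}

// sampleMetadata is constructed data: an IdP that rolled its certificate and still lists the expired one (first) beside the new one (second). The entityID and URLs are invented.
func sampleMetadata(now time.Time) string {
	const kd = `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	return `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml"><md:IDPSSODescriptor>` +
		fmt.Sprintf(kd, selfSigned(1, now.AddDate(-2, 0, 0), now.AddDate(0, 0, -1))) +
		fmt.Sprintf(kd, selfSigned(2, now.AddDate(0, 0, -30), now.AddDate(1, 0, 0))) +
		`<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>`
}

func main() {
	now := time.Now()
	s, err := parseIdPMetadata(sampleMetadata(now))
	if err != nil { panic(err) }
	cur, err := currentSigningCert(s.Certs, now)
	if err != nil { panic(err) }
	fmt.Println(s.EntityID, s.LoginURL, fingerprint(cur), pasteValue(cur))
}
```

To check a real export, replace sampleMetadata(now) with the contents of the XML file your IdP produced; if the program reports that no certificate is currently valid, the export is stale and the new certificate has not been published yet, so uploading it to Legatics would not help.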