Skip to main content
SSO integration

Learn how to connect and configure our SSO integration

Ryan Turner avatar
Written by Ryan Turner
Updated over a week ago

This article will help you setup and manage your SSO integration


Key information


How the integration works


Once setup, our SSO integration requires all Members to log into Legatics through your existing identity provider (IdP), such as Entra ID (formerly Azure Active Directory).

Once the integration is enabled, you can use your IdP to manage access to Legatics. Depending on the functionality provided by your IdP, this could include:

  • Limiting the users that have access to Legatics

  • Implementing your own sign on practices

  • Restricting login by IP address, geographical location or other factor

  • Blocking users from Legatics when they leave your company


Requirements


Your IdP must make use of the SAML 2.0 protocol


Limitations


One IdP

Currently, Legatics only supports a connection to one IdP

So if you have multiple IdPs (eg one for users with 1 email domain, and another for users with another email domain), you can only use SSO for one email domain.

User provisioning

You can't automatically setup Legatics users using your IdP, or control set their permission profile from your IdP.

User attributes

We don't currently support syncing of user attributes (eg job title or name)

One click log in

We don't have a "Log in with SSO button". Users enter their email, and if SSO is enabled, then your IdP takes over.

Instance you're stored on

Legatics has multiple instances, each with their own unique URL. Your IdP will only work on the instance you are stored on. If your users are accessing another customer's matters on other instances, they will need to log in using username/password.


Connecting your SSO system


It's a two step process to connect with your IdP:

  1. Adding Legatics as an application in your IdP

  2. Connecting Legatics with your IdP



Step 1: Adding Legatics as an application in your IdP


This process will depend on your IdP. Your IT team should know how to add applications to your IdP.

Once the application is created in your IdP, you can populate the details needed to finalise it by:

  1. Exporting an XML file from Legatics and uploading it in your IdP

  2. Manually adding details in your IdP

Export and upload XML file from Legatics

If your IdP supports this, this is the fastest way to get setup. Our XML file contains all of the information your IdP needs.

To obtain the XML file, log into the Admin System, go to "Integrations" from the sidebar, then go to the "Single Sign-On" page, press "Connect SSO", then "Export our XML file" from the pop-up that appears.

Manually adding details

If you can't use the XML file, then input the following details into the application you created in your IdP

Entity ID

https://legatics_URL/customer_ID

Single Sign On URL

https://api.legatics_URL/auth/v0/saml/customer_ID/callback

This is also known as Recipient, Destination, or Consumer URL

Single Logout URL (optional)

https://api.legatics_URL/auth/v0/saml/customer_ID/logout

legatics_URL is the URL of the Legatics instance you are on. You can find this in the Accounts page (⚠️ make sure you exclude https://)

customer_ID is your unique client number. You can find this in the top of the sidebar in the admin system or the Accounts page (clicking on the ID will copy it to your clipboard).


Step 2: Connecting Legatics with your IdP


You will need to get the following information from the app set up in your IdP

Most IdP allow you to export this information as an XML file. If you can do this, it will make the setup process in Legatics much simpler.

Entity ID

This is also known as:

  1. Identity provider issuer

  2. Microsoft Entra ID identifier

⚠️ This is different to the Entity ID from Step 1

Login URL

This is also known as the Identify Provider Single Sign-On URL

X.509 certificate

When copying the X.509 certificate, don't include:

-----BEGIN CERTIFICATE--------

-----END CERTIFICATE----------

Only include the text between these two values

Once you have this information, go to "Integrations" from the sidebar, then:

  • Go to the "Single Sign-On" page

  • Press "Connect SSO"

You can then either:

  • Import your XML file (this will populate the fields automatically)

  • Manually add the information from the table above

Check the details, then press "Add SSO"

Enable the integration

After you press "Add SSO", your integration won't be automatically enabled. This is to give you a chance to review the settings and apply additional configurations.

When you're ready to go, press the "Enable" button to turn the integration on

You may want to restrict the integration to specific Members first, to check it's working before enabling for everyone.


Configuring your integration


Once your idP is connected, you can configure it in a number of ways. The section below sets out the configurations available.


✋ Restrict to specific Members


Your integration is only available to your Members (across the entire instance). You can further restrict what Members can use the SSO integration.

If you restrict to specific Members, then all other Member must log in using username/password

We only recommend using this feature when you're testing that the integration is working as expected.

To restrict a server to specific members

  1. Go to the "Single Sign-On" page and toggle Restrict to specific users

  2. Search for the Member(s) who want to restrict the integration to (you can search by user name or email) and press on the Member. You can then repeat this for any additional Members. Press Save to apply your changes.


🛑 Disable


There may be times when you need to disable your SSO integration

When you disable the integration, your users will be required to reset their password and then will need to log in using username/password.

To disable the integration, press the "Enable" toggle


🎗️ Updating your certificate


If your certificate is expiring, you'll need to generate a new one in your IdP. Once you've got that certificate, you can either:

  1. Upload the XML file from your SSO system (with the new certificate)

  2. Manually add the new certificate

In this situation, your XML file is likely to have multiple X.509 certificates (it will include expired certificates). If you upload from the XML file, we only take the latest certificate. So check that the certificate extracted is the one you need to use.

Did this answer your question?