Implementing Single Sign-On (SSO) with Legatics allows your Members to access the platform using existing credentials managed by your Identity Provider (IdP), such as Microsoft Entra ID. This integration enhances security and simplifies the login process. This guide provides a step-by-step approach to setting up and configuring SSO within Legatics.
Overview
When turned on
Once set up, our SSO integration requires all Members to log into Legatics through your existing identity provider (IdP), such as Entra ID. Once the integration is enabled, you can use your IdP to manage access to Legatics. Depending on the functionality provided by your IdP, this could include:
Limiting the users that have access to Legatics
Implementing your own sign on practices
Restricting login by IP address, geographical location or other factor
Blocking users from Legatics when they leave your company
Requirements
Your IdP must make use of the SAML 2.0 protocol
Limitations
Single connection: Currently, Legatics only supports a connection to one IdP. So if you have multiple IdPs (e.g. one for users with one email domain, and another for users with another email domain), you can only use SSO for one email domain.
User provisioning: You can't automatically set up Legatics users from your IdP, or set their permission profile from your IdP.
User attribute mapping: We don't currently support syncing of user attributes (e.g. job title or name).
One click log in: We don't have a "Log in with SSO" button. Users enter their email, and if SSO is enabled, your IdP takes over.
Connecting to your SSO system
Step 1: Add Legatics as an application in your IdP
This process will depend on your IdP. Your IT team should know how to add applications to your IdP. But you need some information from us to set this up. The information you need is set out below.
Export and upload XML file from Legatics
If your IdP supports this, this is the fastest way to get set up. Our XML file contains all of the information your IdP needs.
To obtain the XML file, log into the Admin System, go to Integrations > Single Sign-On and press the Connect SSO button. In the pop-up that appears, press "Export our XML file".
Manually add details
If you can't use the XML file, then you'll need to get some information from the Admin System, add it to the details below, and then add those details into the application you created in your IdP.
Get this information from the Admin System
legatics_URL: The URL of the Legatics instance you are on. You can find this on the accounts page. Don't include https://.
customer_ID: Your unique client number. You can find this at the top of the sidebar in the Admin System or on the accounts page.
Add these details to your IdP
Entity ID: https://
Single Sign On URL: https://api. (this is also known as the Recipient, Destination, or Consumer URL)
Single Logout URL (optional): https://api.
Step 2: Add your IdP to Legatics
In the Admin System, go to Integrations > Single Sign On and press Connect SSO
In the pop-up that appears either:
manually populate the details below
upload an XML file from your IdP system with configuration details
Press Add SSO
Tip: IdPs allow you to export configuration information as an XML file. If you can do this, it will make the setup process in Legatics much simpler.
Entity ID: This is also known as the Identity Provider Issuer or the Microsoft Entra ID Identifier. This is different from the Entity ID in Step 1.
Login URL: This is also known as the Identity Provider Single Sign-On URL.
X.509 certificate: When copying the X.509 certificate, don't include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Only include the text between these two values.
Your SSO is now connected, but isn't available to users. At this point you may want to make configurations (see below).
Configuring your SSO setup
Once your IdP is connected, you can configure it in a number of ways. The section below sets out the configurations available.
Editing details
You can edit the Entity ID, Login URL and X.509 certificate at any time. Simply go to the SSO page, make your changes and press Save.
Restricting access to specific Members
You can restrict what Members can use SSO to sign in. To do this:
Go to the SSO page and toggle Restrict to specific members
Search for the Members you want to restrict SSO to (you can search by user name or email) and press on the Member.
Repeat this for any additional Members
Press Save to apply your changes
Warning: Only users in this list will log in using SSO. Everyone else will log in with username and password. We only recommend using this feature when testing if SSO is working.
Enabling SSO
Once you're happy with how SSO is set up, you need to make it available to users. To do this, press the toggle at the top right of the SSO screen.
This will require all your Members to log into Legatics using SSO (or only the Members the feature is restricted to).
Disabling SSO
To disable the integration, press the Enable toggle in the top right of the SSO screen.
Note: When you disable the integration, your users will be required to reset their password and then will need to log in using username/password.
Updating your certificate details
If your certificate is expiring, you'll need to generate a new one in your IdP. Once you've got that certificate, you can either:
upload the XML file from your SSO system (with the new certificate) into Legatics using the Update from XML button; or
manually add the new certificate
Caution: XML files often have multiple X.509 certificates (they include expired certificates). If you upload from the XML file, we only take the latest certificate. So check that the certificate extracted is the one you need to use.
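The following is an added example, not part of the Legatics guide or product: it shows how to check which signing certificates an IdP metadata XML file actually contains and how to strip the PEM BEGIN/END lines before pasting a certificate manually (Step 2 above), so you can confirm the certificate extracted from the XML is the one you intend to use. The metadata sample, the entityID and the base64 bodies are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (not a real tenant): two signing certificates and
# one encryption certificate. The base64 bodies are placeholders, not real certificates.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        T0xEQ0VSVA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>TkVXQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def strip_pem_armor(pem_text: str) -> str:
    """Keep only the base64 body: no BEGIN/END lines, no whitespace or line breaks."""
    body = pem_text.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return "".join(body.split())

def fingerprint(b64_body: str) -> str:
    """SHA-256 over the DER bytes; validate=True rejects stray characters in the paste."""
    return hashlib.sha256(base64.b64decode(b64_body, validate=True)).hexdigest()

def signing_certificates(metadata_xml: str) -> list:
    """Signing certificates in document order; a KeyDescriptor with no 'use' counts as signing."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an SP verifies assertion signatures with signing keys, not encryption keys
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())
            found.append({"base64": b64, "sha256": fingerprint(b64)})
    return found

def pasted_matches_metadata(pem_text: str, metadata_xml: str) -> bool:
    """True when the certificate you intend to paste is a signing certificate in the file."""
    wanted = fingerprint(strip_pem_armor(pem_text))
    return any(c["sha256"] == wanted for c in signing_certificates(metadata_xml))
```

Compare the fingerprints printed by signing_certificates against the certificate shown in your IdP's console to confirm which one is current before uploading or pasting it.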