Integrate with your SSO system

Learn how to connect and configure your Identity Provider (IdP) to enable seamless single sign-on (SSO) access for your organization


Implementing Single Sign-On (SSO) with Legatics allows your Members to access the platform using existing credentials managed by your Identity Provider (IdP), such as Microsoft Entra ID. This integration enhances security and simplifies the login process. This guide provides a step-by-step approach to setting up and configuring SSO within Legatics.


Overview

When turned on

Once set up, our SSO integration requires all Members to log into Legatics through your existing identity provider (IdP), such as Entra ID. Once the integration is enabled, you can use your IdP to manage access to Legatics. Depending on the functionality provided by your IdP, this could include:

  • Limiting the users that have access to Legatics

  • Implementing your own sign on practices

  • Restricting login by IP address, geographical location or other factor

  • Blocking users from Legatics when they leave your company

Requirements

Your IdP must make use of the SAML 2.0 protocol

Limitations

  • Single connection: Currently, Legatics only supports a connection to one IdP. So if you have multiple IdPs (e.g. one for users with one email domain and another for users with a different email domain), you can only use SSO for one email domain.

  • User provisioning: You can't automatically set up Legatics users from your IdP, or set their permission profile from your IdP.

  • User attribute mapping: We don't currently support syncing of user attributes (e.g. job title or name).

  • One click log in: We don't have a "Log in with SSO" button. Users enter their email, and if SSO is enabled, then your IdP takes over.


Connecting to your SSO system

Step 1: Add Legatics as an application in your IdP

This process will depend on your IdP. Your IT team should know how to add applications to your IdP. But you need some information from us to set this up. The information you need is set out below.

Export and upload XML file from Legatics

If your IdP supports this, it is the fastest way to get set up. Our XML file contains all of the information your IdP needs.

To obtain the XML file, log into the Admin System, go to Integrations > Single Sign On and press the Connect SSO button. In the pop-up that appears, press "Export our XML file".

Manually add details

If you can't use the XML file, then you'll need to get some information from the Admin System, add it to the details below, and then add those details into the application you created in your IdP.

Get this information from the Admin System

legatics_URL

The URL of the Legatics instance you are on. You can find this in the accounts page. Don't include https://.

customer_ID

Your unique client number. You can find this at the top of the sidebar in the Admin System or on the accounts page.

Add these details to your IdP

Entity ID

https://legatics_URL/customer_ID

Single Sign On URL

https://api.legatics_URL/auth/v0/saml/customer_ID/callback

This is also known as Recipient, Destination, or Consumer URL

Single Logout URL (optional)

https://api.legatics_URL/auth/v0/saml/customer_ID/logout
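As an added example (not Legatics' own XML export, whose exact contents this article does not show), the Python below fills the three URL templates above from the two Admin System values and wraps them in a SAML 2.0 SP metadata document of the kind an IdP accepts when you cannot upload the exported file. The HTTP-POST binding and WantAssertionsSigned flag are assumptions, and example.test / 1234 are constructed values.

```python
"""Build SAML 2.0 service-provider (SP) metadata for the Legatics connection
from the two values the article says to collect: legatics_URL and customer_ID."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed binding
ET.register_namespace("md", MD_NS)


def sp_endpoints(legatics_url: str, customer_id) -> dict:
    """Fill the article's Entity ID, Single Sign On URL and Single Logout URL
    templates. A pasted https:// prefix or trailing slash is removed first,
    because the article says legatics_URL must not include https://."""
    host = legatics_url.strip()
    for scheme in ("https://", "http://"):
        if host.lower().startswith(scheme):
            host = host[len(scheme):]
    host = host.rstrip("/")
    cid = str(customer_id).strip()
    if not host or "/" in host or not cid or "/" in cid:
        raise ValueError("legatics_URL must be a bare hostname and customer_ID non-empty")
    return {
        "entity_id": f"https://{host}/{cid}",
        "sso_url": f"https://api.{host}/auth/v0/saml/{cid}/callback",
        "slo_url": f"https://api.{host}/auth/v0/saml/{cid}/logout",
    }


def sp_metadata_xml(legatics_url: str, customer_id) -> str:
    """Emit EntityDescriptor/SPSSODescriptor with SingleLogoutService before
    AssertionConsumerService, the element order the metadata schema requires."""
    ep = sp_endpoints(legatics_url, customer_id)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", entityID=ep["entity_id"])
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor",
                       protocolSupportEnumeration=SAML_PROTO,
                       WantAssertionsSigned="true")  # assumed: insist on signed assertions
    ET.SubElement(sp, f"{{{MD_NS}}}SingleLogoutService",
                  Binding=HTTP_POST, Location=ep["slo_url"])
    ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService",
                  Binding=HTTP_POST, Location=ep["sso_url"], index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed values, not a real Legatics instance.
    print(sp_metadata_xml("https://example.test/", 1234))
```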

Step 2: Add your IdP to Legatics

  1. In the Admin System, go to Integrations > Single Sign On and press Connect SSO

  2. In the pop-up that appears either:

    1. manually populate the details below

    2. upload an XML file from your IdP system with configuration details

  3. Press Add SSO

Tip: Most IdPs allow you to export configuration information as an XML file. If you can do this, it will make the setup process in Legatics much simpler.

Entity ID

This is also known as the Identity provider issuer or the Microsoft Entra ID identifier

This is different to the Entity ID from Step 1.

Login URL

This is also known as the Identity Provider Single Sign-On URL

X.509 certificate

When copying the X.509 certificate, don't include:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Only include the text between these two lines.

Your SSO is now connected, but isn't available to users. At this point you may want to make configurations (see below).


Configuring your SSO setup

Once your IdP is connected, you can configure it in a number of ways. The section below sets out the configurations available.

Editing details

You can edit the Entity ID, Login URL and X.509 certificate at any time. Simply go to the SSO page, make your changes and press Save.

Restricting access to specific Members

You can restrict which Members can use SSO to sign in. To do this:

  1. Go to the SSO page and toggle Restrict to specific members

  2. Search for the Members you want to restrict SSO to (you can search by user name or email) and select the Member.

  3. Repeat this for any additional Members

  4. Press Save to apply your changes

Warning: Only users in this list will log in using SSO. Everyone else will log in with username and password. We only recommend using this feature when testing if SSO is working.

Enabling SSO

Once you're happy with how SSO is set up, you need to make it available to users. To do this, press the toggle at the top right of the SSO screen.

This requires all your Members (or only the Members the feature is restricted to) to log into Legatics using SSO.

Disabling SSO

To disable the integration, press the Enable toggle in the top right of the SSO screen.

Note: When you disable the integration, your users will be required to reset their password and then will need to log in using username/password.

Updating your certificate details

If your certificate is expiring, you'll need to generate a new one in your IdP. Once you've got that certificate, you can either:

  • upload the XML file from your SSO system (with the new certificate) into Legatics using the Update from XML button; or

  • manually add the new certificate

Caution: XML files often contain multiple X.509 certificates (expired certificates are frequently still included). If you upload from the XML file, we only take the latest certificate. So check that the certificate extracted is the one you need to use.
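Added example, not Legatics' own import code: this Python pulls every signing certificate out of an IdP metadata file, strips the BEGIN/END lines and whitespace the way the Step 2 certificate instructions require, and fingerprints each one so you can confirm that the certificate applied on the Legatics SSO page matches the current one in your IdP rather than a stale one. The metadata and base64 bodies are constructed placeholders, not real certificates.

```python
"""Extract the X.509 certificates from IdP SAML metadata, normalise each to the
bare base64 body the Legatics SSO page expects, and fingerprint it."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def strip_pem(text: str) -> str:
    """Drop -----BEGIN/END CERTIFICATE----- lines (any dash count) and all
    whitespace, leaving only the base64 body the article says to paste."""
    body = re.sub(r"-+(BEGIN|END) CERTIFICATE-+", "", text)
    return "".join(body.split())


def fingerprint(cert: str) -> str:
    """SHA-256 over the DER bytes, colon-separated as IdP consoles display it."""
    der = base64.b64decode(strip_pem(cert), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_certificates(metadata_xml: str) -> list:
    """Signing certificates in document order. A KeyDescriptor without 'use'
    serves both purposes and is kept; encryption-only keys cannot verify
    assertions and are skipped."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = strip_pem(node.text or "")
            certs.append({"b64": b64, "sha256": fingerprint(b64)})
    return certs


# Constructed sample: the base64 bodies are placeholders, not real DER certificates.
OLD_B64 = base64.b64encode(b"constructed placeholder: old signing cert").decode()
NEW_B64 = base64.b64encode(b"constructed placeholder: new signing cert").decode()
ENC_B64 = base64.b64encode(b"constructed placeholder: encryption cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.test/constructed">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>{OLD_B64}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>
      {NEW_B64[:24]}
      {NEW_B64[24:]}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Certificate>{ENC_B64}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Compare the fingerprint of the certificate Legatics applied (its normalised base64 pasted into fingerprint()) with the thumbprint your IdP console shows for the current signing key; a mismatch means the stale certificate was taken.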
