In this article:
Features
The following provisioning features are supported:
Push new users
Push profile updates
Push user deactivation
Requirements
You will require a LawVu account and be in contact with our implementation team.
You will also be required to provide all login domains for whitelisting.
You must complete both steps for SAML and SCIM.
Limitations
If you plan to use security groups to sync and create a team in LawVu, please follow our Teams guide. Note that our currently released app in the Microsoft Store does not support the group sync feature, so a manual app setup is required. Please contact your LawVu representative for a manual guide in the meantime.
Overlapping Groups or Multiple Roles
LawVu does not support overlapping Azure AD groups or assigning multiple app roles to the same user. If a user is part of multiple groups or has multiple roles assigned, provisioning will fail on Azure’s side. In such cases, the Standard User role will be applied by default. To avoid this issue, ensure that each user belongs to a single group mapped to a single LawVu role.
SSO Configuration Timing
SSO configuration is only available once the customer agreement or at minimum the POC agreement has been signed. We cannot share SSO metadata, certificates, or other sensitive configuration details beforehand, as these function like secure API keys and are protected under our security policies. Once signed, your team gains access to the environment and the SSO Self‑Service Portal.
Azure Active Directory (AAD) - SAML Authentication Setup
This part must be completed before the certificate download!
Go to Azure Active Directory Admin Centre.
Under All Services, go to Enterprise Applications and click on New Application.
Search for LawVu under Gallery application and click create.
Once created, select Single sign-on and enter the values provided by LawVu.
Identifier (Entity ID) | Will be supplied by LawVu
OR
If you're using our SSO self-service portal, this information is already available there. |
Reply URL | Will be supplied by LawVu
OR
If you're using our SSO self-service portal, this information is already available there. |
LawVu configuration
Please provide us with the following values using your preferred secure method.
Additionally, please notify us of any other domains that will be utilized for login purposes.
Microsoft Entra Identifier | Please provide to LawVu |
Login URL | Please provide to LawVu |
Certificate Base64 | Please provide to LawVu |
Do not download the certificate following the blue path below as it is incorrect. Your SAML signing certificate gets updated once the SAML details have been configured, and it must be downloaded through the Download button in the red box.
Azure Active Directory (AAD) - SCIM Provisioning Setup
This step must also be completed to keep user accounts in sync.
Select Provisioning, click on Get Started and enter values supplied by LawVu.
Tenant URL | Will be supplied by LawVu
OR
If you're using our SSO self-service portal, this information is already available there. |
Secret Token | Will be supplied by LawVu
OR
If you're using our SSO self-service portal, this information is already available there. |
Set your desired scope and set Provisioning to On under settings.
Ensure you add the desired users into the LawVu app for automatic user provisioning. Please communicate with your Legal team leader which accounts require access to LawVu.
After enabling provisioning, please ensure the sync has started and is completed.
Group Provisioning in LawVu
Configure a New Enterprise Application (if needed)
If the Groups section is not present, create and configure a new Enterprise application for LawVu that supports SCIM group provisioning. LawVu can provide a manual guide.
Important: UPN is not matching the primary email address
Lawvu's enterprise app is pre-configured with the correct and Microsoft-recommended attributes compatible with most of our client's accounts.
Please note: If you have a requirement to use the primary email address instead of the pre-configured UPN as the login then please follow this article. Do not remove the below claim if you decided to use the email as the login.
If your AzureAD contains user accounts where the user's UPN does not match the user's primary email address, then the below modification must be made.
Under Single-Sign-On and Attributes and Claims, please remove the below "user.mail" claim.
Reporting a problem
Before submitting a problem report, kindly review ALL the settings mentioned above. If the problem continues, please reach out to our support team for further assistance.
Best Practices for Administrators
Map Groups to Roles Carefully: Ensure that each Azure AD group is mapped to a single, specific LawVu role to prevent provisioning conflicts.
Test Configurations: Before rolling out SSO provisioning to all users, test the setup with a small group to identify and resolve any issues.
Stay Updated: Regularly check for updates in both LawVu and your identity provider to ensure compatibility and access to new features.
Consult Documentation: Refer to the latest Azure AD and LawVu documentation for detailed instructions on configuring SCIM and SSO settings.