SSO (SingleSignOn) Information guide
This article will help to understand SSO better and also provide technical information for IT departments.
Written by Martin Walzak
Updated over a week ago

What is SSO?

SSO stands for Single Sign-on - a session and user authentication service that permits users to use one set of login credentials to access all of their SaaS applications. The user can then sign into the LawVu application using the corporate username and password credentials.


What is SAML?

SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) standard that facilitates the exchange of user authentication and authorization data across secure domains. SAML-based SSO services involve communications among the user (You), an identity provider (Client’s IT system) that maintains a user directory, and a service provider (LawVu).


What is SCIM?

System for Cross-domain Identity Management (SCIM) is a standard for automating the exchange of user identity information between identity domains, or IT systems. Its specification is designed to make managing user identities in cloud-based applications and services easier. Once set up, the SCIM endpoints on both sites can exchange information to create, read, update and delete users in the cloud application.


Login Flows

Please note that there is a difference between the login initiated from the client’s system (identity provider) and the login initiated from the LawVu login screen (service provider).

If a user is already logged into their corporate identity provider (Office365, OKTA, etc.) and is presented with a list of application icons, then in most cases, no further login prompt will be presented to the client. The LawVu homepage will simply appear once selected.

If the user initiates the login from the LawVu login page (https://go.lawvu.com) they will be required to enter their email address, which triggers the system to forward the login request to their corporate identity provider (O365, OKTA, OneLogin, etc.).


Supported SSO Standards

Our endpoints support:

SAML 2.0 for user authentication

SCIM 2.0 for user provisioning (automatic user creation, update and deactivation)

IMPORTANT: If you cannot achieve the automatic creation and deactivation of users in your LawVu account by utilising SCIM provisioning, our technical implementation team can assist by supporting Just in Time (JIT) user provisioning through SAML claims.

OKTA clients: Please ensure your OKTA instance includes the Lifecycle management license to support SCIM.


Supported SSO Providers

LawVu supports the below identity providers:

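| Identity Providers | SCIM | JIT        | Native App  |
|--------------------|------|------------|-------------|
| AzureAD            | YES  | YES        | YES         |
| OKTA               | YES  | YES        | YES         |
| OneLogin           | YES  | YES        | in progress |
| Google             | NO   | YES        | NO          |
| JumpCloud          | YES  | not tested | NO          |
| Sailpoint IIQ      | YES  | not tested | NO          |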

ADFS

While we've had successful SSO configurations with clients using an on-prem ADFS server, we want to inform you that LawVu does not officially support ADFS. However, our team is more than willing to provide the necessary SAML details to your IT department for configuration and testing purposes.

Custom SSO solutions and in-house developments

We may be able to support custom solutions for clients provided they adhere to the industry standards of SAML2.0 and SCIM2.0.


Security recommendations:

To increase security and avoid malicious access, every aspect of SSO implementation must be coupled with identity governance. LawVu recommends using two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security. Please talk to your IT department to check if your organization can use or already uses 2FA/MFA.


Frequently Asked Questions

LawVu’s SSO technical capabilities are very flexible, and the below questions will help your I.T. team better understand the requirements and supported features.

Does LawVu support authentication through SAML 2.0 using an Identity Provider such as Okta/Azure/OneLogin?

Yes. LawVu provides support for popular identity providers such as AzureAD (Office365), OKTA, OneLogin, Google, Sailpoint, and JumpCloud. It's worth noting that LawVu's support is not restricted to the mentioned providers only, as any IDP that supports SAML2.0 and SCIM2.0 can be supported by LawVu.

OKTA clients: please ensure your OKTA license includes Lifecycle management to utilize SCIM user provisioning.

Does LawVu provide instructions on how to configure SSO on the platform?

Yes, LawVu can provide guides for AzureAD, OKTA, OneLogin and a generic guide for compatible SAML & SCIM configurations.

Can the LawVu platform work in a mixed/hybrid mode allowing users to be able to sign in with and without SSO authentication?

Yes, LawVu can support a hybrid configuration. This allows the use of both SSO and LawVu-stored usernames/passwords when authenticating into LawVu. Please note that it is not recommended to have your SSO configured in a hybrid mode. However, there might be certain situations where hybrid access is required and requested by the client. In this instance, the LawVu technical team can enable hybrid mode on your account.

Can we have external parties like outside counsel, contractors or consultants access our LawVu instance?

In this case, a hybrid mode approach may be required but it is highly recommended to utilise our Vendor Engage module in this situation to ensure the highest level of security and keep your Single Sign-On (SSO) enforced. By using the Vendor Engage module, you will also have complete control over granting access to your individual matters and contracts to collaborate.

Please note that running a hybrid mode approach to give external parties access poses the risk of your IT department having no control over local LawVu users who use a simple username and password combination to access your LawVu account. Local LawVu user accounts must be managed by a LawVu legal administrator within the LawVu platform, resulting in two sources for user control. Once a local user account is created in LawVu, it remains active even if the user leaves their own organization, and the only way to prevent access is to manually disable the account in LawVu.

Does LawVu support SCIM 2.0 for user provisioning?

Yes, this standard is fully supported.

Does LawVu support permission-based role provisioning through SCIM?

Yes, LawVu supports role provisioning through AzureAD and OKTA.

Please note that enabling SCIM role provisioning will disable the ability to change and assign roles within the LawVu platform. The legal team member with administrative access usually does this task manually in LawVu. Please liaise with your legal team and clarify how roles should be assigned in LawVu before configuring the next step.


Does LawVu support JIT (Just In Time) user provisioning through SAML claims?

Yes, this standard is supported. Please note that with JIT there are certain limitations. Even though it is possible to create users through JIT provisioning after a successful login, it is not possible to disable a user’s account in LawVu via JIT.


Obsolete accounts must be manually disabled by the client's administrator within LawVu under the user management section. If this is delayed, there can be confusion. Once a user's account has been disabled by IT in the company's system, then login to LawVu will be denied. However, the person who left will still have an active account in LawVu and will also appear as an assignable resource under Matters and Contracts.
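The reconciliation check that the JIT and hybrid-mode caveats above call for, as an added example (not LawVu's code): it compares an identity provider user export with an application user export and lists application accounts that are still active without an active IdP identity behind them. The CSV column names, sample rows and domains are constructed assumptions, not the real export format of LawVu or any identity provider.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for illustration.
IDP_EXPORT = """email,status
alice@example.com,ACTIVE
bob@example.com,DEPROVISIONED
carol@example.co.uk,ACTIVE
"""
APP_EXPORT = """email,login_type,active
Alice@Example.com,sso,true
bob@example.com,sso,true
carol@example.co.uk,sso,false
dave@outside-counsel.example,local,true
erin@example.com,sso,true
"""
SSO_DOMAINS = {"example.com", "example.co.uk"}  # domains enabled for SSO (assumed)

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(idp_rows, app_rows, sso_domains):
    """Return {email: reason} for active app accounts the IdP does not back."""
    idp_known = {r["email"].strip().lower() for r in idp_rows}
    idp_active = {r["email"].strip().lower() for r in idp_rows
                  if r["status"].strip().upper() == "ACTIVE"}
    findings = {}
    for row in app_rows:
        email = row["email"].strip().lower()  # e-mail match is case-insensitive
        if row["active"].strip().lower() != "true":
            continue  # already disabled in the application
        if row["login_type"].strip().lower() == "local":
            findings[email] = "local account outside IdP control (hybrid mode)"
        elif email.rpartition("@")[2] not in sso_domains:
            findings[email] = "SSO account on a domain that is not allow-listed"
        elif email in idp_active:
            continue  # healthy: active on both sides
        elif email in idp_known:
            findings[email] = "disabled at IdP but still active in application"
        else:
            findings[email] = "no matching IdP identity"
    return findings

def run_sample():
    return audit(load(IDP_EXPORT), load(APP_EXPORT), SSO_DOMAINS)

if __name__ == "__main__":
    for email, reason in sorted(run_sample().items()):
        print(f"{email}: {reason}")
```

Accounts reported as "disabled at IdP but still active in application" are the ones that must be disabled manually when only JIT provisioning is in use.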

Does LawVu support multiple domains on the same LawVu instance?

Yes, LawVu supports multiple login domains on the same account. Please ensure that, with SSO in place, all required domains are whitelisted by the LawVu technician.

Does LawVu support multiple identity providers under the same LawVu instance?

Yes, LawVu supports multiple IDPs under the same account. For instance, the LawVu team can configure user provisioning and login from Office365 and OKTA under the same LawVu account. This is sometimes required if the corporate organization has multiple providers from different regions or if mixed user login is needed after a merger.

Is there a cost or additional license required to enable SSO in LawVu?

Yes, there is a cost to purchase the additional SSO feature. Please liaise with your sales consultant for pricing.

Why is there an additional cost for SSO and what is covered by this cost?

The SSO one-off payment covers the cost of purchasing an additional product feature of our LawVu platform. It also includes the implementation time required by a LawVu technician to complete the setup for the client and testing. Additionally, these costs also cover the ongoing maintenance of the SSO endpoints, including any future upgrades and security improvements.

Do I have to enter my email and password again to access LawVu?

That depends on the login flow. Please see the above paragraph about login flows.

Can I still manage users in LawVu with SSO in place?

No. Once SSO is implemented, all users are centrally managed by your organization's IT team through a secure system, which ensures a single point of control over user access within your organization.


