Single Sign-On (SSO) is a user authentication service that allows users to access all their SaaS applications with a single set of login credentials. With SSO, users can sign into the LawVu application using their corporate username and password, streamlining the login process and enhancing security.

SAML (Security Assertion Markup Language) is an XML-based standard that enables the secure exchange of user authentication and authorization data across different domains. In a SAML-based Single Sign-On (SSO) service, three main entities are involved: the user, the identity provider (such as the client's IT system that manages the user directory), and the service provider (like LawVu).

This setup allows users to authenticate once with the identity provider and then access multiple applications without needing to log in again, streamlining the user experience and enhancing security.
​

The System for Cross-domain Identity Management (SCIM) is a standardized protocol designed to automate the exchange of user identity information between identity providers and cloud applications. SCIM simplifies managing user identities in cloud-based applications by providing a common service protocol.

Once SCIM endpoints are set up on both the identity provider and the cloud application, they can seamlessly exchange information to create, read, update, and delete user accounts. This automation reduces the manual effort required for user provisioning and ensures that user attributes are consistently synchronized across systems.

SCIM also supports features like automatic provisioning of new accounts, deprovisioning of accounts when users leave an organization, and group provisioning, which allows entire groups of users to be granted access to necessary applications simultaneously.

This standardization not only enhances efficiency but also improves security by ensuring that user access is accurately managed and audited.
​

Just in Time (JIT) Provisioning is a SAML protocol-based method that is used to create users the first time they log in to an application via an identity provider. JIT provisioning eliminates the need to provision users or create user accounts manually.

To enable JIT provisioning, administrators must set up Single Sign-On (SSO) between the web application and the identity provider, ensuring required user attributes are included. This allows new users to automatically create their accounts upon first login, once access is granted at the identity provider side.

Additionally, any updates to user attributes (First Name, Last Name, email) in the identity provider are automatically reflected across the LawVu application.

This method can be used if SCIM is not available but there are certain limitations with JIT compared to SCIM.

Account automation (pre-creation and removal) is not possible with JIT. In order to create an account in LawVu, the user must successfully log in. Additionally, the legal team administrator has the responsibility of disabling a user's account within the LawVu platform to prevent it from being assigned as a resource in the future. As long as the user's account remains active in LawVu, it can be assigned to contracts and matters.

The below four claims are mandatory. If any one is missing in the SAML request then login will fail.

A unique identifier, like a Federation ID, is essential for matching user information from the identity provider with the user account in the application. This ensures accurate synchronization of user attributes and consistent account management.

To set up unique identifiers for JIT provisioning, configure your identity provider and target application to use a consistent and immutable attribute, such as an employee ID, or other unique identifier. Using a stable unique identifier avoids issues if an email address changes.

By following these steps, JIT provisioning will work smoothly, ensuring each user is uniquely identified and their attributes are synchronized across systems.

Please note the SAML attributes (claims) are not a website.

Please note that there is a difference between logins initiated from the client’s system (identity provider) and those initiated from the LawVu login screen (service provider). The main difference between identity-provider-initiated SSO and service-provider-initiated SSO is where users start the login process. IdP-initiated login requests start in the identity provider (e.g., Office365, OKTA), whereas SP-initiated login requests begin in the application users want to access.

If a user is already logged into their corporate identity provider (Office365, OKTA, etc.) and is presented with a list of application icons, then in most cases, no further login prompt will be presented. The LawVu homepage will simply appear once selected.

If the user initiates the login from the LawVu login page (https://go.lawvu.com), they will be required to enter their email address, which triggers the system to forward the login request to their corporate identity provider (Office365, OKTA, OneLogin, etc.).

Please note that LawVu does not support custom client domains, so users don't have to enter their email address.

The LawVu platform facilitates the configuration of multiple identity providers, with each configured domain directing users to the corresponding identity provider's login points. Any existing multi-factor authentication (MFA) details implemented by each provider will be utilized during the authentication process. The platform does not intervene with these MFA procedures; instead, it seamlessly hands over authentication to each domain's SAML authentication and their respective multi-factor authentication setups.

SAML 2.0 for user authentication

SCIM 2.0 for user provisioning (automatic user creation, update and deactivation)

IMPORTANT: If you cannot achieve the automatic creation and deactivation of users in your LawVu account by utilising SCIM provisioning, our technical implementation team can assist by supporting Just in Time (JIT) user provisioning through SAML claims.

OKTA clients: Please ensure your OKTA instance includes the Lifecycle management license to support SCIM.

While we've had successful SSO configurations with clients using an on-prem ADFS server, we want to inform you that LawVu does not officially support ADFS. However, our team is more than willing to provide the necessary SAML details to your IT department for configuration and testing purposes.

We may be able to support custom solutions for clients provided they adhere to the industry standards of SAML2.0 and SCIM2.0.

In this mode, SSO is fully deactivated, and only LawVu platform accounts are permitted to log in, bypassing any SSO settings. If an account was previously synchronised and SSO is subsequently deactivated, the user must reset their password to access LawVu.

This mode enables both SSO and non-SSO accounts to log in. Accounts that have received an SSO flag through SCIM or Just-in-Time provisioning will trigger the SSO flow. Accounts without the flag will be prompted for a platform username and password.

The enforced mode offers the highest level of security by requiring login through the configured identity provider. It is recommended after the configuration is finalized. Non-SSO accounts are locked out in this mode.

To increase security and avoid malicious access, every aspect of SSO implementation must be coupled with identity governance. LawVu recommends using two-factor authentication (2FA) or multifactor authentication (MFA) with SSO to improve security. Please talk to your IT to check if your organization can use or already uses 2FA/MFA.

Please be advised that the integration of Single Sign-On (SSO) entails the utilization of your company's identity provider for the administration of Multi-Factor Authentication (MFA/2FA), superseding the functionality of the LawVu platform in this regard.

LawVu’s SSO technical capabilities are very flexible, and the below questions will help your I.T. team better understand the requirements and supported features.

Does LawVu support authentication through SAML 2.0 using an Identity Provider such as Okta/Azure/OneLogin?

Yes. LawVu provides support for popular identity providers such as AzureAD (Office365), OKTA, OneLogin, Google, Sailpoint, and JumpCloud. It's worth noting that LawVu's support is not restricted to the mentioned providers only, as any IDP that supports SAML2.0 and SCIM2.0 can be supported by LawVu.

OKTA clients: please ensure your OKTA license includes the Lifecycle management to utilize SCIM user provisioning.

Does LawVu provide instructions on how to configure SSO on the platform?

Yes, LawVu can provide guides for AzureAD, OKTA, OneLogin and a generic guide for compatible SAML & SCIM configurations.

Can the LawVu platform work in a mixed/hybrid mode allowing users to be able to sign in with and without SSO authentication?

Yes, LawVu has the capability to facilitate a hybrid/mixed configuration, which permits the utilisation of both Single Sign-On (SSO) and LawVu-stored usernames/passwords for authentication into the LawVu system. It's essential to note that configuring SSO in a hybrid mode is not advisable. However, there could be specific scenarios where hybrid access is necessary and requested by the client. Should such a situation arise, the technical team at LawVu can activate hybrid mode for your account.

In this case, a hybrid mode approach may be required, but it is highly recommended to utilise our Vendor Spend Management in this situation to ensure the highest level of security and keep your Single Sign-On (SSO) enforced. By using the Vendor Spend Management, you will also have complete control over granting access to your individual matters and contracts to collaborate.

Does LawVu support SCIM 2.0 for user provisioning?

Yes, this standard is fully supported.

Please be advised that the integration of Single Sign-On (SSO) entails the utilisation of your company's identity provider for the administration of Multi-Factor Authentication (MFA/2FA), superseding the functionality of the LawVu platform in this regard. Once SSO has been enabled, any MFA/2FA requests are handled by your identity provider and not the LawVu platform.

Does LawVu support permission-based role provisioning through SCIM?

Yes, LawVu supports role provisioning through AzureAD and OKTA.

Please note that enabling SCIM role provisioning will disable the ability to change and assign roles within the LawVu platform. The legal team member with administrative access does this task manually in LawVu. Please liaise with your legal team and clarify how roles should be assigned in LawVu before configuring the next step.

Yes, this standard is supported. Please note that with JIT there are certain limitations. Even though it is possible to create users through JIT provisioning after a successful login, it is not possible to deactivate a user’s account in LawVu via JIT.

Obsolete accounts must be manually deactivated by the client's administrator within LawVu under the user management section. If this is delayed, there can be confusion. Once a user's account has been disabled by IT in the company's system, then login to LawVu will be denied. However, the person who left will still have an active account in LawVu and will also appear as an assignable resource under Matters and Contracts.

Does LawVu support multiple domains on the same Lawvu instance?

Yes, LawVu supports multiple login domains on the same account. Please ensure that, with SSO in place, all required domains are whitelisted by the LawVu technician.

Does LawVu support multiple identity providers under the same LawVu instance?

Yes, LawVu supports multiple IDPs under the same account. For instance, the LawVu team can configure user provisioning and login from Office365 and OKTA under the same LawVu account. This is sometimes required if the corporate organisation has multiple providers from different regions or if a mixed user login is needed after a merger.

Do I have to enter my email and password again to access LawVu?

That depends on the login flow. Please see the above paragraph about login flows.

Can I still manage users in LawVu with SSO in place?

No. Once SSO is implemented, all users are centrally managed by your organisation's IT team through a secure system, which ensures a single point of control over user access within your organisation.

No, the SSO login process through Outlook or any other add-in is precisely the same as through the website or your identity provider.

No. Adding attributes is currently not supported.
​

It is required for the JIT process to uniquely identify the user account, which requires the uniqueID to be part of the SAML request so any changes to email or name can be accepted by our endpoint.

Please note that if the email is chosen as the unique identifier, there will be issues updating a user's account if that email changes in the future as this attribute is immutable in our database.

When does the application disable or revoke user access?

Once a user is removed from the client's identity provider SSO group through the utilisation of the SCIM protocol, they are marked for deactivation in Lawvu. Please note the above limitations if JIT is used, where a user cannot be deactivated in Lawvu.

​Following de-provisioning or manual disabling of a user's account, are users retained within the system?

Users are maintained in the system to preserve a historical record of their participation in matters and/or contracts. However, they are deactivated to prevent future association with matters and/or contracts.

Before you report a problem, can you please check provided guides and help articles. If the issue continues, then please reach out to our support team.