AzureAD (Office365) - Mapping Roles to LawVu Roles via SSO

This guide describes creating custom roles and the attribute mapping required for SCIM provisioning.

Written by Martin Walzak
Updated over 2 weeks ago



Features

LawVu provides the ability to map your AzureAD roles into LawVu roles. This enables the configuration of access roles via your existing IT tools, which ensures central management of users and permissions. To use automatic role mapping in your LawVu app, both steps below must be completed and configured in your Azure AD app.


Limitations

PLEASE READ: Restrictions after implementation

This is an optional configuration to provision roles, which means it's not necessary if your legal team prefers to configure roles within the LawVu platform.

However, if you choose to use SCIM role provisioning, please note that it will disable the ability to change and assign roles within the LawVu platform. The legal team member with administrative access typically handles this task manually in LawVu.

Before proceeding, it's essential to liaise with your legal team and clarify how roles should be assigned in LawVu.

It's important to note that enabling roles in Azure under the LawVu application requires you to assign a role to every user or group added to the application. This requirement is designed by Microsoft and is not influenced by the LawVu app.

Utilizing Teams in conjunction with role provisioning.

Please be aware that Team and Role provisioning cannot be utilized if members of the same team have different roles within the same group. Both Azure and Okta are designed to pass through only a single role at the group level. Therefore, assigning different roles to individual users would conflict with the overarching role established for that group.

Configuring four groups, one for each of the four roles in LawVu, will be effective, as roles will be assigned at the group level.


Requirements

You will require administrator access to your AzureAD (Office365) tenant and will also need to be in touch with a LawVu technical contact in order to create the mapping in LawVu.


Known Issues:

Please take note of the potential issue that might arise during role configuration and group assignment to applications. Misconfigurations can lead to quarantine errors, resulting in a halt to user provisioning.

Role Assignment: Azure allows roles to be assigned to both individuals and groups. However, this introduces a risk explained below.

Role Reusability Limitation: Application roles cannot be used in multiple instances when a group and an individual user are involved. This situation arises when a user is assigned to the application and is also a member of a group that has been assigned to the same application.

Solution: When utilising role provisioning, remember that Azure enforces a constraint on role reuse, allowing a user to be assigned only once to an application. This understanding can help you navigate the challenges effectively.
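
A pre-flight check for the conflict described above and for role values that were never mapped, as an added example that is not LawVu's or Microsoft's code. It runs over a constructed export of the app's assignments and group membership; the field names, IDs and role values are assumptions.

```python
from collections import defaultdict

# Constructed sample export of the LawVu enterprise app's "Users and Groups"
# assignments. Field names and role values are assumptions for illustration.
ASSIGNMENTS = [
    {"type": "Group", "id": "g-admin", "role": "LawVuAdministrator"},
    {"type": "Group", "id": "g-legal", "role": "LawVuInHouseLegal"},
    {"type": "User", "id": "u-alice", "role": "LawVuContributor"},
    {"type": "User", "id": "u-dave", "role": "LawVuStandardUser"},
    {"type": "User", "id": "u-erin", "role": "User"},  # default role per this guide
]
# Constructed group membership: group id -> member user ids.
GROUP_MEMBERS = {"g-admin": ["u-alice", "u-bob"], "g-legal": ["u-bob", "u-carol"]}
# Hypothetical App Role values and the LawVu roles they were mapped to.
ROLE_MAP = {
    "LawVuAdministrator": "Administrator",
    "LawVuInHouseLegal": "In House Legal",
    "LawVuContributor": "Contributor",
    "LawVuStandardUser": "Standard User",
}

def find_conflicts(assignments, group_members, role_map):
    """Return (conflicts, unmapped).

    conflicts: user id -> list of (source, role) for every user who reaches
               the app through more than one assignment (direct and/or group).
    unmapped:  sorted role values that have no LawVu role in role_map.
    """
    paths = defaultdict(list)
    unmapped = set()
    for a in assignments:
        if a["role"] not in role_map:
            unmapped.add(a["role"])
        if a["type"] == "User":
            paths[a["id"]].append(("direct", a["role"]))
        else:  # group assignment: every member inherits the group's role
            for uid in group_members.get(a["id"], []):
                paths[uid].append((a["id"], a["role"]))
    conflicts = {u: p for u, p in paths.items() if len(p) > 1}
    return conflicts, sorted(unmapped)

if __name__ == "__main__":
    conflicts, unmapped = find_conflicts(ASSIGNMENTS, GROUP_MEMBERS, ROLE_MAP)
    for user, sources in sorted(conflicts.items()):
        print(f"{user}: assigned more than once -> {sources}")
    for role in unmapped:
        print(f"role value {role!r} has no LawVu mapping")
```

Resolving every flagged user to a single assignment before enabling provisioning avoids the quarantine condition this section describes.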

Please see below the error message that will be logged if the configuration is incorrect.


AzureAD - Role creation and user assignment

Access the Enterprise app LawVu and select “Users and Groups”. Click on “Application Registration”. Please note below the role assigned to a test user, which shows as “User” by default.

Click on “Create App Role” and create your LawVu roles here.

IMPORTANT: The values chosen under the "VALUE" section (red box) must be provided to your LawVu implementation team to create the mapping between LawVu's role and the values configured. The value on your side must be manually matched to the corresponding value on the LawVu site by a LawVu technician.

The below four LawVu roles are available for mapping:

  • Administrator

  • In House Legal

  • Contributor

  • Standard User

For example, if you choose to name one of the roles "LawVuAdministrator" in your setup, you must let us know that you want this value mapped to the available role of "Administrator" in LawVu. The same procedure applies to the remaining roles for In House Legal, Contributor and Standard User.

Go back to your LawVu app and to “Users and Groups”. Add a user or a group and assign a role.

Add a user or group, select the required role and apply.

Please note how the role assignment changed for our assigned user.

You can also change the role for an already existing user account or group under the app. Go to “Users and Groups”. Tick the box next to the user account and click on “Edit Assignment”.

Select the role as in the previous steps and assign it to the user.

It is also recommended to use four groups, one for each role, to control roles via Security Groups. The layout might look like the below:


AzureAD - Role attribute mapping for SCIM provisioning.

Create a custom attribute mapping for roles under Provisioning. Click on "Edit attribute mapping".


Expand Mappings and click on Provisioning AzureAD Users.


Scroll down and add a new mapping.

Create a new custom attribute mapping with the values below.

Type: Expression

Expression: AppRoleAssignments([appRoleAssignments])

Target attribute: roles[primary eq "True"].value

Be sure to save your new settings and provide all newly created User roles to the LawVu technical team. All roles must be mapped on the backend of your LawVu configuration by a LawVu support team member. Without this backend mapping, the roles will not apply to any of your accounts.

OR

If you're using our SSO self-service portal, this information can be configured there.


Reporting a problem

Before submitting a problem report, kindly review ALL the settings mentioned above. If the problem continues, please reach out to our support team for further assistance.
