🛠️Features
You will have the ability to create and manage all SSO settings yourself. However, this part of the platform is intended to be configured by an IT professional.
⚠️Requirements
To configure SSO, you must have a LawVu administrator account and the SSO Self-Service portal activated. If you do not see this feature in your settings, please contact the LawVu support team for assistance.
Please note that the LawVu support team cannot create administrator accounts on your behalf. To gain access, please contact one of your organization’s LawVu administrators. They can invite you into LawVu and create your user account directly.
📄Guide Library
It is strongly recommended to refer to the provider-specific guides below in conjunction with this guide.
Please review this article carefully if the User Principal Name (UPN) does not match the primary email address in your Azure/Entra ID tenant, as misconfiguration will result in login failures.
🧠SSO dashboard (Quick reference)
Select from three available modes:
Deactivated - SSO is turned off
Hybrid - Allows both SSO and non-SSO account logins
Enforced - Only SSO accounts can log in; all others are locked out
Choose user provisioning method as SCIM or JIT
Copy the SCIM URL and secret token into your identity provider (IdP) app
Copy the SAML ACS URL and chosen identifier into your IdP app
Enter your SAML metadata details (Login URL, Identifier and Certificate)
Define all allowed login domains for SSO users
Only users with emails matching these domains will trigger the SSO login flow
Non-SSO accounts manually invited (username/password) will bypass this check
Map IdP roles to LawVu roles.
Set a fallback role for cases where mapping fails.
This section appears only if role provisioning is enabled.
Assign a default role for all newly provisioned accounts.
🧰Create an SSO provider
Access the SSO tab from Settings to begin configuring your Single Sign-On (SSO) settings.
Click on "Add SSO Provider" to start a new SSO configuration. Please note that SSO providers cannot be deleted but can be deactivated.
After creating an account, use the "Configure" button to enter your settings.
This screen shows the current SSO state, provisioning type, and whether manual email invites are enabled. When SSO is active, manual invites are automatically disabled and user management shifts entirely to the identity provider and IT controls.
1. Select SSO mode
🔒Deactivated
SSO is fully disabled. Only LawVu platform accounts are permitted to log in, bypassing all SSO settings. If an account was previously synchronized via SCIM or JIT and SSO is subsequently deactivated, the user must reset their password to regain access.
🔀Hybrid
Both SSO and non-SSO logins are permitted. Accounts flagged for SSO via SCIM or Just-in-Time provisioning will initiate the SSO flow. Accounts without the SSO flag will be prompted for their LawVu username and password.
✅Enforced
SSO is mandatory. All users must authenticate via the configured identity provider. This mode is recommended once configuration is complete. Non-SSO accounts are denied access.
ℹ️Configuration tip:
Start with Hybrid mode to validate login for initial test users. Once all users are successfully synchronized, switch to Enforced mode to secure access.
2. Configure Service Provider Settings
🧑💼2.1 Provisioning Options
You can choose between two user provisioning methods. Select the method that best aligns with your identity provider capabilities and check our Guide Library above.
SCIM (recommended): Supports automated user lifecycle management and is ideal for most enterprise setups.
JIT (Just-in-Time): Creates users dynamically at login via SAML.
⚠️ Note: JIT has limitations. Refer to our SSO guide for details.
🔗 2.2 SCIM Setup
SCIM Provisioning URL
Copy this Base URL into your provider's SCIM settings.
SCIM Provisioning Token
Use this token to authenticate access to the SCIM Base URL.
✅ Ensure you have started the provisioning cycle at your provider site!
🔧2.3 JIT Setup
When using Just-in-Time (JIT) provisioning, your SAML response must include all of the following attributes. If any are missing, login will fail.
IdP Attribute (Provider site) | SAML Response Attribute |
NameID | Must be set to |
First Name | |
Last Name | |
Unique Identifier (unique & immutable) |
⚠️ Important:
If you use email as the Unique Identifier, user updates will fail if the email address changes in the future. Choose an attribute that is both unique and immutable to avoid provisioning conflicts.
📡2.4 SAML ACS Reply URL
This is the SAML URL your identity provider uses to initiate login to LawVu. Copy and paste it into your provider’s ACS URL (Assertion Consumer Service URL) settings.
ℹ️ Terminology may vary across providers. This field may also be labeled as:
Reply URL
Base URL
ACS Consumer URL
ACS URL
🆔2.5 SAML Entity ID
You can define your Entity ID in LawVu, then copy it into your identity provider (IdP) settings.
ℹ️ Terminology varies across platforms. This field may also be labeled as:
Identifier
Entity ID
Audience URI
SAML Audience URL
LawVu recommends using "https://lawvu.com" as the EntityID.
⚠️Do not confuse this with the identifier provided by your IdP. The Service Provider (LawVu) and the Identity Provider (IdP) each have their own distinct identifiers.
🧰Examples:
Entra ID: Paste the LawVu SAML Entity ID into the Entity ID field.
Okta: Paste the LawVu SAML Entity ID into the Audience URI field.
3. Configure Identity Provider Settings
🔐 3.1 IDP Issuer/Identifier
Transfer your SAML Issuer/Identifier from your IdP (e.g., Azure AD, Okta).
ℹ️ Terminology varies across platforms. This field may also be labeled as:
Microsoft Entra Identifier
Entity ID
Issuer
🔗3.2 IDP Login URL
Transfer your SAML Login URL from your IdP settings. This must be the SAML POST URL.
ℹ️ Terminology varies across platforms. This field may also be labeled as:
Login URL
Sign On URL
🧾3.3 IDP Certificate
Paste your BASE64-encoded SAML signing certificate into the provided field. If you have a .CER file, open it in a text editor and copy the content, excluding the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
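The Python sketch below is an added example, not LawVu's code. It produces the value described above from a .CER file and goes one step further than the text: it also handles a binary (DER) export, which cannot be copied from a text editor, and returns a SHA-256 fingerprint of the decoded bytes so two copies can be compared. The function name and the sample bytes are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DER_PREFIX = b"\x30\x82"  # ASN.1 SEQUENCE with a two-byte length, as X.509 certificates start

def cert_field_value(raw: bytes):
    """Return (single-line Base64 body, SHA-256 fingerprint) for a .CER file.

    Accepts PEM text, a bare Base64 body, or binary DER. Only the outer DER
    tag is checked; the certificate itself is not parsed or validated.
    """
    if raw.startswith(DER_PREFIX):            # binary DER export, unreadable in an editor
        der = raw
    else:
        text = raw.lstrip(b"\xef\xbb\xbf").strip()   # drop UTF-8 BOM and outer whitespace
        blocks = PEM_RE.findall(text)
        if len(blocks) > 1:
            raise ValueError("file holds several certificates; paste only the signing one")
        body = re.sub(rb"\s+", b"", blocks[0] if blocks else text)
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not valid Base64: {exc}") from None
        if not der.startswith(DER_PREFIX):
            raise ValueError("decoded data does not look like a DER certificate")
    return base64.b64encode(der).decode("ascii"), hashlib.sha256(der).hexdigest().upper()

# Constructed stand-in bytes (not a real certificate), in PEM and DER form.
SAMPLE_DER = DER_PREFIX + b"\x00\x08" + b"\x00" * 8
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    value, sha256 = cert_field_value(SAMPLE_PEM)
    print(value)
    print("SHA-256:", sha256)
```

For a real file, pass the result of open(path, "rb").read() to cert_field_value and paste the first returned value into the certificate field.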
🌐4. Domain Whitelisting
Ensure your email domain is entered correctly to trigger the SSO login flow. Non-SSO accounts do not require domain whitelisting.
⚠️ A mistyped domain or extra spaces can prevent account access.
🧭If your system syncs multiple domains, list all of them in the whitelisting settings.
🔍 Remove any leading or trailing spaces when entering domains.
📄5. SCIM Role Mapping
SCIM role provisioning is optional. If your legal team prefers to manage roles directly in LawVu, this setup isn’t required.
🚫This feature is disabled by default and must be enabled upon request. Please contact the LawVu support team to have it enabled.
ℹ️Role provisioning is only compatible with SCIM, and requires additional configuration for Okta and Azure AD.
⚠️Limitations after configuration
Enabling SCIM role provisioning disables manual role changes in LawVu. Confirm with your legal team how they prefer to assign user roles before proceeding.
The setup includes pre-filled identity provider names, which can be modified if needed.
✅ Ensure the values match exactly, as they are passed directly in the SCIM request.
⚡If there's a misconfiguration or typo, the fallback user role listed below will be applied automatically.
🧑6. Default user role
Newly created accounts are assigned the Standard user role by default.
ℹ️ This setting applies only to accounts provisioned via SCIM or JIT.
🔍 You can adjust this behavior using the settings below.
🪛 Additional SAML configuration details
Your identity provider may require additional configuration to ensure LawVu accepts the SAML response.
⚠️ Ensure the following settings are applied:
Signed SAML response | ❌ No |
Signed Assertion | ✅ Yes |
Encrypt Assertion | ❌ No |
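As an added example (not LawVu's code), the Python check below inspects a Base64-encoded SAMLResponse captured from a test login and reports where its structure differs from the settings in the table above, plus two items from earlier sections: the Audience must contain the SAML Entity ID and a NameID must be present. The function names and the sample response are assumptions constructed for illustration, and the check looks at structure only; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "a": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_saml_response(b64_response, entity_id):
    """Return findings for a captured SAMLResponse; an empty list means it matches.

    Structure check only: the signature is not verified cryptographically.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.find("a:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted (Encrypt Assertion must be No)")
    if root.find("ds:Signature", NS) is not None:
        findings.append("response is signed (page lists Signed SAML response: No)")
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion element"]
    if assertion.find("ds:Signature", NS) is None:
        findings.append("assertion is unsigned (Signed Assertion must be Yes)")
    audiences = [e.text.strip() for e in assertion.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        findings.append(f"Audience {audiences} lacks Entity ID {entity_id!r}")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing or empty")
    return findings

def sample_response(signed=True, audience="https://lawvu.com"):
    """Constructed test input: empty Signature element and a made-up user."""
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = (
        '<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion"><a:Assertion>'
        f"{sig}<a:Subject><a:NameID>user@example.com</a:NameID></a:Subject>"
        f"<a:Conditions><a:AudienceRestriction><a:Audience>{audience}</a:Audience>"
        "</a:AudienceRestriction></a:Conditions></a:Assertion></p:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(sample_response(signed=False), "https://lawvu.com"))
```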
🧑💻 Reporting a problem
Before you report a problem, please check the provided guides and help articles first. If the issue persists, reach out to our support team for assistance.