Features
You will have the ability to create and manage all SSO settings yourself. However, this part of the platform is intended to be configured by an IT professional.
Requirements
You will require a LawVu administrator account and must have the SSO Self-Service portal activated for your account. Please contact our support team if you do not see this feature in your settings.
Please note that the LawVu team cannot create a user administrator account for you. You must contact one of your LawVu administrators so they can invite you into LawVu and create a user account for you.
Please use the below provider specific guides in conjunction with this guide.
Please pay attention to the related help article if the UPN does not match the primary email in your Azure tenant: user login will fail if this is misconfigured.
Creating an SSO provider
Access the SSO tab from Settings to begin configuring your Single Sign-On (SSO) settings.
Click on "Add SSO Provider" to start a new SSO configuration. Please note that SSO providers cannot be deleted but can be deactivated.
After creating an account, use the "Configure" button to enter your settings.
This screen also provides an overview of the SSO state and the selected provisioning type. It also indicates whether manual user email invites are enabled. It's important to note that when SSO is configured, all manual email invites are deactivated, as users will be managed entirely by the IT team and through the identity provider.
Configuration screen overview
1. Choose from three SSO modes:
Deactivated (SSO is turned off)
Hybrid (Allows both SSO and non-SSO account logins)
Enforced (Only SSO accounts can login, other accounts are locked out)
2. Service provider settings (LawVu): Select user provisioning as SCIM or JIT, and use the corresponding URL and secret token at your identity provider site.
3. Identity provider settings (AzureAD, OKTA, etc.): Enter your identity provider SAML settings. This is also known as your SAML metadata.
4. Domain whitelisting: Control which domains are allowed to log in. Note that this only applies to SSO logins, not to LawVu non-SSO accounts created with usernames and passwords within the platform.
5. If SSO Roles are enabled, set up the mapping here and select a fallback default role if role provisioning fails or is misconfigured. This box is not visible if role provisioning is not activated.
6. If SSO Roles are disabled, select a default role that applies to all newly provisioned accounts.
SSO modes
Deactivated
In this mode, SSO is fully deactivated, and only LawVu platform accounts are permitted to log in, bypassing any SSO settings. If an account was previously synchronized and SSO is subsequently deactivated, the user must reset their password to access LawVu.
Hybrid
This mode enables both SSO and non-SSO accounts to log in. Accounts that have received an SSO flag through SCIM or Just-in-Time provisioning will trigger the SSO flow. Accounts without the flag will be prompted for a platform username and password.
Enforced
The enforced mode offers the highest level of security by requiring login through the configured identity provider. It is recommended after the configuration is finalized. Non-SSO accounts are locked out in this mode.
Configuration tip:
The recommended configuration flow is to set the mode to "Hybrid" and sync an initial set of test users to verify login. Once all users have been synced, SSO should be set to "Enforced".
Service Provider Settings
Provisioning
Select SCIM (preferred) or JIT as your user provisioning method, noting the limitations of JIT provisioning as described in our SSO guide.
SCIM Provisioning URL
Copy this Base URL into your provider's SCIM settings.
SCIM Provisioning Token
This is the provisioning token needed to access the above Base SCIM URL.
Ensure you have started the provisioning cycle at your provider site!
JIT Provisioning
When configuring JIT as the provisioning method, please ensure your SAML Response has ALL of the below attributes set up. If any of them is missing, the login will fail.
The NameID format must be set to email or emailaddress and is a mandatory claim in the SAML response.
IdP attribute on provider site | SAML response attribute
First Name |
Last Name |
(unique identifier) |
The unique identifier should be an attribute that is unique and immutable.
Please note that if the email is chosen as the unique identifier, there will be issues updating a user's account if that email changes in the future.
SAML ACS Reply URL
This is the SAML URL that your provider will use to initiate the login to LawVu. Please copy and paste this into your provider's ACS URL setting. Please note that every provider can name this differently.
This can also be called:
Reply URL (Assertion Consumer Service URL)
Base URL
ACS Consumer URL
ACS URL
SAML Entity ID
You can choose your Entity ID in LawVu and then paste this into your IdP settings. Please note that every provider can name this differently.
This can also be called:
Identifier
Entity ID
Audience Uri
SAML Audience URL
LawVu recommends simply using https://lawvu.com as the Entity ID.
Please do not mix this up with the identifier provided by your IdP. The service provider site and the identity provider site each have their own identifier.
Examples:
In Azure, this Entity ID should be pasted under the Entity ID field.
In OKTA, this should be placed under Audience URI.
Identity Provider Settings
IDP Issuer/Identifier
Transfer your SAML Issuer/Identifier from your IdP (AzureAD, OKTA, etc.) settings. This is also called the Microsoft Entra Identifier, entityID, or Issuer URL.
IDP Login URL
Transfer your SAML Login URL from your IDP settings. This must be the SAML POST URL.
IDP Certificate
Please paste your SAML signing certificate (Base64) into the provided placeholder. If you have a .cer file, open it in a text editor and paste its content into this field.
Exclude the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines when pasting into the LawVu configuration field.
Domain Whitelisting
For Domain Whitelisting, enter your email domain exactly, as this is what triggers the SSO login flow. A mistyped domain will prevent account login. If your system syncs multiple domains, enter all of them. Non-SSO accounts do not require whitelisting.
Default user role
Default User Role: Newly created accounts are assigned the "Standard user" role by default. Adjust this behaviour by configuring the settings below. Note that this default role is only assigned when an account is provisioned via SCIM or JIT.
SCIM Role Mapping
If your organisation wants to utilise SCIM for user role provisioning, please reach out to our support team as this feature is disabled by default and must be enabled upon request.
Please be aware that role provisioning is only compatible with SCIM, and there are extra configuration steps needed for OKTA and AzureAD. Please take a look at each provider's guide in our help articles for detailed instructions, and for the restrictions that apply to the Legal Team's LawVu administrator after configuration.
The setup has pre-filled the identity provider names, which can be modified if necessary. Please ensure the values match exactly, as they will be directly passed through in the SCIM request.
If there is a misconfiguration or misspelling for any reason, the fallback user role below will apply.
Additional configuration details
There may be additional configuration switches that must be set correctly at your provider site so that our endpoint accepts the SAML response.
Setting | Required value
Signed SAML response | NO
Signed Assertion | YES
Encrypt Assertion | NO
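As an added example (not LawVu code), the following script checks a SAML Response against the JIT attribute requirements above and the three signing switches in this table: the NameID is present in emailAddress format, every required attribute is there, the Assertion carries a signature while the Response does not, and nothing is encrypted. The attribute names (firstName, lastName, objectId) and the sample response are assumptions constructed for the demonstration; the check confirms structure only and does not cryptographically verify the signature.

```python
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def check_saml_response(xml_text, required_attrs):
    """Return a list of problems found; an empty list means the response passes.
    Structural checks only: signature values are not cryptographically verified."""
    problems = []
    root = ET.fromstring(xml_text)
    # Table above: Signed SAML response = NO, Encrypt Assertion = NO, Signed Assertion = YES
    if root.find("ds:Signature", NS) is not None:
        problems.append("Response element is signed (expected: NO)")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("Assertion is encrypted (expected: NO)")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plain saml:Assertion element found")
        return problems
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed (expected: YES)")
    # NameID is a mandatory claim and must use the emailAddress format
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("NameID missing from Subject")
    elif name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is %r, expected emailAddress" % name_id.get("Format"))
    # Every attribute LawVu JIT needs must be present, otherwise login fails
    present = {a.get("Name") for a in
               assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in required_attrs:
        if name not in present:
            problems.append("attribute %r missing; JIT login would fail" % name)
    return problems

# Constructed sample response (not a real IdP capture); attribute names are assumptions
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<saml:Assertion><ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID></saml:Subject>
<saml:AttributeStatement>
<saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    # The sample lacks the assumed unique identifier attribute, so one problem is reported
    print(check_saml_response(SAMPLE, ("firstName", "lastName", "objectId")))
```

Paste a decoded SAML Response captured from your own test login in place of SAMPLE to see which of the requirements above it fails before enabling JIT.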
Reporting a problem
Before you report a problem, please check the provided guides and help articles. If the issue continues, please reach out to our support team.