Please also refer to our SSO Information guide for a detailed explanation of what SSO is.
In this article:
I am not able to login through SSO
Please verify with your administrator that your LawVu account exists. Ensure you are using the correct email for login. Depending on the user creation method chosen by your IT department, account creation may take some time. Therefore, it's crucial to check with your LawVu admin and confirm that your account has been successfully created.
If your account is present in LawVu please let your LawVu admin verify that it is in an active state and not disabled.
I am not able to login through SSO even though my account exists in LawVu.
Domain whitelisting
Please ensure you have provided all login domains for whitelisting. If a domain is not whitelisted in our system, then login for this account with the unlisted domain will fail. Please contact our support team to whitelist domains.
User access granted
Furthermore, please ensure the user's account has been authorised to access the LawVu application via your Single Sign-On (SSO) solution. In situations where Just-In-Time (JIT) is employed, and the user's account in LawVu remains active despite not being granted access through SSO, such scenarios should be considered.
Certificate expired
It's possible that your certificate has expired. Typically, signing certificates have a lifespan of 3 years and must be renewed before expiration. If you're experiencing login issues potentially caused by an expired certificate, the first step is to check with your IT department, as they manage certificates and can verify the expiration. Once confirmed, provide the new certificate to our support team for updating. It is crucial to provide the certificate in the BASE64 format.
When communicating about certificates or sensitive information, ensure it's done from a secure email address that verifies your domain. For security reasons, our support team will not be able to process any updates that do not come from a registered email in the LawVu system.
Some users are not able to log in even though others can.
The user account might not exist yet in LawVu when the user tries to log in. Please check your directory to see if an account exists with the correct username/email.
Some users are not able to log in, and the UPN does not match the user's primary email address.
If your organisation employs Azure Active Directory (Azure AD) for user authentication via Single Sign-On (SSO), there may be a potential misalignment between the users' User Principal Name (UPN) and primary email address. Refer to the below guide extracted from our AzureAD guide for steps to address and mitigate such issues.
Please note: If you have a requirement to use the primary email address instead of the pre-configured UPN as the login then please follow this article.
Under Single-Sign-On and Attributes and Claims, please remove the below "user.mail" claim.
It is crucial that the the Required Claim "NameID" is matching the selected username under user attribute mappings.
If the attribute "username" under Provisioning is set to UPN then the Claim NameID must also match the UPN.
I want to reset my password
If your organization has Single Sign-On (SSO) in place, all password resets must be managed through your identity provider (e.g., O365, Okta, Google, etc.) and not through the LawVu platform.
Here's what you need to do:
SSO Handling:
With SSO enabled, password reset processes are handled within your identity provider's system. This means that the LawVu platform does not manage any password resets when SSO is in use.
Talk to your IT:
If you need to reset your password, contact your IT department or refer to your organization's password reset policies.
Note:
It's important to follow your organization's security policies and procedures when resetting passwords or managing your account credentials.
I am not able to invite a user into LawVu
With Single Sign-On (SSO) enabled, user invites are disabled within the LawVu platform. To add more users, please follow these steps:
Contact Your IT Department:
Reach out to your IT department or system administrator to add new users to the LawVu platform.
User Management through Your Identity Provider:
User management, including adding new users, is now controlled through your identity provider (e.g., O365, Okta, Google, etc.) and not through LawVu.
The LawVu support team does not have access to your identity platform and is unfortunately unable to help. For further assistance, please contact your IT support team.
User cannot be created or updated through SCIM provisioning:
Please ensure that all of the below attributes are part of your SCIM (POST or PATCH) request that is being sent.
Mandatory attributes:
Provider attribute | Application attribute |
First name | givenname |
Last name | familyname |
email or UPN (Azure) | username (email format) |
{UniqueID} | externalID |
Available attributes:
attribute name | maximum charachters |
username/email | 256 |
name/givenname | 100 |
familyname | 100 |
phonenumber | 50 |
title | 100 |
department | 100 |
User cannot be re-activated in LawVu
If a user account was previously created but then deactivated (due to parental leave, business unit change, long vacation, etc.) and now needs to be reactivated, please ensure you are re-enabling the existing account and not creating a new one in your identity provider platform. If a new account is created, the uniqueID will have changed, and this cannot be updated in LawVu as it will not find a matching user, causing the provisioning to fail. Please contact our support team for assistance.
User cannot be created or login through JIT provisioning:
Please ensure the user account has a unique ID set inside your identity platform and below mandatory SAML claims are all configured. It is required for the JIT process to uniquely identify the user account, which requires the uniqueID to be part of the SAML request so any changes to email or name can be accepted by our endpoint.
The NameID format must be set to email or emailaddress and is a mandatory claim in the SAML response.
idP Attribute on provider site | SAML response attribute |
FirstName | |
LastName | |
(unique identifier), this should be an attribute that is unique and immutable. objectID (Azure) or user.id (OKTA) | |
username (NameID) |
Please note that if the email is chosen as the unique identifier, there will be issues updating a user's account if that email changes in the future.
The creation or update of a user fails through SCIM or JIT.
If your organisation removes a user account from your identity provider and then creates a new account for that user, the unique ID will change. The SCIM protocol stores this unique ID in our database, and a change is not permitted. In this case, you'll need to contact our support to manually remove this unique ID from our system to allow a full update on this user's account. You might encounter entries in your SCIM log that refer to "external ID change not allowed" or similar messages.
SAML certificate update
Your SAML signing certificate has an expiration date and must be updated on time to ensure business continuity.
Using the SSO Self Service portal, you can directly update your certificate in LawVu. If your certificate has already expired and you need support to regain access, please ensure your IT team provides the certificate in the following format:
Single SAML signing certificate
BASE64 format
Please note that Metadata URL's in the XML format containing multiple SSO details and certificates will not be accepted by our support team.
Additional provider configuration to check
There might be some additional configuration switches that must be set correctly at your provider site, so our endpoint accepts the SAML response.
Signed SAML response | NO |
Signed Assertion | YES |
Encrypt Assertion | NO |
Guide Library to help you understand the configuration
Reporting a problem
Before you report a problem, can you please check provided guides and help articles. If the issue continues, then please reach out to our support team.