Single Sign On (SSO)
In this Article:
- Providers
- Only Allow Login via SSO
- Mix of SSO and LegalServer Credentials for Users
- Break the Glass Account (Hint: there isn't one)
- SSO and API Calls
- SSO and the Site Closed to Non-Admins Setting
Providers
LegalServer currently offers integration with three single sign on providers: Google Workspace, Microsoft, and Okta.
We currently use OpenID Connect with all three providers.
Only users who have accounts in your Google Workspace, Microsoft tenant, or Okta subscription will be able to use SSO. Pro bono users, contractors, and others will need to use password based logins.
Main Administration Page
Admin > Single Sign On (SSO) is the administration page, regardless of provider.
Tip: To change the values on this page, use the small "[Edit]" link in the upper right corner of the page.
Only Allow Login via SSO
- Setting the Global Enforcement Policy to "Enabled and Required" removes the username and password fields from the landing page and leaves users with only the "Single Sign-On" link.
- This will not work if people outside your organization log in, such as pro bono users or contractors, because they have no account in your identity provider. See the next section on having a mix of users.
Mix of SSO and LegalServer Credentials for Users
You can have some users logging in with SSO and others logging in with LegalServer credentials. A common use case is staff versus pro bono users, contractors, etc.
Setting the policy to "Enabled" allows this. Staff can use the SSO link, while others can enter a username and password.
You can still force staff to use SSO by setting their passwords to random values that are not known to the users, leaving the SSO link as their only way in. See: Edit Multiple Users Simultaneously.
Break the Glass Account
Spoiler: there isn't one. A common question is how an administrator would get into a site if SSO stopped working while the policy is set to "Enabled and Required", which hides the login fields. You would not be able to.
You would need to contact LegalServer support (support@legalserver.org) and ask us to set your site back to "Enabled", which exposes the login fields. Someone (presumably an Administrator) could then log in with LegalServer credentials, assuming they have valid ones.
NB: LegalServer staff can set a site back to "Enabled" at the request of a known administrator. We will not do that and also provide a password reset without further steps to ensure the request is not an attempt to gain unauthorized access to the site.
SSO and API Calls
API calls to the Reports API and the Core APIs do not check the SSO requirement when authenticating. An API call using either Basic or Bearer authentication will work even if SSO is set to "Enabled and Required". The SSO enforcement policy therefore does nothing to protect API credentials; manage, restrict, and rotate them separately.
SSO and the Site Closed to Non-Admins Setting
The Admin > Site Settings page has a "Site Closed to Non-admins?" setting. The SSO link on the login page does not bypass it. A user not assigned to the Administrator role can click the SSO link, but will get a message that the site has been shut down and to contact their administrator.