Microsoft Azure AD Single Sign On (SSO)
Purpose: Provide Single Sign On to log in to LegalServer using Microsoft Azure AD identity management. Users logged into the Microsoft cloud environment need only click a hyperlink to log into LegalServer.
Cost: $1,800.00 one-time setup fee. $50/month added to standard maintenance fee. To get this module enabled, file a ticket from your site requesting it and we will send a change order to start the process.
Requirements: Microsoft Azure AD (the cloud product)
Users Can't Log In with SSO
Please check that your Client ID and Client Secret are correct. An expired client secret or other authentication failure will result in users seeing a message like "Error validating code. Possible timeout. Try again" on the login page after clicking the SSO link.
Unique Email Addresses Required
The same email address used in more than one user account in LegalServer will prevent SSO from authenticating for any user with the repeated email address.
Be sure whatever email you will test with (yours, presumably) is ONLY used for one account. Some people put their email address in as the email address on an API account, which would not work. Each user needs a unique email.
The Admin page in LegalServer contains an SSO Ready Check button that can help identify duplicate email addresses. It will also list user accounts that do not have an email address.
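As an added example (not LegalServer's SSO Ready Check and not part of the original article), the same two conditions can be checked offline against a user export before SSO is enabled. The CSV layout, the column names and the case-insensitive comparison are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names (user_id, login, email) are
# assumptions, not LegalServer's actual export format.
SAMPLE_EXPORT = """user_id,login,email
101,jdoe,jdoe@example.org
102,asmith,asmith@example.org
103,api_reports,JDoe@example.org
104,intake_kiosk,
105,bnguyen, bnguyen@example.org
"""


def sso_email_precheck(csv_text, email_col="email", id_col="login"):
    """Return (duplicates, missing) for a user export.

    duplicates: {normalized_email: [accounts sharing it]}
    missing:    [accounts with no email address]
    """
    by_email = defaultdict(list)
    missing = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        account = (row.get(id_col) or "").strip()
        # Assumption: compare case-insensitively and ignore stray whitespace,
        # so "JDoe@example.org" and "jdoe@example.org" count as one address.
        email = (row.get(email_col) or "").strip().lower()
        if not email:
            missing.append(account)
        else:
            by_email[email].append(account)
    duplicates = {e: accts for e, accts in by_email.items() if len(accts) > 1}
    return duplicates, missing


if __name__ == "__main__":
    dups, no_email = sso_email_precheck(SAMPLE_EXPORT)
    for email, accounts in sorted(dups.items()):
        print(f"DUPLICATE {email}: {', '.join(accounts)}")
    for account in no_email:
        print(f"NO EMAIL  {account}")
```

In the constructed sample, the API account reuses a staff member's address with different capitalization, which is the situation described above.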
Microsoft Azure Configuration
Single Sign On settings affect the security of your agency's data. If your admin staff has any questions at all about configuring Microsoft Azure AD securely, we encourage you to get the help of a consultant. Our staff can provide you with contact information for consultants who have worked on Microsoft integrations with LegalServer.
If you feel comfortable configuring SSO on Azure AD, you may find this Microsoft help article helpful: https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-openid-connect-code. For step-by-step instructions (as of May 2020) you can also view our help article on Agency-Side Administrator Setup for Azure AD SSO.
For Azure setup, you'll need to know that your LegalServer SSO redirect URL is: https://aws-auth.legalserver.org/sso. Find this setting under Azure Active Directory > App Registrations > your enterprise app > Authentication > Redirect URIs (this is the same thing as Reply URI).
Once Single Sign On is enabled for your site, configure Azure AD on the Admin > Single Sign On page:
You will need from Microsoft Azure AD:
a Client ID and
a Client Secret
The Authentication URL parameter may or may not be required depending on your setup in Azure. If you need it, it will be your Microsoft Tenant Identifier. Azure AD details change and are beyond the scope of this help document.