Legalsense can connect and log in users via Single Sign-On (SSO).
We currently support Microsoft Azure AD as a provider, but will be adding more SSO providers in the future.
To use SSO, the following steps need to be completed:
1. Enable SSO.
SSO needs to be enabled in Legalsense. This is a setting that can be turned on/off by a Legalsense employee. To change this setting, please call or email our support department.
2. Add a provider.
Under 'Settings' - 'Security' - 'Single Sign-On' a provider must be added via the button 'New Single Sign-On Provider'.
Next, the following data should be entered for this:
- Tenant ID: You can find this in your Microsoft Azure account in the overview under your name.
- Client ID: this requires a new app registration in Microsoft Azure. Go to "App registrations" and choose "New registration". Choose "One tenant", and select "Web" for the redirection URL. In the redirection URL field, enter https://yourfirmname.legalsense.nl/single_signon/microsoft_azure/callback/.
Once you have created the registration, copy the 'Application (client) ID' into Legalsense.
- Client secret: In Microsoft Azure, go to 'Client credentials' and click 'New client secret'. Copy the value and ignore the 'Secret id'. (Note! After you generate the client secret, its value is only visible for a short time. Keep it in a secure place with controlled access.)
- Group ID: here you enter the Object ID of your group from Microsoft Azure.
3. Set up client access.
In Microsoft Azure, go to 'API Permissions'. Then click on 'New Permission' - 'Microsoft Graph' - 'Application Permissions' and select 'GroupMember.Read.All' and 'User.Read.All'. You need to remove the access for 'User.Read'.
4. Grant admin permission.
Caution! This step can only be done by an Admin user.
Caution! For the permission, the 'Application permission' type should be selected.
Click on the 'Grant admin permission for...' button. You should then be taken to the following screen:
Finally, you can also indicate in Legalsense whether logging in through Microsoft Azure should be enforced for all users that are linked. You do this with the very last setting in Legalsense:
All active users who are not yet linked will still be able to log in the usual way with a login name and password.
When the above steps have been completed and the correct data has been entered when creating the provider in Legalsense, you can press 'Save'. After this, the SSO configuration is complete.
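The following added example (not Legalsense or Microsoft code) checks an exported app registration against steps 2 and 3: single tenant, the Legalsense callback as a Web redirect URI, the two application permissions present, and 'User.Read' removed. It assumes the JSON layout of the Microsoft Graph application object and Microsoft Graph's published permission IDs; the function names and the sample registration are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Published Microsoft Graph identifiers (not Legalsense-specific values).
GRAPH = "00000003-0000-0000-c000-000000000000"
REQUIRED_ROLES = {  # application permissions from step 3
    "98830695-27a2-44f7-8c18-0c3ebc9698f6": "GroupMember.Read.All",
    "df021288-bdef-4463-88db-98f22de89214": "User.Read.All",
}
USER_READ = (GRAPH, "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope")  # delegated User.Read
CALLBACK_PATH = "/single_signon/microsoft_azure/callback/"

def is_legalsense_callback(uri: str) -> bool:
    parts = urlsplit(uri)
    return (parts.scheme == "https" and (parts.hostname or "").endswith(".legalsense.nl")
            and parts.path == CALLBACK_PATH)

def audit_registration(app: dict) -> list:
    """Return findings where the registration deviates from steps 2 and 3."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # "One tenant"
        findings.append("registration is not single-tenant")
    uris = (app.get("web") or {}).get("redirectUris", [])
    if not any(is_legalsense_callback(u) for u in uris):
        findings.append("Legalsense callback missing from Web redirect URIs")
    granted = {(res.get("resourceAppId"), perm.get("id"), perm.get("type"))
               for res in app.get("requiredResourceAccess", [])
               for perm in res.get("resourceAccess", [])}
    for role_id, name in REQUIRED_ROLES.items():
        if (GRAPH, role_id, "Role") not in granted:
            findings.append(f"missing application permission {name}")
    if USER_READ in granted:
        findings.append("delegated User.Read is still present")
    expected = {(GRAPH, role_id, "Role") for role_id in REQUIRED_ROLES} | {USER_READ}
    if granted - expected:
        findings.append(f"{len(granted - expected)} permission(s) beyond the two required")
    return findings

# Constructed sample: step 3 half done (User.Read not removed, one role missing).
SAMPLE = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://yourfirmname.legalsense.nl/single_signon/microsoft_azure/callback/"]},
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
      {"id": "df021288-bdef-4463-88db-98f22de89214", "type": "Role"},
      {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "type": "Scope"}]}]
}""")

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE):
        print("FINDING:", finding)
```

An empty result means the registration matches the steps above; admin consent (step 4) is recorded separately and is not covered by this check.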
1. Sync users.
Through the Microsoft Azure AD SSO integration it is possible to synchronize Legalsense users to their Microsoft accounts. Before this can be done, Legalsense must first have an up-to-date list of the available Microsoft accounts. This synchronization runs automatically in the background, but it is also possible to start it manually.
First you navigate to the configured provider:
Then click "Synchronize Now."
2. Linking users.
Linking Legalsense users to their Microsoft account is done via the "Users" tab.
First click on the respective user you want to link:
Next, click the "Edit" button next to Microsoft Azure account:
Here you can select the desired Microsoft account that the user can then log in with and click "Save."
If you want to disconnect a user, repeat the above two steps, but select "---------" as the Microsoft account.
In addition, you can also link users in 'Bulk'. You can do this by clicking on your Microsoft Azure link under 'Security' - 'Single Sign-On'. In the next screen you will see a 'Bulk link' button on the top right.
When you press this button, you will enter the screen where all non-linked users are shown. Here you can check or complete the data, before you click on 'Save'.
You can see in the overview under 'Users' in the column 'SSO' whether a user is linked or not:
3. Login via SSO.
To log in via SSO, click the "Sign in with Microsoft" button on the login screen:
Here you will get the following pop-up the first time:
Here you click on "Accept".
Then you are successfully logged in via Microsoft Azure AD.