Single Sign-On (SSO) integration offers a streamlined and secure approach to user authentication for Legal Server platforms. This article provides a comprehensive overview of SSO within Legal Server, focusing on its benefits, implementation, and key considerations for administrators.
Supported SSO Providers for Legal Server
Legal Server is designed to integrate seamlessly with leading identity providers to facilitate single sign-on functionality. Currently, Legal Server utilizes OpenID Connect to ensure compatibility with these primary providers:
- Google Workspace: For organizations leveraging Google’s suite of services.
- Microsoft Azure Active Directory: For environments integrated with Microsoft’s cloud services.
- Okta: A dedicated identity management platform offering robust SSO solutions.
It’s important to note that SSO access is restricted to users with existing accounts within your organization’s Google Workspace, Microsoft tenant, or Okta subscription. Users external to these systems, such as pro bono volunteers or contractors, will require traditional password-based logins to access Legal Server.
Navigating the Legal Server SSO Administration Page
The central hub for managing SSO settings within Legal Server is located under Admin > Single Sign On (SSO). This administration page serves as the control panel for all SSO configurations, regardless of the chosen provider.
Tip: To modify any settings on this page, locate the discreet “[Edit]” link situated in the upper right corner. This link activates the editing mode, allowing you to adjust the SSO parameters.
Enforcing SSO Login on Legal Server: The “Only Allow Login via SSO” Policy
Legal Server offers granular control over SSO enforcement through the “Global Enforcement Policy”. Setting this policy to “Enabled and Required” significantly alters the login experience. When activated, the standard username and password fields are removed from the Legal Server landing page. Users are exclusively presented with the “Single Sign-On” link for authentication.
Important Consideration: The “Enabled and Required” policy is best suited for organizations where all users accessing Legal Server are internal and managed within the configured SSO provider. If your Legal Server instance requires access for external users who do not have accounts within your organizational SSO system (e.g., pro bono attorneys, external contractors), this setting should not be used. Enabling this policy in such scenarios will block access for those external users.
Accommodating Mixed User Access: SSO and Legal Server Credentials
For organizations needing to accommodate a diverse user base, including both SSO-enabled internal users and users relying on traditional Legal Server credentials, the “Enabled” policy offers a flexible solution.
By setting the Global Enforcement Policy to “Enabled”, Legal Server presents both the “Single Sign-On” link and the standard username/password login fields on the landing page. This setup allows internal staff members with SSO access to utilize the dedicated SSO link, while external users can log in using their established Legal Server usernames and passwords.
Furthermore, even with the “Enabled” policy, administrators can enforce SSO usage for specific internal user groups. This can be achieved by setting randomly generated, unknown passwords for these users within Legal Server. This effectively compels these users to utilize the SSO link for login, as they will not possess valid Legal Server credentials. For instructions on bulk password updates, refer to the Legal Server help documentation on “Edit Multiple Users Simultaneously”.
Addressing the “Break the Glass” Account Scenario in Legal Server SSO
A frequently asked question regarding SSO implementation is the availability of a “break the glass” or emergency access account for administrators in situations where the SSO system is temporarily unavailable.
Contrary to common expectations, Legal Server does not offer a dedicated “break the glass” account. If the SSO system experiences an outage and the “Enabled and Required” policy is active, preventing the display of login fields, administrators will be locked out of the Legal Server platform.
In such emergency scenarios, administrators must contact LegalServer support at [email protected]. Upon verification of administrator identity, LegalServer support can temporarily downgrade the site’s SSO policy to just “Enabled”. This action will re-expose the traditional login fields, allowing an administrator to log in using their Legal Server credentials, assuming valid credentials exist.
Important Security Note: LegalServer support will only revert a site to the “Enabled” SSO policy upon request from a verified administrator. LegalServer support will not perform both a policy change and a password reset concurrently without implementing stringent verification procedures to prevent unauthorized access to the Legal Server site. This security measure safeguards against malicious attempts to gain unauthorized entry.
SSO Considerations for Legal Server API Interactions
It is crucial to understand that Legal Server’s Application Programming Interfaces (APIs), specifically the Reports API and the Core APIs, operate independently of the SSO enforcement policies configured for user logins via the web interface.
API calls to Legal Server, whether utilizing Basic Authentication or Bearer Authentication methods, will bypass SSO requirements. This means that API access will remain functional even when SSO is set to “Enabled and Required” for standard user logins. This design ensures uninterrupted programmatic access to Legal Server data and functionalities, regardless of the active SSO policy.
SSO and the “Site Closed to Non-Admins” Setting
Legal Server offers a “Site Closed to Non-admins?” setting within the Admin > Site Settings page. This setting allows administrators to temporarily restrict site access to only users with the Administrator role.
The “Single Sign-On” link presented on the login page does not circumvent this “Site Closed to Non-admins?” setting. If this setting is enabled, even users with valid SSO credentials who are not assigned the Administrator role will be unable to access the Legal Server site via SSO. Upon attempting to log in through SSO, non-administrator users will encounter a message indicating that the site is currently shut down and advising them to contact their administrator.
This behavior ensures that the “Site Closed to Non-admins?” setting maintains its intended function of restricting access, even when SSO is implemented.
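The following is an added illustrative model of the access rules this article describes (the Global Enforcement Policy, the password-only path for external users, the “Site Closed to Non-admins?” setting, the API bypass and the outage lockout). It is not Legal Server code; the class and field names are assumptions chosen for the example, and the `emergency_lockout` check is the question an administrator should answer before choosing “Enabled and Required”.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    # The two Global Enforcement Policy values named in the article.
    ENABLED = "Enabled"                 # SSO link plus username/password fields
    REQUIRED = "Enabled and Required"   # SSO link only


@dataclass
class Site:
    policy: Policy
    closed_to_non_admins: bool = False  # "Site Closed to Non-admins?" setting
    sso_available: bool = True          # False models an identity-provider outage


@dataclass
class Actor:
    is_admin: bool
    has_sso_account: bool   # account exists in the Google/Microsoft/Okta tenant
    knows_password: bool    # False once a random, unknown password has been set


def web_login_methods(site: Site) -> set[str]:
    """Login controls shown on the landing page for the configured policy."""
    return {"sso"} if site.policy is Policy.REQUIRED else {"sso", "password"}


def can_login_web(site: Site, actor: Actor) -> bool:
    """Interactive login. SSO needs the provider up and a tenant account;
    password login needs the fields displayed and a known password. The
    closed-site setting blocks non-admins on either path."""
    if site.closed_to_non_admins and not actor.is_admin:
        return False
    methods = web_login_methods(site)
    via_sso = "sso" in methods and site.sso_available and actor.has_sso_account
    via_password = "password" in methods and actor.knows_password
    return via_sso or via_password


def can_call_api(site: Site, has_api_credentials: bool) -> bool:
    """Reports/Core API calls with Basic or Bearer auth ignore the SSO policy."""
    return has_api_credentials


def emergency_lockout(site: Site, admins: list[Actor]) -> bool:
    """True when a provider outage would leave no administrator able to log in,
    i.e. the scenario that requires contacting LegalServer support."""
    outage = Site(site.policy, site.closed_to_non_admins, sso_available=False)
    return not any(can_login_web(outage, admin) for admin in admins)
```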