Integration Guide: SAML 2.0 Single Sign-On
This guide provides instructions for IT administrators to configure Single Sign-On (SSO) between your SAML 2.0 compliant Identity Provider (IdP) and the Legora platform. This will allow your users to log in to Legora using their corporate credentials.
How it Works
Legora’s SSO implementation leverages the SAML 2.0 protocol. The configuration is an interactive, guided process that establishes a trust relationship between your organization’s IdP (like Okta, ADFS, PingFederate, etc.) and Legora. This is achieved by exchanging SAML metadata between your IT team and our platform.
Prerequisites
You must have administrative access to your organization’s SAML 2.0 Identity Provider.
You must be an administrator in your Legora organization.
Setup Instructions
The setup process is a guided flow that involves exchanging configuration details between your Identity Provider and the Legora platform.
Step 1: Initiate the SSO Request
To begin, please contact your Legora representative or our support team. You will need to provide them with the name of the Legora organization for which you want to enable SSO.
Once you have notified us, we will initiate an SSO configuration flow on our end.
(Screenshot: Select Custom SAML)
Step 2: Configure Your Identity Provider with Legora’s Details
The flow will provide you with two key artifacts from our system that you will need to create the SAML application in your IdP:
Single Sign-On URL
Entity ID
Using these two values, please perform the following actions in your Identity Provider’s administration console:
Create a new SAML 2.0 Application for Legora.
When prompted for the service provider details, enter the Single Sign-On URL and Entity ID provided by Legora.
Configure Attribute Mapping (Required): Configure your IdP to send the following attributes in the SAML assertion. The attribute names must match exactly, as Legora uses them to provision and identify users.
email
given_name
family_name
Step 3: Provide Your Identity Provider Details to Legora
After you have configured the application in your IdP, the next step in the flow is to provide Legora with your IdP’s metadata. You have two options:
Option A (Recommended - Automatic Configuration): Provide us with the Metadata URL from your IdP. This allows for the quickest and most reliable configuration.
Option B (Manual Configuration): If a metadata URL is not available, you will need to manually provide the following:
These details complete the trust relationship.
Step 4: Test the Connection
Once the connection is configured on both sides, the final step is to test it.
Assign a Test User: In your Identity Provider, ensure that the user you will be testing with has been assigned or granted access to the new Legora SAML application.
Initiate the Test: In the next step of the flow, you will be prompted to test the connection.
Log In: Attempt to log in to Legora. You should be redirected to your organization’s SSO login page. After successful authentication, you will be logged back into Legora.
If the test is successful, the SSO connection is active and ready to be used.
Troubleshooting
Login Fails / User Not Found: This is often caused by incorrect attribute mapping. Ensure that email, given_name, and family_name are being sent exactly as named in the SAML assertion. Also, confirm that the test user is assigned to the application in your IdP.
Redirect Issues or Invalid Request: This can happen if the Single Sign-On URL or Entity ID in your IdP’s configuration does not exactly match the values provided by Legora. Please double-check these values.
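The two failure modes above (misnamed attributes and an Entity ID mismatch) can be checked directly against a decoded assertion captured from the browser. The following is an added example, not part of this guide or the Legora platform; the assertion and the Entity ID in it are constructed placeholder values.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the SAML 2.0 assertion elements
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names the guide requires the IdP to send, spelled exactly
REQUIRED_ATTRIBUTES = ("email", "given_name", "family_name")


def _norm(name):
    """Collapse case and separators so 'givenName' and 'given_name' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def check_assertion(xml_text, expected_entity_id):
    """Return a list of problems found in a decoded SAML assertion (empty if OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    # Attribute names exactly as the IdP sent them
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS) if a.get("Name")}
    for name in REQUIRED_ATTRIBUTES:
        if name in sent:
            continue
        # A near-miss in case or separator is the usual "user not found" cause
        near = [s for s in sent if _norm(s) == _norm(name)]
        if near:
            problems.append(f"attribute {name!r} sent as {near[0]!r}")
        else:
            problems.append(f"attribute {name!r} missing")
    # The Audience must equal the Entity ID issued by the service provider, byte for byte
    audiences = [e.text for e in root.iterfind(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        problems.append(f"audience {audiences} != {expected_entity_id!r}")
    return problems


# Constructed sample assertion with hypothetical values (not real identifiers)
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>ada@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE, "https://sp.example.invalid/saml/metadata"):
        print("-", problem)
```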
If you continue to experience issues, please contact our support team for assistance.