
Single-Sign-On for Users (SSO)

Set up OpenID (single sign-on) for users

Info

This feature is only available in the unlimited plan. 

 

This article explains how to set up login for LAWLIFT users via SSO. For internal reasons, it may be necessary for your employees to log into LAWLIFT exclusively via SSO.

Warning

Please note that the menu items DOCUMENTS and FILES or MANDATES and CASE GROUPS cannot be offered with this login due to information security.

 

Step 1: Activate SSO

Info

The settings can only be made from the superadmin role. To access SSO for users you need to use LAWLIFT on a subdomain. For further information please contact our support via support@lawlift.com.

 

Click on the menu item ADMIN and FURTHER ACTIONS. Now activate Single-Sign-On and click on the configuration button below. 

Step 2: Add SSO configuration

Once in the configuration, click on the edit button, add the discovery URL and load the settings. Also add the client ID and client secret.

Step 3: Add default user role for the new SSO users

This role will be added to all users who will log in for the first time with SSO. 

Info

For SSO with just publications, set this Redirect URL in Microsoft Entra ID:

https://app.lawlift.de/auth/publications

For SSO with users, use this one:

https://app.lawlift.de/auth

If you need both, add both URLs.

 

 

Optional Step 4: Prevent silent login

If the user is already logged in with the SSO provider, this option prevents login without a password (silent login). The user must type in the password every time they open a new tab.

Optional Step 5: Prevent automated user creation

By default, whenever a customer logs in with their SSO provider for the first time, their LAWLIFT user account is automatically created. This setting prevents that, so that only pre-created users (with the corresponding email address) can log in to the app.

 

Optional Step 6: Restricted group access

You will find an example below of how to restrict access to the LAWLIFT app to members of a specific group in Microsoft Entra.
Select the app you used in the app registration section of Microsoft Entra, select “Token configuration”, then “Add groups claim”, then the fourth option and then “Add”: 

We used groups assigned to the application, but a Microsoft Entra administrator can choose another option.
In LAWLIFT, you then need to activate restricted groups access:

Step 6 requires you to add the group scope claim. In Microsoft Entra, it's groups, but it can vary for different services. Now, you need to create a group and add a group identifier.

Add the group name and SSO group identifier. Microsoft Entra uses groupId (objectId of the group). Different services may use different identifiers.

From that point forward, only users belonging to the specified group will be able to log in. There is no limit to the number of groups you can add.
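
To check what the SSO provider actually sends before you enable Steps 5 and 6, you can inspect the claims of a test ID token. The following is an added example, not LAWLIFT's own code: it models the two rules described above on a constructed token. The function names, the sample group ID and addresses, the use of the `email` / `preferred_username` claims and the case-insensitive email comparison are assumptions.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only (the signature is NOT verified)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def login_decision(claims, allowed_group_ids, existing_emails, prevent_auto_create):
    """Model of the Step 5 and Step 6 rules; returns (allowed, reason)."""
    groups = claims.get("groups")  # claim name used by Microsoft Entra
    if groups is None:
        return False, "no groups claim: add it under Token configuration"
    if not set(groups) & set(allowed_group_ids):
        return False, "user is in none of the configured groups"
    # Assumption: the email address arrives in one of these two claims.
    email = (claims.get("email") or claims.get("preferred_username") or "").lower()
    if prevent_auto_create and email not in existing_emails:
        return False, "no pre-created user for this email address"
    return True, "ok"

def make_token(claims: dict) -> str:
    """Build an unsigned sample token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample values (not real identifiers)
GROUP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE = make_token({"email": "Ada@example.com", "groups": [GROUP_ID]})
NO_GROUPS = make_token({"email": "bob@example.com"})

if __name__ == "__main__":
    for tok in (SAMPLE, NO_GROUPS):
        print(login_decision(jwt_claims(tok), [GROUP_ID], {"ada@example.com"}, True))
```

If the decision for a real test token is "no groups claim", the token configuration in Microsoft Entra is missing the groups claim; if it is "user is in none of the configured groups", compare the objectId in the token with the SSO group identifier entered in LAWLIFT.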

Optional Step 7: SSO provisioning with roles

When you set up different roles for your Microsoft Entra users, you can map them to your custom LAWLIFT roles easily. To do this, click the option “Map to SSO role” in the “Edit user roles” menu.

Next, put the LAWLIFT role name in the role details in Microsoft Entra. When a new user signs in to LAWLIFT, they are created and linked to the right role based on their role in Microsoft Entra. Check that you haven't turned on "Prevent automated user creation" in the SSO settings. If it's on, the system can't create users automatically.
