Note: This article contains instructions for updating your SAML configuration after the June 2023 release of Everlaw. If you are setting up your SAML configuration for the first time please visit this article.
Expected US Release: June 23, 2023
Expected International Release: June 30, 2023
Expected Federal Release: July 7, 2023
With this release Everlaw will be updating Single Sign-On (SSO) implementation on the platform to improve the overall security of the platform for users. Organizations will have until the next release (July 21st US release) to make changes to their SAML SSO configuration.
Organizations with SAML Single Sign-On currently configured will need to update their configuration. To complete the changes users must
- Have organization admin permissions.
- Have access to their IDP configuration. This may require support from your organization's IT staff.
Note that when making this update, users’ ability to login may be impacted. It is recommended that you coordinate the update outside of working hours.
1. Navigate to your organization page and find the "Security Settings" and the SAML Single Sign-on section. Your organization should have the toggle to "Use legacy SSO to login" set.
Before making any changes, it is highly recommended that you download the original metadata file by clicking on the "Download Everlaw service provider metadata" should you need to revert your configuration.
It is also highly recommended to switch the "Authentication setting" to optional before proceeding to the next steps. If you do not take this step and your SSO is misconfigured, your organization's users may be locked out of their accounts.
2. Set the "Use legacy SSO to login" toggle to off. Click on the "Download Everlaw service provider metadata" to download the new provider metadata.
3. In your IDP, you will need to upload the new Everlaw provider metadata.
If your IDP doesn't support metadata upload (e.g. Okta) you will need to manually change the ACS URL. To find the new ACS URL, open the new provider metadata file in a text editor. Search for the term "Location". The URL string following "Location=" is the new ACS URL. Replace the legacy ACS URL with the new ACS URL.
- The legacy ACS URL should have a pattern like this: …everlaw.com/…/saml/SSO
- The new ACS URL should follow a pattern like this: …everlaw/com/…/login/saml2/sso/…
When updating your IDP, please make sure to double check that the new URL you are using follows the correct pattern. After the old URL is deprecated, organizations still using the old URL will no longer be able to login using SSO.
4. Confirm the IDP configurations.
- If you are not encrypting the Assertions, make sure that you are signing the SAML Response or all of the Assertions.
- If you are encrypting the Assertions, the Response must be signed! For example, if you are using ADFS, you might want to run this command Set-AdfsRelyingPartyTrust -TargetName “Everlaw” -SamlResponseSignature “MessageAndAssertion”
5. Navigate back to Everlaw and attempt to login using SSO. You should be able to log in as usual.
If you changed your configuration to optional in a previous step, remember to set it back to required.
If you are using the Everlaw Okta App, please proceed with the following steps:
*Note Okta will update the Everlaw app integration on Tuesday, August 1, 2023
- Go to your Okta’s App configuration settings for Everlaw. Click on the “Sign on” tab and click on the “Edit” button in the settings section.
- Under the “Advanced Sign-on Settings” section, fill in the “Customer ID” field with the hash value at the end of the ACS URL found in the Everlaw SP metadata.
- If you need to revert back to using the Legacy SSO URL, simply revert the Customer ID field to be blank.
If you are unable to login using SSO, please reach out to Everlaw support. Should this occur, it is recommended that you:
- Login using your password and return to the Org Admin page.
- From there, toggle “Use legacy SSO” on and upload the original metadata file from Step 1 to your IDP.
This will revert the changes and users in your organization should be able to login using SSO again using the legacy SSO.