Organization Admin: Single Sign-On

 


Organizations can request to have single sign-on (SSO) enabled for all members of their organization. Single sign-on enables users to log into Everlaw via their organization’s existing directory service (e.g., GSuite, Active Directory, LDAP). They will not have to maintain a separate username and password for Everlaw.


Enabling single sign-on using directory service metadata

To enable single sign-on, you first have to download the identity provider (IdP) metadata for your directory service. This is an XML document that tells Everlaw how to communicate with your system. There should be a download link in your directory service’s support center or Security Assertion Markup Language (SAML) control panel. This file allows your identity provider (in this case, your directory service) to communicate with your service provider (in this case, Everlaw) so that you can set up single sign-on.

You’ll then upload this metadata to Everlaw by clicking “Upload” on the Projects & Users tab of your organization admin dashboard, under SAML Single Sign-On.


Everlaw will validate the metadata once it is uploaded. If the original file cannot be validated, you may upload another version of the file. Once the file is validated, you will be able to choose to enable or require single sign-on on an organization-wide basis. Requiring single sign-on will disable Everlaw’s normal password-based login process for the organization. It is recommended that you initially set the authentication setting to "Optional". Don't select "Required" until you've tested SSO login and know that it is working; otherwise, you risk getting locked out of your account!

If your identity provider has multi-factor authentication (MFA), you can switch on “Bypass Everlaw multi-factor authentication.”


For more information about the consequences of disabling, enabling, or requiring single sign-on, see the “Single sign-on and user experience” section below.


Providing your directory service with Everlaw metadata

In order for SSO to function correctly, you will also need to supply your directory service with Everlaw service provider metadata. You can download this metadata in XML form by clicking “Download Everlaw service provider metadata,” under SAML Single Sign-On.

You should then be able to upload the Everlaw metadata on the directory service’s settings page (different directory services may have different requirements).

You may additionally need to register Everlaw's Entity ID and ACS URL with your identity provider. The relevant IDs and URLs are as follows:

Everlaw US:

Entity ID: everlaw.com:us-web
ACS URL: https://app.everlaw.com/saml/SSO

Everlaw AUS:

Entity ID: everlaw.com:au-web
ACS URL: https://app.everlaw.com.au/saml/SSO

Everlaw EU:

Entity ID: everlaw.com:eu-web
ACS URL: https://app.everlaw.eu/saml/SSO

Everlaw CAN:

Entity ID: everlaw.com:ca-web
ACS URL: https://app.everlaw.ca/saml/SSO
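
A check to run before registering these values, as an added example (not Everlaw's code): it parses a downloaded service provider metadata file and confirms that its entityID and ACS URL match the region listed above, flagging a file that belongs to a different regional instance. The function name, the sample XML, and the assumption that every ACS endpoint in the file should equal the listed URL are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Entity IDs and ACS URLs exactly as listed on this page, keyed by region.
EXPECTED = {
    "US": ("everlaw.com:us-web", "https://app.everlaw.com/saml/SSO"),
    "AUS": ("everlaw.com:au-web", "https://app.everlaw.com.au/saml/SSO"),
    "EU": ("everlaw.com:eu-web", "https://app.everlaw.eu/saml/SSO"),
    "CAN": ("everlaw.com:ca-web", "https://app.everlaw.ca/saml/SSO"),
}

# Constructed sample for illustration; not Everlaw's actual metadata file.
SAMPLE_EU = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="everlaw.com:eu-web">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.everlaw.eu/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_bytes, region):
    """Return a list of problems; an empty list means the file matches."""
    # Refuse DTDs and entity declarations before parsing (assumes UTF-8 input).
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DTD or entity declaration present; refusing to parse"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != MD + "EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    want_entity, want_acs = EXPECTED[region]
    problems = []
    found = root.get("entityID")
    if found != want_entity:
        # Name the region the file really belongs to, if it is a known one.
        match = [r for r, (e, _) in EXPECTED.items() if e == found]
        hint = f" (the {match[0]} instance)" if match else ""
        problems.append(f"entityID {found!r}{hint}, expected {want_entity!r}")
    acs = root.findall(f"{MD}SPSSODescriptor/{MD}AssertionConsumerService")
    if not acs:
        problems.append("no AssertionConsumerService element")
    for svc in acs:
        if svc.get("Location") != want_acs:
            problems.append(f"ACS {svc.get('Location')!r}, expected {want_acs!r}")
    return problems
```
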


Single sign-on and user experience

Enabling or requiring single sign-on affects user experience at the time of login, as well as users’ ability to change their profile settings.

If single sign-on is disabled:

  • Users will need to sign into Everlaw using their passwords. Users will not be able to log into Everlaw using single sign-on, and will have to authenticate using MFA, if applicable.
  • Users will be able to change their passwords and toggle MFA authentication from their profile pages.
  • Users will be able to request password resets.

If you enable single sign-on:

  • Users who have been authenticated by your identity provider will be able to log into Everlaw with single sign-on and bypass MFA authentication, if applicable. They can also choose to log in using their Everlaw password.
  • Users will be able to change their passwords and toggle MFA authentication from their profile pages.
  • Users will be able to request password resets.

If you require single sign-on:

  • Users will not be able to log into Everlaw using their passwords, nor will they create a password when they are invited to Everlaw. Instead, they will be required to use single sign-on.
  • Users will be able to bypass MFA authentication upon login, if applicable.
  • Users will not be able to change their passwords or toggle MFA authentication from their profile pages.
  • Users will not be able to request password resets.
  • If you disable single sign-on, users will need to create an Everlaw password.

The image below displays a login screen for an account that has single sign-on enabled. The user can either log in using SSO, by clicking the blue “Log in via [domain name]” button, or with their password, by clicking the blue “Log in with password” button. The option to log in through SSO will not appear for users whose organizations do not have SSO enabled, and the option to log in with a password will not appear for users whose organizations require SSO.

[Image: login screen for an account that has single sign-on enabled]
