Configure CAM SSO
- 1 Information to Provide Litera
- 2 Litera Provided Information
- 3 Configuring CAM SSO (Single Sign-On) via On-Premises Active Directory
- 3.1 Prerequisites
- 3.2 Step 1: Configure Federation Server
- 3.3 Step 2: Add Your Amazon Cognito User Pool ID as Relying Party Trust in AD FS
- 3.4 Step 3: Create Claim Rules
- 3.5 Step 4: Create Rules to Map Attributes from Active Directory with ADFS
- 3.6 Step 5: Import the signature into the new Relying Party Trust
- 3.7 Step 6: Verify the Configuration
- 3.8 Step 6b: Provide Litera the public URL
- 3.9 Step 7: Edit Access Control Policy for User Groups
- 4 SSO on Microsoft Entra (Azure AD) Instructions
- 4.1 Prerequisites
- 4.2 Set-up
- 5 FAQs
Information to Provide Litera
Provide the following information to Litera when asked to do so:
- Let Litera know you are enabling SSO before starting, for both Azure AD and AD FS.
- The certificate added in Step 5, for AD FS configurations.
- The public URL from Step 6b, for AD FS configurations.
- The App Federation Metadata URL from Step 10, for Azure AD/Entra ID configurations.
Litera Provided Information
The following information is provided by Litera when you reach out to Litera Support or Litera DevOps to enable SSO (support@litera.com):
- AWS User Pool Domain Name, before starting.
- AWS Cognito User Pool URN, before starting.
- Certificate for the Relying Party Trust, used in Step 5 of the AD FS configuration.
- Confirmation that SSO is configured, at Step 11 of the Azure AD/Entra ID configuration.
Configuring CAM SSO (Single Sign-On) via On-Premises Active Directory
CAM supports SSO via SAML 2.0 which is available on ADFS version 2.0 and above. To enable SSO for your domain, CAM acts as the Service Provider (SP). An AD FS Identity Provider (IdP) must be deployed and configured to handle the sign-in process and provide your system user's credentials to CAM. This topic describes how to set up the Single Sign-On Service (SSO) for CAM as the Service Provider (SP) and AD FS as the Identity Provider (IdP).
These steps are the same whether or not you are implementing the Teams app.
Prerequisites
- Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS) must be installed on your server.
- It is recommended that the firm creates a new domain group, for example CAM Users, and adds the users from the firm who will access CAM. This allows administrators to filter user groups when enabling synchronization with CAM.
- The user configuring the AD FS and SSO setup must have domain administrator permissions.
- Contact Litera Support (support@litera.com) to enable SSO for your domain before beginning.
Step 1: Configure Federation Server
1. On the deployed AD FS server, launch the Active Directory Federation Services Configuration Wizard.
2. On the Welcome page, choose an option for a Federation Server, and then click Next. Proceed through the wizard.
3. On the Specify Service Properties page, select:
   - SSL Certificate: This should be pre-populated. If it isn't, select your valid certificate from the drop-down menu. CAM will redirect to this URL for authentication.
   - Federation Service Name: Enter a fully qualified domain name (FQDN). It is recommended that this matches the SSL certificate name.
     Note: By default, the AD FS Configuration Wizard retrieves the SSL certificate bound to CAM in IIS. If you use a wildcard certificate, you will need to enter the Federation Service Name manually.
   - Federation Service Display Name: Enter a friendly display name.
4. Continue with the configuration and click Close on completion.
Step 2: Add Your Amazon Cognito User Pool ID as Relying Party Trust in AD FS
1. In AD FS Management, select the Relying Party Trusts folder.
2. Click Add Relying Party Trust from the Actions sidebar.
3. On the Welcome page of the Add Relying Party Trust Wizard, choose Claims aware and click Start.
4. On the Select Data Source screen, click Enter data about the relying party manually and click Next.
5. On the Specify Display Name screen, enter a Display Name and any optional notes.
6. Skip the Configure Certificate screen. Click Next.
7. On the Configure URL screen, select the box labeled Enable Support for the SAML 2.0 WebSSO protocol.
8. In the field under Enable Support, enter the Amazon Cognito User Pool domain name. The URL should look something like this: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse
   Note: URNs look like urn:amazon:cognito:<region>; the full relying party identifier is entered in the next step. Litera will generate and provide the AWS User Pool Domain Name for your account.
9. On the Configure Identifiers screen, enter the provided Amazon Cognito User Pool URN as the relying party trust identifier. The URN should look something like this: urn:amazon:cognito:sp:<yourUserPoolID>
10. On the Choose Access Control Policy screen, select Permit everyone and click Next.
11. On the Ready to Add Trust screen, review your settings. Click the Endpoints tab to view the auto-configured endpoint for SAML 2.0 POST binding (also known as the assertion consumer endpoint/URL). Based on the details entered in item 8, the endpoint is auto-configured. The URL should look something like this: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse. Click Next.
12. On the Finish screen, check the box for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. This opens the claim rule editor.
Step 3: Create Claim Rules
When using SAML login with AD FS, other values can be passed in addition to the authentication values. These values are defined as Claim Rules in the Relying Party Trust. Once the relying party trust has been created, you can create the claim rules. After the completion of Step 2 above, the claim rule editor opens by default. If the claim editor does not open, select the Relying Party Trusts folder in the AD FS panel, right-click the added Relying Party Trust, and then click Edit Claim Issuance Policy.
Step 4: Create Rules to Map Attributes from Active Directory with ADFS
CAM requires you to set up four attribute rules for user authorization. You can also add any other additional attributes that you want to be sent over as claims. The table below specifies the four mandatory attributes to be configured and the pre-defined Claim template to be used to create the claim rule.
| Attribute | Claim Template to be used |
|---|---|
| Name ID | Transform an Incoming Claim |
| | Send LDAP Attributes as Claims |
| First Name | Send LDAP Attributes as Claims |
| Last Name | Send LDAP Attributes as Claims |
Step 5: Import the signature into the new Relying Party Trust
1. From the Relying Party Trusts folder, select your new Relying Party Trust, and from the Actions side bar click Properties.
2. Go to the Signature Tab and Click Add to add a certificate.
3. Navigate to the Endpoints tab and you should see a SAML Assertion Consumer Endpoint that you inserted in the Configuration Wizard. Click Add SAML to add a second endpoint.
4. From the Endpoint type drop-down, choose SAML Logout.
5. From the Binding drop-down, choose Redirect.
6. In the Trusted URL field, add the following: https://YOUR-DOMAIN/adfs/ls/?wa=wsignout1.0, where YOUR-DOMAIN matches the Federation Service Name that you specified during AD FS setup.
7. In the Response URL field, type your CAM domain, for example: https://subdomain.domain.topleveldomain
8. Click OK on the Add an Endpoint window as well as the Relying Party Trust window to save your changes.
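The same relying party trust, built with the AD FS PowerShell module instead of the wizard. This is an added example, not Litera's code or configuration; it mirrors Steps 2, 4 and 5 above so the result can be reviewed and reproduced. Every value in angle brackets or named YOUR-DOMAIN is a placeholder for what Litera provides or what you entered in Step 1. The LDAP attributes chosen for the claims (mail for Name ID, givenName and sn for first and last name) are an assumption, since the page names the claim templates but not the source attributes; the `-AccessControlPolicyName` parameter assumes Windows Server 2016 or later, which the wizard's Access Control Policy screen also implies.

```powershell
# Added example, not Litera's code. Creates the CAM relying party trust in AD FS.
# Placeholders (replace with the values Litera provides / the values from Step 1):
$TrustName       = 'CAM'
$UserPoolUrn     = 'urn:amazon:cognito:sp:<yourUserPoolID>'                                     # Step 2, item 9
$AcsUrl          = 'https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse' # Step 2, item 8
$AdfsFqdn        = 'YOUR-DOMAIN'                                                                 # Federation Service Name
$CamUrl          = 'https://subdomain.domain.topleveldomain'                                     # Step 5, item 7
$SigningCertPath = 'C:\certs\cam-signing.cer'                                                    # certificate from Litera (Step 5)

Import-Module ADFS

# Step 4: claim rules in AD FS claim rule language. "LdapClaims" is the "Send LDAP
# Attributes as Claims" template, "MapClaims" is "Transform an Incoming Claim".
# Assumption: mail is the Name ID source, givenName/sn are First/Last Name.
$ClaimRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send LDAP attributes as claims"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 5, item 2: the signature certificate Litera provides (verifies signed SAML requests).
$SigningCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($SigningCertPath)

# Step 2, item 11 and Step 5, items 3-7: assertion consumer (POST) and logout (Redirect) endpoints.
$Endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $AcsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding Redirect -Protocol SAMLLogout -Uri "https://$AdfsFqdn/adfs/ls/?wa=wsignout1.0" -ResponseUri $CamUrl
)

# Step 2: the trust itself, with the Cognito URN as identifier and "Permit everyone" (item 10).
Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier $UserPoolUrn `
    -SamlEndpoint $Endpoints `
    -RequestSigningCertificate $SigningCert `
    -IssuanceTransformRules $ClaimRules `
    -AccessControlPolicyName 'Permit everyone'
```

Run this in an elevated PowerShell session on the AD FS server with an account that has the domain administrator rights listed in the prerequisites. Keeping the claim rules in a script rather than the GUI editor also gives you a reviewable record of exactly which attributes leave the directory in each assertion.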
Step 6: Verify the Configuration
Your SSO integration with CAM should now be enabled. All CAM users within your firm will be provided with the following sign-in prompt:
Step 6b: Provide Litera the public URL
Step 7: Edit Access Control Policy for User Groups
Edit the Access Control Policy to deny one or more user groups access to CAM.
1. In the AD FS console, right-click the Relying Party Trust that you want to permit or deny access to and select Edit Access Control Policy.
2. On the Access control policy screen, select your policy and then click Apply and OK.
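A check for Step 6 and the group restriction of Step 7, as an added example that is not Litera's code: it reads the relying party trust back and warns about anything the earlier steps should have set (identifier, both SAML endpoints, the signature certificate, the four mandatory claims), then swaps "Permit everyone" for the built-in "Permit specific group" policy. Assumptions: the trust is named CAM, the group is the DOMAIN\CAM Users group suggested in the prerequisites, and the unnamed row of the Step 4 table is the e-mail address claim; the `GroupParameter` key follows the parameter name of the built-in policy.

```powershell
# Added example, not Litera's code. Verifies the CAM trust and restricts it to a group.
Import-Module ADFS

$TrustName = 'CAM'                 # placeholder: display name given in Step 2, item 5
$CamGroup  = 'DOMAIN\CAM Users'    # placeholder: group from the prerequisites

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found" }

# Step 2, item 9: the identifier must be the Cognito user pool URN, not the ACS URL.
if (-not ($rp.Identifier | Where-Object { $_ -like 'urn:amazon:cognito:sp:*' })) {
    Write-Warning "Identifier is not a Cognito user pool URN: $($rp.Identifier -join ', ')"
}

# Step 2, item 11 and Step 5: both SAML endpoints should exist with the right bindings.
$acs    = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' -and $_.Binding -eq 'POST' }
$logout = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' -and $_.Binding -eq 'Redirect' }
if (-not $acs)    { Write-Warning 'Missing SAML 2.0 POST assertion consumer endpoint (Step 2, item 11)' }
if (-not $logout) { Write-Warning 'Missing SAML Logout endpoint with Redirect binding (Step 5)' }
if ($acs -and "$($acs.Location)" -notmatch '\.amazoncognito\.com/saml2/idpresponse$') {
    Write-Warning "ACS endpoint does not look like the Cognito idpresponse URL: $($acs.Location)"
}

# Step 5, item 2: the signature certificate from Litera; flag absence and expiry.
if (-not $rp.RequestSigningCertificate) {
    Write-Warning 'No signature certificate imported (Step 5, item 2)'
} else {
    foreach ($cert in $rp.RequestSigningCertificate) {
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        if ($days -lt 30) { Write-Warning "Signing certificate $($cert.Thumbprint) expires in $days days" }
        else { "Signing certificate $($cert.Subject) valid until $($cert.NotAfter)" }
    }
}

# Step 4: each mandatory claim type should be issued by some rule (e-mail is an assumption).
foreach ($claim in 'nameidentifier', 'emailaddress', 'givenname', 'surname') {
    if ("$($rp.IssuanceTransformRules)" -notmatch "identity/claims/$claim") {
        Write-Warning "No claim rule issues the $claim claim (Step 4)"
    }
}

# Step 7: restrict access to the CAM users group instead of "Permit everyone".
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -AccessControlPolicyName 'Permit specific group' `
    -AccessControlPolicyParameters @{ GroupParameter = @($CamGroup) }

"Access control policy for '$TrustName' is now: $((Get-AdfsRelyingPartyTrust -Name $TrustName).AccessControlPolicyName)"
```

Restricting the trust to a dedicated group means a user removed from CAM Users loses CAM sign-in immediately at the IdP, rather than relying on the application to notice the change.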
SSO on Microsoft Entra (Azure AD) Instructions
Prerequisites
Set-up
Create and configure an Entra Enterprise Application
The client has to configure one Enterprise Application to be able to use SSO for both the Teams app and CAM.
1. Open the Azure portal and choose Azure Active Directory in the list of services.
2. In the Active Directory left pane, choose "Enterprise Applications".
3. In the section that opens, click "Create your own application".
4. Name your application.
5. After the application is created, assign it to users and groups: click "Assign Users and Groups".
6. After assigning your application to your users, set up SSO. On the main pane of the application, click "Configure Single Sign On".
7. You will be asked to choose a single sign-on method. Choose SAML.
8. You will then be redirected to the Single sign-on page. There you have to modify the following values:
   - Identifier (Entity ID)
     The URN should look something like this: urn:amazon:cognito:<region>
     urn:amazon:cognito:ap-southeast-1_TTvx
   - Reply URL (Assertion Consumer Service URL)
     Based on your production endpoint region, the URL should look something like this:
     https://camapac-com-abl.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse
   - Redirect Endpoint URIs
     Redirect Endpoint URIs are as follows:
9. After configuring the SAML single sign-on, click Save.
10. Under Step 3 of the single sign-on pane, SAML Signing Certificate, copy the App Federation Metadata URL.
11. Once Litera DevOps receives the App Federation Metadata URL, you will be notified by email when SSO is configured for you.
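Before sending the App Federation Metadata URL to Litera (item 10), it is worth confirming that it resolves to usable IdP metadata. The following is an added example, not Litera's or Microsoft's code: it downloads the metadata, checks that it describes an identity provider, and reports the entity ID, the HTTP-Redirect sign-on endpoint and the signing certificate expiry, because a rotated or expired signing certificate on the Entra side breaks every Cognito SAML login until the metadata is refreshed. The only assumption is the URL placeholder, which you replace with the one shown in your Entra application.

```powershell
# Added example, not Litera's code. Sanity-checks the App Federation Metadata URL from Entra.
# Placeholder: paste the URL copied in item 10 above.
$MetadataUrl = 'https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id>'

function Test-EntraFederationMetadata {
    param([Parameter(Mandatory)][string]$Url)

    $xml = [xml](Invoke-WebRequest -Uri $Url -UseBasicParsing).Content
    $ns  = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw 'Document is not SAML 2.0 metadata (no EntityDescriptor)' }
    $idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor: this URL does not describe an identity provider' }

    # Signing certificate(s) the Cognito user pool will trust for assertion signatures.
    $certs = foreach ($node in $idp.SelectNodes('md:KeyDescriptor[@use="signing" or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)) {
        $raw = [Convert]::FromBase64String($node.InnerText.Trim())
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    }
    if (-not $certs) { throw 'Metadata carries no signing certificate' }
    $soonest = $certs | Sort-Object NotAfter | Select-Object -First 1

    $redirectSso = $idp.SelectSingleNode('md:SingleSignOnService[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"]', $ns)

    [pscustomobject]@{
        EntityId           = $entity.entityID
        SsoRedirectUrl     = if ($redirectSso) { $redirectSso.Location } else { $null }
        SigningCertSubject = $soonest.Subject
        SigningCertExpires = $soonest.NotAfter
        DaysUntilExpiry    = [int]($soonest.NotAfter - (Get-Date)).TotalDays
    }
}

$result = Test-EntraFederationMetadata -Url $MetadataUrl
$result | Format-List
if ($result.DaysUntilExpiry -lt 30) { Write-Warning 'Signing certificate expires within 30 days; plan the rotation with Litera' }
```

Keep the `DaysUntilExpiry` value in your change calendar: the Entra signing certificate is what Cognito validates assertions against, so its rotation has to be coordinated with Litera, who refresh the metadata on the Cognito side.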
A PDF guide of this information is below:
| File/Description | Attachment |
|---|---|
| Single Sign On AzureAD Guide: for the setup of Azure AD to SSO | |
FAQs
Does SSO need to be enabled separately for the CAM teams app?
Yes, there is a separate client in Cognito for the Teams app.
Let's Connect📌
☎ +1 630.598.1100
☎ +44 20 3880 1550
📧 support@litera.com
💻 https://www.litera.com/support/
📝 Support is available 4 am - 8 pm US Eastern (9 am - 1 am GMT/BST, 7 pm - 11 am AET) on normal business days (excluding holidays)
© 2024 Litera