Configure CAM SSO

Information to Provide Litera

Provide the following information to Litera when asked to do so:

  • Let Litera know you are enabling SSO before starting for both AzureAD and ADFS.

  • Adding the Certificate on Step 5 for ADFS configurations

  • Adding the Public URL on Step 6b for ADFS configurations

  • The App Federation Metadata URL on Step 10 for AzureAD/EntraID configurations

Litera Provided Information

The following information is provided by Litera when you reach out to Litera Support OR Litera DevOps to enable SSO (support@litera.com):

  • AWS User Pool Domain Name before starting

  • AWS Cognito User Pool URN before starting

  • Certificate for the Relaying Party Trust on Step 5 for ADFS configurations for ADFS configurations

  • Documentation confirming SSO is configured on Step 11 for AzureAD/EntraID configurations

 

Configuring CAM SSO (Single Sign-On) via On-Premises Active Directory

CAM supports SSO via SAML 2.0 which is available on ADFS version 2.0 and above. To enable SSO for your domain, CAM acts as the Service Provider (SP). An AD FS Identity Provider (IdP) must be deployed and configured to handle the sign-in process and provide your system user's credentials to CAM. This topic describes how to set up the Single Sign-On Service (SSO) for CAM as the Service Provider (SP) and AD FS as the Identity Provider (IdP).

These steps are similar if you are implementing teams, or even if you are not implementing teams.

Prerequisites

  • Active Directory Domain Services (ADDS) and Active Directory Federation Services (AD FS) must be installed on your server.

  • It is recommended that the firm creates a new domain group and adds a list of users from the firm who will access CAM, for example, CAM Users. This will allow administrators to filter user groups when enabling synchronization with CAM.

  • The user configuring the AD FS and SSO setup must have domain administrator permissions.

  •  Please call Litera Support to enable SSO for your domain before beginning. Contact Litera support at support@litera.com

Step 1: Configure Federation Server

  1. In the deployed AD FS Server launch the Active Directory Federation Services Configuration Wizard

  2. On the Welcome page, choose an option for a Federation Server, and then click Next. Proceed through the wizard.

  3. On the Specify Service Properties page select:

  • SSL Certificate: This should be pre-populated. If it isn’t, select your valid certificate from the drop-down menu. CAM will redirect to this URL for authentication.

  • Federation Service Name: Enter a fully qualified domain name (FQDN). It is recommended this matches the SSL certificate name.

Note: By default, the ADFS Configuration Wizard retrieves the SSL certificate bound to CAM in IIS. If you use a wildcard certificate you will need to enter the Federation Service name.

  • Federation Service Display Name: Enter a friendly display name

4. Continue with the configuration and click Close on completion.

Step 2: Add Your Amazon Cognito User Pool ID as Relying Party Trust in AD FS

  1. In ADFS Management, select the Relying Party Trusts folder.

  2. Click Add Relying Party Trusts from the Actions sidebar.

  3. In the Add Relying Party Trust WizardWelcome page, choose Claims aware and click Start.

  4. On the Select Data Source screen, click Enter data about the relying party manually and click Next.

  5. On the Specify Display Name screen, enter a Display Name and enter any optional notes.

  6. Skip the Configure Certificate screen. Click Next.

  7. On the Configure URL screen, select the box labeled Enable Support for the SAML 2.0 WebSSO protocol.

  8. In the field under Enable Support, enter the Amazon Cognito User Pool domain name. The URL should look something like this https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse

  9. URN’s would look like:

The URn should look something like this urn:amazon:cognito:<region>

Note: Litera will generate and provide the AWS User Pool Domain Name for your account.

9. On the Configure Identifiers screen, enter the provided Amazon Cognito User Pool URN as the relying party trust identifier. The URN should look something like this urn:amazon:cognito:sp:<yourUserPoolID>

10. On the Choose Access Contol Policy screen, select Permit everyone and click Next.

11. On the Ready to Add Trust screen, review your settings. Click the Endpoints tab to view the auto-configured endpoint for SAML 2.0 POST binding (also known as the assertion consumer endpoint/URL). Based on the details entered in Step 8, the Endpoint is auto-configured. The URL should look something like this: https://<yourDomainPrefix>.auth.<region>.amazoncognito.com/saml2/idpresponse. Click Next.

12. On the Finish screen, check the box for Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and click Close. This opens the claim rule editor.

Step 3: Create Claim Rules

When using SAML login with ADFS, other values can be passed in addition to the authentication values. These values are defined as Claim Rules in the Relying Party Trust. Once the relying party trust has been created, you can create the claim rules. after the completion of Step 2 listed above, the claim rule editor opens by default. If the claim editor does not open to edit the Claim Rules, select the Relying Party Trusts folder from the ADFS panel, right-click the added Relying Party Trust, and then click Edit Claim Issuance Policy.

Step 4: Create Rules to Map Attributes from Active Directory with ADFS 

CAM requires you to set up four attribute rules for user authorization. You can also add any other additional attributes that you want to be sent over as claims. The table below specifies the four mandatory attributes to be configured and the pre-defined Claim template to be used to create the claim rule.

Attribute

Claim Template to be used

Attribute

Claim Template to be used

Name ID

Transform an Incoming Claim

Email

Send LDAP Attributes as Claims

First Name

Send LDAP Attributes as Claims

Last Name

Send LDAP Attributes as Claim

 

  1. In the Edit Claim Issuance Policy dialog, click Add Rule

2. In the Choose Rule Type node, from the Claim Rule Template drop-down select Transform an Incoming Claim. Click Next

 

3. In the Configure Claim Rule node, enter the following settings and click Finish to create the claim rule.

  • In the field for the Claim rule name type, type Name ID

  • From the drop-down for the Incoming claim type, select Windows account name

  • From the drop-down for the Outgoing claim type, select Name ID.

  • From the drop-down for the Outgoing Name ID Format, must be selected as Persistent Identifier.

  • Select the radio button to Pass through all claim values.

  •  

  1. In the Edit Claim Issuance Policy dialog, click Add Rule

  2. In the Choose Rule Type node, select Send LDAP Attributes as Claims from the Claim Rule Template drop-down. Click Next.

  3. In the Configure Claim Rule node, enter or select the following settings and click Finish to create the claim rule.

    1. In the field for Claim Rule Name, type E-mail.

    2. From the drop-down for the Attribute store, select Active Directory.

    3. From the LDAP Attribute drop-down, select E-Mail-Addresses and map it to Outgoing Claim TypeE-Mail Address.

  1. In the Edit Claim Issuance Policy dialog, click Add Rule

  2. In the Choose Rule Type node, select Send LDAP Attributes as Claims from the Claim Rule Template drop-down. Click Next.

  3. In the Configure Claim Rule node, enter or select the following settings and click Finish to create the claim rule.

    1. In the field for the Claim Rule Name, type First Name.

    2. From the drop-down for the Attribute store, select Active Directory.

    3. From the LDAP Attribute drop-down, select Given Name and map it to Outgoing Claim Type Given Name.

  1. In the Edit Claim Issuance Policy dialog, click Add Rule.

  2. In the Choose Rule Type node, select Send LDAP Attributes as Claims from the Claim Rule Template drop-down. Click Next.

  3. In the Configure Claim Rule node, enter or select the following settings and click Finish to create the claim rule.

    1. In the field for Claim Rule Name, type Last Name.

    2. From the drop-down for the Attribute store, select Active Directory.

    3. From the LDAP Attribute drop-down, select Surname and map it to Outgoing Claim Type Surname.

Step 5: Import the signature into the new Relying Party Trust

1. From the Relying Party Trusts folder, select your new Relying Party Trust, and from the Actions side bar click Properties.

2. Go to the Signature Tab and Click Add to add a certificate.

3. Navigate to the Endpoints tab and you should see a SAML Assertion Consumer Endpoint that you inserted in the Configuration Wizard. Click Add SAML to add a second endpoint.

4. From the Endpoint type drop-down, choose SAML Logout.

5. From the Binding drop-down, choose Redirect.

6. In the Trusted URL field, add the following: https://YOUR-DOMAIN/adfs/ls/?wa=wsignout1.0 -where YOUR-DOMAIN matches the correct URL that you have specified during ADFS setup.

7. In the Response URL field, type your CAM domain, i.e.: https://subdomain.domain.topleveldomain

8. Click OK on the Add an Endpoint window as well as the Relying Party Trust window to save your changes.

Step 6: Verify the Configuration

Your SSO integration with CAM should now be enabled. All CAM users within your firm will be provided with the following sign-in prompt:

Step 6b: Provide Litera the public URL

Step 7: Edit Access Control Policy for User Groups

Edit the Access Control Policy list to deny user group(s) access to CAM.

  1. In the ADFS console, right-click the Relying Party Trust that you want to permit/deny access to and select Edit Access Control Policy.

  2. On the Access control policy, select your policy and then click Apply and Ok.

 

SSO on Microsoft Entra (Azure AD) Instructions

Prerequisites

Set-up

Create and configure an Entra Enterprise Application
The client will have to configure one Enterprise Application to be able to SSO through TeamsApp and CAM.

  1. Open the Azure portal, and choose Azure Active Directory on the list of services

  2. In the Active Directory left pane, choose “Enterprise Applications”

  3. In the opened section click on “Create on your Own Application”.

  4. Name your application

  5. After the application is created you need to Assign the application to Users and Groups, to do so click on “Assign Users and Groups”

  6. After assigning your application to your users, you need to set up SSO. On the main pane of the application click on “Configure Single Sign On”.

  7. After clicking you will be asked to choose a single sign-on method. Choose SAML
    You will then be redirected to the Single sign-on page. There you will have to modify the following values.

Identifier (Entity ID)

The URn should look something like this: urn:amazon:cognito:<region>

urn:amazon:cognito:ap-southeast-1_TTvx

Reply URL (Assertion Consumer Service URL)

Based on your production endpoint region, set the URL should look something like this:

https://camapac-com-abl.auth.ap-southeast-1.amazoncognito.com/saml2/idpresponse

Redirect Endpoint URI's

Redirect Endpoint URI's are as follows:

Domain

Region

URI

Staging/Production URLs are used for CAM to connect Office 365. Select staging or production URIs based on the environment you are setting up.

Staging

EU (eu-west-1)

https://indfh04pbk.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Staging

US East

https://4cpwp6xw51.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

UK (eu-west-2)

https://5cerfmm2b5.execute-api.eu-west-2.amazonaws.com/v1/cam/auth/redirect

Production

EU (eu-west-1)

https://y20ve77is6.execute-api.eu-west-1.amazonaws.com/v1/cam/auth/redirect

Production

US East

https://90uqmfzsbl.execute-api.us-east-1.amazonaws.com/v1/cam/auth/redirect

Production

US West

https://1aj9ofu8f8.execute-api.us-west-2.amazonaws.com/v1/cam/auth/redirect

Production

APAC (ap-southeast-1)

https://c9efufodx8.execute-api.ap-southeast-1.amazonaws.com/v1/cam/auth/redirect

Production

Australia (ap-southeast-2)

https://43b9imoxzb.execute-api.ap-southeast-2.amazonaws.com/v1/cam/auth/redirect

If you are using the CAM teams app, then Microsoft Office 365 URIs are required. It allows accessing documents that a user has access to in Teams or all shared documents like Teams/SharePoint/OneNote/OneDrive.

Microsoft Office 365

UK

https://camteamapp.prosperowaredev.co.uk/team/ukprod/web/auth-end.html

Microsoft Office 365

EU

https://camteamapp.prosperowaredev.eu/team/euprod/web/auth-end.html

Microsoft Office 365

US

https://camteamapp.prosperoware.io/team/usprod/web/auth-end.html

Microsoft Office 365

APAC

https://camteamapp.camapac.com/team/apacprod/web/auth-end.html

 

  1. After configuring the SAML single sign-on click on Save.

  2. Under the single sign-on pane Step 3, SAML Signing certificate please copy the App Federation Metadata URL.

 

  1. Once Litera DevOps gets the App Federation Metadata URL, you will be notified by email when SSO is configured for you.

A PDF Guide of this information is below:

File/ Description

Attachment

File/ Description

Attachment

Single Sign On AzureAD Guide- For the setup of Azure AD to SSO

 

FAQs

Does SSO need to be enabled separately for the CAM teams app?

  • Yes, there is a separate client in cognito for the teams app.

Let's Connect📌

☎ +1 630.598.1100
☎ ‪+44 20 3880 1550‬
📧 support@litera.com
💻 https://www.litera.com/support/

📝 Support is available:
4 am - 8 pm US Eastern
(9 am - 1 am GMT/BST
7 pm - 11 am AET) on normal business days (excluding holidays)

© 2024 Litera