SAML Configuration for LegalHold
LegalHold SAML Setup
This topic provides details on how to configure the SAML setup between LegalHold and a matter management system (TeamConnect or eCounsel). The goal of this setup is to let users of the matter management system and of LegalHold navigate seamlessly from one application to the other.
This setup has two parts:
- Generate a trusted certificate with OpenSSL for use with your IdP.
- Configure SAML in LegalHold System Settings.
Prerequisites
Before you begin you must have access to, or be familiar with, the following processes and applications:
- Access to a LegalHold instance and the ability to log in as a system administrator.
- Must be a user in LegalHold.
- Registered with the IdP using the SAME email address that is set up in LegalHold.
Important Note: If you already have an account with an IdP, ensure the email address used in the IdP is the same as the one used in LegalHold. Otherwise this process will not work.
- An understanding of how to extract metadata from the IdP.
Steps to Generate a Trusted Key for SAML Configuration
The instructions below detail how to generate the key pair used for the SAML settings in the LegalHold application and are applicable to all IdPs (Identity Providers).
- Download the OpenSSL executable file for Windows or Mac from http://slproweb.com/products/Win32OpenSSL.html
- Select Win32 or Win64 file based on your system version.
- Run the downloaded executable as an administrator.
- Go to the OpenSSL-Win64 directory on your PC, change to its bin directory, and note the path.
- Add that path to the PATH environment variable in System Properties under Advanced Settings.
- Open a command prompt at your user profile location, e.g. C:\Users\John.Doe>.
- Create a directory with an intuitive name such as "keys" in which to save the generated certificate files, e.g. C:\Users\John.Doe>mkdir keys
- Change to that directory: C:\Users\John.Doe>cd keys
- From the C:\Users\John.Doe\keys location, enter the following command: openssl genrsa -out privatekey.pem 1024 (1024 bits is the size shown in this guide; current guidance treats 2048 bits as the minimum for RSA signing keys, so check your organization's key-length policy before generating the key.)
- Next, enter the following command from the same location: openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
- Fill in the Country Name, State Name, Locality Name (city), Organization Name (company), Organizational Unit Name (section), Common Name (such as legalhold.test.mitratech.com), and Email Address, pressing Enter after each.
- Next, enter the following command from the same location: openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer
- Press Enter when prompted "Enter Export Password".
- Press Enter again when prompted "Verifying - Enter Export Password". (Because no export password is set, the .pfx file holds the private key unprotected; keep it in a restricted location and delete working copies after you have uploaded it.)
- Three files are now present in the keys folder (run dir in C:\Users\John.Doe\keys to confirm): (1) privatekey.pem (2) publickey.cer (3) public_privatekey.pfx
Configure SAML Settings in LegalHold
The instructions below are specific to SSOCircle. To begin, log in as a user who has administrative rights, then log in to your chosen identity provider (IdP).
The instructions below toggle back and forth from the LegalHold application to your chosen IdP.
- Log in to LegalHold, navigate to System Settings, and select SAML Configuration.
- In the Step 1 box, upload the public/private key you created in the previous steps.
- This file needs to be in a .pfx format.
- In the Step 2 box, select the download button to download the Service Provider Metadata.
- Open the downloaded XML file, then copy all of the contents.
- Navigate to your IdP and log in. Create a new account, if necessary.
- Select Manage Metadata.
- Select Add New Service Provider. You will be redirected to a SAML Service Provider Metadata Import page.
- Paste your LegalHold URL in the Enter the FQDN of the ServiceProvider field.
Note: Ensure you do not leave /login in the URL when you paste it. To avoid this, make sure you are logged in to your LegalHold instance before you copy the URL.
- Paste the metadata from the XML file into the Insert the SAML Metadata information of your SP field, then click Submit. You should receive a "Metadata was successfully imported" message.
- Extract the metadata from your IdP by removing part of the URL. For example, if the URL is http://idp.ssocircle.com/sso/hos/SPMetaImportIP.jsp, then remove everything after .com and press Enter.
Note: LegalHold errors out if the IdP metadata contains any elements other than EntityDescriptor and IDPSSODescriptor, so regardless of what other elements are present in the file, copy only those two.
- The XML-format metadata should appear. Highlight all of the metadata and copy it.
- Navigate back to LegalHold. Log back in if your session has timed out.
- Paste the metadata into the IDP Metadata (Step 4) box at the bottom of the page. LegalHold will not accept incorrect IdP metadata.
- Turn the Enable SAML Security toggle to Yes.
- Select Save.
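The note above says LegalHold rejects IdP metadata that contains anything besides EntityDescriptor and IDPSSODescriptor. The Python script below, added here as an example and not code from LegalHold, Mitratech or SSOCircle, trims a metadata document down to that pair before you paste it into the Step 4 box, and refuses a document that has no IdP descriptor at all; the sample metadata, entity ID and certificate value in it are constructed.

```python
# Added example, not LegalHold, Mitratech or SSOCircle code: keep only the
# EntityDescriptor/IDPSSODescriptor pair from an IdP metadata document.
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD_NS)  # keep the usual prefixes on output
ET.register_namespace("ds", DS_NS)

# Constructed sample: an IdP whose metadata also carries an SP role, a contact
# block and an Extensions element, i.e. the extra content the note warns about.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.test/sso">
  <md:Extensions/>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
  </md:IDPSSODescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  <md:ContactPerson contactType="technical"/>
</md:EntityDescriptor>"""


def trim_idp_metadata(xml_text: str) -> str:
    """Return metadata holding only the EntityDescriptor and its IDPSSODescriptor."""
    root = ET.fromstring(xml_text)
    # Accept a bare EntityDescriptor or an EntitiesDescriptor wrapper (a
    # federation file); use the first entity that actually publishes an IdP role.
    if root.tag == f"{{{MD_NS}}}EntitiesDescriptor":
        entities = root.findall(f"{{{MD_NS}}}EntityDescriptor")
    elif root.tag == f"{{{MD_NS}}}EntityDescriptor":
        entities = [root]
    else:
        raise ValueError(f"unexpected root element {root.tag}")
    for entity in entities:
        idp = entity.find(f"{{{MD_NS}}}IDPSSODescriptor")
        if idp is not None:
            break
    else:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    trimmed = ET.Element(entity.tag, dict(entity.attrib))  # keeps entityID
    trimmed.append(idp)  # its own children (signing key, endpoints) come with it
    return ET.tostring(trimmed, encoding="unicode")


def top_level_children(xml_text: str) -> list:
    """Local names of the root element's direct children, for checking results."""
    return [child.tag.split("}")[-1] for child in ET.fromstring(xml_text)]
```

Fetch the metadata from your IdP over HTTPS and run it through trim_idp_metadata before pasting; the output still carries the IdP's signing certificate and sign-on endpoint, which is what LegalHold needs.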