
SSO/SAML Access

Organization users can log in to Prevail through SSO integration using their client Organization credentials rather than directly signing in with an email and password on the Prevail site.

OAuth2 sign-in through the Microsoft Entra and Google Workspace corporate identity providers requires no configuration: users can log in by selecting Continue with Google or Continue with Microsoft on the login page.

Firewall Settings

If your organization's network restricts outbound traffic, you may need to adjust your firewall settings or connect from outside the VPN to reach Prevail.

Enable SSO/SAML

Prevail can integrate with any Security Assertion Markup Language (SAML) Identity Provider (IdP), including Microsoft Entra, Google Workspace, and Okta. SAML offers additional security and administration features, such as sharing user groups and group memberships, but it requires a setup process for each enterprise. In the SAML model, Prevail is the Service Provider (SP) and the enterprise supplies the IdP, whether that is run internally or by a third party such as Entra or Okta.

Permissions

  • Requires the Manager Organization role and above

1. Obtain Your SAML Configuration File

The first step in setting up SAML integration is to obtain your IdP's SAML metadata file (often called the SAML configuration file). The exact contents vary slightly between IdPs, but the file must contain at least the IdP's Entity ID, the X.509 certificate Prevail will use to verify the signatures on your IdP's assertions, and the single sign-on endpoint URLs. Below is an example (a Google Workspace export, with the certificate body shortened):

<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://accounts.google.com/o/saml2?idpid=C03m0b1w1"
                     validUntil="2026-04-15T17:13:09.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" 
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDdDCCAlygAwIBAgIyaddayaddayaddau3CTSH4YihqnkQkNhD6H9fsInau+ROtC7V
            1J/7F0gwyWJATeHsTx0 … many more lines …     ayaddanRZX92SnZZPnrWSmTF
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1"
    />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://accounts.google.com/o/saml2/idp?idpid=C03m0b1w1"
    />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

For guidance on exporting this file, consult the documentation for your IdP. Microsoft Entra, Google Workspace, and Okta each provide a way to download the IdP metadata XML from the SAML application you create in their admin consoles.


2. Send Your SAML File to Prevail

After preparing your SAML file, send it to the Prevail Support team to proceed with the integration setup. The file contains only your IdP's public signing certificate, Entity ID, and endpoints, no PII and no private keys, so it does not need to be kept secret. Its integrity does matter, however: the certificate in it is what Prevail will trust to verify the signatures on your IdP's assertions, so confirm with Support that the certificate fingerprint they loaded matches the one your IdP console displays. If your IdP later rotates its signing certificate, export and send a new file, or logins will fail signature verification.


3. Configure Your Identity Provider

Download Prevail's Service Provider metadata. This file contains the information your IdP needs, such as the ACS (Assertion Consumer Service) URL and Entity ID. Use it to configure Prevail as a Service Provider in your Identity Provider:

  1. Create a new SAML integration in your IdP's admin dashboard using Prevail's Entity ID/Connection ID and Assertion Consumer Service (ACS) URL. Contact Customer Success at CustomerSuccess@prevail.ai for assistance if needed.
    • Entity ID/Connection ID: https://prevail.ai/users/saml/metadata
    • Assertion Consumer Service (ACS) URL: https://prevail.ai/users/saml/auth
  2. Verify that the ACS URL and Entity ID match exactly; an IdP will only send assertions to the ACS URL it has on record. Some Identity Providers can consume the SP metadata file directly, while others require you to extract the values from the file and enter them into the appropriate fields. Refer to your IdP's documentation for creating a new SAML integration.
  3. Provide user attributes to align user data from your IdP with what Prevail expects. Here are the default attributes. If your attributes differ, let us know:
    • first_name
    • last_name
    • email
  4. Provide the SAML attribute name for groups if your organization uses groups. The default attribute is typically "groups," but this may vary depending on your Identity Provider (IdP). This information is essential for setting up group assignments correctly within Prevail.
  5. Decide on the merge style, which controls how the group names passed in each SAML login are applied to the member's Prevail groups: "replace" makes the IdP's list authoritative on every login, while "merge" adds the passed groups to the member's existing groups and never removes any. If your IdP passes a user's full list of groups on each login, "replace" is recommended so that a group removed at the IdP is also removed in Prevail. Discuss this setting with the Prevail support team during SAML setup to choose the option that best fits your organization's needs.
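The following Python example, added here and not part of Prevail's code, shows what steps 3 to 5 amount to on the Service Provider side: reading the attributes out of a SAML assertion, mapping the IdP's attribute names onto the default fields first_name, last_name, email and groups (or onto different names if your IdP emits them), and applying a "replace" versus "merge" group merge style to a member's existing groups. The assertion, issuer, user and group names are constructed; verification of the assertion's signature is assumed to have already happened and is not shown.

```python
"""Map SAML assertion attributes to the user fields Prevail expects, then apply a group merge style.

Added example for this page, not Prevail's code. The attribute names are the
defaults the page lists (first_name, last_name, email, groups), the assertion is
constructed, and signature verification is out of scope here: an SP must verify
the assertion's XML signature against the IdP metadata certificate before it
trusts a single attribute below.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Prevail field -> attribute name the IdP emits. Change the right-hand side when
# your IdP uses different names (the page says to tell support in that case too).
DEFAULT_ATTRIBUTE_MAP = {
    "first_name": "first_name",
    "last_name": "last_name",
    "email": "email",
    "groups": "groups",
}

# Constructed assertion: issuer, user and group names are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2024-11-26T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">JDoe@Example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>JDoe@Example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Litigation</saml:AttributeValue>
      <saml:AttributeValue>Paralegals</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_attributes(assertion_xml: str) -> dict:
    """Pull the NameID and every Attribute (as a list of values) out of an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attributes.setdefault(attr.get("Name"), []).extend(values)  # groups are multi-valued
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def map_user(parsed: dict, attribute_map: dict = DEFAULT_ATTRIBUTE_MAP) -> dict:
    """Translate IdP attribute names into Prevail's fields; identity fields must be single-valued."""
    attrs = parsed["attributes"]

    def single(field: str) -> str:
        values = attrs.get(attribute_map[field], [])
        if len(values) != 1:
            raise ValueError("expected one value for %s (IdP attribute %r), got %r"
                             % (field, attribute_map[field], values))
        return values[0]

    email = single("email").lower()
    if parsed["name_id_format"] == NAMEID_EMAIL and parsed["name_id"].lower() != email:
        # With an emailAddress NameID the two should agree; a mismatch usually means a mis-mapped attribute
        raise ValueError("NameID %r does not match email attribute %r" % (parsed["name_id"], email))
    return {
        "first_name": single("first_name"),
        "last_name": single("last_name"),
        "email": email,
        "groups": set(attrs.get(attribute_map["groups"], [])),  # absent attribute -> no groups
    }


def apply_group_merge_style(existing_groups, asserted_groups, merge_style: str) -> set:
    """'replace' makes the IdP list authoritative on each login, so a group removed at the
    IdP is removed here; 'merge' unions with existing groups and therefore never revokes one."""
    if merge_style == "replace":
        return set(asserted_groups)
    if merge_style == "merge":
        return set(existing_groups) | set(asserted_groups)
    raise ValueError("merge_style must be 'replace' or 'merge', not %r" % merge_style)


if __name__ == "__main__":
    user = map_user(extract_attributes(SAMPLE_ASSERTION))
    current = {"Litigation", "Admins"}  # groups the member already holds in Prevail (constructed)
    for style in ("replace", "merge"):
        print(style, "->", sorted(apply_group_merge_style(current, user["groups"], style)))
```

With the constructed input, "replace" drops Admins because the IdP no longer asserts it, while "merge" keeps it indefinitely. That difference is the access-control reason the page recommends "replace" when the IdP sends the full group list on every login.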

4. Perform Test Group Integration

After setting up group attributes, perform a test login to verify that group assignments are accurately reflected in Prevail. Check that users are placed into the appropriate groups according to your configuration. If group assignments do not align with expectations, or if there are any issues with the integration, contact Prevail support for further assistance at CustomerSuccess@prevail.ai.


5. Perform Final Testing and Login

After completing the SAML configuration, perform a final test login to confirm that the integration is functioning as expected. This includes verifying that the SSO process works and that users can log in using their enterprise credentials.

If the SSO integration does not function as expected, contact Customer Success at CustomerSuccess@prevail.ai for assistance.


Copyright ©2024 Prevail Legal

Last modified: November 26, 2024