Contents π
Introduction π
Juro offers SSO/SAML across SSO providers and SCIM for Okta customers specifically.
Connecting Juro with your SSO platform lets you automate platform access, streamline account creation and enhance your security profile. On top of that, it'll save all of your teams time when it comes to accessing Juro.
|
Enabling SSO/SAML π
π‘ NOTE: Only users with Organisation Admin privileges in Juro and your SSO platform can enable SSO/SAML for your Juro environment.
|
For Okta customers βοΈ
To enable SSO through your Okta instance:
Go to Juro's Okta integration on Okta's website
Click + Add Integration and select your Okta org
Set the subdomain to app
Navigate to the added application configuration, go the Sign On tab and click on View Setup Instructions: you'll be directed to a page similar to this one
Contact either your Juro Legal Engineer or the Juro Support Team (by clicking the Intercom icon in the bottom right-hand corner of this tab) and provide them with the IDP Metadata URL from the Setup Instructions page:
The Juro Team will now enable SSO for your organisation from our side. Once this is done, your users can log in to Juro using their existing credentials by clicking Continue with SAML SSO after they have been added to the Juro through Settings > Members & Groups > + Add Members.
|
For Microsoft SSO (e.g. Azure, Entra, ADFS) customers π
π‘ NOTE: As well as being an Org Admin in Juro, you'll need to be a Cloud Application Administrator in your Microsoft SSO environment.
|
To enable SSO through Azure, in your Azure Active Directory:
Click Enterprise Applications, then + New application and finally + Create your own application
Set "Juro" as the Input name and check the Integrate any other application you don't find in the gallery (Non-gallery) option.
Click Manage, then Single sign-on and select SAML
In the Basic SAML Configuration panel on the right, configure the following Juro-related information:
Identifier (Entity ID):
https://app.juro.ioReply URLs (Assertion Consumer Service URL):
https://app.juro.com/api/auth/saml/callback
https://app.juro.com/api/auth/saml/onboarding/callback
https://sandbox.juro.io/api/auth/saml/callback
https://sandbox.juro.io/api/auth/saml/onboarding/callback
https://test.juro.io/api/auth/saml/callback
https://test.juro.io/api/auth/saml/onboarding/callback
https://preprod.juro.io/api/auth/saml/callback
https://preprod.juro.io/api/auth/saml/onboarding/callback
Make sure to set
https://app.juro.com/api/auth/saml/callbackas the default
Now, you'll need to configure the Attributes & Claims, and input the following information into the Claim name which is under Additional claims:
For
email, the value will beuser.mail.For
firstName, the value will beuser.givennameFor
lastName, the value will beuser.surname
Finally, locate the
App Federation Metadata Url. You can find this by going to the SAML Signing Certificate section.On the SAML Signing Certificate page, copy the
App Federation Metadata Url
Contact either your Juro Legal Engineer or Juro's Support Team (which you can do by clicking the Intercom icon in the bottom right-hand corner of this tab), and provide the App Federation Metadata Url. The Juro Team will now enable SSO for your organisation from our side. Once this is done, your users can log in to Juro using their existing credentials by clicking Continue with SAML SSO after they have been added to the Juro through Settings > Members & Groups > + Add Members.
Customers using other SSO providers (e.g. JumpCloud, OneLogin) π
In your SSO platform:
Find the Metadata URL: if you cannot find this, please find the:
SSO URL
Issuer ID, and
Certificate string
Contact either your Juro Legal Engineer or Juro's Support Team (which you can do by clicking the Intercom icon in the bottom right-hand corner of this tab), and provide the data points from Step 1.
The Juro Team will now enable SSO for your organisation from our side. Once this work is complete, within your SSO platform:
Configure a Claim nameID with the user's email as the value
Configure the following Juro-related information:
Service Provider Identifier (Issuer ID, Entity ID): https://app.juro.io
Assertion Consumer Service URL: https://app.juro.com/api/auth/saml/callback
Whitelist the following Juro ACS URLs on your side (this is required to enable different environments):
https://app.juro.com/api/auth/saml/callback
https://app.juro.com/api/auth/saml/onboarding/callback
https://sandbox.juro.io/api/auth/saml/callback
https://sandbox.juro.io/api/auth/saml/onboarding/callback
https://test.juro.io/api/auth/saml/callback
https://test.juro.io/api/auth/saml/onboarding/callback
https://preprod.juro.io/api/auth/saml/callback
https://preprod.juro.io/api/auth/saml/onboarding/callback
If you need a regex for whitelisted URLs: ^https:\/\/(app|preprod|sandbox|test)\.juro\.(io|com)\/api\/auth\/saml\/(onboarding\/)?callback$
Your users can now log in to Juro using their existing credentials by clicking Continue with SAML SSO after they have been added to the Juro through Settings > Members & Groups > + Add Members.
Enabling provisioning π
Once SSO/SAML is enabled, you may want the users added to your SSO platform to also be automatically added to Juro. This can be achieved through provisioning, which allows you to select a team and permissions set to be applied to all new users added to your SSO platform.
β
To enable provisioning:
Confirm which Juro team you'd like to add all new users to
Confirm which permissions set you'd like new users to have
e.g. new users are added to the "General" team with the "User" permission set
Contact either your Juro Legal Engineer or the Juro Support Team (which you can do by clicking the Intercom icon in the bottom right-hand corner of this tab) and let them know that you'd like to enable provisioning for your environment.
We'll get back in touch to let you know when provisioning has been enabled (don't worry, this won't take too long). Once provisioning has been enabled, any new members added to your SSO platform will be added to Juro automatically.
Enabling SCIM provisioning π€
π‘ NOTE: SCIM provisioning can be enabled for Okta customers only.
|
Setup π§
SCIM allows for a more granular approach to provisioning. You may want to add members from different departments to the corresponding Teams in Juro, with the relevant permission set. e.g., add members of your Sales Team to the Sales Team only in Juro as "Users" and members of your People Team to be added to the People Team only in Juro with "Editor" access.
To enable SCIM provisioning:
Contact either your Juro Legal Engineer or the Juro Support Team (which you can do by clicking the Intercom icon in the bottom right-hand corner of this tab) and request for SCIM provisioning to be enabled
Once enabled, we will provide you with a unique API key and a base URL
https://app.juro.com/xapi/scim (base URL)
In Okta, go to the To App provisioning settings
Enable the Create Users, Update User Attributes and Deactivate Users options
Select email as the Application username format in the Sign On applications tab
βSet the user access levels via the accessLevelName attribute. Supported values for this attribute are:
org_admin: assigns Admin access in all teams, as well as Organisation Admin accessteam_admin: assigns Admin access in all teams, but not Organisation Admin accessteam_editor: assigns Editor access in all teams, but not Organisation Admin accessteam_user: assigns User access in all teams, but not Organisation Admin accessapp_managed: assigns User access in all teams for the onboarding stage, but not Organisation Admin access. After this, permissions assigned using this attribute will be controlled from the Teams or Members tabs in Juro;
If this attribute is not set, the default value is considered to be
app_managed.Optional: Assign users to the Juro app. For more information on this step, please visit this page.
Features supported by SCIM ποΈ
The following provisioning features are supported through SCIM:
Push New Users: users created in Okta are also created in Juro and added to your organization
Push Profile Updates: updates made to the Okta user profile are pushed to Juro
π‘ NOTE: the userName attribute update operation is not supported (whenever this attribute is updated a new user will be created instead). The email attribute is also not supported.
Push Groups: groups (and their members) in Okta are synchronized to Juro as Juro Teams
Import New Users: new users created in Juro will be downloaded and turned into new AppUser objects, for matching against existing Okta users
Import Groups: Juro Teams from your organization will be imported into Okta as groups
Push User Deactivation: deactivating a user or disabling application access in Okta removes the user from all assigned teams in your Juro organization.
Enforcing SSO logins β¬
You might want to enforce single sign-on (SSO) logins by disabling username/password or specific login methods like Google SSO. It's recommended to do this only when SSO is fully operational for your Juro workspace.
Contact your Juro Legal Engineer or the Juro Support Team to enforce SSO logins. You can reach them by clicking the Intercom icon in the bottom right-hand corner of this tab and informing them of the following information:
If SSO has been set up and fully configured for your Juro Workspace
Which login methods to disable (Google, username/password, both etc)
πββοΈ As always, our Support Team is happy to help you with anything further if needed. Start a chat with us right here by clicking the Intercom button in the bottom-right-hand corner of this page.
Alternatively, you can email your query to support@juro.com π
|