Last date modified: 2026-Jun-11

Centralized Authentication

Centralized Authentication is a unified system for managing user authentication and identities across RelativityOne. Powered by the Okta Customer Identity platform, it delivers secure workflows and advanced features that help clients manage authentication with confidence and consistency. By centralizing authentication data, it streamlines administration and offers users a seamless sign-in experience across multiple RelativityOne instances.

Centralized Authentication supports a variety of authentication methods, including standard password-based login and Single Sign-On (SSO). For SSO, it is compatible with both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) protocols, allowing organizations to integrate with their preferred identity providers and authentication standards.

Already onboarded to Centralized Authentication? If your instance transitioned before the release, use the Community articles for your onboarding wave instead of this guide:
  • January – June 2025 (primarily password): see [V1]
  • June – December 2025 (SSO + password): see [V2]

Prerequisites

Confirm your browser allows traffic to and from the new login page: login.relativity.one and *.okta.com

Centralized Authentication workflow

  1. System Administrator sets up the authentication provider[s].
  2. System Administrator invites users to Relativity instance via Centralized Authentication.
  3. Users accept the invitation.
  4. Users log in to RelativityOne using Centralized Authentication.

Setting up your Authentication Provider

The Authentication Provider page streamlines the management of authentication providers and allows you to create and edit password providers with ease.

System Administrators can set up one or both of the following types of authentication providers:

  1. Password–a two-factor authentication (2FA) method that includes a username (the user's email address) and a password. See Password Provider setup.
    Simple password setup is currently permitted; however, disabling two-factor authentication is not recommended.
  2. SSO (Single Sign-On)–a method that allows users to use an external authentication provider so they have one set of login credentials to access multiple applications, including Relativity. See SSO setup.

SSO setup

System administrators can configure SSO provider connections using the guided self-service wizard that walks them through configuring their Single Sign-On provider, including testing the connection at the end. Additional, detailed information will be added here prior to the rollout to SSO customers.

To use your existing SSO provider with Centralized Authentication, you will need to re-register the SSO connections in Relativity using the wizard. For best results, open your identity provider in a separate window and/or work with someone who has access to it.

Password Provider setup

From the Authentication Provider tab, click the New Password Provider button and fill out the following fields:

New Password Provider window settings

  1. Under General Settings, enter a Password Provider Name
  2. In the Two-Factor Authentication (2FA) Settings section, confirm the settings in the following fields:
    • Enable 2FA–this toggle is enabled by default to use two-factor authentication for a more secure password experience. If you disable this toggle, a warning is displayed as it does not align with RelativityOne Security Best Practices.
    • 2FA Methods–select one or both two-factor authentication challenge methods: Email and Authenticator App. By default, the Authenticator App is selected.
      • If both are selected, the user can select which one they want to use during the login process.
      • To learn more, see the [Authenticator App section].
  3. In the Password Settings section, set the following fields:
    • Minimum Password Length–enter the least number of characters permitted for user account passwords. RelativityOne security best practices recommend 10 or more characters.
    • Enable Password Expiration–this toggle is enabled by default with the Days Before Password Expiration set to 180. If disabled, passwords never expire.
      • You may update the desired number of days in the Days Before Password Expiration field.
      • This value is calculated per user account based on the date the user last reset their password.
    • Enable Password Dictionary–enable this toggle to prevent the most commonly used passwords from being used in password creation. If disabled, these passwords are permitted.
    • Enable Password History–enable this toggle to prevent reuse of passwords. Enter the maximum number of previous passwords to be tracked in history in the Maximum Password History field. If disabled, users are permitted to reuse previous passwords.
  4. Click Save.

Password requirements

| Legacy Requirements | Centralized Authentication Requirements |
| --- | --- |
| Minimum character length – defined by customers (default 8) | Minimum character length - defined by customers (default 14) |
| 4 of the 4 criteria: 1 lower case letter, 1 upper case letter, 1 number, 1 non-alpha-numeric character | No change |

Additional password considerations

| Feature | Legacy | Centralized Authentication |
| --- | --- | --- |
| Maximum character length | X (default 50) | No enforced max (72 character evaluation limit) |
| Maximum failed password attempts before password reset required (Brute Force Protection) | X | X (10 failed attempts) |
| Maximum password age | X (default no expiration) | X (default 180 days) |
| Maximum password history | X | X |
| Disallow commonly used passwords | Not supported | X |
| Set password for user | X | Not supported to mitigate risk of user account sharing. |
| Suspicious IP Throttling | Not supported | X |
| Breached Password Detection | Not supported | X |

After you complete the password setup, you can confirm user eligibility or enrollment status from the Centralized Authentication tab.

Edit a Password Provider

  1. In the Authentication Provider tab, select the Edit icon next to the Password Provider you want to update.
  2. In the modal window, update any of the following:
    • Provider Name
    • Two-Factor Authentication (2FA) Settings
    • Password Settings
    • Trusted IP usage
  3. To change the 2FA challenge method, select your preferred option (for example, switch from Authenticator App to Email).
  4. To update Trusted IP addresses, add or remove addresses as needed.
  5. Click Save to apply your changes.
    Window to edit Password Provider settings

Trusted IP Support

Trusted IP support allows you to restrict user logins to specified IP addresses or ranges to enhance the security posture of your environment.

Trusted IP Overview

Centralized Authentication applies trusted IPs at the authentication provider level instead of the individual user level, which differs from legacy behavior.

  • Password Providers - trusted IPs are defined and managed at the password provider level.
  • SSO Providers - trusted IPs on OIDC providers can no longer be managed within Relativity and should be configured on your Identity Provider.
  • If a user attempts to log in from an unauthorized IP address, authentication will fail.
  • The Bypass MFA on Trusted IP is no longer a supported workflow.

If you previously configured trusted IP addresses with legacy authentication, remove them to avoid unintended interaction.

Setting up Trusted IP addresses

Follow these steps to configure trusted IP addresses for a password provider:

  1. Navigate to the Authentication Provider tab.
  2. Click the edit icon next to the password provider you want to configure.
  3. Enable the Restrict Login to Trusted IP Addresses toggle.
  4. In the Trusted IPs field, enter one or more IP addresses or ranges. Separate multiple entries with a comma, space, or new line.
    General Settings (Add trusted IP addresses)
  5. Click Save.
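
A pre-save check for the Trusted IPs field described above, as an added example that is not part of the RelativityOne documentation or product: it splits the field on the separators the page lists, then reports malformed entries, private or very broad ranges, and known egress addresses that would be locked out. The CIDR entry syntax, the /16 review threshold, the function names and the sample values are assumptions.

```python
import ipaddress
import re

# RFC 1918 space: a hosted login service sees the public egress address, never these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_V4_PREFIX = 16  # assumed review threshold: anything broader gets flagged


def parse_trusted_ips(field_text):
    """Split on comma, space or new line (the separators the page lists).

    Returns (networks, rejected). Single addresses and CIDR ranges are the
    assumed entry syntax; entries with host bits set (a common typo) are rejected.
    """
    networks, rejected = [], []
    for entry in filter(None, re.split(r"[,\s]+", field_text)):
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def review(field_text, egress_ips):
    """Pre-save review: bad entries, risky entries, and egress IPs left uncovered."""
    networks, rejected = parse_trusted_ips(field_text)
    warnings = []
    for net in networks:
        if net.version == 4 and any(net.subnet_of(p) for p in RFC1918):
            warnings.append(f"{net}: private range, will not match internet logins")
        elif net.version == 4 and net.prefixlen < MIN_V4_PREFIX:
            warnings.append(f"{net}: very broad range")
    uncovered = [ip for ip in egress_ips
                 if not any(ipaddress.ip_address(ip) in net for net in networks)]
    return {"rejected": rejected, "warnings": warnings, "uncovered": uncovered}


# Constructed sample input (documentation address ranges), not real configuration.
SAMPLE_FIELD = "203.0.113.7, 198.51.100.0/24\n192.168.1.0/24 198.51.100.10/24 office-vpn"
SAMPLE_EGRESS = ["203.0.113.7", "198.51.100.77", "192.0.2.15"]

if __name__ == "__main__":
    for key, value in review(SAMPLE_FIELD, SAMPLE_EGRESS).items():
        print(key, value)
```

Running the review against the addresses your users actually egress from, before enabling the toggle, shows who would fail authentication once the restriction is saved.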

Inviting users

If your instance is using Password Only and transitioned to Centralized Authentication between January 2025 - June 2025, please refer to V1 - Centralized Authentication - Setting Up Passwords and Inviting Users on the Community site.

You can invite new users individually from their user record or in bulk from the Eligible tab on the Centralized Authentication page.

The following invitation instructions apply only to users who authenticate with a password provider. By default, users who authenticate through an SSO provider will not need to accept an invitation to use Centralized Authentication. System administrators will still need to create the user account in Relativity, and grant access through their identity provider; however, users can sign in directly using Centralized Authentication, and the system will authenticate them through their SSO identity provider.

Centralized Authentication tab invitation

  1. Navigate to the Centralized Authentication tab.
  2. Select the Authentication Provider you want to manage users for.
    Centralized authentication tab showing two providers to select from.
  3. For Password Providers:
    1. In the Status field drop-down, select Eligible to view users who can be invited to this password provider.
    2. Select one or more users and click Invite, then Save and Invite in the Confirmation window.
      Password Provider mass invitation

User tab invitation

  1. Navigate to the Users tab and click the Edit icon next to the user you want to invite.
  2. Select the desired password provider from the drop-down menu.
    User tab Password Provider drop-down
    After you select the password provider, the system displays the configured MFA settings.
  3. Click Save.
  4. Click Save and Invite to send the email invitation to the user to join this RelativityOne instance via Centralized Authentication.
    Save and Invite confirmation window

The user receives an email invitation from support@relativity.one with the subject, "Welcome to RelativityOne." See User accepts the invitation. Once invited, the user appears on the Pending list until they accept the invitation, at which point they move to the Enrolled list within the tab for this specific password provider.

Managing user transition

Administrators can track user transitions to Centralized Authentication and manage invitations directly from the Centralized Authentication tab. This overview helps you see which users are assigned to each authentication provider and monitor their progress.

Monitor progress by Authentication Provider

Navigate to the Centralized Authentication tab, then choose the authentication provider you want to review. The information you see changes based on the provider type.

Password Providers

Status: View users in each category for the selected provider in the drop-down menu.

Eligible: Displays users not currently assigned to the provider. The list shows only enabled users and lets you filter by Artifact ID, Full Name, Email, or User Type.

Enrolled: Lists users who accepted the invitation to sign in with this provider. You can view details like Artifact ID, Full Name, Email, enrollment date, number of logins, last login date and time, and User Type.

Pending: Shows users who received an invitation but haven’t accepted it yet. The list displays Artifact ID, the Inviter’s name, the Invitee’s name, the invitation URL, when the invitation expires, and the creation date. Use the Invitation URL if a user can’t receive the invitation email.

If an invitation expires, select the user and choose Re-invite at the bottom of the screen to send a new invitation.

Centralized Authentication - Password Provider Status field

User accepts the invitation

With the transition to a global identity model, the login experience will differ slightly for new and existing Relativity users:

  • New users will continue to receive an invitation to set up their password as part of the onboarding process.
  • Existing users will receive a notification email and can access the new instance using their current credentials.

When the user receives the email invitation from support@relativity.one with the Subject, “Welcome to Centralized Authentication in RelativityOne,” they need to accept it.

  1. The user clicks the Accept invitation button or copies the displayed hyperlink into their browser, which takes the user to the universal login page. The invitation expires after 7 days by default.
    Invitation email
  2. In the "Accept your invitation" dialog, follow these steps:
    1. Click Set up.
      Setup password window
    2. Set your password, re-enter your password, and click Next.
      Create and confirm your password window

    3. The user will be prompted to configure an optional MFA factor.
      This step is not required, and the user can simply click Continue to proceed.
    4. If multi-factor authentication (MFA) is enabled, complete the MFA challenge based on the method configured:
      • Email: Enter the one-time passcode sent to your email, then select "Send me an email".
        Email verification window
      • Authenticator app: Select the Google Authenticator option, then use your preferred mobile authenticator app to scan the QR code displayed on the screen. Enter the one-time code generated by the app in the provided field and click Continue.
        Google Authenticator window
  3. The user logs in to RelativityOne using Centralized Authentication. Admins can verify the user’s acceptance status by checking the Enrolled list for the associated authentication provider in Centralized Authentication.
    Enrolled Users Tab

Existing RelativityOne users

When an existing user is added to a new RelativityOne instance, they receive a welcome email from support@relativity.one with the subject line “Welcome to RelativityOne.” The email notifies the user that they have been added to another instance and confirms that they can log in using their current credentials.

Notification email

Logging in to RelativityOne

Your organization will notice a slight change in the login process as Centralized Authentication rolls out to users.

Transition period to Centralized Authentication

During the transition period, your organization will use both the legacy authentication and Centralized Authentication workflows to allow time for reviewing settings, registering SSO providers, and performing testing. During this time, the user login process works as follows:

  1. Navigate to your RelativityOne URL.
  2. On the login page, click Centralized Authentication, then enter your Username and select Password as your method of verification.
    Centralized Authentication login window
    Users should log in with their existing RelativityOne password. If MFA is enabled, you will be prompted either to send a verification email to receive a one-time code or to enter the code from your Authenticator app. You can enter your password or one-time code first; the other option will be requested afterward.

User profile

During the initial login, users will be prompted to provide basic profile information, including Organization Type and Title. This is a one-time step to ensure profiles are complete and accurate.

User Profile window

Over time, this will give administrators better visibility into their users and provide a stronger foundation for other product areas, such as enhanced reporting and more personalized interactions throughout the platform.

Centralized Authentication login

Once the transition period ends and your organization is fully using Centralized Authentication, the user login process will work as follows:

  1. Navigate to your RelativityOne URL.
    Enter username window
    Relativity Support is not able to reset user passwords. To reset your password, go to the RelativityOne login page. After entering your email address (username) and clicking Next, the Forgot your password? link will appear. If you still do not see this option, please contact your RelativityOne system administrator for assistance, as only they can reset your password. Relativity Support cannot perform password resets on behalf of users.
  • Using Password login: Enter an email address and click Next, then select your verification method (password, email, or authenticator app) and follow prompts to complete the process.

Reset a User’s Authenticator App

Users may need to reset their Authenticator app when switching phones or changing apps (for example, from Google Authenticator to Microsoft Authenticator).

Follow these steps to reset a user's Authenticator App:

  1. Navigate to the Users tab and open the user's detail page.
  2. Select Reset Authenticator App.
    Reset Authenticator App
  3. After the reset, the system displays a success message.
  4. Notify the user that they need to sign in again.

What the user sees next

  1. The user signs in with their username and password.
  2. After entering their password, the system prompts them to scan a QR code to set up their Authenticator app.
    Google Authenticator
  3. The user enters the one-time code generated by the app and signs in successfully.