Custodian Portal Authentication Provider

The Custodian Portal Authentication Provider is a connection between Relativity and an organization's single sign-on (SSO) provider that confirms the client, URL, and claim type before letting the custodian into the portal.

Note: Legal Hold Portal SSO authentication only supports OpenID Connect protocol with Implicit Flow or Code Flow. SAML is not supported. For help connecting an authentication provider, contact Support.

To connect Relativity Legal Hold and Microsoft, see Integrating Azure with Legal Hold.

Enabling Custodian Portal SSO

Enable SSO for the Custodian Portal by navigating to the Custodian Portal Authentication Provider tab. In the Authentication Provider section, fill out the fields. If you use Entra ID Provider, see Integrating Azure with Legal Hold.

In the Custodian Portal Authentication Provider tab, do the following:

  1. Click Edit.
  2. Enter in information in the Authentication Provider and Advanced fields, as described below under Authentication Provider fields and Advanced fields.
  3. Click Save when finished entering data on the dialog.
  4. After refreshing the page, the Redirect URL value is populated with unique link. Copy the Redirect URL.
    The RedirectURL, a read-only value, is the URL which will be used by the SSO Provider to redirect back to Legal Hold Portal after successful custodian authentication.

Authentication Provider fields

Custodian portal authentication provider layout

  • Name—enter the name of the application.
  • OAuth2 Flow—select Implicit or Code. Selecting the Code option typically requires that a Client Secret be generated and copied into the Client Secret field that displays.
    Note: Custodian portal authentication can use OAuth 2 framework to enable Relativity to authorize users to access to the Custodian Portal. Relativity can utilize Implicit flow or Code flow.
    • Implicit flow—passes an access token directly, not as a URL parameter.
    • Code flow—passes the access token as a parameter of the HTTP Request when preforming authorization.
    For deciding which flow to use for Custodian Portal Authentication Provider, it is recommended that clients consult their internal security teams.
  • Client Secret—only required if OAuth2 Flow is set to Code. Enter the Client Secret generated.
  • Client ID—enter the organization's security and compliance identifier.
  • Authority URL—enter the authenticated provided by organization's SSO provider. If login is successful, Relativity redirects to the next Redirect URL which is typically a Relativity URL and is the Custodian Portal.
    • Example of Azure URLs
      •  https://login.microsoftonline.com/mydomain.com
      • https://login.microsoftonline.com/tenantid
        Note: The TenantID is unique identifier (Guid) of your Azure tenant (domain). The Directory (tenant) ID on the App Overview page in the Azure Portal. This information can be provided by your Azure admin.
  • Redirect URL—enter the URL of the Custodian Portal that Relativity will redirect the user to after a successful login. This URL is typically a Relativity URL.
  • Subject Claim Type—the information the SSO provider verifies the custodian's identity.
    • The values are from the SSO Provider. If unsure about what to enter, type UNKNOWN. Some Azure claim types are:
      • http://schemas.microsoft.com/identity/claims/objectidentifier (recommended setup)
      • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn (easiest setup)
  • Subject Claim Type—enter the piece of information that the SSO provider confirms the custodian by a field.
  • Claim ID Verification Field—select the value to be used to match value coming in selected Subject Claim Type.
  • Enabled—select Yes to enable or No to disable the Custodian Portal SSO.

Advanced fields

  • Scopes—the default value for this field is openid. openid is a required value to be able to set up the Custodian Portal SSO feature. However, it is possible to add additional scopes (such as profile or email), if desired. Adding additional scopes allows the identity provider to respond with additional claims associated with the scopes being requested.
  1. After refreshing the page, the Redirect URL value is populated with unique link. Copy the Redirect URL. The RedirectURL, a read-only value, is the URL which will be used by the SSO Provider to redirect back to Legal Hold Portal after successful custodian authentication.

Okta SSO setup

To set up Okta SSO:

  1. Go to the Custodian Portal Authentication Provider page.
  2. Ensure that your Okta site is set up:
    1. Go to Applications > Applications on the tool bar on the left hand side of Okta.
    2. Click Create a new app integration.
    3. Select OpenID for Sign-in method.
    4. Select Web Application for Application Type.
  1. On the Custodian Portal Authentication page, configure the fields as follows:
    • Name—enter a unique name.
    • OAuth2 Flow—select Code.
    • Client ID—copy this ID from the General tab under the Client Credentials section.
    • Client Secret—copy this secret from the General tab under the Client Secrets section.
    • Authority URL—copy the Authority URL, which can be retrieved from the Sign On tab in Okta. It is in the OpenID Connect ID Token section of the Issuer area. It will look something like "http://customer.okta.com".
    • Redirect URL—copy the Redirect URL from Relativity to Okta. Go to the Login section and add the Redirect URL in the Sign-in redirect URLs section.
    • Subject Claim Type—set this to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn unless the following is true:
    • If you selected only OpenID in the Scopes field, this field must be set to sub.
    • If you selected OpenID and profile in the Scopes field, set this field to a property available from the identity provider. These properties differ for each provider.
    • For more information about this field, refer to configuring Okta OpenID Connect.
    • Claim ID Verification Field—select Email (see above for the other options as desired).
    • Enabled—select Yes.
    • Scopes—default is openid.

Additional documentation can be found here:

When the Custodian Portal Authentication provider is enabled, custodians are presented with your organization’s SSO provider login after clicking the portal link in the received hold notice communication email. If the portal recognizes that the custodian has not been authenticated, they will be redirected to their organizations sign on page. Upon successful entry of their SSO credentials, they will be redirected to the custodian portal.