Custodian Portal Single Sign-on Authentication Provider

The Custodian Portal Single Sign-on (SSO) Authentication Provider is a connection between Relativity Legal Hold and an organization's SSO provider. This feature enables an organization to require custodians to authenticate before entering the Legal Hold Custodian Portal.

    Note: Legal Hold Portal SSO authentication only supports the OpenID Connect protocol with Implicit Flow (SAML is not supported).

Enable SSO for the Custodian Portal by navigating to the Custodian Portal Authentication Provider tab located in Hold Admin. In the Authentication Provider section, fill out the fields. If you use the Azure AD provider, see Single Sign-On Authentication Using Azure AD Provider below.

Secure custodian portal link

When the Custodian Portal Authentication Provider is enabled, custodians are presented with your organization's SSO provider login after clicking the portal link in the hold notice communication email they received. If the portal detects that the custodian has not been authenticated, they are redirected to their organization's sign-on page. Upon successful entry of their SSO credentials, they are redirected to the custodian portal.

Single Sign-On Authentication Using Azure AD Provider

To complete the setup of SSO authentication using the Azure AD provider, you need:

  • A Relativity user with workspace Admin rights.
  • An Azure user with sufficient access to create, register, and modify Azure applications.
  • Additional people added as custodians to assist in verifying Portal SSO access.

This process also needs the following applications to be installed in your workspace:

  • Integration Points
  • Integration Points AAD provider
  • Relativity Legal Hold

Importing custodians from Azure AD

To verify functionality, you need to import Legal Hold custodians from Microsoft Azure AD. The data imported into Relativity from Azure AD is used to match the user trying to access the Custodian Portal to the identifier Microsoft generated for that user. Use the Integration Points application with the Azure AD provider to import custodians directly into your workspace.

For testing purposes, limit the number of custodians to be imported. If you use the User Principal Name as the authentication verification information, map that field during setup of the Integration Points AAD integration. We recommend mapping it to the existing UserName column. If UserName is already mapped to some other field, create a new Entity field before setting up the Integration Points AAD integration. For more information, see

Note: We recommend importing the custodian record that corresponds to you, matching your corporate account by email, to help with the troubleshooting process.

Setting up Azure AD application

Portal SSO authentication requires a reference to a dedicated Azure application that has the appropriate permissions. This must be done on the client side by an Azure user with sufficient rights.

  1. Navigate to Azure Portal.
  2. In the left-navigation menu, click All services.
  3. Locate and click App registrations in the menu.

Registering an application

On the App registrations page,

  1. Click New application registration to open the Create form.
  2. Select a Supported account type:
    • Accounts in this organizational directory only.
    • Accounts in any organizational directory.
    • Accounts in any organizational directory and personal Microsoft accounts.
  3. Enter the redirect URL.
    • Enter http://localhost as the sign-on URL.
  4. Click Register.

For more information on registering an application in Azure, see Microsoft's documentation.

Setting API Permissions

Open the application to view the application's homepage. In the Manage section of the right-navigation menu,

  1. Click API permissions.
  2. Click Add a Permission to select an API.
  3. Select Delegated permissions.
  4. In the permissions menu, click User.
  5. Click the User.Read checkbox.
  6. Click Add Permissions.
  7. Click Grant Permissions.

Keep this window open. You will need to make more updates to Azure. For more information on setting API permissions in Azure, see Microsoft's documentation.

Editing the Custodian Portal Authentication Provider

Continue adding the Azure AD application by navigating to the Custodian Portal Authentication Provider tab located within the Hold Admin tab. In the Custodian Portal Authentication Provider tab,

  1. Click Edit.
  2. Enter information in the following fields:
    • Name - enter the application name.
    • Enable - select Yes to enforce SSO Portal authentication for this workspace.
    • Client ID - the organization's security and compliance identifier.
    • Authority URL - the authentication URL provided by the organization's SSO provider. Relativity redirects to the next Redirect URL, which is the Custodian Portal URL.
      • Examples of Azure URLs:
        • https://login.microsoftonline.com/mydomain.com
        • https://login.microsoftonline.com/tenantid

          Note: The TenantID is the unique identifier (GUID) of your Azure tenant (domain). Your Azure admin can provide this value.

    • Subject Claim Type - the claim the SSO provider uses to verify the custodian's identity.
      • The values come from the SSO provider. If you are unsure what to enter, type UNKNOWN. Some Azure claim types are:
        • http://schemas.microsoft.com/identity/claims/objectidentifier (recommended)
        • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
    • Claim ID Verification Field - the Entity field whose value is matched against the value received in the selected Subject Claim Type. Select the Entity field where you expect that value to be stored. If you are not sure at this time, select UniqueID.
  3. Click Save.

After refreshing the page, the Redirect URL value is populated with a unique link. Copy the Redirect URL. The Redirect URL (a read-only value) is the URL the SSO provider uses to redirect back to the Legal Hold Portal after successful custodian authentication.

Adding Redirect URL to Azure

Navigate back to the Azure Portal window. On the application's page,

  1. Select Settings.
  2. Click Reply URLs. You will see the one entry that was populated when the application was created.
  3. Paste the Redirect URL into that first entry. This overwrites the initial value.
  4. Click Save.

For more information on adding a redirect URL to Azure, see Microsoft’s documentation.

Note: It can take up to 10 minutes for the Custodian Portal Authentication Provider settings to go into effect. To speed up the update, create or modify an Instance setting with a shorter refresh rate. See this page for more information.

Troubleshooting Claims

If you are unsure what to enter in the Subject Claim Type and Claim ID Verification Field columns during SSO setup, use the Troubleshoot Claims option. Click Troubleshoot Claims.

The top of the Troubleshooting Claims page, under Main Claims, shows the TenantID. This value is the unique identifier of the Azure tenant (domain) currently being accessed, and it can also be used for the Authority URL as described above. The Troubleshooting Claims page has three columns:

  • Claim Type - lists all claim types transmitted by the Azure AD authentication provider.
  • Claim Value - contains the corresponding value for each transmitted claim type.
  • Potential Claim ID Verification Field - contains the Entity field(s) in which matching values were detected.
      Note: This column is only populated if the Relativity account you are currently logged in under has a corresponding Custodian (Entity) entry with the same email address. To help with troubleshooting, import such a custodian beforehand.

Use the data on this page to select the proper Claim Type and Relativity Entity field values to populate the Subject Claim Type and Claim ID Verification Field, respectively.
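The claim-to-custodian matching that the Subject Claim Type and Claim ID Verification Field settings configure, together with the lookup the Troubleshooting Claims table performs, modelled as an added example. This is illustrative code, not Relativity's implementation; the custodian records, claim values and Entity field names (UniqueID, UserName, Email) are constructed assumptions.

```python
from dataclasses import dataclass

# Azure AD claim types named on this page.
OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
TENANT_CLAIM = "http://schemas.microsoft.com/identity/claims/tenantid"

# Constructed sample custodian (Entity) records; field names are assumptions.
CUSTODIANS = [
    {"UniqueID": "a1b2c3d4-0000-0000-0000-000000000001",
     "UserName": "alice@contoso.example", "Email": "alice@contoso.example"},
    {"UniqueID": "a1b2c3d4-0000-0000-0000-000000000002",
     "UserName": "bob@contoso.example", "Email": "bob@contoso.example"},
]

# Constructed claims as they might arrive in an Azure AD ID token for Alice.
SAMPLE_CLAIMS = {
    OBJECT_ID_CLAIM: "a1b2c3d4-0000-0000-0000-000000000001",
    UPN_CLAIM: "alice@contoso.example",
    TENANT_CLAIM: "f0e1d2c3-0000-0000-0000-00000000abcd",
}


@dataclass(frozen=True)
class ProviderSettings:
    """Subset of the Custodian Portal Authentication Provider fields (assumed model)."""
    enabled: bool
    subject_claim_type: str           # e.g. OBJECT_ID_CLAIM
    claim_id_verification_field: str  # e.g. "UniqueID"


def match_custodian(claims, settings, custodians):
    """Return the single custodian whose verification field equals the subject claim.
    A missing claim, no match, or an ambiguous (multiple) match yields None: deny."""
    if not settings.enabled:
        return None  # SSO not enforced, so no claim-based matching takes place
    value = claims.get(settings.subject_claim_type)
    if not value:
        return None
    hits = [c for c in custodians
            if str(c.get(settings.claim_id_verification_field, "")).casefold() == value.casefold()]
    return hits[0] if len(hits) == 1 else None


def troubleshoot_claims(claims, custodians):
    """Mirror the Troubleshooting Claims table: (claim type, claim value, Entity fields
    holding an equal value). GUIDs and UPNs are compared case-insensitively."""
    rows = []
    for claim_type, claim_value in claims.items():
        fields = sorted({name for c in custodians for name, v in c.items()
                         if str(v).casefold() == str(claim_value).casefold()})
        rows.append((claim_type, claim_value, fields))
    return rows
```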

Make any necessary changes to the Custodian Portal Authentication Provider settings at this time. It may take some time for the change to go into effect.