Learn about SSO to Legito using OAuth or SAML
Single sign-on (SSO) is an authentication scheme that allows a user to log in once with a single ID to multiple
independent software systems.
Legito supports SSO according to your chosen plan (see https://www.legito.com/pricing/)
The following SSO providers are currently supported by Legito:
- Azure AD (https://learn.microsoft.com/entra/identity/enterprise-apps/one-click-sso-tutorial)
for detailed setting inside Azure AD, please check our https://www.legito.com/developers/oauth-2-0-authentication-with-azure-active-directory/
- Okta (https://www.okta.com/customer-identity/single-sign-on/)
- JumpCloud (https://jumpcloud.com/platform/single-sign-on)
If you use another SSO provider, please let us know via email@example.com.
How to set up SSO
- Contact Legito support via firstname.lastname@example.org with your SSO request.
- We will create a 3rd level domain (<yourcompanyname>.legito.com)
- We will enable the SSO feature in your Settings.
- Legito will assign you with a specific subdomain yourcompanyname.legito.com. You need to use your assigned
subdomain for SSO.
- Go to Settings > SSO and complete the input fields as illustrated below:
Legend for fields
set your SSO provider
Create User after login if it does not exist
When set correctly, Legito will automatically create a new user with a role marked as Default (See Tab Roles &
Permissions). If not set correctly, and a user is not pre-created in ‘People’, the user will be denied access.
Update User after login
When set, user details (username/roles/permissions) will be updated and local changes will be discarded. If not set,
changes made in Legito will remain.
Email attribute from userinfo claims
Fill in the name of the attribute (in the SSO message) where the email identity will be filled in. Typically email,
The email address as a primary key for identifying users. If their email address is changed, their user identity
Username attribute from userinfo claims
Fill in a name of the attribute (in the SSO message) where the user name can be found. Typically
preferred_username or username.
Role Name attribute from userinfo claims
Fill in a name of an attribute (in the SSO message) where the role can be found. This attribute value has to match
the Identifier from the “Roles & Permissions” tab.
Logout from SSO after logout from Legito
This Option redirects users to the logout page of the SSO provider, so the user will also be logged out of the
After Logout redirect URI
When filled, Legito will redirect the user to the defined URI. Otherwise, the user is redirected to the login page
(which will redirect the user to your SSO provider).
Client ID and Client Secret
Provided by your SSO provider.
Complete all the claims you want to use in the fields above: typically: preferred_name, email, username, role. SSO can send those anyway and ignore the requested scope.
Complete in case of Azure AD SSO. (see details here