Overview
Single Sign-On (SSO) allows users to log into Legl using their organisation's existing identity provider credentials.
This guide explains how to set up SAML-based SSO with Google Workspace and how to test the setup with Legl Support before rolling it out to all users.
Before you start
Before setting up SSO, make sure that:
You are a Google Workspace Super Admin
You have admin access to your Legl account
You have approximately 15 minutes available to complete setup
You can download and send XML metadata files
Step 1: Download the Legl SAML metadata file
Download the XML file and save it locally. You will reference values from this file when configuring Google Workspace.
Step 2: Add a custom SAML app in Google Admin
Sign in to admin.google.com
Go to Apps > Web and mobile apps
Click Add App > Add custom SAML app
Name the application Legl, then click Continue
Step 3: Download Google's IdP metadata
On the Google Identity Provider details screen, click Download Metadata and save the XML file
Keep this file; you will send it to Legl Support at the end of setup
Click Continue
Step 4: Enter Legl's Service Provider details
Enter the following values exactly:
Field | Value |
ACS URL | |
Entity ID | |
Start URL | Leave blank |
Signed response | Leave unchecked |
Name ID format | |
Name ID | Basic Information > Primary email |
Click Continue.
ℹ️ Important
Legl matches users by their primary email address. The Name ID must be set to the user's primary Google email.
Step 5: Add attribute mapping
Map the following Google Directory attribute to the Legl app attribute:
Google Directory attribute | App attribute |
Primary email | |
Click Finish.
Step 6: Turn on user access
Go back to Web and mobile apps and open the new Legl app
Click User access
Set the service status to ON for everyone, or for the organisational unit (OU) that needs access to Legl
Click Save
How to test SSO with Legl Support
Before migrating all users to SSO, testing is required.
Email the Google IdP metadata XML file from Step 3 to [email protected]
Legl Support will configure the backend and enable SSO on a single test user
Legl will confirm when the test user is ready to verify login
Test login at account.legl.com/login. You should be redirected to Google, complete authentication, and return to Legl
Once confirmed working, Legl will migrate your full team to SSO
Other supported identity management tools
Legl supports any SAML 2.0-compatible identity provider.
Legl has experience supporting setup with:
Google Workspace (this guide)
Microsoft Entra ID / Azure Active Directory. See How to set up single sign-on (SSO) with Legl
Okta
If you use a different identity provider, contact our Support team and we will assist you.
Important information
SSO must be tested with at least one user before full rollout
You must be a Google Workspace Super Admin to complete setup
The Name ID must be the user's primary Google email address. Legl matches users on email
Only users with User access turned on in Google Admin can sign in via SSO
Users must already exist in Legl. If a user is new, Legl Support will provide an invite link
If you rotate the SAML certificate in Google Admin, re-send the updated IdP metadata XML to [email protected]
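The following Python script is an added example, not part of Legl's or Google's documentation. It reads a SAML 2.0 metadata file and lists the Entity ID, ACS URL and Name ID format (the Legl file from Step 1) or the SSO URL and a SHA-256 fingerprint of each certificate (the Google file from Step 3), so the values entered in Step 4 and a re-sent file after a certificate rotation can be checked against the XML. The function name and the example.com sample documents are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize_metadata(xml_text):
    """Pull out the SAML 2.0 metadata fields that the setup steps rely on."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    certs = []
    for node in root.iterfind(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((node.text or "").split()))
        certs.append(hashlib.sha256(der).hexdigest())  # fingerprint of the DER bytes
    def locations(tag):
        return [e.get("Location") for e in root.iterfind(".//md:" + tag, NS)]
    return {
        "entity_id": root.get("entityID"),
        "acs_urls": locations("AssertionConsumerService"),  # present in the SP file
        "name_id_formats": [(e.text or "").strip()
                            for e in root.iterfind(".//md:NameIDFormat", NS)],
        "sso_urls": locations("SingleSignOnService"),  # present in the IdP file
        "cert_sha256": certs,
    }

# Constructed samples: example.com values and placeholder bytes, not real metadata.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Location="https://sp.example.com/saml/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>%s</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/saml/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(SAMPLE_DER).decode()

if __name__ == "__main__":
    print(summarize_metadata(SAMPLE_SP), summarize_metadata(SAMPLE_IDP), sep="\n")
```

To use it on the downloaded files, pass the file contents, for example `summarize_metadata(open(path).read())` with `path` set to the saved XML file. After a certificate rotation the fingerprint list changes, which shows whether a given file is the updated one.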
