Overview
Single Sign-On (SSO) allows users to log into Legl using their organisation's existing identity provider credentials.
This guide explains how to set up SAML-based SSO with Duo and how to test the setup with Legl Support before rolling it out to all users.
Before you start
Before setting up SSO, make sure that:
You have admin access to the Duo Admin Panel
Your Duo plan includes Duo SSO — available on Duo Essentials, Advantage, and Premier plans
Duo SSO is already configured with an authentication source (Duo, Active Directory, or another SAML identity provider)
You can download and send XML metadata files
How to set up SSO with Duo
Follow the steps below to configure SAML SSO for Legl using Duo's Generic SAML Service Provider application.
Step 1: Download the Legl SAML metadata file
Download the XML file and save it locally. You will reference values from this file when configuring Duo.
Step 2: Create a Generic SAML Service Provider application in Duo
Sign in to the Duo Admin Panel
Go to Applications > Application Catalog
Locate Generic SAML Service Provider with the SSO label and click + Add
Name the application Legl so it is easy to recognise. You can change the name from the default value in the application's settings
Step 3: Enter Legl's Service Provider details
In the Service Provider section of the application page, enter the following values exactly:
Field | Value |
Entity ID |
|
Assertion Consumer Service (ACS) URL |
|
In the SAML Response section, set the following:
Field | Value |
NameID format | Email address |
NameID attribute | The user's email address — select the pre-configured |
ℹ️ Important
Legl matches users by their primary email address. The NameID must be set to the user's primary email.
Step 4: Set the Default Relay State
In the Service Provider section, find the Default Relay State field
Enter your firm's Legl subdomain
Scroll to the bottom of the page and click Save
ℹ️ Tip
The relay state value is your firm's Legl subdomain. For example, if your Legl URL is moysewhite.legl.com, enter moysewhite.
Step 5: Grant user access
On the application page, update the User access setting to grant access to the users or groups who should be able to log into Legl. No users can log in to the application until access is granted, so make sure the user you plan to test with has access
Click Save
Step 6: Download the Duo SAML metadata and send it to Legl
At the top of the application page in Duo, go to the Metadata section
Next to SAML Metadata, click Download XML. This file contains Duo's entity ID, Single Sign-On URL, and signing certificate
Send the file to our Support team
How to test SSO with Legl Support
Before migrating all users to SSO, testing is required.
Send the Duo SAML metadata XML file from Step 6 to our Support team
Legl Support will configure the backend and enable SSO on a single test user
Legl will confirm when the test user is ready to verify login
Test login at account.legl.com/login. You should be redirected to Duo, complete authentication, and return to Legl
Once confirmed working, Legl will migrate your full team to SSO
Other supported identity management tools
Legl supports any SAML 2.0-compatible identity provider.
Legl has experience supporting setup with:
Duo (this guide)
Microsoft Entra ID / Azure Active Directory. See How to set up single sign-on (SSO) with Azure Active Directory
Google Workspace. See How to set up single sign-on (SSO) using Google Workspace
Okta
If you use a different identity provider, contact our Support team and we will assist you.
Important information
SSO must be tested with at least one user before full rollout
Duo admin access and a Duo plan that includes Duo SSO (Essentials, Advantage, or Premier) are required to complete setup
The NameID must be the user's primary email address. Legl matches users on email
Users must already exist in Legl. If a user is new, Legl Support will provide an invite link
If you rotate the SAML certificate in Duo, re-send the updated metadata XML to our Support team
