Setting Up a Single Sign-On Integration
Single Sign-On (or SSO) allows you to manage your organization’s membership via a third-party provider such as Active Directory, OKTA etc.
Once SSO is activated, all existing users will need to link their account before they are able to continue.
SSO is not available for users on a Free Trial.
Using Okta for IdP Authentication for Single Sign-On
ou will need your Single Sign-on (SSO) administrator to complete this configuration. This is usually someone in IT who manages Microsoft apps or SSO.
- Sign into your Okta administrative account and select the Applications menu.
- Click the Add Application button.
- Search and select Parley Pro.
- Click Add.
- On the General Settings page, enter an Application label.
- Click Done.
- Assign the users who are allowed to use this application.
- Click the Assign button.
- Choose to assign by Individual or Group.
- Select users or groups by clicking the Assign buttons to the right.
- Click Done.
- Repeat for each user or group.
- Select the Sign On tab.
- Click the Edit button.
- Specify your Default Relay State. The default relay state for the application is the 3rd level domain name. (Example: For a domain name of acme.parleypro.com, the default relay state is acme.)
- Uncheck the box Disable Force Authentication.
- For the Application username format, select email.
- Click Save.
- Click the View Setup Instructions button and follow those instructions.
- Go to the My Applications section and confirm the application button displays. The setup is complete.
Using SAML in Azure AD for Single Sign-on
Microsoft Azure Setup
- Download the metadata file from:
- Click on Upload metadata file and select the metadata file.
- In the Basic SAML Configuration popup, type your Relay State (e.g., the 3rd level domain name of your own Parley Pro instance, such as 'acme' from acme.parleypro.com). Click Save and close the popup window.
- In the User Attributes & Claims section, click Edit.
- Change the claims section.
The Namespace field should be empty.
Configuring CLM for ADFS
- Go to the Administration page.
- Select the Integrations tab.
- In the Single Sign-On section, click ADFS.
- Enter the three required data points:
- Single Sign-On URL - Enter the Login URL.
- Issuer - Enter the Azure AD Identifier URL.
- Metadata - Download the Federated Metadata XML from the SAML Signing Certificate and paste the contents of the file into this field.
Testing the Integration
After entering the required SSO Integration information, test user access.
- Open the Parley Pro app in ADFS/Azure.
-
Assign users to the application.
NOTE: The user must exist in the system with at least a Viewer role.
- Click Test and confirm that it authenticates.
Assign Proper Roles/Permissions to Users
- A user with the Administrator role must assign the correct roles/permissions to each user.
- Currently there is not a way for this to be completed in Azure.
Optionally: Lockdown SSO
Once SSO is configured and tested, you may choose to force users to only access CLM through the new Login URL. In order to lock it inside Azure SSO, identify the following URLs, then provide them to your Customer Success Manager and request the lockdown.
logoutURL - This URL is commonly used for MS Azure logout. It should be confirmed with MS support in case it is subject of change: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0'.
- authURL - To get this Azure URL where users can login and be redirected, login to https://my apps.microsoft.com/ as an Azure AD administrator and copy the Parley Pro App link.
Note: The App url should look like this
Using Microsoft ADFS or AZURE for Single Sign-on
You will need your Single Sign-on (SSO) administrator to complete this configuration. This is usually someone in IT who manages Microsoft apps or SSO.
Follow these steps to configure Single Sign-on with Microsoft ADFS or AZURE:
Adding the Application
- In your Microsoft admin console, find Add an Application under All Services.
- Select Non-Gallery Application.
- Type Parley Pro in the Name field.
Click Add.
- In the app just created, click Overview.
- Select Set Up Single Sign On.
-
Select SAML.
Uploading the Metadata File
1. Download the appropriate METADATA.xml files to configure the app for your region:
- USA METADATA URL: https://api.parleypro.com/auth/sso/saml/spMetadata.xml;
- EUROPE METADATA URL: https://api.parleypro-eu.com/auth/sso/saml/spMetadata.xml;
- AUSTRALIA METADATA URL: https://api.parleypro-au.com/auth/sso/saml/spMetadata.xml.
2. At the top, select the Upload Metadata File option
3. Click Add to upload the regional metadata file that you previously downloaded.
3. Edit the Relay State. Enter the 3rd level domain name for your instance. For example, for an application domain of acme.parleypro.com, the Relay State would be acme. DO NOT enter the full URL.
4. Click Save single sign-on configuration.
5. When prompted to test, select No, I’ll test later. There are a few more steps required before you should test.
Editing User Attributes and Claims
In the User Attributes and Claims section, click Edit.
- Change all the Claims to match this table:
| Claim Name | Value |
| Unique Identifier | user.mail |
| user.mail | |
| firstName | user.givenname |
| lastName | user.surname |
3. Delete any other claims not listed above.
Configuring for ADFS
Go to the Administration page.
- Select the Integrations tab.
- In the Single Sign On section, click ADFS.
- Enter the three required data points:
- Single Sign-On URL - Enter the Microsoft Login URL.
- Issuer - Enter the Azure AD Identifier URL.
-
Metadata - Download the Federated Metadata XML from the SAML Signing Certificate and paste the contents of the file into this field.
Testing the Integration
After entering the required SSO Integration information, test user access.
- Open the SSO app in ADFS/Azure.
-
Assign users to the application.
NOTE: The user must exist in CLM with at least a Viewer role.
- Visit the Login URL and confirm that ADFS/Azure authenticates at login.
Assign Proper Roles/Permissions to Users
- A user with the Administrator role must assign the correct roles/permissions to each user.
- Currently there is not a way for this to be completed in Azure.
Optionally: Lockdown SSO
Once SSO is configured and tested, you may choose to force users to only access it through the new Login URL. To disable the custom URL (e.g., acme.parleypro.com), provide the Login and Logout URLs to your Customer Success Manager and request the lockdown.
Updating a Certificate for Single Sign-on Integration
Before your current certificate expires, take the following steps to generate a new single sign-on certificate and configure the CounselLink® CLM integration to recognize it for user authentication.
Prerequisites
Coordinate with the technical team that manages single sign-on for your company network to provide you the new certificate. Ask them to:
- Generate and activate the new SAML Signing Certificate, using their standard protocols.
- Download the Federated Metadata XML file and send it to you.
Update the CLM Integration
You must be a CLM Administrator to complete these steps.
Once you have the Federated Metadata XML file, access CounselLink CLM to update the certificate.
- Click the Corporate Profile option under your user name.
-
Click Integrations under the CLM Administration section of the QuickLinks panel.
-
Scroll down to the Single Sign-on Integrations section and select the configured integration type (e.g., ADFS).
- Make a backup of the current content in the Metadata field.
- Click into the Metadata field.
- Press Ctrl+A to highlight all the content.
- Press Ctrl+C to copy the content.
- Open a text editor application (e.g., Notepad) and press Ctrl+P to paste the copied content.
- Save the text file.
-
In CLM, delete the highlighted contents in the Metadata field.
Do not click the Delete Config button as that also removes the Single Sign-On URL and Issuer information.
- Open the new Federated Metadata XML file received from the technical team and copy/paste the contents into the empty Metadata field in CLM.
- Click Save.
Test the Configuration
Ask your technical team to go to the certificate configuration page and click the Test button to confirm the single sign-on works properly.
If the connection fails, you may need to revert to the previous certificate. This will allow users access to CLM while the technical team troubleshoots the new certificate. To revert:
- In CLM, delete the contents in the Metadata field.
- Copy/paste the old XML information from the backup file into the Metadata field.
- Save it.
- Have the technical team deactivate the new certificate and activate the old one temporarily, then test the connection to confirm it works.