Legal Tracker Product Content
SAML 2.0 authentication – manual provisioning
User Experience (page 4)
Appendix 1 – User Notification Message Template (page 6)
Appendix 2 – New User Experience (page 7)
Existing Users – First Sign in (page 7)
Existing Users – Subsequent Sign ins (page 8)
New Users (page 9)
Sign Out (page 9)
Appendix 3 – New-user email example (page 11)
Appendix 4 – Assign an Application in OKTA (page 12)
Companies who use Tracker currently sign in by using one of these authentication methods:
• Tracker account
• OnePass
• Azure Active Directory (Azure AD, AAD)
TRACKER ACCOUNT
• Users are added in Tracker, and user names and passwords are stored securely in the Tracker database.
• Company users enter their user name and password on a Tracker sign-in page to begin using Tracker.
ONEPASS
• Law firm users are required to use OnePass to sign in to Tracker.
• OnePass allows users to sign in to multiple Thomson Reuters® products and websites with a single user name and password.
• When a new user is created in Tracker, Tracker sends that user an email that includes a link to register the account.
• Users can create their own OnePass accounts, and the user names and passwords are stored by OnePass.
• The Tracker sign-in page redirects company users to the OnePass sign-in page so that all company users are authenticated by OnePass before they begin using Tracker.
AAD
• Active Directory integration lets customers use their existing company-issued credentials, identity provider (IdP), single sign-on (SSO) provider, and Active Directory to manage user access, authentication, and user adding/deactivating in Legal Tracker.
• The Tracker start page redirects company users to their company-managed sign-in page so that all company users are authenticated by the company system before they access Tracker.
• Company users sign in to Tracker by using their company-issued credentials, which are authenticated by the company’s identity or SSO provider. Companies can add and deactivate company users with their existing onboarding processes and tools.
• AAD integration provides a single, automated, auditable user adding and deactivating process. User identity attributes (including name, address, phone number, email address) in Tracker are synchronized from Active Directory.
New Tracker authentication framework
IDENTITY PROVIDER / SSO SUPPORT
More and more companies today want to streamline access to different business systems for their users in a simple and unified way, without a proliferation of user names and passwords. The Tracker account and OnePass authentication methods, which involve unique account user names and passwords, don't align well with this objective. Other companies aren't using Microsoft products or AAD, but may have selected an identity provider (IdP) to perform SSO.
To give these companies the simpler sign-in experience they're looking for, Legal Tracker has added SAML as an authentication method that supports modern identity solutions and SSO.
SAML
Security Assertion Markup Language, or SAML, is an open standard for exchanging authentication and authorization data between
parties: an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security
assertions (statements that service providers use to make access-control decisions).
The single most important use case that SAML addresses is web browser single sign-on (SSO).
SAML MANUAL PROVISIONING IN TRACKER
SAML authentication lets companies extend their IdP (for example, OKTA) to Tracker, and bypass classic Tracker account sign-ins.
The company’s IdP manages user names and passwords. Users must have both a valid Tracker account and a valid IdP user
account to be able to sign in to Tracker.
If the company is already using Tracker, no further action is needed for existing users, other than to message those users about the
change. See the Messaging section for more information.
For new users, an authorized Tracker company user, typically the Tracker Coordinator, will need to manually create user accounts
in Tracker.
PHASED ROLLOUT AND TIMELINE
To help drive adoption, SAML authentication will be rolled out on a progressive timeline that includes these phases:
• Build an agnostic B2C tenant as the foundation of the solution and controller of all authentication requests to Tracker
(completed in Summer 2018)
• Deliver SAML 2.0 support with manual provisioning to add and deactivate users (completed in Summer 2018)
• Deliver SAML 2.0 just-in-time (JIT) provisioning MVP (delivered in Tracker 2018 R3, November 2018)
• Deliver SAML 2.0 JIT advanced features (H1 2019)
• Extend SAML 2.0 support with manual provisioning to Tracker for Outlook (H1 2019)
ADOPTING SAML AUTHENTICATION
Adopting SAML as a Tracker company authentication method is accomplished in these phases:
• Configuration
• Discrete testing
• Messaging
• Enablement
Note: Filezone does not support SAML 2.0. When considering the change to SAML 2.0 authentication, be aware that Filezone will no longer be available to company users.
CONFIGURATION
The company's identity provider (IdP), for example OKTA, will access Tracker through the B2C tenant.
Thomson Reuters will complete a one-time configuration of the B2C tenant with the company's IdP URL, and assign a unique company ID.
The company also completes a one-time configuration in its IdP specifying where the SAML assertion is sent.
DISCRETE TESTING
This step in the process is optional, but it is recommended to ensure that the configuration has been completed successfully.
The company can designate 1-5 existing Tracker users to test the new sign-in experience with SAML and the company's IdP.
A Client Success Manager or Tracker Support will provide those users with the Tracker URL, which redirects them to sign in with the company IdP.
Note: The designated users will see the same user experience as company users will after SAML is enabled. Some IdPs may
require that the discrete users have all related permissions set in the IdP. For example, with OKTA, the user must have Legal
Tracker assigned as an application (see Appendix 4 for more details).
If needed, discrete testers can have authentication reset to their company's default method by contacting Tracker Support.
Discrete testing is conducted securely in the Legal Tracker production instance only. There is no provision for a sandbox at this
time. If discrete testers fail to authenticate using SAML, then they can still sign in to Tracker by using their existing credentials.
MESSAGING
While discrete testing is in progress, companies might want to start thinking about how to message users prior to enabling SAML
authentication. Even though users are familiar with using their company’s single sign-on, they have not used it to sign in to Tracker.
We recommend messaging users a few days in advance of enabling SAML authentication for Tracker, taking national and
international holidays into account. In Appendix 1 we provide a message template that can be customized for the company’s IdP
and configuration. In Appendix 2, we also provide documentation and screenshots of the user experience that can be customized
and attached to messages sent to users.
ENABLEMENT
When discrete testing is concluded and an enablement date selected, companies will work with a Client Success Manager or
Tracker Support to enable SAML for all company users on that date. The CSM or Tracker Support will enable SAML in Tracker
Settings > Password and Sign-in Options, and confirm the company’s support contact email address.
The support contact information is needed so that Tracker can generate friendly messages to company users about who to contact if
there are problems with their user accounts, because user names and passwords are managed by the IdP rather than Tracker.
USER EXPERIENCE
Users will need to be manually provisioned and deactivated by a company administrator in Tracker. After the company is configured
within the B2C tenant, SAML is enabled, and users in Tracker are provisioned by the company administrator, the mapping between
the company IdP and Legal Tracker through the B2C tenant happens dynamically with the user’s email address and the unique
company ID.
Note: For the very first sign-in, it’s a good idea to verify that the user’s email address in Tracker corresponds to the user’s email
address in the IdP.
To access Tracker, company users will need to have a valid company IdP account and a valid Tracker account. Possible user sign-in experiences are as follows:
• Users with a valid IdP account but not a valid Tracker account will be prompted with an informational message and will not be able to access Tracker.
• Existing users who access Tracker by using the Tracker URL will be redirected to the company’s IdP sign-in page, where they will enter their credentials and then go to their Tracker home page.
• New users will receive a Tracker welcome email that includes the Tracker URL, which takes them to the IdP sign-in page where they enter credentials and then see the Tracker welcome page.
• In some cases, depending on the company’s IdP configuration and/or use of cookies, users may see a Tracker sign-in page first, where they can click Continue and be redirected to the IdP sign-in page.
Note: If users are decommissioned in the company’s IdP but not manually deactivated in Tracker, they will have no access to
Tracker, as the SSO would block the sign in (Tracker authentication is performed through the IdP).
Appendix 1 – User Notification Message Template
This template can be customized for the company and IdP. The attached document this email refers to is shown in
Appendix 2.
Dear {User First Name Last Name},
From {date} we will be introducing Single Sign On (SSO) to Legal Tracker for a seamless sign-in experience.
Therefore, you will be prompted by {our company IdP} when signing in to Legal Tracker.
Please enter the user name and password that you normally use to sign in to your {company systems} or {our company IdP}.
If you have the Legal Tracker URL bookmarked, you do not need to take any action after the above-mentioned date
as it will continue working as it currently does.
Overall the workflows in Tracker are unaffected by the switch to SSO, but please note the following few changes to
your user experience:
• Should you wish to reset your password, please do it in {our company IdP} or contact {our company IdP Administrator}
• User name and password will no longer be managed by Legal Tracker, but by {our company IdP}
• If your Legal Tracker session times out, you will be prompted with a new session expiration page and by selecting Continue, you will be signed back in Tracker
If you have not signed in to Legal Tracker in the last {Tracker company settings/ Password and Sign-In Options Inactivity days}, you will see an error message upon sign in because your Tracker account is now locked. Kindly contact your Tracker Coordinator {Tracker Coordinator e-mail} so that your account can be unlocked.
Please refer to the attached document to find out more details about the upcoming changes to your Legal Tracker
sign-in experience.
If you have any questions, please contact your Tracker Coordinator {Tracker Coordinator e-mail}.
Kind Regards,
{Tracker Coordinator First Name Last Name}
Appendix 2 - New User Experience
EXISTING USERS – FIRST SIGN IN
Any existing user is likely to follow the workflow below.
Screenshot: Legal Tracker sign-in page. After the email address is entered (if not pre-populated by a cookie), clicking Continue takes the user to the IdP sign-in page.
Screenshot: Company IdP sign-in page. Substitute with the company's IdP sign-in page.
Screenshot: Legal Tracker home page. Substitute with your company's Action/Dashboard page if needed.
EXISTING USERS – SUBSEQUENT SIGN INS
Most users will follow the workflow below after the very first sign-in using the IdP. However, depending on company IdP
configurations and user bookmarks to Tracker, user might go directly to the bookmarked Tracker page, without having to re-enter
their IdP credentials.
Screenshot: Company IdP sign-in page. Substitute with the company's IdP sign-in page.
Screenshot: Legal Tracker home page. Substitute with the company's Action/Dashboard page if needed.
NEW USERS
New users will still receive a welcome email from Tracker with the Tracker URL. No temporary user name or password is included in
the email as they are now managed by the IdP. See Appendix 3 for a sample of the new welcome email to SAML users.
When users click the URL in the welcome email, they will be redirected to the company’s IdP sign-in page.
After signing in to Tracker by using the company SSO for the first time, they will see the Legal Tracker Welcome & Terms of Use page, followed by the User Profile page and the Print Quick Reference Guide page, prior to accessing the Tracker home page.
RESET PASSWORD
The Change Password action is no longer available in Tracker because the password is now managed by the IdP.
SIGN OUT
Upon sign out in Tracker, the user is redirected to the sign-out page. The user can click the Sign In button to sign
in to Tracker again by using the company’s IdP and SSO.
SESSION EXPIRATION
If a user's session expires for inactivity, the user is redirected to the session expiration page. The user can click the Continue button to sign in again by using the company's IdP and SSO.
Appendix 3 – New-user email example
The new user is provided with the Tracker URL and instructions to sign in with the company user name and password that is
associated with the user’s email address.
Appendix 4 - Assign an Application in OKTA
When adding or updating users, check that Legal Tracker has been assigned as an application.
1. Click the Assign Application button.
2. On the Assign Application page, select Legal Tracker and click the Assign button.
3. Click the Done button when the assignment is completed.
Appendix 5 - FAQs
Question: What will happen to firm users?
Answer: Firm users are assimilated to local users. Refer to the OnePass section in the document. Note that we plan to transition firm users to the new architecture in 2019.

Question: Can firms take advantage of SAML or AAD?
Answer: At this time, we do not envision providing support to firms for SAML or AAD. However, this is under consideration for future development depending on other roadmap and market priorities.

Question: Who can I contact to discuss transitioning from my company's current authentication to the new architecture?
Answer: Please contact Tracker Support or your Client Success Manager.

Question: My company would like to implement SAML SSO. What do we need to do?
Answer: With the new architecture, authentication is routed via the IdP. Therefore, if SSO is supported by your IdP, you will be able to take advantage of it.
Note: For 2018, only companies who use Tracker account authentication can transition to SAML SSO.

Question: How long does it take to transition to SAML 2.0 in Tracker?
Answer: It all depends on how quickly your company's IT department can complete the configuration phase, how long you want the discrete phase to last, and how much notice you would like to give to your users for the switch-over with the messaging.
Typically, the configuration phase can be accomplished in a couple of days, the discrete testing can be 1-3 days, and the notice period is really variable depending on company practice but can be anything between 1 to 3 weeks.

Question: My company is currently using OnePass but we would like to transition to SAML 2.0 asap so that the user sign-in is completely unified and streamlined. What do we need to do?
Answer: It is possible to transition from OnePass to SAML 2.0.
Please contact Tracker Support or your Client Success Manager.

Question: We are currently considering the AAD integration. What are the options with the SAML support?
Answer: AAD is an IdP and therefore it is possible to take advantage of SAML for Tracker authentication without opting for the full AAD integration.

Question: My company is currently using OnePass SSO. How would we be affected?
Answer: In early 2019, existing OnePass and AAD companies will be transitioned transparently to the B2C tenant without changing the authentication method. More details will be communicated at a later time.

Question: We are currently using or planning to use Tracker for Outlook and would like to take advantage of SAML 2.0 as well. Is there any concern that we should be aware of?
Answer: Tracker for Outlook authentication will be enhanced to support SAML and the B2C tenant authentication architecture in a later phase.
B2C tenant support in Tracker for Outlook is currently targeted for 2019 H1. Therefore, we recommend that you either:
• Wait to start using Tracker for Outlook until then, if you are already using Tracker with SAML 2.0
• Wait to transition to SAML 2.0 if you are already using Tracker for Outlook
Question: My company has two separate Tracker databases that share the same domain name. Can we implement SAML for both accounts?
Answer: No. This scenario is currently not in scope for the first SAML authentication phases.
Appendix 6 - Glossary
API – Application programming interface.
IdP (also IDP) – Identity provider (for example, OKTA and Microsoft AAD).
Local user – A user who has an identity in, and is authenticated by, the B2C tenant. User attributes are managed in Tracker and pushed to the B2C tenant if required. These can be company, firm, or Thomson Reuters users.
Managed user – A user who has an identity in the B2C tenant that is associated with an external IDP/SSO system, and is authenticated solely by that system. User attributes are provided by the external IDP/SSO and Tracker is updated with those values. Where user attribute values are missing, Tracker provides defaults. For V1.0, only company and Thomson Reuters users can be managed users.
Web services user – A forms-based credential issued by Tracker for use with certain Tracker APIs. User sign-in is authenticated by Tracker. Tracker product access will be revoked for these users, and a password reset scheme will be added for these user types. This credential cannot be managed by an external IDP/SSO system.