Set up single sign-on for your license space

With Contract Express, you can use your organisation's single sign-on (SSO) identity provider to manage authentication and allocation of internal licenses.
This guide outlines the steps to configure your license space for SSO authentication and how to manage permissions, including automatic allocation of licenses to new users.
Note: You will need to work with the Contract Express Services Team and your IT department to register your identity provider and grant permissions.

Register your identity provider

To configure SSO for your license space, you must first register your organisation's identity provider and email domain with Contract Express.
You will need to work with your IT department to provide the following information to the Contract Express Services Team.
This information must be sent from an email address that uses the domain to be registered.
Configuration settings to provide (setting: description):
  • SSO Type: Contract Express supports:
      • SAML 2.0 Protocol
      • SAML WS-Federation Protocol
      • Azure Active Directory (AAD)
  • Email Domain: You may only register an email domain that is owned and used solely by your organisation.
  • Metadata URL: Required for SAML authentication.
  • Azure Directory ID: Required for AAD authentication.
Note: SSO can be configured for only one license space per email domain. If you use multiple license spaces, please speak to the Services Team to discuss your options.

Grant permissions within your identity provider

Contract Express as an approved application

You will need to work with your IT department and the Contract Express Services Team to mark Contract Express as an approved application within your SSO identity provider.
You may also want to work with your IT department to create a security group within your identity provider to manage Contract Express permissions.

Create permission group

Once SSO has been enforced for your license space, individual user access to Contract Express is managed via your identity provider.
To restrict access to a specific set of users, a security/permissions group should be created within your identity provider. Once created, only users in that group will be permitted to sign in to Contract Express.
If access has not been restricted in this way, Contract Express will automatically assign a license to any new user who signs in with valid SSO credentials, provided unallocated licenses are available in your license space.
Note: Users who have been automatically assigned a license upon first SSO login will be added to your Internal site with standard User permissions.
If higher permissions are required – e.g. Author or Admin – your Contract Express Administrator can update this within Contract Express at any time.

Test the SSO configuration

Before enabling SSO for your license space, our Services Team will provide you with access to a sandbox (test) environment where you can test and confirm that authentication is working as expected.
It is recommended that you test SSO authentication with a mix of individuals who are included in and excluded from the security group in your identity provider (if you created one) to ensure access is permitted and denied appropriately.

Enable SSO for your license space

Upload SSO enabled license

Once you are satisfied that SSO authentication is working as expected in the test environment, the Services Team will issue a new SSO enabled license for you to upload to your license space.
  1. Sign into your Contract Express environment.
  2. Go to Admin > License and click the Upload License button in the top right corner.
  3. Select your SSO enabled license and Save.
  4. The License info section will update to display the email domain registered for your license space.
Immediately after uploading your SSO enabled license, authentication will be managed as follows:
  • Any new user attempting to sign into Contract Express with an email address that contains your registered domain will be redirected to your SSO identity provider for authentication.
  • Existing users in your license space will continue to sign in with their existing Contract Express credentials until you enforce SSO for your users.

Enforce SSO for your license space

To allow existing users to sign in using their SSO credentials, you will need to enforce SSO for your license space:
  1. Go to Admin > License.
  2. Click on the Enforce SSO for my organization's email domain button at the bottom of the page.
  3. Select Confirm when prompted.
Note: Once you have enforced SSO, all users from your organisation must sign in via your SSO provider and can no longer use any existing Contract Express credentials.
This will not affect any users in your license space who sign in with a different email domain – e.g. Client Users.
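The following is an added illustration, not Contract Express code: a small Python model of the sign-in routing and automatic license allocation rules described in the "Create permission group", "Upload SSO enabled license" and "Enforce SSO" sections above. The `LicenseSpace` class, the `route_sign_in` function, the outcome names and the sample users and domains are all constructed assumptions; the product exposes no such API. It is useful for reasoning about what happens to a given user before and after enforcement, and shows why restricting access with an identity provider group matters: without one, any user on the registered domain who can authenticate consumes an unallocated license on first sign-in.

```python
"""Model of SSO sign-in routing for a Contract Express license space.

Added example (not product code). All names, fields and sample data are
constructed assumptions used to illustrate the documented rules.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Outcome(Enum):
    LOCAL_CREDENTIALS = "sign in with existing Contract Express credentials"
    SSO_SIGNED_IN = "authenticated by the SSO identity provider"
    SSO_LICENSE_AUTO_ALLOCATED = "authenticated; license auto-allocated, added to Internal site as User"
    DENIED_NOT_IN_GROUP = "denied by identity provider: not in the permission group"
    DENIED_NO_LICENSES = "denied: no unallocated licenses available"


@dataclass
class LicenseSpace:
    registered_domain: str                 # email domain registered with the Services Team
    total_licenses: int                    # size of the license pool (constructed)
    sso_enforced: bool = False             # flipped by the "Enforce SSO" button
    licensed_users: Set[str] = field(default_factory=set)          # emails holding a license
    local_credential_users: Set[str] = field(default_factory=set)  # pre-SSO Contract Express accounts
    # Emails the identity provider reports as members of the permission group.
    # None means no group was created, so every valid SSO user on the domain is accepted.
    permission_group: Optional[Set[str]] = None
    # email -> (site, role) for users this model added automatically
    site_membership: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def unallocated_licenses(self) -> int:
        return self.total_licenses - len(self.licensed_users)

    def enforce_sso(self) -> None:
        """Mirror enforcement: from now on all org-domain users must use the IdP."""
        self.sso_enforced = True


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].strip().lower()


def route_sign_in(space: LicenseSpace, email: str) -> Outcome:
    """Decide how a sign-in attempt is handled under the documented rules."""
    email = email.strip().lower()
    # Users on other domains (e.g. Client Users) are never affected by the SSO license.
    if email_domain(email) != space.registered_domain.lower():
        return Outcome.LOCAL_CREDENTIALS
    # Until SSO is enforced, existing users keep their Contract Express credentials.
    if not space.sso_enforced and email in space.local_credential_users:
        return Outcome.LOCAL_CREDENTIALS
    # Everyone else on the registered domain is redirected to the identity provider,
    # which only admits members of the permission group when one exists.
    if space.permission_group is not None and email not in space.permission_group:
        return Outcome.DENIED_NOT_IN_GROUP
    if email in space.licensed_users:
        return Outcome.SSO_SIGNED_IN
    # New user with valid SSO credentials: auto-allocate only if a license is free.
    if space.unallocated_licenses() <= 0:
        return Outcome.DENIED_NO_LICENSES
    space.licensed_users.add(email)
    space.site_membership[email] = ("Internal", "User")
    return Outcome.SSO_LICENSE_AUTO_ALLOCATED


def demo() -> Dict[str, Outcome]:
    """Walk a constructed license space through the stages described in the guide."""
    space = LicenseSpace(registered_domain="example.com", total_licenses=2,
                         licensed_users={"alice@example.com"},
                         local_credential_users={"alice@example.com"})
    results: Dict[str, Outcome] = {}
    results["alice before enforcement"] = route_sign_in(space, "alice@example.com")
    results["client user"] = route_sign_in(space, "dave@client-firm.test")
    results["bob new user"] = route_sign_in(space, "Bob@Example.com")
    results["carol no licenses left"] = route_sign_in(space, "carol@example.com")
    space.enforce_sso()
    results["alice after enforcement"] = route_sign_in(space, "alice@example.com")
    space.permission_group = {"alice@example.com"}   # group created after the fact
    results["bob outside group"] = route_sign_in(space, "bob@example.com")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome.value}")
```

Running the file prints one line per scenario. The two denials are the cases the test plan in "Test the SSO configuration" is meant to surface: a user outside the identity provider group, and a domain user arriving after the license pool is exhausted.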

Working with Sites in an SSO enabled license space

With SSO enabled, all new users who sign in via your SSO identity provider will be added to the Internal site by default.
If you wish to add an SSO user to a specific site within your license space, you should add them to that site before they attempt to sign in for the first time.
If they have signed in previously and been added to the Internal site, you will need to remove them from the Internal site user list and add them to the required site.
Client User invitations and sites remain unchanged.
For further information and support, please contact the Contract Express Services Team at contractexpress-support@tr.com.