Ease the Xakia sign-in process for users by linking to your federated identity service with Microsoft Entra (formerly known as Azure Active Directory).
Non-legal team users should not be added to the Xakia SCIM application.
Only legal team users should be added to the assignments. Note that any user added to the Xakia SCIM application will become a billable Xakia user.
If non-legal team members are accidentally added as billable Xakia users, the Xakia support team can help clean this up; however, this will attract a service fee.
Xakia currently supports Federated Identity (also known as single sign-on) with Microsoft Entra (formerly known as Azure Active Directory) using the OpenID Connect (OIDC) protocol. This is available at all subscription levels.
The Microsoft Entra (Azure AD) SCIM federated identity option allows user creation and management using SCIM functionality configured and managed in Microsoft Entra (Azure AD).
If you do not want to use Microsoft Entra's SCIM functionality, you can still configure Single Sign-On (SSO) with Microsoft Entra (Azure AD) OIDC.
If your team is using Azure Directory Federation Services (AD FS), you can configure Azure Directory Federation Services (AD FS) Single Sign On.
The Microsoft Entra (Azure AD) SCIM federated identity option requires a Microsoft Entra system administrator to configure SCIM within Microsoft Entra.
Before configuring Microsoft Entra (Azure AD) SCIM federated identity using the steps below, it is highly recommended to set up a Xakia Support Account on your Xakia Location to ensure minimal downtime during your switch to Microsoft Entra (Azure AD) SCIM federated identity. You can set this account up by contacting the Xakia support team.
Note: Xakia Location Administrator access is required to set up Single Sign-On. Please ensure that the member of IT managing Microsoft Entra has a Xakia Location Admin user account set up. This account can be configured without Matter or Contract access and set as non-billable by contacting Xakia Support.
Setting up your Microsoft Entra in Xakia
Xakia's federated identity is configured at the Location Level, but will require the assistance of an Entra Directory Global Administrator for your organization. This is possibly someone from your internal IT team who may need to be added as a user in Xakia to manage this process.
In order to configure Federated Identity in Microsoft Entra, follow the steps below.
Configure Xakia
In Xakia:
Click on 'Admin' in the top navigation menu
Click on 'Users & Security' in the left-hand side menu
Select the 'Federated Identity' tab
In the 'Identity Provider' field, select ‘Azure Active Directory – SCIM’
Click ‘Save’ to confirm Azure Active Directory as your provider
Click 'Get the App' and this will take you to Microsoft Azure Active Directory
Please follow the prompts to accept the permissions for the terms of the application (see below)
Go to your Enterprise Applications list and check that the 'Xakia SCIM SSO' application was created successfully
Once these steps have been completed, the following fields will be automatically populated in Xakia:
Tenant ID
Consent Granted by (person who provided consent)
Consent granted on (date of acceptance in UTC)
SCIM Base URI
SCIM API Key
Take note of the ‘SCIM Base URI’ and ‘SCIM API Key’ for use later.
Note: We do not store the API Key, so make sure you copy this before navigating away. It can be regenerated later, but will have to be updated everywhere it has been used.
Configure Microsoft Entra (formerly known as Azure Active Directory):
The auto-generated enterprise application set up above will handle the SSO authentication for Xakia. We will need to create a second enterprise application to handle the user provisioning via SCIM.
Create a new Enterprise Application by going to Microsoft Entra (Azure Active Directory) -> Enterprise Applications and selecting new application. Then select ‘Create your own application’
Provide a name (Xakia SCIM) and select ‘Integrate any other application you don't find in the gallery’
Click ‘Create’
Once the application is created, select ‘Provisioning’ then click ‘Get started’
Select ‘Automatic’ as the provisioning mode
Enter the ‘SCIM Base URI’ value from Xakia into the ‘Tenant URL’ field
Enter the ‘SCIM API Key’ value from Xakia into the ‘Secret Token’ field
Click ‘Test Connection’ to ensure everything is configured correctly
Click ‘Save’
Once saved, under the ‘Mappings’ header, select ‘Provision Azure Active Directory Groups’
Toggle 'Enabled' to 'No' and then save
Navigate back to the provisioning settings. Then under the ‘Mappings’ header, select ‘Provision Azure Active Directory Users’
Under 'Target Object Actions', ensure that 'Create', 'Update' & 'Delete' are all checked
Ensure that the userName, email, active, name.givenName, name.familyName, and externalId fields are mapped correctly. The userName and primary email fields must be the email address the user will use to log in. All other fields can be removed. For example:
Note: If the externalId field is not immediately available, please return to Entra ID after 15 minutes. At that time, refresh Entra ID and configure the externalId field mapping. If the externalId field is not available at this time, please contact Xakia Support for assistance.
Click ‘Save’
Under 'Provisioning', ensure that the Provisioning is toggled to 'On'
Add legal team members to the Xakia SCIM application with the Users and Groups menu blade. You can add individual users or an Entra ID group to provide access
New Xakia users will be added with 'My Matters' access. A Xakia Admin can adjust this, if needed
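The mapping and assignment rules from the steps above can be checked before provisioning is switched on. The following is an added example, not Xakia or Microsoft code: it assumes users are available as SCIM 2.0 core User JSON (RFC 7643), that the guide's 'email' field is the emails entry flagged primary (or the only entry), and a hypothetical legal team roster. The sample users are constructed.

```python
# Added example: audit SCIM User resources against this guide's mapping rules.
# Assumes RFC 7643 core User JSON; roster and sample users are constructed.
REQUIRED = ("userName", "externalId", "active", "name.givenName", "name.familyName")
ALLOWED = {"schemas", "userName", "externalId", "active", "name", "emails"}

def _get(resource, dotted):
    """Resolve a dotted path such as 'name.givenName'; None if absent."""
    node = resource
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node

def check_scim_user(resource, legal_team):
    """Return findings for one SCIM User resource; an empty list means clean."""
    findings = [f"missing {p}" for p in REQUIRED if _get(resource, p) in (None, "")]
    if "active" in resource and not isinstance(resource["active"], bool):
        findings.append("active is not a JSON boolean")
    emails = [e for e in resource.get("emails") or [] if isinstance(e, dict)]
    # Prefer the entry flagged primary; fall back to the full list (a lone entry).
    primary = [e for e in emails if e.get("primary") is True] or emails
    user_name = str(resource.get("userName") or "")
    if len(primary) != 1:
        findings.append("no single primary email")
    elif str(primary[0].get("value", "")).lower() != user_name.lower():
        findings.append("userName differs from primary email")
    findings += [f"unneeded attribute {k}" for k in sorted(set(resource) - ALLOWED)]
    if user_name.lower() not in legal_team:
        findings.append("not on legal team roster")
    return findings

def audit(users, legal_team):
    """Map each userName to its findings, keeping only users with problems."""
    roster = {address.lower() for address in legal_team}
    report = {u.get("userName", "?"): check_scim_user(u, roster) for u in users}
    return {name: found for name, found in report.items() if found}

LEGAL_TEAM = ["a.lee@example.com", "b.ortiz@example.com"]  # constructed roster
SAMPLE_USERS = [  # constructed payloads, not real provisioning output
    {"userName": "a.lee@example.com", "externalId": "e-001", "active": True,
     "name": {"givenName": "A", "familyName": "Lee"},
     "emails": [{"value": "A.Lee@example.com", "primary": True}]},
    {"userName": "b.ortiz@example.com", "externalId": "e-002", "active": "True",
     "name": {"givenName": "B", "familyName": "Ortiz"}, "title": "Counsel",
     "emails": [{"value": "b.ortiz@corp.example.com", "primary": True}]},
    {"userName": "c.finance@example.com", "active": True,
     "name": {"givenName": "C", "familyName": "Finance"},
     "emails": [{"value": "c.finance@example.com", "primary": True}]},
]
if __name__ == "__main__":
    print(audit(SAMPLE_USERS, LEGAL_TEAM))
```

A user reported as not on the roster would become a billable Xakia user once assigned, so resolve those findings before turning provisioning on.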
User Provisioning in Xakia
Syncing users to Xakia via SCIM is the recommended approach. However, if user provisioning is required from Xakia directly, go to Admin > Settings > Users & Security > Federated Identity, select the 'Enable User Provisioning from Xakia' box and click 'Save'
This will allow a Xakia Admin to provision a new user in Xakia directly as an SSO user, by going to Users & Security > Users > Add user
Complete all new user details as prompted and the Identity Provider field will default to 'Azure Active Directory - SCIM'
The new Xakia user will immediately have access to Xakia via SSO
Best practice is for the new user to also be added to the Xakia SCIM app in AAD to ensure they stay in sync
Implementation Guide
When implementing and testing federated identity in Xakia, we recommend the following:
Test in your Production Location
Set up a production federated identity provider directly in your Xakia location and use a single test user to verify configuration.
Creating and configuring a federated identity provider in your Xakia location will not disrupt sign-ins for any current users and will not result in any downtime or unavailability in your Xakia location
Existing users will continue to sign in using their Xakia identity as normal while you are testing
Once you have confirmed that your test user can sign in with the federated identity provider as expected, you can complete the implementation for all desired users
Avoid Separate Test Environments
Do NOT create a new Xakia location or use a separate test identity provider. Similarly, avoid using a test IDP tenant or instance. Xakia supports only one federated identity provider per company (with the exception of Microsoft Entra (Sync Job), which supports multiple tenants and locations). Using test locations or IDPs can cause unexpected behavior.
Use a Pilot User
Always test with a real user from your production environment and production IDP to ensure accuracy and avoid complications during rollout (with the exception of Microsoft Entra (Sync Job), which supports multiple tenants and locations).