Documentation

    SAML SSO

    Connecting Your SAML Provider to LiveDocument

    LiveDocument provides a generic auth provider for SAML2-based authentication, allowing you to connect any SAML2-enabled IdP system.

    Supported SAML Features

    LiveDocument supports the following SAML features:

    • Identity Provider (IdP) initiated SSO
    • Service Provider (SP) initiated SSO
    • Identity Provider initiated SLO (Single Logout)
    • Automatic user provisioning via SAML attributes
    • Permission synchronization via SAML attributes

    Technical Specifications

    Specification | Value
    NameID Format | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    ACS Binding | HTTP POST
    SLO Binding | HTTP Redirect

    Connect Your IdP to LiveDocument

    To connect your IdP to LiveDocument, navigate to the SAML section of the membership settings in your dashboard. You'll find these under General Settings » Team settings & SSO » SAML.

    1. Change the Enable SAML SSO setting to Yes.
    2. Scroll to the bottom of the page to find the Configuration information, which includes:
      Configuration | Description
      SAML Consumer URL | Used to log you into LiveDocument. This could also be called Assertion Consumer Service (ACS). Uses HTTP POST binding.
      SAML Single Logout URL | Used to log you out of LiveDocument when you log out in your IdP. Uses HTTP Redirect binding.
      SAML Entity ID | This could also be called Metadata, and it identifies your LiveDocument team.
    3. Create a custom application in your IdP using the information above. Your IdP will then provide you with either an XML file or a Metadata URL.
    4. If you are given a Metadata URL, enter it under the IdP Metadata URL setting on the LiveDocument website. The metadata will be fetched automatically and kept up to date.
    5. If you are given an XML file, copy its content to your clipboard and paste it into the IdP Metadata XML setting on the same page.
    6. Save the settings, and SAML will be fully set up.

    Options

    In the SAML section, you'll find the following options:

    Option | Description
    Automatically provision new SAML users? | Set up LiveDocument to automatically create an account for users logging in with SAML, without needing manual invitations. They will receive your default permission set (or what you configure through SAML attributes). If set to no, an admin must invite new agents on the members page before they can log in.
    Exclude root user from SAML SSO requirement? | If set to yes, the root user (Account Owner) will not be required to log in through SAML and can use a password or a magic link. This is useful if you use an email address for cloud operations that is not part of your IdP.
    Update user data at login? | When enabled (default), user profile information (name, phone number, language) will be synchronized from SAML attributes each time the user logs in.
    Update permissions at login? | When enabled, user permissions will be synchronized from SAML attributes each time the user logs in. This allows you to manage LiveDocument permissions directly from your IdP. Disabled by default.

    SAML Attributes

    LiveDocument can read user information from SAML attributes in your IdP's response. Attribute names are matched flexibly, ignoring underscores and case (e.g., email_address, EmailAddress, and emailaddress are all equivalent).

    User Profile Attributes

    Attribute | Description
    email or email_address | The user's email address. If not provided as an attribute, the NameID will be used (must be in email format).
    display_name, full_name, or first_name + last_name | The user's display name. If display_name or full_name aren't set, first_name and last_name will be combined.
    phone_number | The user's phone number.
    language | The user's preferred language code.

    Permission Attributes

    When Update permissions at login is enabled, you can control user permissions via SAML attributes. Set each attribute to true or false.

    • permission_can_use: User can create LiveDocument links. Defaults to true if not specified.
    • permission_can_manage_content: User can manage the team's templates and shared content.
    • permission_can_view_reporting: User can view reporting and usage analytics.
    • permission_can_manage_users: User can manage the team's users.
    • permission_can_manage_billing: User can pay for the team and manage the billing settings.
    • permission_can_access_settings: User can access general settings and make changes.

    This allows you to centrally manage LiveDocument permissions from your identity provider, ensuring permissions stay in sync with your organization's access control policies.
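
    Before enabling Update permissions at login, it helps to check what your IdP's attribute mapping would resolve to under the matching rules described above. The following is an added example, not LiveDocument's own code: the function names, the sample data, the precedence of email over email_address, keeping the last value on a name collision, and accepting true/false in any letter case are assumptions of this sketch.

```python
# Added illustration, not LiveDocument code; see the lead-in for assumptions.
import re

PERMISSIONS = [
    "permission_can_use", "permission_can_manage_content",
    "permission_can_view_reporting", "permission_can_manage_users",
    "permission_can_manage_billing", "permission_can_access_settings",
]
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse format check only
# Constructed sample: attributes as an IdP might send them for one user.
SAMPLE = {"Email_Address": "alex@example.com", "emailaddress": "root@example.com",
          "Permission_Can_Manage_Users": "yes", "permissionCanManageBilling": "TRUE"}


def normalize(name):
    """Documented matching rule: ignore underscores and case."""
    return name.replace("_", "").lower()


def preflight(name_id, attributes):
    """Return (resolved, findings) for one user's NameID and attribute dict."""
    findings, seen, attrs = [], {}, {}
    for raw, value in attributes.items():
        key = normalize(raw)
        if key in seen:  # two IdP attributes collapse onto one documented name
            findings.append(f"collision: {seen[key]!r} and {raw!r} both match {key!r}")
        seen[key] = raw
        attrs[key] = str(value).strip()  # assumption: last value wins here

    # Assumption: 'email' is preferred over 'email_address'; NameID is the fallback.
    email = attrs.get("email") or attrs.get("emailaddress") or name_id
    if not EMAIL_RE.match(email):
        findings.append("no email attribute and NameID is not in email format")

    perms = {}
    for perm in PERMISSIONS:
        value = attrs.get(normalize(perm))
        if value is None:
            # Only permission_can_use has a documented default (true).
            perms[perm] = True if perm == "permission_can_use" else None
        elif value.lower() in ("true", "false"):
            perms[perm] = value.lower() == "true"
        else:
            perms[perm] = None
            findings.append(f"{perm}: value {value!r} is not true or false")
    return {"email": email, "permissions": perms}, findings
```

    Calling preflight("alex@example.com", SAMPLE) reports the two attribute names that collapse onto the same key and the permission value that is neither true nor false; a permission shown as None is one the assertion leaves unspecified.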