Lawvek — Okta Integration Guide

Connect Lawvek to Okta for Single Sign-On (OIDC or SAML 2.0) and automated user provisioning (SCIM). Once configured, your team can log in to Lawvek using their Okta credentials, and user accounts are automatically created, updated, and deactivated as you manage them in Okta.

Supported Features

Feature Description
Single Sign-On (OIDC or SAML 2.0) Users log in to Lawvek with their Okta credentials — no separate password required.
IdP-initiated login Users can launch Lawvek directly from their Okta dashboard app tile.
SP-initiated login Users can start from the Lawvek login page and be redirected to Okta.
Automated provisioning Assigning a user to the Lawvek app in Okta instantly creates their Lawvek account.
Automated deprovisioning Removing or suspending a user in Okta immediately deactivates their Lawvek access.
Import Users Import users from Lawvek into Okta.
Import Groups Import groups/teams from Lawvek into Okta.
Group sync Okta groups are synced to Lawvek Teams automatically.
Just-in-Time (JIT) Provisioning Lawvek automatically creates a user account on first Okta SSO login.

Prerequisites

  • Okta administrator access
  • A Lawvek account with Org Admin or higher permissions

Part 1 — Single Sign-On (OIDC or SAML 2.0)

Choose the Single Sign-On protocol that matches your organization's requirements. We support both OpenID Connect (OIDC) and SAML 2.0.

Option A — OpenID Connect (OIDC)

OIDC is the recommended and modern protocol for connecting Okta to Lawvek.

Create the Lawvek app in Okta

Choose the setup method that applies to you:

Option A — Okta Integration Network (recommended)

If Lawvek is listed in your Okta app catalog:

  1. In the Okta Admin Console, go to Applications → Browse App Catalog
  2. Search for Lawvek and click Add Integration
  3. Set the Application label (e.g. Lawvek) and click Done

Okta automatically pre-configures the redirect URIs and scopes — no manual OIDC settings required. Proceed to Step 2.

Option B — Manual Setup

If you are not using the Okta catalog, create a custom OIDC app:

  1. In the Okta Admin Console, go to Applications → Create App Integration
  2. Select OIDC – Web Application and click Next
  3. Set the Application label (e.g. Lawvek)
  4. Under Sign-in redirect URIs, add:
    https://dashboard.lawvek.ai/api/auth/sso/callback
  5. Under Sign-out redirect URIs, leave blank
  6. Set Controlled access to the appropriate policy for your org
  7. Click Save

Note your Okta details

From the app's General tab, copy:

Value Where to find it
Client ID General → Client Credentials
Client Secret General → Client Credentials → Show secret
Okta domain Top-right of any Okta Admin page, e.g. acme.okta.com

Your Discovery URL (needed in Step 3) is:

https://<your-okta-domain>/.well-known/openid-configuration

Configure SSO in Lawvek

  1. Log in to Lawvek as an Org Admin
  2. Open your organisation dashboard and click the SSO & SCIM tab
  3. Click Configure SSO and fill in:
Field Value
Provider Okta
Client ID (from Step 2)
Client Secret (from Step 2)
Discovery URL https://<your-okta-domain>/.well-known/openid-configuration
JIT Provisioning Enable if users should be auto-created on first login

Note: The Client Secret is encrypted at rest and is never displayed again after saving.

Click Save

Assign users

In the Okta app → Assignments tab:

  • Click Assign → Assign to People to add individual users
  • Click Assign → Assign to Groups to assign an entire group

Assigned users can now log in at dashboard.lawvek.ai by entering their work email — Lawvek automatically detects SSO and redirects them to Okta.

Option B — SAML 2.0

Use SAML 2.0 if your organization requires it instead of OIDC. SCIM provisioning works the same way regardless of which SSO protocol you choose.

Create a SAML 2.0 app in Okta

  1. In the Okta Admin Console, go to Applications → Create App Integration
  2. Select SAML 2.0 and click Next
  3. Enter the Application name (e.g. Lawvek) and click Next
  4. On the Configure SAML screen, enter:
Field Value
Single sign-on URL (ACS URL) https://dashboard.lawvek.ai/api/auth/saml/callback
Audience URI (SP Entity ID) https://dashboard.lawvek.ai
Name ID format EmailAddress
Application username Email

Under Advanced Settings, configure the following:

  • Set Assertion Signature to Signed
  • Set Signature Algorithm to RSA-SHA256

Click Next, select the appropriate options for your organization, and click Finish.

Once saved, go to the Sign On tab, click View SAML Setup Instructions under the active certificate, and copy:

  • Identity Provider Issuer
  • Identity Provider Single Sign-On URL
  • X.509 Certificate (copy the body text only, excluding the headers/footers)

Configure SAML in Lawvek

  1. Log in to Lawvek as an Org Admin
  2. Go to Org Settings → SSO & SCIM
  3. Click Configure SSO and select SAML 2.0
  4. Paste the three copied values from Okta:
    • Identity Provider Issuer
    • Identity Provider Single Sign-On URL
    • X.509 Certificate (body only)
  5. Enable Just-in-Time Provisioning if users should be auto-created on first login
  6. Click Save

Assign users and test

In the Okta app, go to the Assignments tab and assign users or groups.

Then test both authentication flows:

  • SP-initiated: Go to https://app.lawvek.ai/login, enter your work email. The system should redirect you to Okta and land you back on the dashboard.
  • IdP-initiated: Click the Lawvek tile in your Okta portal. You should land on the Lawvek dashboard directly.

Part 2 — Automated Provisioning (SCIM)

SCIM keeps Lawvek user accounts in sync with Okta automatically. When you assign a user to the Lawvek app, their account is created in Lawvek within seconds. When you deactivate them in Okta, their Lawvek access is revoked immediately. Note: The SCIM configuration and setup process is identical regardless of whether your organization chooses OIDC or SAML 2.0 for Single Sign-On.

Generate a SCIM token in Lawvek

  1. In Lawvek, open your organisation dashboard and click the SSO & SCIM tab
  2. Scroll to SCIM Provisioning
  3. Click Generate Token, enter a description (e.g. Okta production), and click Generate

Important: Copy the token immediately — it is shown only once and cannot be retrieved again.

The SCIM Base URL is:

https://dashboard.lawvek.ai/scim/v2

Configure SCIM in Okta

In the Okta Lawvek app → Provisioning tab:

  1. Click Configure API Integration
  2. Check Enable API integration
  3. Fill in:
Field Value
SCIM connector base URL https://dashboard.lawvek.ai/scim/v2
Unique identifier field for users id
Authentication mode HTTP Header
Authorization Bearer <token from Step 1>

Click Test API Credentials — you should see "Verified successfully", then click Save.

Enable provisioning actions

Still in the Provisioning tab → To App section, enable:

  • Create Users — provisions a Lawvek account when a user is assigned
  • Update User Attributes — syncs name and email changes from Okta
  • Deactivate Users — revokes Lawvek access when deactivated in Okta

Click Save

Enable Group Push (optional)

To sync Okta groups as Lawvek Teams:

  1. In the Okta app → Push Groups tab
  2. Click Push Groups → Find groups by name
  3. Search for and select the groups you want to sync
  4. Click Save

Synced groups appear in Lawvek under the Teams section of your organisation dashboard.

Attribute Mapping

Okta automatically maps the following attributes to Lawvek:

Okta attribute Lawvek field
login / email Email address
firstName First name
lastName Last name
status Account active/inactive

Login flows

User-initiated (SP-initiated)

  1. User goes to dashboard.lawvek.ai
  2. Enters their work email address
  3. Lawvek detects SSO is configured for their domain and redirects to Okta
  4. User authenticates in Okta (password, MFA, etc.)
  5. Okta redirects back to Lawvek — user is signed in

Okta dashboard (IdP-initiated)

  1. User opens their Okta dashboard
  2. Clicks the Lawvek app tile
  3. Okta redirects to /api/auth/sso/init and starts the OIDC flow
  4. Since the user already has an active Okta session, they are signed in to Lawvek immediately

Revoking a SCIM token

If a SCIM token is compromised or needs to be rotated:

  1. In Lawvek, open your organisation dashboard and click the SSO & SCIM tab
  2. Scroll to SCIM Provisioning and find the token to revoke
  3. Click Revoke next to the token — it is immediately invalidated
  4. Generate a new token (Part 2, Step 1) and update it in the Okta Provisioning settings

Troubleshooting

Issue Resolution
"SSO login failed" error Verify Client ID/Secret match exactly. Confirm Discovery URL. Ensure user is assigned in Okta.
User can't log in after assignment If JIT is off, user must be pre-created. Ensure emails match exactly between Okta and Lawvek.
"SCIM credentials could not be verified" Token may be revoked. Base URL must be https://dashboard.lawvek.ai/scim/v2 (no trailing slash).
User not deactivated after removal Confirm "Deactivate Users" is enabled in Okta Provisioning. SCIM sync may take a few minutes.

Support

If you encounter issues not covered here, please reach out to our team:

Website:
lawvek.ai