Google SSO
LILT platform users can sign in using their Google account. After receiving an invitation from your organization, you can create an account using Google Sign-On. If you have an existing LILT account with traditional username/password authentication, you can access it using Google Sign-On with a matching email address. Both sign-in methods work interchangeably.
OpenID Connect
OpenID SSO for platform customers is coming in 2025. This feature will enable sign-in through your organization’s SSO using OpenID Connect (OIDC). OpenID Connect is an authentication protocol built on OAuth 2.0 (IETF RFC 6749 and 6750). It provides a standardized way to verify user identity through an Authorization Server and obtain user profile information. OIDC works with many identity providers including Amazon, Microsoft, and Okta.
Microsoft SSO
LILT supports Microsoft authentication for platform customers. Organizations using Active Directory or Azure credentials can use their existing SSO for LILT. To set up Microsoft SSO, a user from your organization needs to:
- Log into LILT.com using Microsoft SSO
- Complete the consent page
Enterprise applications in your Azure Active Directory (AD) or Azure Entra ID, where you can configure access controls.
Restricting Access
To limit access to specific users:
- Click on the LILT app in Enterprise applications and navigate to Manage > Properties
- Set Assignment required to Yes
- Add users under Manage > Users and Groups
  - Grant access to entire roles, or
  - Add individual users
SAML Setup
To set up a SAML connection with LILT, your organization needs to engage with your LILT customer team. The setup process involves:
LILT Actions
- LILT creates a new organization configuration with a specific identifier (for example: customer:okta)
  - You can choose any name in place of customer:okta. This acts as a verification piece to ensure you’re connecting to the correct configuration.
- Set up SAML configuration on your organization’s side and provide the following to LILT:
  - The sign-on URL for your application
  - The entity ID for your application
  - The metadata file for your application
  - The certificate for your application
- New user accounts will be provisioned automatically through just-in-time provisioning when users first log in through SAML
- Configure two custom claims in your organization’s identity provider:
  - lilt_api - Your organization’s API key for organization identification
  - lilt_role - The user’s role for permissions within LILT (for example: Administrator, Manager)
- We recommend a phased rollout approach, starting with your admin and 5 test users before migrating all users to the new SSO experience
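During the phased rollout, a test user's assertion can be checked for the two custom claims before wider migration. The script below is an added example, not LILT code: it reads the AttributeStatement of a decoded SAML assertion and reports the status of lilt_api and lilt_role. It assumes the claims are emitted as SAML Attribute elements whose Name is the bare claim name; the sample assertion and its values are constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_CLAIMS = ("lilt_api", "lilt_role")  # claim names from the SAML setup steps

# Constructed sample: a test user's assertion; all values are placeholders.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="lilt_api">
      <saml:AttributeValue>EXAMPLE-ORG-API-KEY</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.example.com/claims/lilt_role">
      <saml:AttributeValue>Manager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def read_claims(assertion_xml):
    """Map each Attribute Name to its list of non-empty values."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        claims.setdefault(attr.get("Name", ""), []).extend(v for v in values if v)
    return claims

def check_claims(assertion_xml):
    """Return {claim: status}; status is ok, empty, multiple, namespaced or missing."""
    claims = read_claims(assertion_xml)
    report = {}
    for name in REQUIRED_CLAIMS:
        if name in claims:
            count = len(claims[name])
            report[name] = "ok" if count == 1 else ("empty" if count == 0 else "multiple")
        elif any(key.rsplit("/", 1)[-1] == name for key in claims):
            # The IdP prefixed the claim name; a bare name is assumed to be expected.
            report[name] = "namespaced"
        else:
            report[name] = "missing"
    return report

if __name__ == "__main__":
    # Only statuses are printed, so the API key value never reaches the console.
    for claim, status in check_claims(SAMPLE_ASSERTION).items():
        print(f"{claim}: {status}")
```

This checks claim presence only; it does not validate the assertion's signature or conditions, and it should be run on assertions from your own identity provider.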
OpenID Connect (OIDC) Setup
LILT is expanding SSO support to include OpenID Connect (OIDC) in addition to SAML. This provides more flexibility for organizations using different identity providers.
Note: LILT currently supports SAML configuration. OIDC support is being added and will be available soon.
Frequently Asked Questions
Is SCIM supported?
Currently, SCIM is not supported. Auto-provisioning is handled through the two custom claims/attributes (lilt_api and lilt_role) listed in the SAML configuration section.
Is SSO a global setting or per user/group?
SSO is configured per user. The LILT platform supports:
- Regular logins via /signin
- SSO logins via /signin2
/signin2, then tries to log in as a regular user, the system will deny entry and require SSO login.
For organization-wide SSO implementation, auto-provisioning works as follows:
- If a user doesn’t exist in the LILT database, they’ll be automatically added when they log in
- The user must have the API key attached to their claims (to identify the organization)
- The user must have the role claim configured (to assign appropriate permissions)
- Once configured this way, users can only log in via /signin2 (SSO), not via /signin (regular login)
- Your organization won’t need to manually add users to the LILT system