Single Sign-On (SSO)¶
LeapFILE supports single sign-on (SSO) using OpenID Connect — the modern standard behind Microsoft Azure AD / Entra ID, Google Workspace, Okta, and any other OpenID Connect identity provider. Once configured, your users sign in to LeapFILE with their existing company credentials. LeapFILE never sees or stores their passwords; authentication — including any MFA or conditional-access policies — happens entirely in your identity provider.
SSO is configured per account at Account Settings → Security → SSO by a full account administrator.
Note
If your organization currently uses an older CAS-based SSO integration, it continues to work. New SSO setups use OpenID Connect; contact support if you are migrating an existing CAS tenant.
What SSO Gives You¶
- One login for your users — the same credentials they already use for Microsoft 365, Google Workspace, or your other connected apps.
- Centralized access control — you decide in your identity provider who can sign in. Revoke a user's access there and they can no longer start a new SSO sign-in; a LeapFILE session that is already open ends when LeapFILE's own session duration runs out.
- No passwords to manage — LeapFILE never handles your users' passwords. MFA and conditional access are enforced by your provider.
- Automatic account creation — with automatic provisioning, an assigned user's LeapFILE account is created from their directory profile the first time they sign in.
Setting Up SSO with Azure AD / Entra ID¶
Azure AD is the most common provider. Setup takes about 5 minutes in the Azure portal plus a few minutes in LeapFILE.
Step 1 — Create an App Registration in Azure¶
- Sign in to the Azure Portal.
- Go to Microsoft Entra ID (labelled Azure Active Directory in older portals) → App registrations → New registration.
- Enter a name (e.g., "LeapFILE SSO").
- Under Supported account types, select Accounts in this organizational directory only.
- Leave Redirect URI blank for now — you'll add it after entering your configuration in LeapFILE.
- Click Register.
On the Overview page, copy the Application (client) ID and the Directory (tenant) ID. You'll enter both in LeapFILE.
Note
You do not need to add API permissions or scopes by hand. The openid, profile and email scopes that LeapFILE requests are standard identity permissions that users can consent to themselves, so no admin consent is needed unless your tenant's user-consent settings restrict it. If they do, grant admin consent for the app on its API permissions page before testing.
Step 2 — Create a Client Secret¶
- In your App Registration, go to Certificates & secrets → New client secret.
- Enter a description and choose an expiry period (12 or 24 months recommended).
- Click Add, then copy the secret value immediately — it is shown only once.
- Note the expiry date. When the secret expires, SSO stops working until you create a new one and update it in LeapFILE. LeapFILE reminds the account administrator 30 days before expiry, but track it on your own calendar too.
Step 3 — Align User Emails (Important)¶
When a user signs in via SSO for the first time, LeapFILE links their existing account to their directory identity by matching on email address. If a user's LeapFILE email doesn't match the address Azure AD sends (taken from their User Principal Name or mail attribute), the match fails: with automatic provisioning the user ends up with a new, empty duplicate account; with manual provisioning they get a "not found" error.
Before enabling SSO, review your LeapFILE users (Account Settings → Users → Accounts) and update any address that doesn't match Azure AD. For example, change jdoe@company.com in LeapFILE to jane.doe@company.com if that's their Azure AD address.
Once emails are aligned, each user's first SSO login links their existing account automatically and all their files and settings carry over.
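Before changing addresses by hand, it helps to list the mismatches. The following is an added example, not a LeapFILE or Microsoft tool: it compares a LeapFILE user export with an Entra ID user export and reports which addresses are aligned, which differ only in capitalisation, and which have no Entra counterpart at all. The column names (name/email and displayName/userPrincipalName/mail) and the sample rows are constructed assumptions; adjust them to the headers of your actual exports.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions: adjust them to
# the headers of your actual LeapFILE and Entra ID exports.
LEAPFILE_CSV = """\
name,email
Jane Doe,jdoe@company.com
Bob Lee,bob.lee@company.com
Amy Chan,Amy.Chan@company.com
Old Contractor,contractor@partner.example
"""

ENTRA_CSV = """\
displayName,userPrincipalName,mail
Jane Doe,jane.doe@company.com,jane.doe@company.com
Bob Lee,bob.lee@company.com,bob.lee@company.com
Amy Chan,amy.chan@company.com,amy.chan@company.com
"""


def load_entra(csv_text):
    """Index the Entra export two ways.

    addresses: lower-cased UPN or mail value -> the exact spellings seen.
    Entra fills the OIDC email claim from either attribute, so a LeapFILE
    address equal to either one counts as aligned.
    names: lower-cased displayName -> UPNs, used only to suggest a fix."""
    addresses, names = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["userPrincipalName"].strip()
        for value in (upn, (row.get("mail") or "").strip()):
            if value:
                addresses.setdefault(value.lower(), set()).add(value)
        names.setdefault(row["displayName"].strip().lower(), []).append(upn)
    return addresses, names


def check_alignment(leapfile_csv, entra_csv):
    """Sort every LeapFILE user into aligned / case_only / mismatch.

    mismatch entries carry the Entra UPNs whose display name equals the
    LeapFILE name, as a hint for the address to change to."""
    addresses, names = load_entra(entra_csv)
    report = {"aligned": [], "case_only": [], "mismatch": []}
    for row in csv.DictReader(io.StringIO(leapfile_csv)):
        addr = row["email"].strip()
        spellings = addresses.get(addr.lower())
        if spellings is None:
            # No Entra user carries this address. On first SSO login this user
            # would get a duplicate account (automatic provisioning) or a
            # "not found" error (manual provisioning).
            report["mismatch"].append((addr, names.get(row["name"].strip().lower(), [])))
        elif addr in spellings:
            report["aligned"].append(addr)
        else:
            # Same address, different capitalisation. The page does not say
            # whether LeapFILE matches case-insensitively, so fix these too.
            report["case_only"].append((addr, sorted(spellings)[0]))
    return report


if __name__ == "__main__":
    report = check_alignment(LEAPFILE_CSV, ENTRA_CSV)
    for addr in report["aligned"]:
        print(f"OK        {addr}")
    for addr, entra_addr in report["case_only"]:
        print(f"CASE      {addr} -> {entra_addr}")
    for addr, hints in report["mismatch"]:
        hint = ", ".join(hints) if hints else "no Entra user with this name"
        print(f"MISMATCH  {addr} -> {hint}")
```

Run it against your real exports before enabling SSO; every MISMATCH line is a user who would hit the duplicate-account or "not found" outcome on their first sign-in, and every CASE line is one to normalise so you are not relying on how LeapFILE handles letter case.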
Step 4 — Configure SSO in LeapFILE¶
At Account Settings → Security → SSO:
- Select Azure AD as the provider.
- Enter the Tenant ID, Client ID, and Client Secret from the steps above, plus the secret's expiry date.
- Click Save. LeapFILE validates the connection — it confirms it can reach your Azure tenant and that the client credentials work. A typo (e.g., in the Tenant ID) is reported immediately.
- LeapFILE then displays a Redirect URI. Copy it, return to your Azure App Registration → Authentication → Add a platform → Web, and paste it there. This tells Azure where to return users after they sign in.
Step 5 — Choose How New Users Are Provisioned¶
- Automatic (recommended): the first time an assigned user signs in via SSO without an existing LeapFILE account, one is created automatically from their directory profile (name and email).
- Manual: only users who already have a LeapFILE account can sign in. New users must be created by an administrator first.
Step 6 — Test, Then Enable¶
- Click Test SSO to run a complete sign-in round-trip and confirm everything works — this does not affect your live users.
- Once the test passes, Enable SSO. For your protection, enabling, disabling, and removing SSO each require a one-time code sent to the administrator's email.
SSO is now live for your account.
Other Identity Providers¶
LeapFILE works with any OpenID Connect provider. At Account Settings → Security → SSO, choose the provider type and supply the minimum it needs:
| Provider | What you enter |
|---|---|
| Azure AD / Entra ID | Tenant ID + Client ID + Client Secret |
| Google Workspace | Client ID + Client Secret (no other identifier needed) |
| Okta | Your Okta domain + Client ID + Client Secret |
| Generic OpenID Connect | The provider's discovery URL (.../.well-known/openid-configuration) + Client ID + Client Secret |
The rest of the flow is identical: Save (LeapFILE validates the connection), register the displayed Redirect URI in your provider, choose provisioning, test, and enable. Two rules hold for every provider. Register the Redirect URI exactly as LeapFILE shows it: scheme, host and path must match character for character, because providers reject a sign-in whose redirect_uri differs from a registered value. And make sure your users' provider email addresses match their LeapFILE accounts. The requested scopes are always openid profile email.
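To see what the table above reduces to, here is an added example (not LeapFILE's code) showing the discovery URL each provider type implies and the checks a relying party makes on a discovery document before using it: the issuer must be HTTPS and the document must have been fetched from `<issuer>/.well-known/openid-configuration`, the authorization, token and JWKS endpoints must be present over HTTPS, the authorization-code flow must be advertised, and, if the document lists its scopes, openid, profile and email must be among them. The Entra, Google and Okta URL shapes are the published ones; the all-zero tenant ID, the abbreviated discovery document and the tampered variant are constructed, and whether LeapFILE validates in exactly this way is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed placeholder; a real Directory (tenant) ID is the GUID from Step 1.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = {"openid", "profile", "email"}  # what the page says LeapFILE requests


def discovery_url(provider, **ids):
    """Discovery URL implied by each provider type in the table.

    The Entra ID, Google and Okta URL shapes are the published ones. The
    keyword names (tenant_id, okta_domain, discovery_url) are this example's
    own, not LeapFILE's field names."""
    if provider == "azure":
        return (f"https://login.microsoftonline.com/{ids['tenant_id']}"
                "/v2.0/.well-known/openid-configuration")
    if provider == "google":
        return "https://accounts.google.com/.well-known/openid-configuration"
    if provider == "okta":
        return f"https://{ids['okta_domain']}/.well-known/openid-configuration"
    if provider == "generic":
        return ids["discovery_url"]
    raise ValueError(f"unknown provider type: {provider}")


# Abbreviated, constructed copy of what Entra ID v2.0 publishes for a tenant.
ENTRA_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})


def with_issuer(doc_json, issuer):
    """Copy of a discovery document with its issuer replaced (test helper)."""
    doc = json.loads(doc_json)
    doc["issuer"] = issuer
    return json.dumps(doc)


# The same document with the issuer pointed at another host, as a hostile or
# misdirected discovery URL might serve it. A relying party must refuse this,
# otherwise the token exchange could be steered to a server of the attacker's choosing.
TAMPERED_DISCOVERY_DOC = with_issuer(ENTRA_DISCOVERY_DOC, "https://evil.example/v2.0")


def validate_discovery(doc_json, fetched_from):
    """Return the problems found in a discovery document; [] means usable."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer missing or not https")
    elif fetched_from != issuer.rstrip("/") + "/.well-known/openid-configuration":
        # OpenID Connect Discovery: the document must come from the issuer it names.
        problems.append(f"issuer {issuer!r} does not match the discovery URL")
    for name in REQUIRED_ENDPOINTS:
        if urlparse(doc.get(name, "")).scheme != "https":
            problems.append(f"{name} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    url = discovery_url("azure", tenant_id=TENANT_ID)
    print(url)
    print("good document:", validate_discovery(ENTRA_DISCOVERY_DOC, url) or "OK")
    print("tampered document:", validate_discovery(TAMPERED_DISCOVERY_DOC, url))
```

The issuer check is the one worth remembering when you pick the Generic OpenID Connect option: point LeapFILE at a discovery URL whose issuer field names the same host and path, or the configuration should be refused rather than silently trusting whatever endpoints the document lists.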
After Setup¶
How Your Users Sign In¶
The simplest path is for users to go directly to your company's LeapFILE site (e.g., https://yourcompany.leapfile.com) and choose the sign-in option, which redirects them to your provider:
- If they already have an active session with your provider (e.g., signed in to Microsoft 365), they're signed in to LeapFILE with no extra steps.
- Otherwise they see your provider's standard login screen, including any MFA prompts your organization requires.
A user who has already been provisioned can also enter their email on the main LeapFILE login page — LeapFILE recognizes them and redirects to SSO automatically. New, not-yet-provisioned users should always start from your company's LeapFILE site.
Tell your users: "To access LeapFILE, go to yourcompany.leapfile.com and sign in with your company credentials."
Managing Access¶
- Grant access: assign the user to the LeapFILE app in your provider. With automatic provisioning, their LeapFILE account is created on first sign-in.
- Revoke access: unassign them in your provider. They can no longer sign in via SSO; their LeapFILE account and data remain intact.
- Restore access: re-assign them — they sign in and resume where they left off.
What Your Provider Controls vs. What LeapFILE Controls¶
| Your identity provider controls | LeapFILE controls |
|---|---|
| Who can sign in (app assignment) | How many users can have accounts (subscription seats) |
| Authentication method (password, MFA, conditional access) | What users can do once signed in (permissions, storage, features) |
| Session policies (sign-in frequency, token lifetime) | LeapFILE session duration |
Renewing the Client Secret¶
Client secrets expire. When yours does, SSO stops working and users see an error on sign-in, but no data is lost; accounts, files, and settings are unaffected. To fix it, create a new client secret in your provider and update it at Account Settings → Security → SSO. Better, rotate before expiry: an app registration can hold more than one secret at a time, so create the new secret, update LeapFILE with it, then delete the old one, with no interruption for users. LeapFILE reminds the account administrator 30 days before expiry.
Troubleshooting¶
| Issue | Likely cause | Solution |
|---|---|---|
| "SSO configuration error" on sign-in | Client secret expired | Create a new secret in your provider and update it in LeapFILE |
| User sees "You don't have access" at the provider | User not assigned to the LeapFILE app | Assign them in your provider's app/users settings |
| User signs in but gets "account not found" | Manual provisioning and no pre-existing account | Switch to automatic provisioning, or create the account first |
| User gets a new empty account instead of their existing one | Email mismatch between LeapFILE and the provider | Update the LeapFILE email to match, then contact support to merge the duplicate |
| "Subscription full" on first sign-in | All seats in use | Upgrade your subscription or remove inactive users |
| SSO works for some users but not others | Conditional-access policy blocking certain users | Review your provider's conditional-access policies |
| "Your sign-in session expired" mid-login | Started SSO from a different site address than the one your account uses | Start from your company's LeapFILE site URL; if it persists, contact support |
When contacting support, include your Tenant ID (never your client secret), the affected user's email, the error message, and roughly when it happened.
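The last troubleshooting row follows from how OpenID Connect protects the sign-in round-trip. The relying party generates a random state (and nonce), stores it in a cookie on the host where the login started, sends it to the provider, and accepts the callback only if the returned state matches that cookie. Cookies are scoped to a host, so when a login starts on one address and the provider returns the user to the registered Redirect URI on another, no matching state is found and the login is treated as expired. The following added example (not LeapFILE's code; host names, client ID and endpoint are constructed) walks through the good case, the wrong-start-host case, and a forged callback that the same state check rejects.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the walkthrough (not real LeapFILE endpoints).
AUTHORIZE_ENDPOINT = "https://idp.example/oauth2/authorize"  # from the discovery document
CLIENT_ID = "example-client-id"
SCOPES = "openid profile email"                # the scopes the page says are requested
ACCOUNT_HOST = "yourcompany.leapfile.com"      # the account's own site address
OTHER_HOST = "login.leapfile.example"          # some other address a user might start from
# The one Redirect URI registered at the provider; every callback lands here.
REGISTERED_REDIRECT_URI = f"https://{ACCOUNT_HOST}/sso/callback"


class BrowserCookies:
    """Minimal cookie jar: a cookie set on one host is invisible on another."""

    def __init__(self):
        self._jar = {}

    def set(self, host, name, value):
        self._jar.setdefault(host, {})[name] = value

    def get(self, host, name):
        return self._jar.get(host, {}).get(name)


def start_login(start_host, cookies):
    """Relying-party side: remember state and nonce in cookies on the host the
    user started from, then redirect to the provider. The nonce is stored only;
    it would be compared with the ID token's nonce claim after the code
    exchange, which this example does not perform."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    cookies.set(start_host, "oidc_state", state)
    cookies.set(start_host, "oidc_nonce", nonce)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REGISTERED_REDIRECT_URI,
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def provider_callback(authorize_url, code):
    """Provider side, after the user authenticated: send the browser back to the
    registered redirect_uri with the authorization code and the same state."""
    q = parse_qs(urlparse(authorize_url).query)
    return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"


def handle_callback(cookies, callback_url):
    """Relying-party side: look up the pending state on the host the callback
    arrived at and compare it with the state the provider returned.
    Returns (accepted, authorization code or rejection reason)."""
    parsed = urlparse(callback_url)
    q = parse_qs(parsed.query)
    expected = cookies.get(parsed.hostname, "oidc_state")
    if expected is None:
        # The login was started on a different host (or the cookie is gone):
        # this is the "Your sign-in session expired" case.
        return False, "no pending login on this host"
    if not hmac.compare_digest(expected, q.get("state", [""])[0]):
        # A callback our own request did not produce: reject it (login CSRF).
        return False, "state mismatch"
    return True, q.get("code", [""])[0]


if __name__ == "__main__":
    jar = BrowserCookies()
    print("started on account host:",
          handle_callback(jar, provider_callback(start_login(ACCOUNT_HOST, jar), "code-1")))
    jar = BrowserCookies()
    print("started elsewhere:      ",
          handle_callback(jar, provider_callback(start_login(OTHER_HOST, jar), "code-2")))
    jar = BrowserCookies()
    start_login(ACCOUNT_HOST, jar)
    print("forged callback:        ",
          handle_callback(jar, REGISTERED_REDIRECT_URI + "?code=code-3&state=forged"))
```

The second case is exactly the symptom in the table, and the fix is the one the table gives: start from the site address whose host the Redirect URI belongs to. The third case is why the check exists at all; dropping it to make the cross-host case "work" would let anyone who can make a user's browser load a callback URL log that user into a session the attacker started.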