Contracts AI

User authentication setup

Enterprise admins configure SSO (Google, Microsoft, Okta), password sign-in, and optional organization-wide two-factor authentication (2FA). End users complete 2FA setup with an authenticator app or passkey.

Enterprise admins control how users sign in to Contracts AI: SSO (Google, Microsoft, or Okta), email and password, or a combination. Admins can also require 2FA for everyone who signs in with a password.

Where to configure: Admin → Security → Authentication Options (requires permission to manage user authentication).

Authentication options (admin)

Single Sign-On (SSO)

Admins can enable one or more of:

  • Google — Users see Sign in with Google on the login page.
  • Microsoft — Users sign in with their Microsoft / Entra ID account.
  • Okta — Users sign in through Okta. When Okta is enabled, admins enter:
    • Okta Org URL (for example https://your-org.okta.com)
    • Okta Client ID from the Okta application
    Then save the Okta configuration.

SSO users authenticate with their identity provider. Organization policy (MFA at Google, Microsoft, or Okta) is handled by that provider, not by Contracts AI’s password 2FA settings.

Password authentication

  • Enable password-based authentication — When on, users can sign in with email and password on the login page (in addition to any enabled SSO options).
  • When password login is off, the login page relies on the enabled SSO methods (and any other flows your deployment supports).

Password rules — New passwords must satisfy your organization’s password policy (enforced on the server when users set or change passwords).

Mandate 2FA for all users (password login only)

When password-based authentication is enabled, admins can turn on Mandate 2FA for all users.

How it works:

  • Applies to users who sign in with email and password.
  • After a correct password, users who have 2FA enabled must complete a second step (authenticator code, backup code, or passkey—depending on what they registered).
  • Users who are required to use 2FA but have not set it up yet are prompted to complete 2FA setup before they can use the app.

Important:

  • 2FA cannot be mandated if password authentication is disabled. Password login must stay on for this org-wide 2FA mandate.
  • If an admin disables password authentication, Mandate 2FA is turned off automatically (2FA mandate is tied to password login in the product).

How end users set up 2FA

Users add a second factor after password login. The product supports TOTP (authenticator app) and passkeys (device / security key), with backup codes issued when TOTP setup completes (for account recovery).

Typical flow:

  1. Sign in with email and password (when your org allows password login, whether 2FA is required or optional).
  2. If the organization mandates 2FA and the account has no 2FA yet, the user is guided through setup (authenticator or passkey).
  3. For TOTP:
    • Enter a device name (for example “Work phone”).
    • Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.), or enter the secret manually if needed.
    • Enter the 6-digit verification code to confirm.
    • Save backup codes in a safe place—they can be used if the phone is lost.
  4. For passkey:
    • Follow the browser or OS prompts to register a passkey (device biometrics or security key).

Users who already have 2FA sign in with password, then enter a one-time code from the authenticator app, a backup code, or use their passkey, depending on what they configured.
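The second step described above (a 6-digit authenticator code or a single-use backup code) is what a server verifies after the password check. The following is an added illustration, not Contracts AI's own code: RFC 6238 TOTP verification with a small clock-drift window, and backup codes that are shown once, stored only as hashes, and consumed on use. The secret is the RFC 6238 test-vector key, used here only as a constructed example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed example: the RFC 6238 test key "12345678901234567890" in base32.
# This is the value an authenticator app receives from the enrollment QR code;
# a real deployment generates a fresh random secret per user.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp_code(secret_b32: str, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate phone clock drift.
    Uses a constant-time comparison so the check leaks nothing through timing."""
    for drift in range(-window, window + 1):
        candidate = totp_code(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def issue_backup_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Return the plaintext codes (shown to the user once) and the hashes to store."""
    codes = [secrets.token_hex(4) for _ in range(n)]  # 8 hex characters each
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored: set[str], submitted: str) -> bool:
    """Each backup code works exactly once: its hash is removed on success."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False
```

Passkeys are not shown here because the browser and OS handle that ceremony (WebAuthn) rather than a shared secret.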

User settings — If your organization mandates 2FA, users may also see a reminder in Settings that 2FA is required and should manage 2FA from their account flow as your deployment exposes it.

SSO setup details (reference)

Google SSO

Contact Contracts AI support at hello@contracts.ai to request Google SSO enablement for your organization. Admins can then enable Google under Authentication Options once it is configured for your tenant.

Microsoft Entra ID (Azure AD)

Depending on your Entra ID configuration:

  • A Microsoft admin may need to grant admin consent for the Contracts AI application in the Entra ID (Azure AD) portal.
  • If user consent is disabled, an admin may need to allow the Contracts AI app or approve a user’s access request.

Okta SSO

In Contracts AI (Admin → Authentication Options → Okta):

  1. Enable Okta.
  2. Enter Okta Org URL and Okta Client ID, then Save Okta Configuration.

In Okta Admin (create an OIDC app):

  1. Sign in to Okta Admin and note your org URL (for example your-organization-name.okta.com).
  2. Go to Applications → Create App Integration.
  3. Choose OIDC – OpenID Connect → Single-Page Application.
  4. Set Sign-in redirect URI to:
    https://your-organization-name.contracts.ai/auth/callback
    (use your actual Contracts AI hostname).
  5. Set Sign-out redirect URI to:
    https://your-organization-name.contracts.ai
  6. Under Assignments, assign users or groups as required.
  7. Save the app and copy the Client ID into Contracts AI.

For tenant-specific SSO or Google enablement, email hello@contracts.ai.