User authentication setup
Enterprise admins configure SSO (Google, Microsoft, Okta, Duo), organization-wide two-factor authentication (2FA) or passkey setup .
Enterprise admins control how users sign in to Contracts AI: SSO (Google, Microsoft, Okta or Duo), email and one-time-password, or a passkey. Admins can also enable require 2FA for everyone.
Where to configure: Admin → Security → Authentication Options (requires permission to manage user authentication).
Authentication options (admin)
Single Sign-On (SSO)
Admins can enable one or more of:
- Google — Users see Sign in with Google on the login page.
- Microsoft — Users sign in with their Microsoft / Entra ID account.
- Okta — Users sign in through Okta. When Okta is enabled, admins enter:
- Okta Org URL (for example
https://your-org.okta.com) - Okta Client ID from the Okta application
Then save the Okta configuration.
- Okta Org URL (for example
- Duo — Users sign in through Duo. When Duo is enabled, admins enter:
- Duo Issuer URL
- Duo Client ID from the Duo application
- Duo Client Secret from the Duo application
Then save the Duo configuration.
SSO users authenticate with their identity provider. Organization policy (MFA at Google, Microsoft, Okta or Duo) is handled by that provider, not by Contracts AI’s password 2FA settings.
Mandate 2FA for all users
How it works:
- Applies to all users of the organization.
- After entering their email and a one-time password sent to the user's email, users who have 2FA enabled must complete a second step (authenticator code, backup code, or passkey—depending on what they registered).
- Users who are required to use 2FA but have not set it up yet are prompted to complete 2FA setup before they can use the app.
How end users set up 2FA
Users add a second factor after password login. The product supports TOTP (authenticator app) and passkeys (device / security key), with backup codes issued when TOTP setup completes (for account recovery).
Typical flow:
- Sign in with email and password (when your org allows it and 2FA is required or optional).
- If the organization mandates 2FA and the account has no 2FA yet, the user is guided through setup (authenticator or passkey).
- For TOTP:
- Enter a device name (for example “Work phone”).
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.), or enter the secret manually if needed.
- Enter the 6-digit verification code to confirm.
- Save backup codes in a safe place—they can be used if the phone is lost.
- For passkey:
- Follow the browser or OS prompts to register a passkey (device biometrics or security key).
Users who already have 2FA sign in with password, then enter a one-time code from the authenticator app, a backup code, or use their passkey, depending on what they configured.
User settings — If your organization mandates 2FA, users may also see a reminder in Settings that 2FA is required and should manage 2FA from their account flow as your deployment exposes it.
SSO setup details (reference)
Google SSO
Contact Contracts AI support at hello@contracts.ai to request Google SSO enablement for your organization. Admins can then enable Google under Authentication Options once it is configured for your tenant.
Microsoft Entra ID (Azure AD)
Depending on your Entra ID configuration:
- A Microsoft admin may need to grant admin consent for the Contracts AI application in the Entra ID (Azure AD) portal.
- If user consent is disabled, an admin may need to allow the Contracts AI app or approve a user’s access request.
Okta SSO
In Contracts AI (Admin → Authentication Options → Okta):
- Enable Okta.
- Enter Okta Org URL and Okta Client ID, then Save Okta Configuration.
In Okta Admin (create an OIDC app):
- Sign in to Okta Admin and note your org URL (for example
your-organization-name.okta.com). - Go to Applications → Create App Integration.
- Choose OIDC – OpenID Connect → Single-Page Application.
- Set Sign-in redirect URI to:
https://your-organization-name.contracts.ai/auth/callback
(use your actual Contracts AI hostname.) - Set Sign-out redirect URI to:
https://your-organization-name.contracts.ai - Under Assignments, assign users or groups as required.
- Save the app and copy the Client ID into Contracts AI.
Duo SSO
In Contracts AI (Admin → Authentication Options → Duo):
- Enable Duo.
- Enter Duo Issuer URL, Duo Client ID and Duo Client Secret then Save Duo Configuration from your Duo Admin.
In Duo Admin Panel (create a Generic OIDC Relying Party - Single Sign-On app):
- Sign in to Duo Admin
- Go to Applications → Application Catalog.
- Search for Generic OIDC Relying Party and click Add.
- On the app's General tab, set Sign-in redirect URI to:
https://your-organization-name.contracts.ai/auth/callback(use your actual Contracts AI hostname.) - On the app's Scopes tab, enable
openid,emailandprofile. - In the User access field, grant access to specific users or enable for all users.
- Save the app and copy the Issuer, Client ID and Client Secret from the Metadata tab into Contracts AI (Admin → Authentication Options → Duo).
For tenant-specific SSO or Google enablement, email hello@contracts.ai.
Did this answer your question?