Service Principals Overview

Customers can now authenticate their integrations by creating a service principal account in Laserfiche Cloud.

Service principals behave similarly to normal users, with the following exceptions:

  • Authenticate using a rotatable API key instead of a user-selected password
  • Cannot use Multi-Factor Authentication (MFA)
  • Cannot sign in to the Laserfiche suite through the sign-in portal. This restriction includes desktop applications like the Windows Client and Quick Fields.
  • Cannot use single sign-on

See Service Principal Key Expiration.

Create Service Principal

To create a service principal, follow the steps below:

  1. In Laserfiche Account Administration, click the Users tab.
  2. Click the Service Principals tab.
  3. Click the Add Service Principal button.
  4. Specify a Username and Display name.

    Note: Username and Display name are required. Groups and Note are optional fields.

  5. Choose the User License Type.
  6. Select Access Rights.
  7. Click Create to finish creating a service principal.

Edit Service Principal

After creating a Service Principal, you can create Service Principal keys by following the steps below: 

  1. In Laserfiche Account Administration, navigate to the Service Principals tab.
  2. Click the name of the Service Principal user you want to edit.

    Note: By default, new service principal keys expire after 90 days. Once a key is created, its expiration date cannot be modified. To disable key expiration or change the number of days before keys expire, click Settings. Then, click Integration Configuration. Under the Service Principals section, modify the value in Number of days before service principal key expires. Alternatively, you can disable key expiration by clearing the checkbox for Enable service principal key expiration.

  3. Click the Create Service Principal Key(s) button.
  4. In the Create Service Principal Key(s) for ServicePrincipalUsername dialog box, two keys are automatically created. To save these keys, click Download .txt file or Copy all key(s) to the clipboard. You may use either of these keys for authentication.

    Note: The keys are shown only once, in the Create Service Principal Key(s) for ServicePrincipalUsername dialog box. You cannot recover the authentication keys later. However, you can recreate or rotate the key(s) at any time.

  5. Under the Service Principal Key section, you will see the following columns:
    • Status: Shows the status of the key as Active, Deactivated, or Expired.
    • Created Date: Shows the date and time the key was created.
    • Expiration Date: Shows the date and time the key will expire.

      Note: By default, new service principal keys expire after 90 days. Once created, the expiration date cannot be modified.

    • Last Invoked: Shows the date and time the key was last used for authentication.
    • Actions: Allows administrators to rotate, disable, or enable the authentication keys. Once a key is rotated, a new Service Principal Key will be provided. The old key cannot be used or recovered.
    • Notes: Allows administrators to save notes of their choice. Click Edit to get started.
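
The Status, Expiration Date, and Last Invoked columns are enough to drive a periodic key review. The following Python code is an added example, not Laserfiche code: it assumes an inventory you maintain yourself from the Service Principal Key table (the `label` field, the row values, and the 14-day and 30-day thresholds are constructed for illustration) and flags keys that are expired, close to expiring, or active but unused.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory transcribed from the Service Principal Key table.
# "label" is a hypothetical admin-chosen name; key values are never stored here.
# An empty "expires" means key expiration is disabled; empty "last_invoked" means never used.
FIELDS = ("label", "status", "created", "expires", "last_invoked")
ROWS = [
    ("billing-sync/1", "Active", "2024-01-10T09:00:00+00:00", "2024-04-09T09:00:00+00:00", "2024-04-01T02:15:00+00:00"),
    ("billing-sync/2", "Active", "2024-01-10T09:00:00+00:00", "2024-04-09T09:00:00+00:00", ""),
    ("scanner/1", "Expired", "2023-12-02T08:00:00+00:00", "2024-03-01T08:00:00+00:00", "2024-02-28T23:00:00+00:00"),
    ("scanner/2", "Active", "2024-03-20T08:00:00+00:00", "2024-06-18T08:00:00+00:00", "2024-04-01T23:00:00+00:00"),
    ("legacy-export/1", "Active", "2023-11-01T00:00:00+00:00", "", "2024-01-15T00:00:00+00:00"),
]
SAMPLE_KEYS = [dict(zip(FIELDS, row)) for row in ROWS]

def parse(ts):
    """Parse an ISO 8601 timestamp; an empty string means no value."""
    return datetime.fromisoformat(ts) if ts else None

def review_keys(keys, now, warn_days=14, idle_days=30):
    """Return {label: [findings]} for keys that need an administrator's attention."""
    report = {}
    for key in keys:
        if key["status"] == "Deactivated":
            continue  # already out of service; nothing to rotate
        findings = []
        expires, last = parse(key["expires"]), parse(key["last_invoked"])
        # Trust the date over a stale Status value copied into the inventory.
        if key["status"] == "Expired" or (expires and expires <= now):
            findings.append("expired: rotate before the integration needs it")
        elif expires and expires - now <= timedelta(days=warn_days):
            findings.append(f"expires in {(expires - now).days} days: rotate and redeploy")
        if key["status"] == "Active":
            if last is None:
                findings.append("active but never used: consider disabling")
            elif now - last > timedelta(days=idle_days):
                findings.append(f"idle for {(now - last).days} days: consider disabling")
        if findings:
            report[key["label"]] = findings
    return report

if __name__ == "__main__":
    review_time = datetime(2024, 4, 2, tzinfo=timezone.utc)  # constructed "now"
    for label, findings in review_keys(SAMPLE_KEYS, review_time).items():
        print(label, "->", "; ".join(findings))
```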

Delete or Disable a Service Principal

If you no longer need a service principal, you may delete or disable the user by following the steps below: 

  1. In Laserfiche Account Administration, click the Service Principals tab.
  2. Select the check box next to the name of the service principal user.
  3. Click More to view the drop-down menu. Click Delete or Disable.

    Note: Alternatively, you can click the name of the service principal user and select the check box for Disable this service principal user.

    Note: To disable a service principal key, see the Edit Service Principal section above.