This step-by-step guide explains how to set up SINGLE SIGN-ON (SSO) in the Wellness360 admin portal with Microsoft Azure Active Directory (AD) as your SAML 2.0 Identity Provider (IdP).


Step I. Configuring the Wellness360 portal in Microsoft Azure AD

Note: You need to be a Microsoft Azure AD administrator to complete the steps below. 


1. To integrate the Wellness360 portal with Microsoft Azure AD, you first add it as an enterprise application. Go to the Microsoft Azure portal and click on the Azure Active Directory tab.


2. Click on Enterprise Applications on the left panel, and click on + New application on the top.



3. Click on the Non-gallery application to create a new application that is not already present in the gallery.



4. Provide a name to your app, for example, “test-sso,” and click on Add.



5. This will lead you to the Overview page where you will see the overview details of your application. Under the Getting Started section, click on the 2. Set up Single Sign On tab.



6. On the Select a single sign-on method page, select the SAML mode to enable single sign-on.



7. You will be led to the Set Up Single Sign-On with SAML page, where the remaining steps of this section are performed.



8. Click on the “Edit” (pencil) icon beside the Basic SAML Configuration section and add the following details:



9. Once you have the correct URLs in the Basic SAML Configuration section, navigate to the User Attributes & Claims section. 


10. By default, Azure recommends using User Principal Name (UPN) as the unique identifier for users. If you use UPN for uniquely identifying users in your SSO environment, then no updates are needed to this section.


Note: The default Azure setup uses 5 claims. The Unique User Identifier claim is sent as the NameID in the Subject of the SAML assertion and tells the Wellness360 portal which user is signing in. The Additional claims travel in the assertion's AttributeStatement and are used to populate user attributes in the Wellness360 portal. 


Note: If you need a different unique identifier for users, update the Unique User Identifier claim to the attribute that uniquely identifies users in your SSO environment. You should also remove user.userprincipalname from the Additional claims section and add an additional claim for the attribute you now use as the unique identifier. Pick an attribute that is both unique and stable: if its value changes for a user (for example after a name change), the portal will treat the next login as a different person.




Note: By default, the Wellness360 portal uses email addresses as the unique identifier for users. The Azure default, UPN, is often identical to the user's email address but not always (mailbox aliases and guest users are common exceptions), so the value sent as the NameID must match the email address the portal already holds for that user. If you are not going to use an email address as the User Identifier, follow the instructions in the note above to update the unique identifier (the screenshot example follows the Azure default setup and uses UPN as the unique identifier).
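The two notes above turn on where the identifier actually travels in the assertion. The following is an added example, not code from Wellness360 or Microsoft: it parses a constructed SAML response shaped like Azure AD's default claim set, shows the NameID in the Subject and the four default additional claims in the AttributeStatement, and flags the case the last note warns about, a NameID sourced from the UPN while the portal keys users on the email claim. The tenant ID, hostnames and user are placeholders, and the response carries no XML signature, so this inspects structure only and is no substitute for the signature validation the portal performs.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Constructed sample shaped like Azure AD's default SAML response: NameID sourced
# from user.userprincipalname plus the four default additional claims. Tenant ID,
# hostnames and user are placeholders; the XML signature is omitted on purpose.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
SP_ENTITY_ID = "https://portal.example.test"  # placeholder for the portal's SP entity ID
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-response" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
                Destination="{SP_ENTITY_ID}/saml/acs">
  <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/{TENANT_ID}/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="{SP_ENTITY_ID}/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane.doe@contoso.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>jdoe@contoso.example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def extract_identity(response_xml):
    """Return issuer, audience, the NameID from the Subject, and the additional claims."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no plaintext Assertion (encrypted or malformed)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "claims": claims,
    }


def check_mapping(identity, idp_entity_id, sp_entity_id, portal_key=CLAIMS + "emailaddress"):
    """Findings that would break user mapping; an empty list means the assertion maps cleanly.
    portal_key is the claim the portal keys users on (email by default, per the note above)."""
    findings = []
    if identity["issuer"] != idp_entity_id:
        findings.append(f"issuer {identity['issuer']!r} is not the configured IdP {idp_entity_id!r}")
    if identity["audience"] != sp_entity_id:
        findings.append(f"audience {identity['audience']!r} is not this portal ({sp_entity_id!r})")
    portal_value = identity["claims"].get(portal_key)
    short = portal_key.rsplit("/", 1)[-1]
    if portal_value is None:
        findings.append(f"no {short} claim in the assertion; the portal has nothing to match on")
    elif identity["name_id"] != portal_value:
        findings.append(f"NameID {identity['name_id']!r} differs from the {short} claim {portal_value!r}: "
                        "align the Unique User Identifier source with the attribute the portal keys on")
    return findings


if __name__ == "__main__":
    ident = extract_identity(SAMPLE_RESPONSE)
    print("NameID:", ident["name_id"], ident["name_id_format"])
    for name, value in ident["claims"].items():
        print(f"claim {name.rsplit('/', 1)[-1]}: {value}")
    print(check_mapping(ident, f"https://sts.windows.net/{TENANT_ID}/", SP_ENTITY_ID) or "mapping ok")
```

With the portal keying on email, the sample produces one finding (UPN jdoe@contoso.example versus email jane.doe@contoso.example); with portal_key set to the name claim, which Azure sources from user.userprincipalname by default, the same assertion maps cleanly, which is the UPN scenario the first note describes.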



11. Once you complete the User Attributes & Claims section, proceed to the 3. SAML Signing Certificate section. Export the metadata of the Azure application; it is needed to configure the SSO settings in the Wellness360 portal. The metadata is available either by opening the App Federation Metadata Url in a browser window or by downloading the Federation Metadata XML; both carry the same content.




12. In the SAML Signing Certificate section, click the Download link beside Federation Metadata XML. The file contains the IdP entity ID, the single sign-on and logout endpoints, and the Base64-encoded X.509 certificate Azure AD uses to sign assertions; the Wellness360 portal uses that certificate to verify the signature on every assertion it receives. Download and re-upload the metadata whenever the signing certificate is rotated or renewed, because assertions signed with a certificate the portal does not know will be rejected. 



13. Under the Set up <app_name> section, you will find the Login URL, Azure AD Identifier, and Logout URL of your Microsoft Azure AD app. Record these values; they are required when configuring the Microsoft Azure AD details in the Wellness360 admin portal.


Step II. Add the configuration from Azure Active Directory into the Wellness360 Admin Portal


Note: Only the wellness program administrator will be able to perform the steps discussed below.


1. Log in to your Wellness360 portal admin account. Click on the SSO Settings tab on the left menu bar, then open the SINGLE SIGN-ON tab.



2. Enter the Entity ID (IDP) and Identifier (IDP) using the values recorded from the Set up <app_name> section in Step I, enter the SP URL, and choose the IDP Metadata file (the Federation Metadata XML downloaded in Step I) in .xml format. Click on 'Update' after entering all the details.
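Steps 11 to 13 of Step I and the form above ask for values that all live in the federation metadata. As an added example, not code from Wellness360 or Microsoft, the Python below parses a constructed metadata document in the shape Azure AD serves, extracts the Azure AD Identifier (entityID), Login URL, Logout URL, NameID format and the SHA-256 fingerprint of each signing certificate, and checks that they belong to the expected tenant so metadata copied from the wrong directory is caught before it is uploaded. The tenant ID and certificate bytes are placeholders, and the host names of the global Azure cloud are assumed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the shape Azure AD serves from the App Federation Metadata
# Url / Federation Metadata XML download. The tenant ID and the certificate body
# are placeholders, not values from any real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def fingerprint(der):
    """SHA-256 of the DER certificate, the usual form for comparing a signing cert."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text):
    """Pull out the values the SSO Settings form asks for, plus every signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata at all")

    def endpoint(tag):
        # Azure lists the HTTP-Redirect endpoints as Login URL and Logout URL.
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not certs:
        raise ValueError("no signing certificate: the portal could not verify assertions")
    return {
        "entity_id": root.get("entityID"),
        "login_url": endpoint("SingleSignOnService"),
        "logout_url": endpoint("SingleLogoutService"),
        "nameid_format": idp.findtext("md:NameIDFormat", namespaces=NS),
        # Base64 may be wrapped across lines in real metadata; strip whitespace first.
        "signing_cert_sha256": [fingerprint(base64.b64decode("".join(c.text.split()))) for c in certs],
    }


def check_tenant(meta, tenant_id):
    """Findings that indicate metadata from the wrong tenant or a non-Azure issuer (global cloud assumed)."""
    problems = []
    if meta["entity_id"] != f"https://sts.windows.net/{tenant_id}/":
        problems.append(f"entityID {meta['entity_id']!r} does not belong to tenant {tenant_id}")
    for key in ("login_url", "logout_url"):
        host = urlparse(meta[key]).hostname if meta[key] else None
        if host != "login.microsoftonline.com":
            problems.append(f"{key} points at {host!r}, not login.microsoftonline.com")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("checks:", check_tenant(meta, TENANT_ID) or "ok")
```

Run it against the real Federation Metadata XML in place of SAMPLE_METADATA before filling in the form: entity_id is the Azure AD Identifier, login_url and logout_url are the Login URL and Logout URL from Step I.13, and the fingerprint is what to compare after a certificate rotation to confirm the portal holds the current metadata.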






Step III. Assign users and groups in Microsoft Azure AD


1. Navigate to Azure Active Directory, select Enterprise Applications, select All applications, then select your application.


2. Under the Getting Started section, click on the 1. Assign users and groups tab.



3. Click on the + Add user button.



4. Click on Users and groups. You will see the directory's users; select those who should be able to sign in to the application, or invite new users and then add them.


With the application's default setting (User assignment required set to Yes), only assigned users and groups can sign in through it, so this assignment is also how access to the Wellness360 portal over SSO is controlled.


Step IV. Test and Enable SSO

  • Once all the above steps have been completed, save all settings in both Azure AD and the Wellness360 portal.
  • Next, use “Test single sign-on” in the Azure AD application (the Test button on the SAML-based Sign-on page) to sign in as an assigned user, and confirm that the Wellness360 portal accepts the assertion and maps it to the expected account.