This step-by-step guide explains how to set up single sign-on (SSO) in the Wellness360 admin portal with OneLogin as your SAML 2.0 Identity Provider (IdP).
SAML SSO with OneLogin can be configured in either of two ways:
Service Provider Initiated SSO (SP-initiated): Users can log in to the Wellness360 user portal, and OneLogin will authenticate the user.
Identity Provider Initiated SSO (IdP-initiated): Users can log in to OneLogin and select the Wellness360 portal and app.
- To configure SSO and to create a SAML application for Wellness360 with OneLogin, you must have administrative access to the admin portal.
- The same login credentials must be used for Wellness360 and OneLogin.
Steps to Configure SSO with OneLogin:
I. Open the Wellness360 admin portal to find SSO Settings in the left menu panel.
II. Add Wellness360 as an application for OneLogin
Open OneLogin in a new browser window.
Go to Applications, then open the 'Applications' tab.
Click on 'Add App'.
Search for Wellness360 (the entry labelled SAML 2.0 provisioning) and select it.
Click on 'Save'.
III. Configure the application in OneLogin
In OneLogin, find 'Configuration' on the left sidebar and click on it.
In the SCIM Base URL field, enter "https://api.wellness360.com". This is only a temporary value to avoid any error while configuring the SSO. You can change this value later.
Click on 'Save'.
IV. Adding Identity Provider details to Wellness360 in OneLogin
In OneLogin, find SSO on the left sidebar and click on it. Copy the values from the SSO section and add them to Identity Provider information in Wellness360.
Copy the Issuer URL from OneLogin by selecting the 'Copy to Clipboard' icon. Paste the value into the Entity ID field on Wellness360's SSO Settings page.
Copy the SAML 2.0 Endpoint (HTTP) from OneLogin by selecting the 'Copy to Clipboard' icon. Paste the value into the Identity provider's SAML HTTP Request URL field in Wellness360.
Under X.509 Certificate in OneLogin, right-click on 'View Details' and select 'Open link in new tab'.
Select 'Copy to Clipboard' in OneLogin to copy the X.509 Certificate value into the X.509 certificate for SAML authentication in Wellness360. Note: You can include -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in your selection.
Close the OneLogin certificate tab, and return to the OneLogin SSO tab.
Change the SAML Signature Algorithm in OneLogin from SHA-1 to SHA-256. Click on Save.
In Wellness360, select your preferred Session Duration. Click on Save & continue.
Field mapping for this step (OneLogin value -> Wellness360 field): SAML 2.0 Endpoint (HTTP) -> Identity provider's SAML HTTP Request URL; X.509 certificate (from View Details) -> X.509 certificate for SAML authentication.
V. Adding details to OneLogin
Select Configuration in the left sidebar in OneLogin.
Select Copy Audience URL from Wellness360 and paste the value in OneLogin in SAML Audience URL.
Select Copy ACS URL from Wellness360 and paste the value in OneLogin in SAML Consumer URL.
Copy the Default Relay State from Wellness360 and paste the value into RelayState in OneLogin.
Click on 'Save' after entering all the details.
OneLogin fields filled in this step: SAML Audience URL, SAML Consumer URL.
VI. Adding parameters in OneLogin
Select Parameters from the left sidebar in OneLogin.
Select the SAML NameID (Subject) row.
Set Value to 'Email'.
Click on 'Save'.
VII. Assign the Wellness360 portal and app to a test user
Select Users in OneLogin.
Select the user with an email that matches the Wellness360 account you’re logged into.
Select 'Applications' on the left.
Select the '+' button and select Wellness360.
Click on 'Continue'.
VIII. Test the connection
Select 'Test Connection' in the Wellness360 portal. If successful, you will see a confirmation message and can execute SAML SSO for all members. If unsuccessful, you will receive an error notification in the Wellness360 portal.
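The values exchanged above (Entity ID, ACS URL, Audience URL, email NameID, SHA-256 signing) are exactly what the Service Provider checks on every SAML response it receives. The following is an added example of those checks, not Wellness360's or OneLogin's own code; the response, URLs and entity ID are constructed placeholders, and cryptographic signature verification is left as a separate step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response: placeholder URLs, signature value omitted.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>https://app.onelogin.test/saml/metadata/placeholder</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.test</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    # SAML timestamps are UTC with a trailing 'Z'; make them aware datetimes.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, expected_issuer, expected_acs, expected_audience, now=None):
    """Return the failed checks (empty list = all passed). Verifying the XML
    signature against the IdP's X.509 certificate is a separate, required step."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer does not match the configured Entity ID")
    if root.get("Destination") != expected_acs:
        problems.append("Destination is not our ACS URL")
    alg = root.find(".//ds:SignatureMethod", NS)
    if alg is None or alg.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256")
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != EMAIL_FORMAT or "@" not in (nid.text or ""):
        problems.append("NameID is not an email address")
    if expected_audience not in [a.text for a in root.findall(".//saml:Audience", NS)]:
        problems.append("Audience does not include our Audience URL")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or not (parse_saml_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= now
                            < parse_saml_time(cond.get("NotOnOrAfter", "1970-01-01T00:00:00Z"))):
        problems.append("assertion is missing Conditions or outside its validity window")
    return problems
```

A response that still advertises rsa-sha1, or whose Audience or Destination differs from the URLs you pasted into OneLogin, fails these checks, which is the kind of mismatch the 'Test Connection' step surfaces.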
IX. Enforce SSO for your organization
In OneLogin, assign Wellness360 to all users. All the users must have the same email addresses for Wellness360 and OneLogin.
In the Wellness360 portal, select 'Enforce SAML SSO for my organization'.
When SAML SSO is enforced, all users are logged out of their accounts. The next time they sign in to the Wellness360 portal, they will be required to use SSO.
Note: The organization owner can choose to log in to the portal using their original login method by selecting 'Login using another method' on the login page.