Skip to main content

Setting Up Single Sign-On (SSO) With Microsoft

This article is for all IT administrators who want to know more about how to set up and configure Single Sign-On (SSO) with Microsoft in Welcome Workdays

For efficient use of our services, we recommend that end users are onboarded with Single Sign-On (SSO) via either Microsoft Azure (AD, Active Directory) or Google

Workspace (Cloud Identity) as the Identity Provider (IdP). In order for end users to log in, an IT administrator must approve (consent) the solution to be interconnected.

How SSO Works

SSO login uses the industry standards OpenID Connect (OIDC) and OAuth 2.0. OIDC is an identity authentication protocol that verifies users are who they say they are.

OAuth 2.0 authorises which systems those users are allowed to access, enabling different trust domains to securely share information without compromising user data.

This means that we never have access to passwords or participate in the authentication process. Authentication is carried out entirely by the IdP, and we receive a token containing the user information needed to use the service.


Data Used

Upon logging in for the first time as a new SSO user, the following data is sent from your IdP to us:

  • Username

  • Email address

  • Mobile phone number (if provided)

If a mobile number is not provided, the user must supply one upon first login. This is used to receive SMS messages from the platform for time-critical events (e.g.

visitor notices). No other user data is transferred.


Setup Instructions

There are two things that need to be done to register and use SSO:

  1. We need to set up your company to use SSO for login. For this, we need to know which domain(s) users use for login, and which IdP provider is used (Google or Microsoft supported). For example, the company Welcome Workdays will have the domain welcomeworkdays.com and use Microsoft as its IdP provider.

  2. The IT administrator in the company must log in to the Welcome solution and approve our application on behalf of the company. The steps required to accomplish this are described below.


Steps for IT Administrator

Requirements

Before following the steps below, make sure you have the appropriate level of access to approve an application on behalf of your organisation.

For Microsoft Entra, you need one of these roles:

  • Global Administrator or Privileged Role Administrator

  • Cloud Application Administrator or Application Administrator

For Google Workspace you need:

  • Super Admin

Follow These Steps

  1. Go to our login page: login.wlcm.work, and enter your email address (UPN) with the necessary rights. Click Next.

  2. Log in via your IdP with a user account that has the necessary access to approve applications on behalf of the organisation. During the process, you will see a screen that allows you to check the box for "Consent on behalf of your organization" or similar text. Check the box and approve. By doing this, you confirm that your employees can use their IdP for authentication through Welcome, so that we do not store password information.

  3. You will return to our login page with your name and email pre-filled in the form. Optionally, add your mobile number and select Complete.

If you want all your employees to be able to log in via SSO to Welcome, no further action is required.


Microsoft SSO

This consent flow depends entirely on how a company has configured the following workflows within Microsoft Entra (not to be confused with Entra ASA) Admin Center:

When facing restrictive policy combinations that enforce admin consent on behalf of users, it is possible to streamline the process using the following Microsoft

standard:

This is the URL which can be used to grant admin consent for Welcome Workdays SSO:

Where corporate domain usually equals the domain used by corporate email addresses, which is linked to a valid Microsoft tenant, for example: ola@storebrand.no (corporate domain being “storebrand.no”).

When the link is used, it will trigger the following workflow:

Once consent is given, the permissions granted to Welcome Workdays will be as follows:


Application Details

SSO Type: OIDC

  1. Application Name: Welcome Workdays

  2. Client ID: 7f37f2d6-f31d-491a-83a8-ff2f42cc600b

  3. Scopes: opened, profile, email, user.read


Restricting Access (Microsoft Azure AD)

If you want to restrict access to the application according to your organisation's security policy:

  1. Log in to the Microsoft 365 / Azure AD console and go to Applications → Enterprise applications.

  2. Search for Welcome in the list and click on the app name.

  3. On the left side, click Manage → Properties.

  4. Change "Assignment required" to "Yes". Click Save.

  5. Go to Manage → Users and groups, and add the users or groups you want to grant access to the application.


Do you need help?

Chat with us via the AI chatbot at the bottom right of the screen, or send an email to support@welcomeworkdays.com.

Did this answer your question?