For efficient use of our services, we recommend that end users are onboarded
with Single Sign-On (SSO), using either Microsoft Azure AD (Active Directory) or
Google Workspace (Cloud Identity) as the Identity Provider (IdP). Before end
users can log in, an IT administrator must approve (consent to) the connection
between the IdP and our solution.
Method used for SSO
Logging in to Welcome is easiest with SSO. SSO login uses the industry
standards OpenID Connect and OAuth2. This means that we never have access to
passwords and never participate in the authentication process. Authentication
is carried out entirely by the IdP, and we receive a so-called token containing
the user information needed to use the service.
Data used
Upon logging in for the first time as a new SSO user, the following data is sent
from your IdP to us:
- Username
- Email address
- Mobile phone number (if provided)
If not provided, the user must provide a phone number upon first login. This is used to receive SMS messages from the platform for time-critical events (e.g. visitor notices). No other user data is transferred.
Setup instructions
There are two things that need to be done to register and use SSO:
1. We need to set up your company to use SSO for login.
   For this, we need to know which domain(s) users log in with, and which IdP is used (Google and Microsoft are supported).
   For example, the company Welcome Workdays will have the domain welcomeworkdays.com and use Microsoft as its IdP.
2. The IT administrator in the company must log in to the Welcome solution and approve our application on behalf of the company.
   The steps for this are described below.
Steps for IT administrator
Requirements for updating the organization's catalogue service
Before you follow the steps below, make sure that you have the appropriate level of access to be able to approve an application on behalf of your organization.
For Microsoft Entra, you need one of these roles:
- Global Administrator or Privileged Role Administrator.
- Cloud Application Administrator or Application Administrator.
For Google Workspace, you need this role:
- Super Admin
Follow these steps
1. Go to our login page, login.wlcm.work, and enter the email address (UPN) of an account with the necessary rights. Click Next.
2. Log in via your IdP with a user account that has the necessary access to approve applications on behalf of the organization. During the process, you will see a screen with a checkbox labelled "Consent on behalf of your organization" or similar text. Check the box and approve. By doing this, you confirm that your employees may use your IdP to authenticate to Welcome, so that we do not store any password information.
3. You will be returned to our login page, with your name and email already filled in on the form. Optionally, add your mobile number, then select Complete.
If you want all your employees to be able to log in via SSO to Welcome, you do
not need to do anything further.
This is what you can do to restrict who has access to our application
This is specifically for restricting rights through Microsoft Azure AD.
If you want to restrict access to the application in your organization according
to your organization's security policy, you can do the following:
1. Log in to the Microsoft 365 / Azure AD console, and go to Applications ➔ Enterprise applications.
2. You will see a list of all the organization's applications. If the list is long, search for Welcome to find our app, then click on the app's name.
3. On the left side, click on Manage ➔ Properties.
4. Change "Assignment required" to "Yes". This lets you manage which users and groups can log in to this app. Click Save when you are done.
5. After saving, choose Manage ➔ Users and groups, and add the users or groups you want to grant access to the application.
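To confirm the restriction above stays in place, the following added example (not Welcome's or Microsoft's code) audits an export of the enterprise application and its assignments. It assumes the app's display name is "Welcome" and that the export uses the Microsoft Graph fields `appRoleAssignmentRequired` and `appRoleAssignedTo`; the sample data and all ids are constructed placeholders.

```python
import copy

# Constructed sample shaped like Microsoft Graph responses for
# /servicePrincipals and /servicePrincipals/{id}/appRoleAssignedTo.
# All ids are placeholders, not real tenant values.
SAMPLE_EXPORT = {
    "servicePrincipals": [
        {"id": "sp-0001", "displayName": "Welcome", "appRoleAssignmentRequired": False},
    ],
    "appRoleAssignedTo": [
        {"resourceId": "sp-0001", "principalId": "grp-0001",
         "principalType": "Group", "principalDisplayName": "Reception staff"},
        {"resourceId": "sp-0001", "principalId": "usr-0042",
         "principalType": "User", "principalDisplayName": "Temp Contractor"},
    ],
}


def audit_app_assignment(export, app_name, approved_principal_ids):
    """Return (code, detail) findings for one enterprise application."""
    matches = [sp for sp in export["servicePrincipals"]
               if sp.get("displayName") == app_name]
    if not matches:
        return [("APP_NOT_FOUND", app_name)]
    findings = []
    for sp in matches:
        assigned = [a for a in export["appRoleAssignedTo"]
                    if a.get("resourceId") == sp["id"]]
        if not sp.get("appRoleAssignmentRequired", False):
            # "Assignment required" = No: any user in the tenant can sign in.
            findings.append(("ASSIGNMENT_NOT_REQUIRED", sp["id"]))
        elif not assigned:
            # Restricted but empty: nobody can log in to the app.
            findings.append(("NO_PRINCIPALS_ASSIGNED", sp["id"]))
        for a in assigned:
            if a["principalId"] not in approved_principal_ids:
                findings.append(("UNAPPROVED_PRINCIPAL",
                                 f'{a["principalType"]}:{a["principalDisplayName"]}'))
    return findings


def corrected_export():
    """The sample after the portal steps: flag on, only the approved group left."""
    fixed = copy.deepcopy(SAMPLE_EXPORT)
    fixed["servicePrincipals"][0]["appRoleAssignmentRequired"] = True
    fixed["appRoleAssignedTo"] = fixed["appRoleAssignedTo"][:1]
    return fixed


if __name__ == "__main__":
    for export in (SAMPLE_EXPORT, corrected_export()):
        print(audit_app_assignment(export, "Welcome", {"grp-0001"}))
```

Matching on principal ids rather than display names avoids approving a different group that happens to share a name.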