For efficient use of our services, we recommend that end users are onboarded with Single Sign-On (SSO) via either Microsoft Azure (AD, Active Directory) or Google
Workspace (Cloud Identity) as the Identity Provider (IdP). In order for end users to log in, an IT administrator must approve (consent) the solution to be interconnected.
How SSO Works
SSO login uses the industry standards OpenID Connect (OIDC) and OAuth 2.0. OIDC is an identity authentication protocol that verifies users are who they say they are.
OAuth 2.0 authorises which systems those users are allowed to access, enabling different trust domains to securely share information without compromising user data.
This means that we never have access to passwords or participate in the authentication process. Authentication is carried out entirely by the IdP, and we receive a token containing the user information needed to use the service.
Data Used
Upon logging in for the first time as a new SSO user, the following data is sent from your IdP to us:
Username
Email address
Mobile phone number (if provided)
If a mobile number is not provided, the user must supply one upon first login. This is used to receive SMS messages from the platform for time-critical events (e.g.
visitor notices). No other user data is transferred.
Setup Instructions
There are two things that need to be done to register and use SSO:
We need to set up your company to use SSO for login. For this, we need to know which domain(s) users use for login, and which IdP provider is used (Google or Microsoft supported). For example, the company Welcome Workdays will have the domain welcomeworkdays.com and use Microsoft as its IdP provider.
The IT administrator in the company must log in to the Welcome solution and approve our application on behalf of the company. The steps required to accomplish this are described below.
Steps for IT Administrator
Requirements
Before following the steps below, make sure you have the appropriate level of access to approve an application on behalf of your organisation.
For Microsoft Entra, you need one of these roles:
Global Administrator or Privileged Role Administrator
Cloud Application Administrator or Application Administrator
For Google Workspace you need:
Super Admin
Follow These Steps
Go to our login page: login.wlcm.work, and enter your email address (UPN) with the necessary rights. Click Next.
Log in via your IdP with a user account that has the necessary access to approve applications on behalf of the organisation. During the process, you will see a screen that allows you to check the box for "Consent on behalf of your organization" or similar text. Check the box and approve. By doing this, you confirm that your employees can use their IdP for authentication through Welcome, so that we do not store password information.
You will return to our login page with your name and email pre-filled in the form. Optionally, add your mobile number and select Complete.
If you want all your employees to be able to log in via SSO to Welcome, no further action is required.
Microsoft SSO
This consent flow depends entirely on how a company has configured the following workflows within Microsoft Entra (not to be confused with Entra ASA) Admin Center:
When facing restrictive policy combinations that enforce admin consent on behalf of users, it is possible to streamline the process using the following Microsoft
standard:
This is the URL which can be used to grant admin consent for Welcome Workdays SSO:
[https://login.microsoftonline.com/<corporate domain>/adminconsent?client_id=7f37f2d6-f31d-491a-83a8-ff2f42cc600b]
(https://login.microsoftonline.com/<corporate)
Where corporate domain usually equals the domain used by corporate email addresses, which is linked to a valid Microsoft tenant, for example: ola@storebrand.no (corporate domain being “storebrand.no”).
When the link is used, it will trigger the following workflow:
Once consent is given, the permissions granted to Welcome Workdays will be as follows:
Application Details
SSO Type: OIDC
Application Name: Welcome Workdays
Client ID: 7f37f2d6-f31d-491a-83a8-ff2f42cc600b
Scopes: opened, profile, email, user.read
Redirect URI: https://www.welcomeworkdays.com
Restricting Access (Microsoft Azure AD)
If you want to restrict access to the application according to your organisation's security policy:
Log in to the Microsoft 365 / Azure AD console and go to Applications → Enterprise applications.
Search for Welcome in the list and click on the app name.
On the left side, click Manage → Properties.
Change "Assignment required" to "Yes". Click Save.
Go to Manage → Users and groups, and add the users or groups you want to grant access to the application.
Do you need help?
Chat with us via the AI chatbot at the bottom right of the screen, or send an email to support@welcomeworkdays.com.



