Setting up Single Sign-On with Microsoft (SSO) (English only)

Description intended for IT administrators at tenants

Updated over a month ago

Rationale

Welcome Workdays offers single sign-on (SSO) as the preferred way for on-boarding and maintaining verified users. In the case of our application, SSO is implemented using the OIDC protocol:

OpenID Connect (OIDC) is an identity authentication protocol that is an extension of open authorization (OAuth) 2.0 to standardize the process for authenticating and authorizing users when they sign in to access digital services. OIDC provides authentication, which means verifying that users are who they say they are. OAuth 2.0 authorizes which systems those users are allowed to access. OAuth 2.0 is typically used for enabling different trust domains to securely share information without compromising user data.

Microsoft SSO

Welcome Workdays maintains an SSO application which is deployed to our tenant / subscription through the Azure Portal. In order for end users to be able to authenticate with their corporate credentials, consent must be given either by the user or an IT administrator at the user’s employer. This consent flow depends entirely on how a company has configured the following workflows within Microsoft Entra (not to be confused with Entra ASA) Admin Center:

When facing restrictive policy combinations which enforce an admin consent on behalf of users, it is possible to streamline the process via a “magic link” based on Microsoft standards:

This is the URL which can be used in order to grant admin consent for Welcome Workdays SSO:

https://login.microsoftonline.com/<corporate domain>/adminconsent?client_id=7f37f2d6-f31d-491a-83a8-ff2f42cc600b

Here, the corporate domain is usually the domain used in corporate email addresses, which is linked to a valid Microsoft tenant. For example, for ola@storebrand.no the corporate domain is “storebrand.no”.
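Because this link grants tenant-wide consent, an administrator may want to confirm that a link received by email or chat matches the documented form before opening it. The following is an added example, not Welcome Workdays' own code: it builds the link for a domain and reports any deviation in host, path, Client ID or parameters. The function names and the domain pattern are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Values taken from this page.
CONSENT_HOST = "login.microsoftonline.com"
CLIENT_ID = "7f37f2d6-f31d-491a-83a8-ff2f42cc600b"

# Assumption of this example: the tenant segment is a plain DNS domain.
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def build_consent_link(corporate_domain):
    """Build the admin consent URL in the form this page documents."""
    domain = corporate_domain.strip().lower()
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"not a DNS domain: {corporate_domain!r}")
    return f"https://{CONSENT_HOST}/{domain}/adminconsent?client_id={CLIENT_ID}"


def check_consent_link(url, corporate_domain):
    """Return a list of deviations from the documented link; empty means it matches."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    # Compare the whole netloc so userinfo ("host@other") and ports are rejected too.
    if parts.netloc.lower() != CONSENT_HOST:
        problems.append(f"host is {parts.netloc!r}, expected {CONSENT_HOST}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2 or segments[1] != "adminconsent":
        problems.append("path is not /<corporate domain>/adminconsent")
    elif segments[0].lower() != corporate_domain.strip().lower():
        problems.append(f"tenant segment {segments[0]!r} is not your domain")
    query = parse_qs(parts.query, keep_blank_values=True)
    if [v.lower() for v in query.get("client_id", [])] != [CLIENT_ID]:
        problems.append("client_id is missing, repeated or not the published Client ID")
    # The documented link carries client_id only; anything else deserves a second look.
    extra = sorted(set(query) - {"client_id"})
    if extra:
        problems.append(f"parameters not in the documented link: {extra}")
    if parts.fragment:
        problems.append("unexpected URL fragment")
    return problems


if __name__ == "__main__":
    link = build_consent_link("storebrand.no")  # example domain from this page
    print(link, check_consent_link(link, "storebrand.no"))
```

An empty list means the link has exactly the documented host, path and Client ID for your own domain.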

When the link is used, it will trigger the following workflow:

Once consent is given, the specific permissions and scopes granted to Welcome Workdays should look as follows:

Application Details:

SSO Type: OIDC

  1. Application Name: Welcome Workdays

  2. Client ID: 7f37f2d6-f31d-491a-83a8-ff2f42cc600b

  3. Scopes: openid, profile, email, user.read
