Single Sign-On Documentation

WellSaid now supports Single Sign-On! Instead of needing a separate username and password to access your WellSaid account, enable SSO to enhance security and efficiency by reducing the need to manage multiple logins.

In this article:
Getting Started
SAML
Open ID Connect (OIDC)
FAQs
Troubleshooting

Getting Started

Once SSO is added to your contract, follow the below steps to get started:

1. Identify who on your team can help configure the SSO connection (typically IT or another technical resource).
2. Connect your technical contact with the technical contact at WellSaid (your Customer Success Manager will loop in the contact at WellSaid). 

Your technical contact will then need to follow the below steps to enable SSO:

1. Notify the WellSaid contact with your team’s protocol. We prefer SAML or OIDC.
2. Exchange the necessary values the WellSaid contact identifies to configure the initial connection.
3. Set up the connection on both ends.
4. Schedule a 30-minute call with both technical contacts to test the connection. Ideally, this call will conclude with SSO successfully enabled.

SAML

Below are the values needed to set up the initial connection.

The values we request from your team:

1. Sign-in URL - Example: https://samlp.example.com/login
2. Sign-out URL (if sign-out enabled) - Example: https://samlp.example.com/logout
3. X.509 signing certificate
4. Provider domain - Example: wellsaidlabs.com

The values provided by us to configure on your end:

1. Entity ID : urn:auth0:wellsaidlabs:XXX-saml
2. ACS URL : https://auth.wellsaidlabs.com/login/callback?connection=XXX-saml
3. SP initiated - true
4. SP Certificate - https://auth.wellsaidlabs.com/pem
5. Attributes - firstname, lastname, email (SAML attributes must be included in the SAML response.)

Note: XXX will be replaced with values specific to your team. 

Open ID Connect (OIDC)

Below are the values needed to set up the initial connection.

The values we request from your team:

1. Issuer URL
2. Client ID
3. Provider domain - Example: XXX.com

The values provided by us to configure on your end:

1. Redirect URL: https://auth.wellsaidlabs.com/login/callback
2. Initiative login URL: https://studio.wellsaidlabs.com/auth/sso?connection=XXX-openid
3. Logout URL: https://auth.wellsaidlabs.com/logout

Note: XXX will be replaced with values specific to your team.

FAQs

Q: How long does the SSO implementation process take? 

A: On average, roughly a week. Once the above values have been exchanged, setting up the initial connection will take a few days. Then, there is generally a 30-minute call to test the connection before SSO is successfully enabled. We’re happy to move as quickly as your team can!

Q: Will there be service disruption while SSO is configured? 

A: Your team can access their WellSaid account using standard usernames and passwords while the SSO implementation process is underway. However, access to WellSaid will be temporarily disrupted during the testing call. 

Q: Is SSO included in my contract? 

A: SSO is an add-on to your contract. To discuss adding this service, please contact your dedicated account executive, customer success manager, or support@wellsaidlabs.com.

Q: What protocols are supported? 

A: SAML or Open ID Connect. Other protocols are possible, but please check with us beforehand.

Q: Is IdP initiated supported using SAML? 

A: We only support SP Initiated at this time.

Troubleshooting

(coming soon)

Please contact support@wellsaidlabs.com for assistance.