Single Sign-On Documentation

WellSaid now supports Single Sign-On! Instead of needing a separate username and password to access your WellSaid account, enable SSO to enhance security and efficiency by reducing the need to manage multiple logins.

Getting Started

Once SSO is added to your contract, follow the steps below to get started:

1. Identify who on your team can help configure the SSO connection (typically IT or another technical resource).
2. Connect your technical contact with the technical contact at WellSaid (your Customer Success Manager will loop in the contact at WellSaid). 

Your technical contact will then need to follow the steps below to enable SSO:

1. Notify the WellSaid contact of your team’s protocol. We prefer SAML or OIDC.
2. Exchange the necessary values that the WellSaid contact identifies to configure the initial connection.
3. Set up the connection on both ends.
4. Schedule a 30-minute call with both technical contacts to test the connection. Ideally, this call will conclude with SSO successfully enabled.

SAML

Below are the values needed to set up the initial connection.

The values we request from your team:

1. Sign-in URL - Example: https://samlp.example.com/login
2. Sign-out URL (if sign-out enabled) - Example: https://samlp.example.com/logout
3. X.509 signing certificate
4. Provider domain - Example: wellsaid.io

The values provided by us to configure on your end:

1. Entity ID : urn:auth0:wellsaidlabs:XXX-saml
2. ACS URL : https://auth.wellsaidlabs.com/login/callback?connection=XXX-saml
3. SP initiated - true
4. SP Certificate - https://auth.wellsaidlabs.com/pem
5. Attributes - firstname, lastname, email (SAML attributes must be included in the SAML response.)

Note: XXX will be replaced with specific values assigned to your team. 

Open ID Connect (OIDC)

Below are the values needed to set up the initial connection.

The values we request from your team:

1. Issuer URL
2. Client ID
3. Provider domain - Example: wellsaid.io

The values provided by us to configure on your end:

1. Redirect URL: https://auth.wellsaidlabs.com/login/callback
2. Initiative login URL: https://studio.wellsaidlabs.com/auth/sso?connection=XXX-openid
3. Logout URL: https://auth.wellsaidlabs.com/logout

Note: XXX will be replaced with specific values assigned to your team.

FAQs

Q: How long does the SSO implementation process take?
A: Once the above values have been exchanged, setting up the initial connection will take a few days. Then, there is generally a 30-minute call to test the connection before SSO is successfully enabled. 

Q: Will there be a service disruption while SSO is configured?
A: Access to WellSaid will only be temporarily disrupted during the testing call. 

Q: Is SSO included in my contract?
A: SSO is an add-on to your contract. To discuss adding this service, please contact your dedicated Account Executive, Customer Success Manager, or Support.

Q: What protocols are supported?
A: SAML 2.0 or Open ID Connect. Other protocols are possible, but please check with us beforehand.

Q: Is IdP initiated supported using SAML?
A: We only support SP Initiated at this time.

Q: What is the idle timeout for users?
A: 24-hour – Idle timeout
     7-day – Session timeout

Q: What SAML bindings are supported?
A: Binding is automatically set up to support Redirect, but POST is possible.

Q: Is the Assertion Consumer Service URL included in the SAML request?
A: Yes, via the AssertionConsumerServiceURL attribute.

Troubleshooting

Ensure that you're approved to access WellSaid through your SSO provider.

For any other concerns, please contact your Customer Success Manager or Support for assistance.