Setting up Single Sign-On (SSO)

In this article, we'll walk through:

• What prerequisites are required for SSO
• Key steps to setting up SSO for Welkin’s Workshop + Care Delivery (Coach) Portal

Prerequisites:

To enable the Welkin's Single Sign-On, please reach out to your Welkin Customer Success Manager or submit a ticket to our Welkin Technical Support Team requesting SSO.

1. You must have a Welkin super-admin account.
2. Your Identity Provider (IdP) supports SAML 2.0 and you have access to configure a new application within your IdP
3. All of your coaches who sign into Welkin have an account with your IdP and they know how to log in to that IdP
• Important Note:  In order to use SSO, your Welkin accounts must be associated with an email address that exists in your IdP. You can't use name+welkin@customer.com as an account email address if name@customer.com is the actual email address in your IdP.  If the emails do not match your users will not be able to log in. 
4. Please inform your CSM if you have various Welkin environments or organizations that are associated with more than one IDP, as additional configuration steps may be required to ensure that SSO works properly for your teams.

Key Steps to Setting up Single Sign-On

These steps only need to be completed once when you set up a new SSO provider. Once set up, all new worker accounts will be automatically opted into SSO.

Adding your IdP to Welkin

1. Log into Welkin with your Admin account https://accounts.welkinhealth.com/admin/
2. Click Settings > Authentication in the left-hand navigation.
• The default Authentication method is Email & Password
3. Take note of the Welkin ACS URL and Welkin Entity ID as you'll need these when configuring your IdP
• Entity ID: https://accounts.welkinhealth.com/saml
• ACS URL: https://accounts.welkinhealth.com/api/acs 
4. In the Add Identity Provider form enter a Friendly Name for your IdP (this can be anything you want but we suggest using something that your coaches will recognize as this will be shown when they sign in to Welkin.)
5. Log into your IdP and configure a new SAML 2.0 application to integrate with Welkin. (This process is unique to the IdP your organization uses. If you need help, contact Welkin support and we'll do our best to help.)
• This is where you'll obtain the Welkin ACS URL, Welkin Entity ID, and Certificate
6. In the Entity ID or Identity Provider Issuer URL field enter this data from your IdP.
7. In the SSO URL or Identity Provider SAML 2.0 URL field enter this data from your IdP.
8. From your IdP you will need to get the Public Certificate which is used to sign the authentication requests between your IdP and Welkin.
9. Once your Public Certificate has been obtained you can either upload it by clicking Attach Public Certificate File or by copying and pasting the certificate content into the box provided.
10. Once you have filled out all the fields, click Add Identity Provider
• If you'd like to edit any of the IdPs that you've added to Welkin you can click on them in the table at the top of this page. Be careful editing these settings because if SSO is not configured correctly your coaches might not be able to log in.

Enabling SSO for an individual coach account

You can enable SSO per coach account or make it the default for your entire organization (see “Enabling SSO as the default login method”).

Welkin strongly recommends that you enable SSO first for one user and test the configuration before you roll it out for all of your coaches.

1. Log into Welkin with your Admin account https://coach.welkinhealth.com/admin/
2. In the left-hand navigation, click on Coaches. 
3. Click on the coach account that you would like to enable SSO for.
4. Click Edit Account. 
5. Select the Authentication Methods which you'd like that coach to be able to use to login to Welkin.
6. Click Save.
7. Repeat steps 3 through 6 for all the coaches for whom you want to enable SSO.

Testing an SSO login

1. Log out from the admin portal and go to https://coach.welkinhealth.com
• Welkin will redirect you to https://accounts.welkinhealth.com
2. Select the account you want to sign-in to
3. Click the SSO method you want to use
4. Verify that after you finish the login flow that you are sent back to https://coach.welkinhealth.com and are signed in and able to view patients.

Enabling SSO as the default login method

You can enable SSO per coach account or make it the default for your entire organization.

Welkin strongly recommends that you enable SSO first for one coach and test the configuration before you roll it out for all coaches.

• For instructions on how to enable SSO for one coach, see the “Enabling SSO for an individual worker” section.

1. Log into Welkin with your Admin account https://coach.welkinhealth.com/admin/
2. Click Settings > Authentication in the left-hand navigation
3. In the table of sign-in methods at the top of the page, click Make Default on the SSO method you want all coaches to use when signing in to Welkin.

• If you'd like a few coaches to still be able to use Password as a login method, navigate to the Coaches list and edit the specific coaches who should still be able to use their password to log in.
• This will remove your coaches' ability to sign in with username and password and require them to use the default SSO
• If you update the default SSO provider then you will have to go back and update any per-coach overrides.

• Important Note:  You must leave password on as an available login option for one or more Super Admin coaches so that if SSO stops working a Super Admin on your team is able to log in and diagnose the issue. 

 Related articles: 

• Workshop Access Overview
• Feature Overview: Single Sign-On (SSO)