Setting Up AZURE SSO & SCIM Guide

A step-by-step guide to configuring Single Sign-On and automated user provisioning via Microsoft Entra ID

Read the article below or download the guide here.

1. Key Configuration Details

Reference these values during Azure SSO and SCIM setup

Parameter                  Value
Identifier (Entity ID)     WellnessCoach
Reply URL (ACS URL)        https://api.meditation.live/auth/sso/callback
Relay State                Obtain from Wellness Coach Admin Portal
Name ID Format             EmailAddress
Attribute: email           user.mail
Attribute: firstName       user.givenname
Attribute: lastName        user.surname
SCIM Tenant URL            https://ed.wellnesscoach.live/scim
SCIM Secret Token          Obtain from Wellness Coach Admin Portal
Wellness Coach Portal      Portal | Wellness Coach

Don't have Portal access? Email Support@wellnesscoach.live to get access to the Portal.


PART 1: Azure SSO Setup

Technical steps to configure SAML-based Single Sign-On via Microsoft Entra ID

Step 1. Go to the Azure/Entra Admin Console (https://portal.azure.com) and click Enterprise Applications.

Step 2. New Application.

On the top tabs, click New Application.

Step 3. Create Your Own Application.

Click 'Create your own application', name it 'Wellness Coach', select Non-gallery, and click Create.

Step 4. Set Up Single Sign-On

Select option '2. Set up single sign on' from the application overview.

Step 5. Select SAML.

Choose SAML as the single sign-on method.

Step 6. Basic SAML Configuration

Click Edit on 'Basic SAML Configuration'. Add the Identifier, Reply URL, and Relay State.

Reply URL (ACS URL): https://api.meditation.live/auth/sso/callback

Identifier (Entity ID): WellnessCoach

Relay State: [Get from https://portal.wellnesscoach.live/enterprises/config/sso-scim]

Step 7. Edit Attributes & Claims

Click Edit on 'Attributes & Claims' to configure user attribute mappings.

Step 8. Map Email Claim

Click on each claim under Additional Claims. Set Name: email, Source Attribute: user.mail.

Step 9. Map Name Claims

Set firstName = user.givenname, lastName = user.surname, name = user.userprincipalname.

Save all three claims.

Step 10. Advanced SAML Options

Under Advanced Settings, click Edit and enable 'Include attribute name format', then Save.

Step 11. Assign users and groups

Select Assign users and groups and proceed with assignment.

Step 12. Assign Users & Groups

Grant access to the Wellness Coach application by assigning Users or Groups.

Group Assignment:

User Assignment:

Step 13. Copy SSO Metadata

Return to the Sign On tab. Copy the App Federation Metadata URL, or download the Federation Metadata XML, and supply it to the Wellness Coach Portal.

Step 14. Configure Wellness Coach Portal

Enable SSO in the Wellness Coach Admin Portal, enter the IdP metadata link, click Fetch to prefill the values, then Save.
Alternatively, upload the IdP metadata XML file to prefill the values, then Save.

Step 15. Configure Wellness Coach Portal Manually

If the upload or fetch from URL does not work, copy the three required parameters from the SSO metadata (Step 13) and fill them in manually, then click Save SSO Configuration.


PART 2: Azure SCIM Setup with Wellness Coach

Technical steps to configure automated user provisioning via Microsoft Entra ID

Step 1. Find Enterprise Application

Select Enterprise Applications, find the Wellness Coach app (WC-SSO), and select Provisioning.

Step 2. Connect Application

Select Connect your application.

Step 3. Configure SCIM Settings

Select Bearer authentication. Enter the Tenant URL and Secret Token, then click Test Connection.

Tenant URL: https://ed.wellnesscoach.live/scim

Secret Token: [Get from https://portal.wellnesscoach.live/enterprises/config/employee-verification-template#scim-config]

When the test is successful, click Create.

Step 4. Start Provisioning

Return to the Provisioning tab and click Start Provisioning to activate SCIM sync.
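Once provisioning starts, every SCIM request Entra ID sends carries the Secret Token as a Bearer credential. As an added example (not Wellness Coach's endpoint), this Python sketch shows the service-provider side: a constant-time token check, then mapping a constructed SCIM core User onto the same email/firstName/lastName fields the SAML claims use, with active=false treated as revocation. The token value and request body are constructed.

```python
import hmac
import json

# Constructed token standing in for the SCIM Secret Token from the Admin Portal.
SCIM_SECRET_TOKEN = "constructed-example-token-not-a-real-secret"
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def authorize(headers: dict) -> bool:
    """Accept only 'Authorization: Bearer <token>' carrying the provisioned token."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    # Constant-time comparison: a plain '==' leaks the token through timing.
    return hmac.compare_digest(token.encode(), SCIM_SECRET_TOKEN.encode())

def map_scim_user(body: str) -> dict:
    """Map a SCIM 2.0 core User to the same fields the SAML claims carry."""
    user = json.loads(body)
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        raise ValueError("not a SCIM core User resource")
    name = user.get("name") or {}
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    return {
        "email": primary[0] if primary else user["userName"],
        "firstName": name.get("givenName", ""),
        "lastName": name.get("familyName", ""),
        # Entra deprovisions by setting active=false; treat that as revoke access.
        "active": bool(user.get("active", True)),
    }

def handle_scim_request(headers: dict, body: str) -> tuple:
    """Return (HTTP status, payload) for a POST /Users; reject before parsing anything."""
    if not authorize(headers):
        return 401, {"detail": "invalid bearer token"}
    try:
        return 201, map_scim_user(body)
    except (ValueError, KeyError) as exc:
        return 400, {"detail": str(exc)}

# Constructed request shaped like an Entra ID provisioning POST; not a captured message.
SAMPLE_HEADERS = {"Authorization": "Bearer " + SCIM_SECRET_TOKEN}
SAMPLE_BODY = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "jane.doe@example.com",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
    "active": True,
})
```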


SSO & SCIM Overview

Background information on Single Sign-On and SCIM

What is Single Sign-On (SSO)?

SSO allows users to authenticate once and gain access to multiple applications without re-entering credentials.

Instead of maintaining separate usernames and passwords for each app, employees log in once through an Identity Provider (IdP) like Microsoft Entra ID and get automatic access to all connected services.

How SSO Works

  1. User visits Wellness Coach

  2. Redirected to Azure AD (IdP)

  3. User authenticates once

  4. Azure sends SAML assertion

  5. Access granted automatically

Why SSO with Wellness Coach?

  • Single Sign-On:

    Access Wellness Coach with one set of login credentials from any device or application, whether cloud or on-premise.

  • Employee Access Management:

    New hires automatically get access on their start date. Terminated employees' access is revoked on their last day.

  • Fraud Prevention:

    Azure AD's Conditional Access policies detect and block fraud in real-time using Device ID, Location, and risk-based authentication.

  • Seamless Experience:

    Employees enjoy frictionless access to wellness resources without managing multiple passwords or separate logins.