Overview of SSO Integration

Wootric offers seamless SSO integration with Azure AD, allowing users to access Wootric through their Microsoft 365 accounts. To set up a button in Microsoft 365 for Wootric, visit https://myapplications.microsoft.com and follow the steps to create a new application button as shown in the screenshot below.

Wootric's SSO integration works within Azure Active Directory, not via a button on the Wootric login page.

Common Issues

Troubleshooting is usually the result of one of these (3) problems:

A bad configuration of the enterprise application in the Azure AD page.
A bad link in the Office365 button is used to access Wootric.
A bad configuration of the integration in the Wootric Admin Panel (Integrations -> Authentication -> Enable Single Sign On with Azure Active Directory).

If the Azure AD enterprise application is configured correctly---the button used in Office365 uses the right URL and the integration has been set correctly in the Wootric admin panel---then the integration should work as expected for all zones, apps, and servers.

Troubleshooting Steps

Verify Azure AD Enterprise Application Configuration

Go to Azure AD Enterprise Applications:
1. Navigate to Azure -> Azure Active Directory -> Enterprise Applications.
2. Select the application used for Wootric. (choose a non-CXI account, as CXI doesn't have a UI to edit integration details)
Check Single Sign-On Settings:
1. Go to "Single Sign On".
Basic SAML Configuration:
1. Ensure the following settings are correct:
  1. Identifier (Entity ID): https://app.wootric.com/session/sso_login (This will be the Audience of the SAML response)
  2. Reply URL (Assertion Consumer Service URL): https://app.wootric.com/session/sso_login (This will be used as the SAML ACS)
  3. Sign-on URL: Leave this blank (used only for SP-initiated SSO).
  4. NOTE for the above. If you're in the EU or AU, you may need to use Region-Specific URLs:
    EUC1 (Europe):
    ACS/SSO URL: https://app.wootric.eu/session/sso_login
    Audience URL: https://app.wootric.eu/session/sso_login
    APSE2 (Australia):
    ACS/SSO URL: https://app.wootric.au/session/sso_login
    Audience URL: https://app.wootric.au/session/sso_login
    US (United States):
    ACS/SSO URL: https://app.wootric.com/session/sso_login
    Audience URL: https://app.wootric.com/session/sso_login
Under Attributes and Claims:
1. Make sure that you are at least including emailaddress: user.mail.
SAML Certificates:
1. Verify the Token Signing Certificate is valid, has not expired, and matches the one configured in Wootric.
  - Download the certificate (Base64 version) and copy the value.
    Go to Wootric -> Admin Panel -> Integrations -> Authentication -> Azure Active Directory. Make sure the certificate is the same.
    Edit the value for "X.509 Certificate" and paste the certificate that you copied before
  1. Click on the "edit" button of "Token signing certificate" to see advanced settings
    Make sure that the certificate's state is "Active" and it's not expired
    Make sure that "Signing Option" is set to "Sign SAML Assertion"
    Under "Verification certificates (optional)"
    Make sure that "Required" is set to "No"
Set up Wootric (the name Wootric depends on the name of the enterprise application)
1. Verify the following values match those on Wootric's Azure integration page:
  1. The value of "Login URL" should be used as "Identity Provider Single Sign-On URL"
  2. The value of "Azure AD Identifier" should be used as "Identity Provider Issuer"
Test the Configuration:
1. Click on the "Test" button at the very bottom of the page, that should start a testing SAML request using the current user on Azure.
Verify Office365 Button Configuration: Go to "Properties" and copy the value of "User access URL", make sure that the Wootric button that you're using on Office365 matches this value, if not then:
1. Go to Office365 -> MyApps (https://myapplications.microsoft.com).
2. Click "Add apps" -> "Add a site".
3. Name the app (e.g., "Wootric New") and paste the "User access URL" in the URL field.
4. Save and test the button.

Other Considerations

The enterprise application on Azure AD can be configured to require prior assignment for users before they can use it for SSO, you can see that under "Properties" as "Assignment required?", try setting that option to "No" and test the SSO button.

It is not necessary to send invitations for users that already have access to your Azure Active Directory, the integration should pick up the correct account and correct user based on the SAML response and give access accordingly (creating the user in our system if it doesn't exist)

Granting Access to New Users

There are two methods to grant access to new users in Wootric:

Automatically Grant Access:
1. Enable the Wootric SSO Integration page option to "automatically grant access to new users".
2. Set the default permission level for new users.
3. This allows new users added to Wootric within Azure AD to gain access to Wootric with the predefined permission level automatically.
Manually Grant Access:
1. If the automatic access option is not enabled, you must manually grant access.
2. Add new users to your SSO provider (Azure AD).
3. Then, log into Wootric and assign the appropriate access level to these new users within the Wootric Admin Panel (Settings > Manage Users).

Once SSO is configured, direct users to use the button you configured in your SSO app for accessing Wootric. The SSO integration works within Azure Active Directory, not via a button on the Wootric login page.

For further assistance or questions with SSO, please create a support ticket for our team to review.

Configuring SSO with your custom authentication provider

Wootric Getting Started Guide