Overview of SSO Integration
Wootric offers seamless SSO integration with Azure AD, allowing users to access Wootric through their Microsoft 365 accounts. To set up a button in Microsoft 365 for Wootric, visit https://myapplications.microsoft.com and follow the steps to create a new application button as shown in the screenshot below.
Wootric's SSO integration works within Azure Active Directory, not via a button on the Wootric login page.
Common Issues
Problems are usually the result of one of these three causes:
A bad configuration of the enterprise application in Azure AD.
A bad link in the Office365 button used to access Wootric.
A bad configuration of the integration in the Wootric Admin Panel (Integrations -> Authentication -> Enable Single Sign On with Azure Active Directory).
If the Azure AD enterprise application is configured correctly, the button used in Office365 points at the right URL, and the integration has been set up correctly in the Wootric admin panel, then the integration should work as expected for all zones, apps, and servers.
Troubleshooting Steps
Verify Azure AD Enterprise Application Configuration
Go to Azure AD Enterprise Applications:
Navigate to Azure -> Azure Active Directory -> Enterprise Applications.
Select the application used for Wootric. (choose a non-CXI account, as CXI doesn't have a UI to edit integration details)
Check Single Sign-On Settings:
Go to "Single Sign On".
Basic SAML Configuration:
Ensure the following settings are correct:
Identifier (Entity ID): https://app.wootric.com/session/sso_login
(This will be the Audience of the SAML response.)
Reply URL (Assertion Consumer Service URL): https://app.wootric.com/session/sso_login
(This will be used as the SAML ACS.)
Sign-on URL: leave this blank (used only for SP-initiated SSO; this integration is started from the Azure AD side).
NOTE for the above: if your account is hosted in the EU or AU, use the region-specific URLs below. The same value is used for both the ACS/SSO URL and the Audience URL:
EUC1 (Europe):
ACS/SSO URL:
https://app.wootric.eu/session/sso_login
Audience URL:
https://app.wootric.eu/session/sso_login
APSE2 (Australia):
ACS/SSO URL:
https://app.wootric.au/session/sso_login
Audience URL:
https://app.wootric.au/session/sso_login
US (United States):
ACS/SSO URL:
https://app.wootric.com/session/sso_login
Audience URL:
https://app.wootric.com/session/sso_login
Under Attributes and Claims:
Make sure that you are at least including the claim emailaddress (Azure AD's default name for it is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) with source attribute user.mail.
SAML Certificates:
Verify the Token Signing Certificate is valid, has not expired, and matches the one configured in Wootric:
Download the certificate (Base64 version) and copy its value.
Go to Wootric -> Admin Panel -> Integrations -> Authentication -> Azure Active Directory and make sure the certificate is the same.
If it is not, edit the value of "X.509 Certificate" and paste the certificate you copied. Repeat this whenever the certificate in Azure is replaced (for example when it expires and a new one is activated); until the copy in Wootric is updated, the signed assertions will not be accepted.
Click on the "edit" button of "Token signing certificate" to see the advanced settings:
Make sure that the certificate's state is "Active" and it's not expired.
Make sure that "Signing Option" is set to "Sign SAML Assertion".
Under "Verification certificates (optional)", make sure that "Required" is set to "No". That option makes Azure AD demand signed SAML requests from the application, which only matters for SP-initiated sign-on and is not used by this integration.
Under "Set up Wootric" (the section is named after the enterprise application, so it may read "Set up <your app name>"):
Verify the following values match those on Wootric's Azure integration page:
The value of "Login URL" should be used as "Identity Provider Single Sign-On URL".
The value of "Azure AD Identifier" should be used as "Identity Provider Issuer".
Test the Configuration:
Click on the "Test" button at the very bottom of the page; this starts a test SAML request for the Azure user you are currently signed in as.
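As an added diagnostic, not part of the original article or of Wootric's or Microsoft's own tooling: the Python script below decodes a Base64 SAMLResponse (captured with a browser SAML tracer, or from the "Test" step above) and checks the fields the steps above cover. It compares Destination and Recipient with the region's ACS URL, Audience with the Identifier (Entity ID), Issuer with the "Azure AD Identifier" / "Identity Provider Issuer", checks that the emailaddress claim is present, and checks that the Assertion itself is signed with the same certificate that is pasted into Wootric (compared by SHA-1 thumbprint, so differences in PEM headers or line wrapping do not matter). The tenant ID, the sample response and its "certificate" are constructed stand-ins; the script checks configuration consistency only and does not verify the XML signature cryptographically.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Default name Azure AD gives the emailaddress claim.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Per-region Wootric endpoint from the article; the same URL is Entity ID, ACS and Recipient.
REGION_SSO_URL = {
    "US": "https://app.wootric.com/session/sso_login",
    "EUC1": "https://app.wootric.eu/session/sso_login",
    "APSE2": "https://app.wootric.au/session/sso_login",
}


def cert_thumbprint(cert_text):
    """SHA-1 thumbprint of a certificate given as PEM or as the bare Base64 Azure shows.
    Headers, line breaks and spaces are ignored so a re-wrapped paste still matches."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha1(der).hexdigest().upper()


def check_saml_response(b64_response, region, wootric_settings):
    """Compare a Base64 SAMLResponse with the values the Azure AD app and the Wootric
    admin panel should hold. Returns a list of mismatches; [] means all checked fields
    agree. Configuration check only: the XML signature is not verified here."""
    expected = REGION_SSO_URL[region]
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != expected:
        problems.append(f'Destination {root.get("Destination")!r} is not the ACS {expected!r}')
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no plaintext Assertion (encrypted assertions not handled)"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != wootric_settings["idp_issuer"]:
        problems.append(f'Issuer {issuer!r} differs from "Identity Provider Issuer" (Azure AD Identifier)')
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != expected:
        problems.append(f'Audience {audience!r} is not the Identifier (Entity ID) {expected!r}')
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected:
        problems.append("SubjectConfirmationData Recipient is not the ACS URL")
    sig = assertion.find("ds:Signature", NS)  # must sit on the Assertion, not only the Response
    if sig is None:
        problems.append('Assertion is unsigned: set "Signing Option" to "Sign SAML Assertion"')
    else:
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        if not cert or cert_thumbprint(cert) != cert_thumbprint(wootric_settings["x509_certificate"]):
            problems.append('signing certificate differs from the "X.509 Certificate" pasted into Wootric')
    names = {a.get("Name") for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    if EMAIL_CLAIM not in names:
        problems.append("emailaddress claim (user.mail) is missing from Attributes and Claims")
    return problems


# Constructed sample, not captured from Azure AD: made-up tenant ID, a "certificate" that is
# just arbitrary bytes, and no SignatureValue, so only consistency can be checked.
TENANT = "11111111-2222-3333-4444-555555555555"
FAKE_CERT_B64 = base64.b64encode(b"constructed-stand-in-for-a-DER-certificate").decode()
WOOTRIC_SETTINGS = {  # what the Wootric admin panel should contain for this (constructed) tenant
    "idp_sso_url": f"https://login.microsoftonline.com/{TENANT}/saml2",  # Azure "Login URL"
    "idp_issuer": f"https://sts.windows.net/{TENANT}/",                   # Azure "Azure AD Identifier"
    "x509_certificate": f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----",
}
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{REGION_SSO_URL['US']}">
  <saml:Issuer>{WOOTRIC_SETTINGS['idp_issuer']}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{WOOTRIC_SETTINGS['idp_issuer']}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{REGION_SSO_URL['US']}"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{REGION_SSO_URL['US']}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    # A US response checked against the US settings passes; against EUC1 it fails on the URLs.
    for region in ("US", "EUC1"):
        print(region, check_saml_response(SAMPLE_B64, region, WOOTRIC_SETTINGS) or "OK")
```

Paste a real SAMLResponse value in place of SAMPLE_B64 and the certificate from the Wootric admin panel in place of the stand-in; an empty list means the Azure side and the Wootric side agree on every field the article asks you to compare, and each reported line names the setting to go back and fix.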
Verify Office365 Button Configuration:
Go to "Properties" and copy the value of "User access URL". Make sure the Wootric button that you're using on Office365 points at exactly this value. If it does not:
Go to Office365 -> MyApps (https://myapplications.microsoft.com).
Click "Add apps" -> "Add a site".
Name the app (e.g., "Wootric New") and paste the "User access URL" in the URL field.
Save and test the button.
Other Considerations
The enterprise application on Azure AD can be configured to require that users be assigned to it before they can use it for SSO; you can see this under "Properties" as "Assignment required?". To rule this out, try setting the option to "No" and test the SSO button. Note that "No" lets every user in the tenant reach the application, so if that is not intended, set it back to "Yes" once the problem is found and assign the affected users or groups instead.
It is not necessary to send invitations to users who already have access to your Azure Active Directory; the integration picks up the correct account and user from the SAML response and grants access accordingly, creating the user in our system if it doesn't exist.
Granting Access to New Users
There are two methods to grant access to new users in Wootric:
Automatically Grant Access:
Manually Grant Access:
If the automatic access option is not enabled, you must grant access manually:
Add new users to your SSO provider (Azure AD).
Then, log into Wootric and assign the appropriate access level to these new users within the Wootric Admin Panel (Settings > Manage Users).
Once SSO is configured, direct users to use the button you configured in your SSO app for accessing Wootric. The SSO integration works within Azure Active Directory, not via a button on the Wootric login page.
For further assistance or questions with SSO, please create a support ticket for our team to review.