Articles in this section

Limeade ONE Single Sign-On (SSO) Guide

Avatar
Joe Maubach
  • Updated
Follow

Overview:

Limeade ONE allows third-party authentication partners for Single Sign-On (SSO) capabilities for our Well-Being and Engagement solutions. This allows customers to use their existing security and identity management infrastructure to authenticate users into the Limeade platform, both on the web and in the Limeade app. Using this mode, a lot of access and identity management can be simplified: instead of having to remember another username and password, users can sign in with the same credentials as their corporate network, benefits administrator, etc.

Additionally, Limeade ONE allows what we call “Multi-Auth” – where different portions of the population can use a different Identity Providers, including multiple SSO Identity Providers, or our in-house authentication system, Limeade Auth.

 

Supported Protocols and Platforms:

Limeade is built to work with many modern authentication protocols, including:

  • WS-FED
  • SAML 2.0
  • Open ID Connect

Our customers are already using many of the major identity platforms to connect to Limeade, including:

  • ADFS
  • Azure AD/Office 365
  • Okta
  • Ping Federate
  • And more!

As long as your solution supports one of the above protocols, we can work with you to authenticate your users into Limeade.

 

Connecting to Limeade

To set up SSO for Limeade ONE, we've made the process as easy and streamlined as possible and can be done in a few steps:

Set up a new Connection/Application in your Identity Provider

  • Your local IT or Networking team can work with you to create a new connection in your Identity Provider.
    • Note: For customers upgrading from our Legacy Well-Being product, we recommend creating a separate application/connection for your upgrade. This will allow you to set up the new connection without affecting your users’ ability to log into the Limeade they know and love.
  • There will be some unknowns/gaps in this setup – this is expected! All you have to do for now is create the connection, so new metadata can be created and provided to Limeade.

Provide Limeade with XML Metadata

  • Your contact at Limeade, typically on the Implementation team or your Strategic Account Executive (SAE), will need the metadata you created for the new connection to Limeade.
  • We prefer a hosted link to the metdata if possible, but can accept a file if necessary.
    • Having you host the metadata makes a lot of the tedious problems with SSO a thing of the past!
    • When it’s time for updates to the configuration (certificate updates, etc), simply update the metadata in the hosted URL and Limeade will be able to dynamically pick up the new information.
    • If you can’t host your metadata due to company policy, no worries! You can provide us the file and we can host it internally. Your data will not be publicly exposed.
  • The Limeade team will then send that metadata to our teams to create the connection on our end, configuring with your metadata and make a few tweaks on our end.

Configure Assertion and Claims

  • With Limeade, configuring claims is simple.
  • The only claim required for SSO is the UPN – User Principal Name.
    • This is a unique identifier from your Identity Provider to confirm the user is who they say they are.
    • The UPN can be an existing data point in your system – Employee ID, email, sAMAccountName, GUID, etc.
    • The UPN needs to be on the Limeade eligibility file – and if you’re already providing the value, you don’t need to worry about including it twice.
      • Note for our Multi-Auth customers: We will also need an identifying value on the Eligibility File that determines SSO users and non-SSO users. Our team will be happy to work with you on this!
    • We accept multiple claim names, so if your system is built to use one of these by default, we’ll pick it up:
Claim Description

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

or

upn

or

userprincipalname

or

Sub

or

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

or

name

This is the claim that handle user id. It is required to be unique.

 

We check all claims in the order specified. If none of these claims are found the user will not be granted access. 

 

**“sub” is used for Azure AD configuration

 

  • The only other requirement we have is that the assertion in the response is not encrypted.

Configure Application with Limeade Metadata

  • Once the Limeade team has finished configuration, we will supply you with a link to our metadata. You can then use that metadata to finish configuring your SSO connection.
  • With that, everything should now be good to go for testing!

Test

  • First, we’ll need a test user to put into the Limeade platform. Provide your Limeade contact with user information for any users you want to test with.
    • Note: You can use dummy users/service accounts, or actual user accounts to test!
  • The Limeade team will add those users into the Limeade platform.
  • Once that’s done they will provide instructions for you to sign in and test the SSO Connection
    • The site will be a Work In Process – this is just an SSO test, it’s perfectly normal for things to look a bit barebones!

If you are unsure of what authentication method is right for your organization, you can check our our Limeade ONE SSO Questionnaire for help, as well as kick start your SSO or Multi-Auth workflow if that's the route that is chosen. If you have any other questions, please reach out to your Limeade contact and we'll be happy to help.

Was this article helpful?
4 out of 6 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.