Set up single sign-on (SSO)

Streamline the user setup and login process by setting up SSO in Life QI

Single sign-on (SSO) allows you to give your team members one account for all of the systems your organisation uses. If you have SSO set up for your organisation (or wish to set it up), you can require users to log in to Life QI using their SSO credentials.

Please note: this setup process should be done by an IT administrator with experience creating applications in your identity provider account.

This article covers:




General setup

  • Log in to your identity provider account.
  • Navigate to your applications.
  • Create a new application for Life QI.
    • The SSO Sign on URL will be https://<countryCode>
      - countryCode is the ISO 3166-1 alpha-2 code for your country( us, uk, nl etc. )
    • If prompted, set the username format/name ID to Email.
  • Copy the identifier or issuer URL, the single-sign on URL, and the certificate from your identity provider.
  • Navigate to /admin/subscriptions in Life QI and click on the subscription that you want to license your SSO users from.
  • Go to Settings at the top of the page.
  • Under 'SAML Configuration' enter the details that you copied from the identity provider.
  • Click Verify.
The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below.

Instructions for Azure Active Directory

For Azure Active Directory users, a private "Enterprise Application" needs to be created in Azure AD.

To configure Azure AD integration with Life QI, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD subscription, create a free account before you begin.
  • An Enterprise Application registered on your organisation's Azure AD.
  • A Life QI subscription with single sign-on enabled.

Life QI supports the following features:

  • SP-initiated single sign-on
  • IDP-initiated single sign-on

Add Life QI in the Azure portal

To integrate Life QI with Azure AD, you must create a "Life QI" Enterprise Application

in Azure AD:

  1. Sign in to the Azure portal.

  2. In the left menu, select Azure Active Directory.

    The Azure Active Directory option

  3. Navigate to Enterprise applications
  4. Select New application
  5. Select Create your own application
  6. Enter Life QI as the name of the app and click Create
  7. You will now see the Life QI Enterprise application Overview page
  8. Return to the Azure Active Directory home.

    The Azure Active Directory option

  9. Select App registrations > All applications.

  10. To add an application, select New registration.

  11. On the Register an application page, enter the following:

    Enter the URI as https://<countryCode>, where countryCode is the iso code of your region( uk, us, nl... ).
  12. Click Register and you will be taken to the App Registration page.
  13. Navigate to Authentication
  14. Add https://<countryCode> to the list of redirect URIs
  15. Enter https://<countryCode> in the Front-channel logout URL field.
  16. Click Save.
  17. Now navigate back to the Active Directory Overview and select Enterprise applications.
  18. Type Life QI into the Search bar and select the result.
  19. You will now be on the Enterprise Application page for your Life QI app.

Configure Azure AD single sign-on

In this section, you configure Azure AD single sign-on with Life QI in the Azure portal.

  1. In the Azure portal, in the Life QI application integration pane, select Single sign-on.

    Configure single sign-on option

  2. In the Select a single sign-on method pane, select SAML or SAML/WS-Fed mode to enable single sign-on.

    Single sign-on select mode

  3. In the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML Configuration pane.

    Edit Basic SAML Configuration

  4. In the Basic SAML Configuration pane, to configure IDP-initiated mode, complete the following steps:

    1. In the Identifier box, enter a URL that has the following pattern: https://<countryCode>

    2. In the Reply URL box, enter a URL that has the following pattern: https://<countryCode>

  5. To configure the application in SP-initiated mode:

     In the Sign on URL field, enter https://<countryCode>

      In the Logout URL field enter https://<countryCode>
    1. Click Save.
    2. In the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select Download next to Certificate (Base64). Select a download option based on your requirements. Save the certificate on your computer.

      The Certificate (Base64) download option

    3. In the Set up Life QI section, copy the following URLs based on your requirements:

      • Login URL
      • Azure AD Identifier
      • Logout URL

      Copy configuration URLs

    Configure Life QI single sign-on

    In this section we will populate Life QI with the information we have just created.

    1. Open a new tab in your browser and sign in to your Life QI administrator account.
    2. Click on Admin on the left-side navigation menu and then click on Subscriptions.
    3. Click on the subscription that you want to enable for SSO login.
    4. Under the SAML Configuration header you will see the IssuerSingle Sign On (SSO) URL and Identity Provider Public Certificate fields along with the Subscription ID.

    5. Insert the values that you copied from Azure AD into these fields.
    6. Click Save.

    Now, navigate to https://<countryCode> and enter your email address. Life QI will look up your subscription's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button on the main login page.



    Which signing algorithm does Life QI support?

    Life QI supports SHA-256.

    Which format should I provide my x509 certificate in?

    Life QI requires a PEM format x509 certificate.

    You should copy the text contents of the PEM file into the "Identity Provider Public Certificate" field in Life QI.

    The value should also include the

    -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.