Set up single sign-on (SSO)

Streamline the user setup and login process by setting up SSO in Life QI

Single sign-on (SSO) allows you to give your team members one account for all of the systems your organisation uses. If you have SSO set up for your organisation (or wish to set it up), you can require users to log in to Life QI using their SSO credentials.

Please note: this setup process should be done by an IT administrator with experience creating applications in your identity provider account.


General setup

  • Log in to your identity provider account.
  • Navigate to your applications.
  • Create a new application for Life QI.
    • The SSO Sign on URL will be https://<countryCode>.lifeqisystem.com/login/sso/
      - countryCode is the ISO 3166-1 alpha-2 code for your country (us, uk, nl, etc.)
    • If prompted, set the username format/name ID to Email.
  • Copy the identifier or issuer URL, the single sign-on URL, and the certificate from your identity provider.
  • Navigate to /admin/subscriptions in Life QI and click on the subscription that you want to license your SSO users from.
  • Go to Settings at the top of the page.
  • Under 'SAML Configuration' enter the details that you copied from the identity provider.
  • Click Verify.
The navigation instructions and field names above may differ across identity providers. You can find more specific instructions for setting up applications in commonly used identity providers below.
 

Instructions for Azure Active Directory

For Azure Active Directory users, a private "Enterprise Application" needs to be created in Azure AD.

To configure Azure AD integration with Life QI, you need the following items:

  • An Azure AD subscription. If you don't have an Azure AD subscription, create a free account before you begin.
  • An Enterprise Application registered on your organisation's Azure AD.
  • A Life QI subscription with single sign-on enabled.

Life QI supports the following features:

  • SP-initiated single sign-on
  • IDP-initiated single sign-on

Add Life QI in the Azure portal

To integrate Life QI with Azure AD, you must create a "Life QI" Enterprise Application in Azure AD:

  1. Sign in to the Azure portal.

  2. In the left menu, select Azure Active Directory.


  3. Navigate to Enterprise applications
  4. Select New application
  5. Select Create your own application
  6. Enter Life QI as the name of the app and click Create
  7. You will now see the Life QI Enterprise application Overview page
  8. Return to the Azure Active Directory home.


  9. Select App registrations > All applications.

  10. To add an application, select New registration.

  11. On the Register an application page, enter the following:

    Enter the URI as https://<countryCode>.lifeqisystem.com/login/sso/, where countryCode is the ISO code of your region (uk, us, nl...).
  12. Click Register and you will be taken to the App Registration page.
  13. Navigate to Authentication
  14. Add https://<countryCode>.lifeqisystem.com/login/sso/ to the list of redirect URIs
  15. Enter https://<countryCode>.lifeqisystem.com/logout/ in the Front-channel logout URL field.
  16. Click Save.
  17. Now navigate back to the Active Directory Overview and select Enterprise applications.
  18. Type Life QI into the Search bar and select the result.
  19. You will now be on the Enterprise Application page for your Life QI app.

Configure Azure AD single sign-on

In this section, you configure Azure AD single sign-on with Life QI in the Azure portal.

  1. In the Azure portal, in the Life QI application integration pane, select Single sign-on.


  2. In the Select a single sign-on method pane, select SAML or SAML/WS-Fed mode to enable single sign-on.


  3. In the Set up Single Sign-On with SAML pane, select Edit (the pencil icon) to open the Basic SAML Configuration pane.


  4. In the Basic SAML Configuration pane, to configure IDP-initiated mode, complete the following steps:

    1. In the Identifier box, enter a URL that has the following pattern: https://<countryCode>.lifeqisystem.com/login/sso/

    2. In the Reply URL box, enter a URL that has the following pattern: https://<countryCode>.lifeqisystem.com/login/sso/

  5. To configure the application in SP-initiated mode:

    1. In the Sign on URL field, enter https://<countryCode>.lifeqisystem.com/login/sso/.

    2. In the Logout URL field, enter https://<countryCode>.lifeqisystem.com/logout/.

  6. Click Save.

  7. In the Set up Single Sign-On with SAML pane, in the SAML Signing Certificate section, select Download next to Certificate (Base64). Select a download option based on your requirements. Save the certificate on your computer.

  8. In the Set up Life QI section, copy the following URLs based on your requirements:

      • Login URL
      • Azure AD Identifier
      • Logout URL

Configure Life QI single sign-on

In this section we will populate Life QI with the information we have just created.

  1. Open a new tab in your browser and sign in to your Life QI administrator account.
  2. Click on Admin on the left-side navigation menu and then click on Subscriptions.
  3. Click on the subscription that you want to enable for SSO login.
  4. Under the SAML Configuration header you will see the Issuer, Single Sign On (SSO) URL and Identity Provider Public Certificate fields along with the Subscription ID.
  5. Insert the values that you copied from Azure AD into these fields.
  6. Click Save.

Now, navigate to https://<countryCode>.lifeqisystem.com/login/sso/ and enter your email address. Life QI will look up your subscription's single sign-on configuration and send you to your SSO provider to sign in. You’ll also see a Log in with SSO button on the main login page.

     

FAQs

Which signing algorithm does Life QI support?

Life QI supports SHA-256.

Which format should I provide my x509 certificate in?

Life QI requires a PEM format x509 certificate.

You should copy the text contents of the PEM file into the "Identity Provider Public Certificate" field in Life QI.

The value should also include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
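A pre-flight check for the value you are about to paste into the "Identity Provider Public Certificate" field, catching the usual mistakes (missing BEGIN/END lines, a private key or request pasted instead of the certificate, a binary export, stray text). This is an added example, not Life QI code: the function names are hypothetical, the sample is a constructed skeleton rather than a real certificate, and the check covers format only, not whether the certificate belongs to your identity provider.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def check_certificate_field(value):
    """Return (problems, sha256_fingerprint); an empty list means the format is fine."""
    blocks = PEM_BLOCK.findall(value)
    if not blocks:
        return ["no -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines"], None
    if len(blocks) > 1:
        return ["more than one PEM block pasted"], None
    label, body = blocks[0]
    if label != "CERTIFICATE":
        return [f"PEM block is a {label}, not a CERTIFICATE"], None
    if PEM_BLOCK.sub("", value).strip():
        return ["extra text outside the BEGIN/END lines"], None
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, cert, end = read_tlv(der, 0)
        tags, pos = [tag], 0
        while pos < len(cert):             # walk the top-level fields
            t, _, pos = read_tlv(cert, pos)
            tags.append(t)
    except (ValueError, IndexError):
        return ["body is not base64-encoded DER"], None
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
    #                            signatureAlgorithm SEQUENCE, signature BIT STRING }
    if tags != [0x30, 0x30, 0x30, 0x03] or end != len(der):
        return ["DER does not have the X.509 certificate layout"], None
    return [], hashlib.sha256(der).hexdigest()

# Constructed skeleton with the right outer layout; NOT a real certificate.
SAMPLE_DER = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(check_certificate_field(SAMPLE_PEM))
```

The returned fingerprint can be compared with one computed from the file downloaded from the identity provider, to confirm nothing was altered when copying.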