Switching over from Wonde Single Sign-On to MyLogin?
If you are switching over from the now deprecated Wonde Single Sign-On product, please remember the following:
- You will need to inform Wonde when you begin your setup of MyLogin so that we can switch your Wonde School Portal over to v2, which is required to allow access to the MyLogin setup wizard.
- Once switched over to Wonde School Portal v2, schools will not be able to use their Wonde Single Sign-On credentials.
- You will need to redistribute credentials when you've switched over to MyLogin.
- If you previously used Wonde Single Sign-On as the identity provider for Google Workspace and ChromeOS devices, you will need to change the URLs in your SAML profiles or create new ones. This is covered later in this guide. This guide is specifically for setting up MyLogin as the IdP for a Microsoft environment, but you may also have previously set up Wonde SSO for your Google environment in a hybrid ecosystem.
- You will need to add your apps again in MyLogin.
- Do not revoke Wonde Single Sign-On from your Wonde School Portal until the end of your MyLogin setup. This allows credentials for saved password applications to be shared between the old and new platforms.
- You will still need the Wonde Chrome extension for saved password apps.
Prerequisites
To configure MyLogin as an identity provider (IdP) for Microsoft Entra ID, the following prerequisites must be met:
- You must have a Microsoft Entra ID tenant with one or more custom domains (domains that are not in the format *.onmicrosoft.com).
- If the federated domain hasn't yet been added to Microsoft Entra ID, you will need to have access to the DNS domain to create a DNS record. This is required to verify the ownership of the DNS namespace.
- Head here to learn how to add your custom domain name using the Microsoft Entra ID portal.
- Access the Microsoft Entra ID tenant with the Global Administrator role for your tenant.
- Existing accounts in your Microsoft Entra ID are associated with your custom domain.
- Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.
- The devices on which you wish to use the MyLogin service must be Windows 11 devices.
- Devices will need to be managed via Intune.
- Federating the domain so that MyLogin becomes the IdP affects every user in the federated domain. If you wish to limit the impact on your users, consider creating a subdomain; see the Subdomains section below for more details.
- You should also make sure that all of your devices have been updated to the latest build of Windows 11. If updates are not maintained, you may experience difficulty distributing MyLogin's Web Sign-in capabilities to devices, and loss of service on devices where the solution has already been deployed.
Subdomains
It is also possible to federate subdomains. However, a subdomain must first be promoted so that Entra recognises it as a root domain, before federating it with MyLogin as the identity provider using the instructions in this guide. This process is laid out by Microsoft here.
Note: Make sure that the Domain.ReadWrite.All permission is consented under the "Modify permissions" tab in Graph Explorer before attempting subdomain promotion.
It is not possible to promote a subdomain without first migrating any users out of it. Bear this in mind if any of the users currently attached to the subdomain do not yet have an Immutable ID set: this needs to be actioned before migrating users out if you want to avoid upheaval later, because users in a federated domain must have an Immutable ID. The simplest way to set Immutable IDs is to sync your domain with MyLogin first, as MyLogin sets an Immutable ID wherever one is not yet present.
Complete the MyLogin Device setup wizard
- Navigate to school.wonde.com and log into your school's Wonde School Portal.
- Hover over the MyLogin Device tile and click Launch (if you haven't yet done so, click on the tile first and approve the permissions for MyLogin to access the required data via Wonde).
- Create a password for your MyLogin admin account.
- Confirm you want to use Wonde as the source of truth for user creation.
- Your new MyLogin users will begin to import from your MIS via Wonde.
- When your users have finished importing, click Let's go! to move to the final stage of the setup wizard.
- Select Connect with Microsoft and connect the tenant that you would like to connect with for the purpose of matching Microsoft users with your new MyLogin users. If you'd like to connect both Microsoft and Google, then you will be able to add Google in Settings once the setup wizard is complete.
Note: You will need to ensure app.mylogin.com is allowed on your network.
- Update your tenant ID.
- Save settings, and then go to Manage connection and Sync users from Microsoft.
- After you have linked the Microsoft tenant, go to Users > User matching and match the Microsoft users to the Wonde data. You can filter the list along the top. We suggest filtering by "suggestion confidence" and then "strong". Look through the list to ensure all users match, then toggle the top left box to select all filtered users and select "accept suggestions for Microsoft". Do the same for Medium and Weak, but check these carefully to make sure MyLogin is matching them correctly.
- Once all users are matched, you may wish to distribute the credentials to users before proceeding to make MyLogin the IdP for the Microsoft environment. To do this, go to Users > Overview, use the filters to narrow down the list, toggle the top left box to select all the currently filtered users, and then choose which credentials to download (press the "download" button). This provides a PDF which you can rename to suit. Repeat this for all groups as necessary.
Setup Windows 11 devices to use MyLogin as the Identity Provider
Please note: When you federate a Microsoft Entra ID domain, you will not be able to manually create users to that domain, as newly created accounts require an immutable ID. An immutable ID is not set when manually creating accounts in Entra ID.
Some third-party Entra ID provisioning services, such as Wonde's Edusync, will automatically apply an immutable ID to users that it creates.
If, however, you do not have access to a user creation service, you can create users in a different domain within your tenant, run the script below to set their immutable IDs, and then migrate the users to the domain that is federated with MyLogin as the IdP.
# Assign a new GUID as the ImmutableId to every user in the domain that does not have one yet
Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@YOURDOMAIN.com" -and [string]::IsNullOrEmpty($_.ImmutableId) } | ForEach-Object { Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId (New-Guid).Guid }
Once users have had their immutable IDs set and have been migrated to the federated domain, you will need to update their UPNs to contain the same domain name as the federated domain so that they can be matched in the MyLogin UI: only users whose UPN contains the domain name you have selected for MyLogin to view users from are visible to the platform. You can use the script below to do this.
We have provided a version for both the MSOnline (Msol) module and the Microsoft Graph module. To use the Msol version you will first need to run Connect-MsolService; to use the Graph version you will first need to run Connect-MgGraph. In both cases sign in as an administrator:
Msol Version
# Rewrite the UPN suffix of every user in the old domain to the new (federated) domain
Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@YOUROLDDOMAIN.com" } | ForEach-Object { Set-MsolUserPrincipalName -UserPrincipalName $_.UserPrincipalName -NewUserPrincipalName $_.UserPrincipalName.Replace('@YOUROLDDOMAIN.com', '@YOURNEWDOMAIN.com') }
MgGraph Version
# Same change via Graph; Update-MgUser takes the new value in -UserPrincipalName and needs the User.ReadWrite.All scope
Get-MgUser -All | Where-Object { $_.UserPrincipalName -like "*@YOUROLDDOMAIN.com" } | ForEach-Object { Update-MgUser -UserId $_.Id -UserPrincipalName $_.UserPrincipalName.Replace('@YOUROLDDOMAIN.com', '@YOURNEWDOMAIN.com') }
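As an added example (not part of the Wonde guide), the following pre-flight audit checks the immutable ID and UPN requirements described above using the Microsoft Graph module before you federate the domain. It assumes Connect-MgGraph has already been run with the User.Read.All scope, and the domain names are placeholders.

```powershell
# Added example, not from the Wonde guide. Reports which users in the domain you intend to
# federate still lack an immutable ID (Graph exposes the MSOnline ImmutableId as
# onPremisesImmutableId) and which users still carry a UPN in the old domain.
# Assumes: Connect-MgGraph -Scopes "User.Read.All" has been run in this session.
function Test-FederationReadiness {
    param(
        [Parameter(Mandatory)][string]$FederatedDomain,   # placeholder, e.g. YOURNEWDOMAIN.com
        [string]$OldDomain                                 # optional placeholder, e.g. YOUROLDDOMAIN.com
    )
    # onPremisesImmutableId is not in Get-MgUser's default property set, so request it explicitly
    $all = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesImmutableId

    $inDomain = @($all | Where-Object { $_.UserPrincipalName -like "*@$FederatedDomain" })
    $missing  = @($inDomain | Where-Object { [string]::IsNullOrEmpty($_.OnPremisesImmutableId) })
    $notMoved = if ($OldDomain) { @($all | Where-Object { $_.UserPrincipalName -like "*@$OldDomain" }) } else { @() }

    [pscustomobject]@{
        FederatedDomain         = $FederatedDomain
        UsersInDomain           = $inDomain.Count
        MissingImmutableId      = $missing.Count
        StillOnOldDomain        = $notMoved.Count
        # Safe to federate only when every user in the domain carries an immutable ID
        ReadyToFederate         = ($missing.Count -eq 0)
        UsersNeedingImmutableId = $missing.UserPrincipalName
        UsersNeedingUpnChange   = $notMoved.UserPrincipalName
    }
}

Test-FederationReadiness -FederatedDomain 'YOURNEWDOMAIN.com' -OldDomain 'YOUROLDDOMAIN.com' | Format-List
```

Run it once before federating and again after the migration scripts; ReadyToFederate should be True and StillOnOldDomain should be 0 before you continue.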
Step-by-step guide to setup MyLogin as your domain's identity provider
Note: Following these steps will enact MyLogin as your default identity provider at the domain level and cannot be further isolated to a lower level.
- On any Windows device, open PowerShell and enter the following commands:
Install-Module -Name MSOnline
Import-Module MSOnline
Connect-MsolService
- Log in as a Global Administrator of your Azure AD/Entra ID tenant.
- On the settings page of MyLogin, enter your domain name under Federated Domain Setup, click Copy to clipboard to obtain the script, and then paste it into PowerShell.
- Once the above script has been run, you can check your domain's federation settings with the following command in PowerShell:
Get-MsolDomainFederationSettings -DomainName YOURDOMAIN.com | Format-List *
Setting up your Windows 11 devices to use MyLogin as the IdP
1. Navigate to intune.microsoft.com and log in as a Global Administrator for the tenant that the domain you are federating belongs to.
2. Navigate to ‘Groups’ on intune.microsoft.com and create a Group called "MyLogin Devices" (or use an existing device group).
3. Assign any devices you’d like to use MyLogin as the identity provider for, onto this Group.
4. Navigate to ‘Devices’ on intune.microsoft.com and create a Configuration profile also named "MyLogin Devices".
5. You will need to set this profile up for "Windows 10 and later" using the "Custom" template profile, as in the screenshot below. Apply the OMA-URIs in the section below to this Configuration Profile under the Configuration settings section.
Make sure to paste the full OMA-URI path, including the leading dot ".".
- OMA-URI: ./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment
  Data type: Integer, Value: 1
- OMA-URI: ./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync
  Data type: Boolean, Value: True
- OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn
  Data type: Integer, Value: 1
- OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls
  Data type: String, Value: app.mylogin.com (if setting up in Australia use app.ap-southeast.mylogin.com)
- OMA-URI: ./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames
  Data type: String, Value: app.mylogin.com (if setting up in Australia use app.ap-southeast.mylogin.com)
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Authentication/PreferredAadTenantDomainName
  Data type: String, Value: [Enter your custom domain name]
6. Assign the configuration profile to the MyLogin Device group.
7. Once the configuration profile has been pushed to the group and the devices have synced via Intune, the first time you log in to each device you will need to use your domain-specific login option, so that subsequent logins display the MyLogin screen by default.
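As an added troubleshooting example (not part of the Wonde guide), the following script checks on a Windows 11 device whether the Policy CSP values from the "MyLogin Devices" profile have actually been applied. It assumes that applied Policy CSP settings are mirrored in the registry under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, and that it is run from an elevated PowerShell session; the domain name is a placeholder.

```powershell
# Added example, not from the Wonde guide. Compares the expected Policy CSP values from the
# Intune profile with what is present on this device. Assumption: applied Policy CSP settings
# are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
# The SharedPC setting lives in a different CSP and is not checked here.
function Test-MyLoginDevicePolicy {
    param(
        [string]$MyLoginHost  = 'app.mylogin.com',   # app.ap-southeast.mylogin.com for Australia
        [string]$TenantDomain = 'YOURDOMAIN.com'     # placeholder for your custom domain
    )
    $base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    $expected = @(
        @{ Area = 'Education';      Name = 'IsEducationEnvironment';           Value = '1' }
        @{ Area = 'Authentication'; Name = 'EnableWebSignIn';                   Value = '1' }
        @{ Area = 'Authentication'; Name = 'ConfigureWebSignInAllowedUrls';     Value = $MyLoginHost }
        @{ Area = 'Authentication'; Name = 'ConfigureWebCamAccessDomainNames';  Value = $MyLoginHost }
        @{ Area = 'Authentication'; Name = 'PreferredAadTenantDomainName';      Value = $TenantDomain }
    )
    foreach ($e in $expected) {
        $key = Join-Path $base $e.Area
        # A missing key or value means the profile has not synced to this device yet
        $actual = (Get-ItemProperty -Path $key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Setting  = "$($e.Area)/$($e.Name)"
            Expected = $e.Value
            Actual   = $actual
            Applied  = ("$actual" -eq $e.Value)
        }
    }
}

Test-MyLoginDevicePolicy | Format-Table -AutoSize
```

Any row with Applied = False points to a setting that has not reached the device, which is the usual cause of the MyLogin screen not appearing at login.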
Additional settings and suggestions (optional)
If you’d like the MyLogin dashboard to load on Edge startup:
- Create an additional Configuration profile.
- From the Settings picker, select Microsoft Edge - Startup, home page, and new tab page, and next to Sites to open when the browser starts (Device), enter "app.mylogin.com".
- Assign the configuration profile to the MyLogin Devices group.