Single Sign-On (SSO)

Set up SSO on your TimeZest account

Written by Jason Casuga
Updated over 2 weeks ago

Single Sign-On (SSO) allows users to access multiple applications using a single set of login credentials. It enhances security and simplifies the authentication process. This guide will help you configure SSO for your TimeZest account using Microsoft Entra (formerly Azure AD).

There are three phases of setup:

Microsoft provisioning requests

At this time, Microsoft is not accepting new SSO or provisioning requests, which means TimeZest cannot be listed in the Microsoft Entra Gallery.

The instructions below will help you create a TimeZest SSO application, set up provisioning, and add TimeZest users to the application.

See more from Microsoft:

Creating the TimeZest SSO application in Entra

You will first create the TimeZest SSO application in Entra.

Step 1: Adding TimeZest SSO to the Microsoft Entra list of applications

  1. In the Azure portal, go to Enterprise applications.

  2. Click the New application button > Create your own application.

    1. Name the app. We suggest: TimeZest SSO.

    2. Select the Integrate any other application you don't find in the gallery (Non-gallery) option.

    3. Click Create.

Step 2: Configure App Registration & Redirect URIs

  1. Go to Home > App registrations > All applications.

  2. Select TimeZest SSO.

  3. In the sidebar, click Authentication.

    1. Click the +Add a platform button, then select Web.

    2. Enter the following values:

      1. Add https://app.timezest.com/saml/microsoft in the Redirect URI field.

      2. Add https://app.timezest.com/saml/microsoft/logout in the Front-channel logout URL field.

    3. Click Configure to close the flyout.

    4. Click Save.

Step 3: Set API Permissions

  1. Click API Permissions in the sidebar.

  2. Click +Add a permission.

  3. Click Microsoft Graph > Application permissions.

  4. Search for and select User.ReadBasic.All.

  5. Select Add permissions.

  6. Click the Grant admin consent for MSFT button.

Step 4: Set up SAML Single Sign-On

  1. Navigate to Home > Enterprise applications.

  2. Click on the TimeZest SSO app.

  3. Click the Manage > Single sign-on link in the sidebar.

    1. Select SAML as the single sign-on method.

    2. Under the Basic SAML Configuration section, click Edit.

    3. Select the Add identifier button and provide the following values:

      1. Enter api://timezest as the Identifier (Entity ID). You can use a different identifier if you prefer.

        1. Copy the Entity ID onto Notepad for later use.

      2. Enter https://app.timezest.com/saml/microsoft as Reply URL (Assertion Consumer Service URL).

        1. Leave the Index field blank.

    4. Click Save.

Testing the integration

Do not test the SSO sign in configuration at this time. Additional setup is needed before users will be able to log in.

Step 5: Collect App Info to enter in TimeZest

There are three pieces of information you will capture in the SSO application to enter in TimeZest: Tenant ID, Application ID, and Entity ID. These steps will show you how to get to those items in Entra.

  1. Application ID

    1. Go to Home > Enterprise Applications > TimeZest SSO > Manage > Properties

    2. Copy the Application ID onto Notepad for later use.

  2. Tenant ID

    1. Go to the Microsoft Entra ID > Overview page

    2. Copy the Tenant ID onto the same Notepad along with Application ID for later use.

  3. Entity ID

    1. Go to Home > Enterprise Applications > TimeZest SSO > Manage > Single sign-on

    2. Copy the Entity ID onto the same Notepad along with the Application ID and Tenant ID for later use.

    1. Enter the Tenant ID, Application ID, and Entity ID.

    2. Select the Save Changes button.

Provisioning

Once the SSO application has been connected, you can begin the provisioning process, which maps TimeZest users to the same users in Entra.

Step 6: Provisioning users from Microsoft 365 to TimeZest

  1. Go to Home > Enterprise applications > TimeZest SSO > Provisioning > Overview (Preview).

  2. Click the Connect your application button.

    1. Enter your Tenant URL

    2. Enter the Secret Token

    3. Click Test Connection.

    4. If successful, click Create.

Resetting connection

The Tenant URL and Secret Token are only accessible when you initially set up the SSO integration, or when you have removed the integration with TimeZest and are attempting to reconnect.

Both fields can be found and copied in the Provisioning setup in the TimeZest app.

Step 7: Attribute Mapping

  1. On the left menu, select Attribute Mapping (Preview).

  2. Click Provision Microsoft Entra ID Groups:

    1. Change the Enabled field to No.

    2. Click Save.

  3. Go back to the Attribute Mapping (Preview) page and click Provision Microsoft Entra ID Users.

    1. Click Edit for the userName attribute.

      1. Change Source attribute to mail.

      2. Change Matching precedence to 2.

      3. Click OK.

    2. Click Edit for the externalId attribute.

      1. Change Source attribute to objectId.

      2. Change Match objects using this attribute to Yes.

      3. Change Matching precedence to 1.

    3. Remove the mappings below by selecting the Delete button next to each:

      1. title

      2. emails[type eq "work"].value

      3. preferredLanguage

      4. name.givenName

      5. name.familyName

      6. name.formatted

      7. addresses[type eq "work"].formatted

      8. addresses[type eq "work"].streetAddress

      9. addresses[type eq "work"].locality

      10. addresses[type eq "work"].region

      11. addresses[type eq "work"].postalCode

      12. addresses[type eq "work"].country

      13. phoneNumbers[type eq "work"].value

      14. phoneNumbers[type eq "mobile"].value

      15. phoneNumbers[type eq "fax"].value

    4. Confirm the following mappings will remain:

      1. userName

      2. active

      3. displayName

      4. externalId

      5. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber

      6. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department

      7. urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager

    5. Click the Save button.

  4. Return to the Attribute Mapping (Preview) page and click on the Provisioning link on the left sidebar.

    1. Change Provisioning Status to On.

    2. Click Save.

Provisioning is now configured, and any time a user is added or removed from the “TimeZest SSO” application, that change will be reflected in TimeZest.
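
To confirm that the Step 7 mapping was applied as written, the check below audits an exported provisioning schema against the lists above. It is an added example, not TimeZest or Microsoft code. It assumes the export follows the Microsoft Graph synchronization schema layout (synchronizationRules > objectMappings > attributeMappings); the field names, the make_attr helper and the SAMPLE data are assumptions constructed for illustration, so verify them against your own export.

```python
# Attributes that Step 7 says must remain on the User mapping.
ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:"
EXPECTED_USER_TARGETS = {"userName", "active", "displayName", "externalId",
                         ENT + "employeeNumber", ENT + "department", ENT + "manager"}
# target attribute -> (source attribute, matching precedence), from Step 7.
EXPECTED_MATCHING = {"userName": ("mail", 2), "externalId": ("objectId", 1)}

def audit_schema(schema):
    """Return a sorted list of deviations from the Step 7 configuration."""
    findings = []
    mappings = [m for rule in schema.get("synchronizationRules", [])
                for m in rule.get("objectMappings", [])]
    by_source = {m.get("sourceObjectName"): m for m in mappings}
    group = by_source.get("Group")
    if group and group.get("enabled", True):
        findings.append("group provisioning is still enabled")
    user = by_source.get("User")
    if user is None:
        return findings + ["no User object mapping found"]
    attrs = {a["targetAttributeName"]: a for a in user.get("attributeMappings", [])}
    for extra in set(attrs) - EXPECTED_USER_TARGETS:
        findings.append(f"unexpected attribute still mapped: {extra}")
    for missing in EXPECTED_USER_TARGETS - set(attrs):
        findings.append(f"required attribute missing: {missing}")
    for target, (src, prio) in EXPECTED_MATCHING.items():
        a = attrs.get(target)
        if a is None:
            continue  # already reported as missing
        if (a.get("source") or {}).get("name") != src:
            findings.append(f"{target}: source should be {src}")
        if a.get("matchingPriority") != prio:
            findings.append(f"{target}: matching precedence should be {prio}")
    return sorted(findings)

def make_attr(target, source, priority=0):
    """Hypothetical helper that builds one attribute mapping entry."""
    return {"targetAttributeName": target, "matchingPriority": priority,
            "source": {"name": source, "type": "Attribute"}}

# Constructed sample: groups left enabled, one address mapping not deleted,
# and userName still sourced from userPrincipalName with precedence 1.
SAMPLE = {"synchronizationRules": [{"objectMappings": [
    {"sourceObjectName": "Group", "enabled": True, "attributeMappings": []},
    {"sourceObjectName": "User", "enabled": True, "attributeMappings": [
        make_attr("userName", "userPrincipalName", 1), make_attr("active", "accountEnabled"),
        make_attr("displayName", "displayName"), make_attr("externalId", "objectId", 1),
        make_attr(ENT + "employeeNumber", "employeeId"), make_attr(ENT + "department", "department"),
        make_attr(ENT + "manager", "manager"),
        make_attr('addresses[type eq "work"].country', "country")]}]}]}

if __name__ == "__main__":
    print("\n".join(audit_schema(SAMPLE)) or "mapping matches Step 7")
```

An empty result means only the seven attributes listed in Step 7 are sent to TimeZest and that matching uses objectId first, then mail.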

Adding TimeZest users to the TimeZest SSO application

The final step is adding the TimeZest users to the TimeZest SSO application so they can log in to the TimeZest app without having to enter their password.

Step 8: Managing TimeZest users in Microsoft 365

  1. Go to Home > Enterprise applications > TimeZest SSO > Manage > Users & Groups.

  2. Click the +Add user/group button.

    1. In the Users and Groups screen, click the None Selected link.

    2. Add users from the list.

    3. When done, click the Select button.

    4. Click the Assign button.

The setup is now complete. Your users will now be able to access the TimeZest app and enter their email address to log in.

Auto sync and active

When users are added to the TimeZest SSO application but their TimeZest profile is not yet created, the provisioning process will automatically create the user in TimeZest and set them as Active. To verify, go to TimeZest > Users. You can disable the blue toggle the same day the user is created to avoid being charged a license.
