All Collections
Workspace Management
Settings
Single Sign-On (SSO) with Azure Active Directory
Single Sign-On (SSO) with Azure Active Directory

Learn how to enable SSO with Azure Active Directory in your workspace.

Diego Wyllie avatar
Written by Diego Wyllie
Updated over a week ago

Overview

Azure Active Directory (Azure AD), now also known as Microsoft Entra ID, is Microsoft's robust identity and access management solution trusted by organizations worldwide. TrackingTime users can leverage the power of Azure AD to streamline their login experience, automate user provisioning, enhance security, and improve overall user satisfaction.

⚠️ SSO with Azure AD is only available in our Business plan. If you’d like to enable this feature, please get in touch with us.

How to configure SSO

Here’s how to configure SSO with Microsoft Azure Active Directory (aka Microsoft Entra ID) in TrackingTime.

  1. Open the Azure portal and sign in as an administrator. In the "Manage Azure Active Directory" section, click on "View".

  2. Click on "Enterprise applications".

  3. Click on "+ New application".

  4. Click on "+ Create your own applications".

  5. In the "What is the name of your app?" field, specify "TrackingTime SSO," select "Integrate any other application you don't find in the gallery (Non-gallery)" from the options, and click "Create".

  6. Once the application integration page loads, go to "2. Set up Single Sign On" and select "Get Started".

  7. Select "SAML" as the login method.

  8. Go to "Section 1 - Basic SAML Configuration" and click on "Edit" to enter the following values and replace “acme” with our own workspace ID.

    1. Identifier (Entity ID): https://pro.trackingtime.co

    2. Reply URL (Assertion Consumer Service URL): https://app.trackingtime.co/api/v4/microsoft/signin/callback/saml/acme

    3. Sign-On URL: https://trackingtime.co/vue/sso#acme

      Click "Save" to save the values and "X" to close the pop-up window.

  9. Copy the "App Federation Metadata URL”.

  10. Add the users who should have access to TrackingTime in "Home" > "App registrations" > "TrackingTime SSO | Authentication".

  11. Go back to TrackingTime to update your workspace ID in Settings > Single Sign-On.

  12. Paste the URL from 4. in the Metadata field and click on "Get Metadata".

  13. The system will process your URL and automatically retrieve all required metadata parameters.

⚠️ Only workspace administrators can configure SSO.

How to sign in using SSO

Here’s how users can sign in into a workspace using SSO.

  1. Click on Sign in with SSO or go directly to the SSO URL of your workspace, e.g. https://pro.trackingtime.co/vue/sso#acme where "acme" is to be replaced by your workspace ID.

  2. Enter your workspace id, e.g. “acme”.

  3. Sign in using your Microsoft account and follow the on-screen instructions.

If you’re having issues logging in, please contact your Microsoft’s account administrator.

📝 Login with email and password is disabled for SSO users for security reasons.

SCIM Provisioning

SCIM (System for Cross-domain Identity Management) Provisioning is a crucial feature in Single Sign-On (SSO) implementations with Azure AD. It simplifies user management, enabling organizations to automate the provisioning and deprovisioning of users across various applications and services.

What is SCIM Provisioning?

SCIM is an open standard protocol designed for user provisioning and management across different systems. It allows for the automation of user onboarding, offboarding, and attribute synchronization between Azure AD and other SSO-enabled applications like TrackingTime.

SCIM ensures that user information is always up to date and consistent, reducing administrative overhead and enhancing security.

How to enable SCIM Provisioning

Here’s how to enable SCIM Provisioning in your workspace.

  1. Go to TrackingTime to enable SCIM Provisioning in Auth > Single Sign-On > SCIM Provisioning.

  2. Copy the URL and token displayed on screen.

  3. Go to the Azure Portal in Home > App registrations > TrackingTime SSO | Authentication > TrackingTime SSO | Provisioning.

  4. Turn Provisioning status on.

  5. Paste the URL in the Tenant URL field and your SCIM token in the Secret Token field.

  6. Test the connection to make sure everything is correctly set up.

  7. Press Start to trigger the user synchronization process. Please note that it might take up to one hour for this process to be completed.

Once the process is completed, the users that you’ve specified in Azure AD will be able to log into your TrackingTime workspace.

How does SCIM Provisioning work?

Azure AD monitors events such as user creation, modification, and deletion. When a relevant event occurs, Azure AD sends a SCIM request to TrackingTime.

Currently, we support the following events:

User added

When a user is added to the TrackingTime SSO app, the user will be automatically added to your TrackingTime workspace.

User updated

When a user in your TrackingTime SSO app is updated, the information (first name, last name, email) will be automatically synced with TrackingTime. The default user role for new users is Project Manager. Learn more about user roles and permissions.

User deleted

When you remove a user from your TrackingTime SSO app, the user will be archived in your TrackingTime workspace and will no longer be able to log into your workspace. Learn more about archiving users.

FAQ

Do you support other SAML Identity Providers?

No, we currently don’t support other SAML Identity Providers. We’ll be adding support for Google SSO and other SAML Identity Providers in the near future.

Can I use SSO with my PRO subscription?

SSO with Azure AD is only available on our Business plan. If you’d like to enable SSO in your workspace, please contact us.

Related Articles
Single Sign-On (SSO) with Google
Did this answer your question?