Single Sign-On (SSO) gives ClickTime users the convenience of not needing to maintain a separate email/password combination in order to start their session. With SSO, a ClickTime user could, for example, sign in to the application by just using their Google Apps email address.
ClickTime currently offers the following single sign-on (SSO) options:
- Platform Identity Partner: Google Apps
- SAML Identity Partners: Azure AD, Okta, OneLogin
- Custom: Create your own custom authentication option for any other providers that support SAML 2.0
Click the following links to learn more about each option:
What is SAML?
Single Sign On Configuration
Identity Partner Configuration - Google Apps
Identity Partner Configuration - Azure AD, Okta, OneLogin
Custom SAML 2.0 Configuration
Logging in using Single Sign-On
Logging into ClickTime using Custom SAML Single Sign-On
SCIM User Provisioning/Setup
Security Assertion Markup Language (SAML) is a standard that allows authentication credentials to be shared by multiple applications within a network. This allows you to access many applications under your network’s umbrella using one username and password.
While some organizations still use SAML 1.1, ClickTime only supports SAML 2.0 for our partner and customer SAML Single Sign-On implementations. You may configure your Identity Provider for SP-initiated (user starts at https://login.clicktime.com) or IdP-initiated (user starts from within your Identity Provider) login workflows.
If you’d like to learn more about SAML, please visit our partners, Okta or OneLogin, for more information.
Complete configuration requires ClickTime-side configuration and Identity Provider-side configuration. This section covers the configuration from the ClickTime side.
ClickTime Administrators can opt to allow or require Single Sign-On settings for their entire company on the Company --> Preferences page in the Security section:
Please note: Unless you have an Enterprise account, you will only see the option for "Google". You can read more about Google SSO here. If you'd like to discuss upgrading your account so you can use another SSO solution, please reach out to our Support Team.
By selecting "Allow", your company can sign into ClickTime with both their ClickTime email/password combination, as well as your company's selected Single Sign-On method. For example, if I select "Allow" for "sign-in using Single Sign-On", then I will grant the user the ability to log in with either their email/password or the selected Single Sign-On provider (Azure AD, Google Apps, Okta, OneLogin, or Custom SAML 2.0) account.
Usually this setting can be helpful for previewing an authentication configuration before you commit to requiring it. By default, a new company will always default to the "Allow" setting for Single Sign-On.
With "Require", you will commit your entire company to the authentication method you select, and disallow users from signing on with ClickTime email/password credentials.
Remember, any settings you choose will be company-wide, and accessing your account to change your Security Preferences will require you to sign in with your chosen method the next time you log in.
Complete configuration requires ClickTime-side configuration and Identity Provider-side configuration. The next sections cover the configuration from the Identity Provider side.
Identity Partner Configuration - Google Apps
For use of Google Apps, make sure that each person in your company has a corresponding Google hosted email address in the "Person Detail" page. Once that is set, signing into ClickTime is as simple as clicking on the Google Apps button from the sign-in screen.
Identity Partner Configuration - Azure AD, Okta, OneLogin
If your organization is using Okta or OneLogin, please configure ClickTime in your identity provider (Okta or OneLogin) as a new App and retrieve the following values:
- Identity Provider Endpoint URL
- X.509 certificate
Log in to your ClickTime account, and go to the Company --> Preferences page. In the Security section, select Okta or OneLogin as your provider. Next, fill in the Identity Provider Endpoint URL and X.509 certificate from your Identity Provider.
If you’re using Azure AD, please follow this Azure tutorial to complete your SSO configuration.
Enterprise customers may have Custom SAML enabled in their account - please contact your Success Manager or our Support Team to have this enabled. Once this is enabled, please configure ClickTime as a service provider with the following settings in your Identity Provider:
- Entity ID: https://app.clicktime.com/sp/
- ACS URL: https://app.clicktime.com/App/Login/Consume.aspx
As well, expect these settings from ClickTime:
- SAML request method: POST
- Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Be sure to retrieve the following information from your Identity Provider:
- Identity Provider Endpoint URL
- X.509 certificate
You will need the Identity Provider Endpoint URL and X.509 certificate values for input in the Company Preferences in your ClickTime account.
You may wish to consume our SAML metadata file here.
If you’re using an IdP-initiated login process, you may direct your users to your own portal. You may also opt to direct your users here for an SP-initiated login workflow.
Logging in using Single Sign-On
If you are starting on the login screen, click "Sign in with Google, Azure, and more" for more sign in options:
Next, click the appropriate SSO method:
Then, log in (if necessary) with your SSO provider's credentials.
Logging into ClickTime using Custom SAML Single Sign-On
If your organization uses a Custom SAML provider, please try starting here or please consult with your ClickTime Administrator for your organization's specific sign on instructions.
If your organization needs additional assistance setting up Single Sign-On with ClickTime, please contact us here! We offer support engagements to facilitate Single Sign-On with Custom SAML.
ClickTime supports SCIM provisioning for Azure AD, OneLogin and Okta. Please see our dedicated sections below for these SSO providers.
Azure AD
If your organization uses Azure to manage your employees' access to tools and services, you can take advantage of Azure's Active Directory feature to automatically grant access to ClickTime to your users.
The integration between Azure and ClickTime that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM.
The following fields in ClickTime are supported using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employee Number
- Custom Fields on the Person
ClickTime respects a one-way sync from identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to users in Azure will carry through in ClickTime. Here are some examples:
- When a person's name is updated in identity provider, their name will be updated in ClickTime
- When a person's email address is updated in identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the company preferences page.
Before doing so, the following requirements must be met:
- You must be configured to Require or Allow SSO for Azure AD
- The Identity Endpoint must be filled in
- The X.509 Certificate must be filled in
Step-by-Step Configuration Guide
Administrators will be able to enable SCIM on the Company ---> Preferences page under the Security section.
1. Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
2. Copy the Token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
3. Toggle all the optional ClickTime fields that you want to be managed by your Identity Provider. These will be optional Standard ClickTime fields (Employment Type, Start Date, etc.), or noted as Custom ClickTime fields. Save your Preferences page.
4. Create a new Azure tenant in Azure Directory (only necessary if there is not an existing Azure AD tenant)
- Go to Azure Portal
- Click on Azure Active Directory
- Click on Manage tenants tab at the top
- Click Create
- Select Basic Azure Active Directory tenant type
- Add configuration details
- Create
5. Adding users to the tenant (only necessary if there is not an existing Azure AD tenant with users)
- On the Azure AD tenant, click on Users in the left sidebar
- Click New user to add a new user, choose to Create a new user.
- Give the principal name
- In properties, fill in the First Name, Last Name, and especially the Email - this will be the ClickTime email
- Create
6. Create a new enterprise application in Azure AD
- Open the Azure AD tenant
- Click Enterprise applications in the left sidebar
- Select new application
- Select the Create your own application tab at the top
- Enter a name for the app and leave it as a Non-gallery application
- Create
7. Add users to Azure enterprise application
- On the enterprise app's left panel, under Manage, click on Users and groups
- Assign the user/users you'd like (these must exist on the Azure AD tenant)
8. Add Provisioning
- Click on Provisioning in the left sidebar in the enterprise application
- Get Started and start new provisioning
- Set to automatic provisioning
- Add the tenant URL as https://app.clicktime.com/scim and paste in the bearer token as the secret token; testing the connection should then succeed
9. Basic provisioning mappings
- Back in provisioning, click Provisioning in the left sidebar
- Open the Mappings pane, click on Groups and disable Groups mapping, hit Save
- Open the Users back in the Mappings pane
- Update the first non-delete-able entry by clicking on the row, and change the source attribute to mail
- Delete all properties aside from the ones shown in the screenshot below:
- Hit Save
- Click on Show Advanced Options and Edit attribute list for customappsso
- Update the list so that it looks like the screenshot below
- Hit save
10. Custom provisioning mappings
- Back in the User Mappings under the Mappings pane, click on Show Advanced Options and Edit attribute list for customappsso
- Add the standard attributes that are being managed with SCIM
- Start Date: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:startDate set as String
- Use Expression as the mapping type
- End Date: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:endDate set as String
- Role: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:role set as String
- Employment Type: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:employmentType set as String - ensure that this is marked as "Required"
- Employee Number: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:employeeNumber set as String
- Hit Save
- Add the Custom Fields from ClickTime being managed with SCIM
- Make sure the "name" of the custom field has no spaces or non-alphanumeric characters
- Add the attribute as urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User:<customFieldNameHere>
- Example: urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User:country
- Set this as a Boolean type if Yes/No field in ClickTime, an Integer if Currency in ClickTime, and otherwise a String
- Mark as required if the field is required in ClickTime
- Hit Save
- Add mappings for the field(s)
- Back in User Attribute Mappings, click Add New Mapping under the table
- Add a new mapping for each standard and custom field, set as a Direct map from an Azure attribute to one of the custom attributes created for our enterprise application
- Exceptions: Start Date and End Date. Rather than Direct, set this to be an Expression style mapping, and map from an existing Date attribute in Azure to the field for ClickTime. The expression should look like: FormatDateTime([employeeHireDate], , , "yyyy-MM-dd") for employeeHireDate, for example
11. Provisioning Users
- Azure does this automatically over time and batches, so it's easiest to check for the updates by forcing this process to happen on demand. This can only be done for a limited set of users.
- Inside our Enterprise Application in Azure AD, click on Provisioning in the left sidebar.
- Click on Provisioning on Demand in the left sidebar.
- Enter a user and provision as necessary (do this after creates or updates for testing rather than waiting for Azure to do this eventually).
OneLogin
If your organization uses OneLogin to manage your employees' access to tools and services, you can take advantage of OneLogin's "Provisioning" feature to automatically grant access to ClickTime to your users.
The integration between OneLogin and ClickTime that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM. The following fields in ClickTime are supported using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employee Number
- Custom Fields on the Person
ClickTime respects a one-way sync from the identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to users in OneLogin will carry through in ClickTime. Here are some examples:
- When a person's name is updated in identity provider, their name will be updated in ClickTime
- When a person's email address is updated in identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the company preferences page.
Before doing so, the following requirements must be met:
- You must be configured to Require or Allow SSO for OneLogin
- The Identity Endpoint must be filled in
- The X.509 Certificate must be filled in
Step-by-Step Configuration Instructions
Administrators will be able to enable SCIM on the Company ---> Preferences page under the Security section.
- Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
- Copy the token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
- Toggle on all the optional ClickTime fields that you want to be managed by your Identity Provider. These will be Standard ClickTime fields (Employment Type, Start Date, etc.), or noted as Custom ClickTime fields. Note that Custom Fields that are marked as Required must be toggled "On" to be managed by SCIM. Save your Preferences page.
- Navigate to your organization's Identity Provider and find the ClickTime app.
- Sign into your OneLogin account as an Administrator. Navigate to the Applications tab and select Applications. Click Add App. Search for and select SCIM Provisioner with SAML (SCIM v2 Core). Give your SCIM app a display name value that will help you recognize it and click Save.
- Select the Configuration tab
- Provide the SCIM Base URL value https://app.clicktime.com/scim and paste the token into the SCIM bearer Token field.
- Provide the SCIM JSON Template for ClickTime. This will look something like the example provided below
- Each of the standard ClickTime fields that are managed by SCIM will fall under the urn:ietf:params:scim:schemas:extension:clicktime:1.0:User object, and the properties must be named as provided. Remove the fields not being managed, or the entire object if none of the fields are being used.
- ClickTime custom fields that are managed by SCIM will fall under the urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User object, and the properties must be named matching the custom field in ClickTime (this is the name, not the display name). abcName is provided as an example, which would likely need to be removed.
    {
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        "urn:ietf:params:scim:schemas:extension:clicktime:1.0:User",
        "urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User"
      ],
      "userName": "{$parameters.email}",
      "name": {
        "givenName": "{$user.firstname}",
        "familyName": "{$user.lastname}"
      },
      "emails": [
        {
          "value": "{$user.email}",
          "primary": true,
          "type": "work"
        }
      ],
      "urn:ietf:params:scim:schemas:extension:clicktime:1.0:User": {
        "startDate": "{$parameters.startDate}",
        "endDate": "{$parameters.endDate}",
        "role": "{$parameters.role}",
        "employeeNumber": "{$parameters.employeeNumber}",
        "employmentType": "{$parameters.employmentType}"
      },
      "urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User": {
        "abcName": "{$parameters.abcName}"
      }
    }
- Click Enable to allow the SCIM app to make an initial connection to the SCIM Base URL defined.
- Click Save
- Select the Parameters tab
- Click the SAML NameID (Subject) to change the value to Email
- For each of the values following in the JSON, such as startDate, endDate, etc. add a new field with the same name. Add a mapping to a user property for each field.
- Click Save
- Click More Actions > Reapply entitlement mappings
- Select the Provisioning tab and enable provisioning. Select the boxes next to Create user, Delete User, and Update user.
- Update the dropdown so that "When users are deleted in OneLogin, or the user's app access is removed, perform the below action" is set to Suspend
- Click Save
- Click More Actions > Reapply entitlement mappings
- You can create a new user in OneLogin and assign them to this application
- Make sure that the scimusername when adding the person is set to their full email.
- Each time we assign / update / delete a user, you may need to approve the action (creation / updates / deletes).
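As an added example (not ClickTime's or OneLogin's own code), the following Python builds the same three-schema SCIM User resource that the JSON template above describes, and enforces the rules given in the Azure and OneLogin steps: alphanumeric custom field names, the Yes/No-to-Boolean and Currency-to-Integer type rule, the required employmentType attribute, and yyyy-MM-dd dates. The user record and custom fields are constructed sample values.

```python
"""Build and validate a SCIM 2.0 User payload for ClickTime's extension schemas.
Constructed example; the field values below are not real user data."""
import json
import re
from datetime import date

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
CT_EXT = "urn:ietf:params:scim:schemas:extension:clicktime:1.0:User"
CT_CF = "urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User"

# Standard extension attributes named on the page; employmentType must be present.
STANDARD_FIELDS = ("startDate", "endDate", "role", "employmentType", "employeeNumber")
REQUIRED_STANDARD = ("employmentType",)

# Custom field type rule from the page: Yes/No -> Boolean, Currency -> Integer, else String.
CF_PY_TYPE = {"yesno": bool, "currency": int, "text": str}
NAME_RE = re.compile(r"[A-Za-z0-9]+")


def custom_field_urn(name: str) -> str:
    """Return the per-field URN; reject names with spaces or punctuation."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"custom field name {name!r} must be alphanumeric with no spaces")
    return f"{CT_CF}:{name}"


def iso_date(value) -> str:
    """ClickTime expects yyyy-MM-dd (what Azure's FormatDateTime expression produces)."""
    if isinstance(value, date):
        return value.isoformat()
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        raise ValueError(f"date {value!r} is not yyyy-MM-dd")
    return value


def build_user(email, given, family, standard, custom, custom_types):
    """Assemble the User resource; extension objects are omitted when empty."""
    missing = [f for f in REQUIRED_STANDARD if f not in standard]
    if missing:
        raise ValueError(f"missing required standard fields: {missing}")
    unknown = set(standard) - set(STANDARD_FIELDS)
    if unknown:
        raise ValueError(f"unknown standard fields: {sorted(unknown)}")
    ext = dict(standard)
    for key in ("startDate", "endDate"):
        if key in ext:
            ext[key] = iso_date(ext[key])
    cf = {}
    for name, value in custom.items():
        custom_field_urn(name)  # validates the name against the page's rule
        want = CF_PY_TYPE[custom_types[name]]
        # bool is a subclass of int in Python, so keep Yes/No out of Currency fields
        if not isinstance(value, want) or (want is int and isinstance(value, bool)):
            raise TypeError(f"custom field {name!r} must be {want.__name__}")
        cf[name] = value
    user = {
        "schemas": [CORE],
        "userName": email,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True, "type": "work"}],
    }
    if ext:
        user["schemas"].append(CT_EXT)
        user[CT_EXT] = ext
    if cf:
        user["schemas"].append(CT_CF)
        user[CT_CF] = cf
    return user


if __name__ == "__main__":
    sample = build_user("ann@example.com", "Ann", "Lee",
                        {"employmentType": "Full-Time", "startDate": "2024-01-15"},
                        {"country": "US", "remote": True},
                        {"country": "text", "remote": "yesno"})
    print(json.dumps(sample, indent=2))
```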
Okta
If your organization uses Okta to manage your employees' access to tools and services, you can take advantage of Okta's "Provisioning" feature to automatically grant access to ClickTime to your users.
The integration between Okta and ClickTime that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM. The following fields in ClickTime are supported using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employee Number
- Custom Fields on the Person
ClickTime respects a one-way sync from the identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to users in Okta will carry through in ClickTime. Here are some examples:
- When a person's name is updated in identity provider, their name will be updated in ClickTime
- When a person's email address is updated in identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the company preferences page.
Before doing so, the following requirements must be met:
- You must be configured to Require or Allow SSO for Okta
- The Identity Endpoint must be filled in
- The X.509 Certificate must be filled in
Step-by-Step Configuration Instructions
Administrators will be able to enable SCIM on the Company ---> Preferences page under the Security section.
1. Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
2. Copy the Token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
3. Navigate to your organization's Identity Provider and find the ClickTime app.
4. Click the Provisioning tab, check "Enable API Integration", and paste the token into the API Token field.
5. Click "Test API Credentials" to confirm that Okta and ClickTime are linked.
6. Click Save
7. If any standard fields are SCIM managed:
- Go to Directory ---> Profile Directory
- Add each standard ClickTime field that is SCIM-managed as a new attribute. Use the external namespace urn:ietf:params:scim:schemas:extension:clicktime:1.0:User and the variable names given below:
- Start Date: startDate
- End Date: endDate
- Role: role
- Employment Type: employmentType - ensure that this is marked as "Required"
- Employee Number: employeeNumber
- Add mappings for each of the added attributes in the Okta to SCIM app tab in the Mappings modal and save
- If any custom fields are SCIM managed:
- Go to Directory ---> Profile Directory
- Add each ClickTime custom field that is SCIM-managed as a new attribute. Use the external namespace urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User. The variable name must completely match the name given to the custom field in ClickTime (not the display name, but the name) - this means that the name in ClickTime also cannot have any spaces.
- Mark the attribute as required if it is required in ClickTime
- Add mappings for each of the added attributes in the Okta to SCIM app tab in the Mappings modal and save
Troubleshooting and Tips
Known Limitations for Okta: For users with a space in their first name (e.g. Mark Kathryn Smith), there are some displays in Okta where it may display Given Name as Mark and Family name as Kathryn Smith.
If you have questions or difficulties with your Azure - Okta - OneLogin/ClickTime SCIM integration, please contact ClickTime via support@clicktime.com.
User Deactivation: If a user who is a timesheet approver is inactivated through SCIM, any person they were assigned to as the approver will now be assigned to the first Admin in the system based on alpha-order.