Single Sign-On (SSO) gives ClickTime users the convenience of not needing to maintain a separate email/password combination in order to start their session. With SSO, a ClickTime user could, for example, sign in to the application by just using their Google Apps email address.
ClickTime currently offers the following single sign-on (SSO) options:
- Platform Identity Partner: Google Apps
- SAML Identity Partners: Azure AD, Okta, OneLogin
- Custom: Create your own custom authentication option for any other providers that support SAML 2.0
Click the following links to learn more about each option:
What is SAML?
Single Sign On Configuration
Identity Partner Configuration - Google Apps
Identity Partner Configuration - Azure AD, Okta, OneLogin
Custom SAML 2.0 Configuration
Logging into using Single Sign-On
Logging into ClickTime using Custom SAML Single Sign-On
SCIM User Provisioning/Setup
Security Assertion Markup Language (SAML) is a standard that allows authentication credentials to be shared by multiple applications within a network. This allows you to access many applications under your network’s umbrella using one username and password.
While some organizations still use SAML 1.1, ClickTime only supports SAML 2.0 for our partner and customer SAML Single Sign-On implementations. You may configure your Identity Provider for SP-initiated (user starts of https://login.clicktime.com) or IdP-initiated (user starts from within your Identity Provider) login workflows.
If you’d like to learn more about SAML, please visit our partners, Okta or OneLogin, for more information.
Complete configuration requires ClickTime-side configuration and Identity Provider -side configuration. This section covers the configuration from the ClickTime side.
ClickTime Administrators can opt to allow or require Single Sign-On settings for their entire company on the Company --> Preferences page in the Security section:
Please note: Unless you have an Enterprise account, you will only see the option for "Google". You can read more about Google SSO here. If you'd like to discuss upgrading your account so you can use another SSO solution, please reach out to our Support Team.
By selecting "Allow", your company can sign into ClickTime with both their ClickTime email/password combination, as well as your company's selected Single Sign-On method. For example, if I select "Allow" for "sign-in using Single Sign-On", then I will grant the user the ability to log in with either their email/password or the selected Single Sign-On provider (Azure AD, Google Apps, Okta,, OneLogin, or Custom SAML 2.0) account.
Usually this setting can be helpful for previewing an authentication configuration before you commit to requiring it. By default, a new company will always default to the "Allow" setting for Single Sign-On.
With "Require", you will commit your entire company to the authentication method you select, and disallow users from signing on with ClickTime email/password credentials.
Remember, any settings you choose will be company-wide, and accessing your account to change your Security Preferences will require you to sign in in with your chosen method the next time you log in.
Complete configuration requires ClickTime-side configuration and Identity Provider -side configuration. The next sections cover the configuration from the Identity Provider -side.
Identity Partner Configuration - Google Apps
For use of Google Apps, make sure that each person in your company has a corresponding Google hosted email address in the "Person Detail" page. Once that is set, signing into ClickTime is as simple as clicking on the Google Apps button from the sign-in screen.
Identity Partner Configuration - Azure AD, Okta, OneLogin
If your organization is using Okta or OneLogin, one of the above identity providers, please configure ClickTime from your identify provider (Okta or OneLogin) as a new App and retrieve the following values:
- Identity Provider Endpoint URL
- X. 509 certificate
Log in to your ClickTIme account, and go to the Company --> Preferences page. In the Security section, select Okta or OneLogin as your provider. Next, fill in the Identity Provider Endpoint URL and X. 509 certificate from your Identity Provider.
If you’re using Azure AD, please follow this Azure tutorial to complete your SSO configuration.
Enterprise customers may have Custom SAML enabled in their account - please contact your Success Manager or our Support Team to have this enabled. Once this is enabled, please configure ClickTime as a service provider with the following settings in your Identity Provider:
- Entity ID: https://app.clicktime.com/sp/
- ACS URL: https://app.clicktime.com/App/Login/Consume.aspx
As well, expect these settings from ClickTime:
- SAML request method: POST
- Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Be sure to retrieve the following information from your Identity Provider:
- Identity Provider Endpoint URL
- X. 509 certificate
You will need the Identity Provider Endpoint URL and X. 509 certificate values for input in the Company Preferences in your ClickTime account.
You may wish to consume our SAML metadata file here.
If you’re using an IdP-initiated login process, you may direct your users to your own portal. You may also opt to direct your users here for an SP-initiated login workflow.
Logging into using Single Sign-On
If you are starting on the login screen, click "Sign in with Google, Azure, and more" for more sign in options:
Next, click the appropriate SSO method:
Then, log in (if necessary) with your SSO provider's credentials.
Logging into ClickTime using Custom SAML Single Sign-On
If your organization uses a Custom SAML provider, please try starting here or please consult with your ClickTime Administrator for your organization's specific sign on instructions.
If your organization needs additional assistance setting up Single Sign-On with ClickTime, please contact us here! We offer support engagements to facilitate Single Sign-On with Custom SAML.
ClickTime supports SCIM provisioning for Azure AD, OneLogin and Okta. Please see our dedicated sections below for these SSO providers.
Azure AD (Coming Soon!)
OneLogin
If your organization uses OneLogin to manage your employees' access to tools and services, you can take advantage of OneLogin's "Provisioning" feature to automatically grant access to ClickTime to your users.
The integration between OneLogin and ClickTime that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM. The following fields in ClickTime are support using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employment Number
- Custom Fields on the Person
ClickTime respects a one-way sync from the identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to user in OneLogin will carry through in ClickTime. Here are some examples:
- When a person's name is updated in identity provider, their name will be updated in ClickTime
- When a person's email address is updated in identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the Company ---> Preferences page. Your accounts must be configured to Require or Allow OneLogin in the Security section of the Company ---> Preferences page.
Step-by-Step Configuration Instructions
Administrators will be able to enable SCIM on the Company ---> Preferences page under the Security section.
- Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
- Copt the token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
- Toggle on all the optional ClickTime fields that you want to be managed by your Identity Provider. These will be Standard ClickTime fields (Employment Type, Start Date, etc.), or noted as Custom ClickTime fields. Note that Custom Fields that are marked as Required must be toggled "On" to be managed by SCIM. Save your Preferences page.
- Navigate to your organization's Identity Provider and find the ClickTime app.
- Sign into your OneLogin account as an Administrator. Navigate to the Applications tab and select Applications. Click Add App. Search for and select SCIM Provisioner with SAML (SCIM v2 Core). Give your SCIM app a display name value that will help you recognize it and click Save.
- Select the Configuration tab
- Provide the SCIM Base URL value https://app.clicktime.com/scim and paste the token into the SCIM bearer Token field.
- Provide the SCIM JSON Template for ClickTime. This will look something like the example provided below
- Each of the standard ClickTime fields that are managed by SCIM will fall under the urn:ietf:params:scim:schemas:extension:clicktime:1.0:User object, and the properties must be named as provided. Remove the fields not being managed, or the entire object if none of the fields are being used.
- ClickTime custom fields that are managed by SCIM will fall under the urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User object, and the properties must be named matching the custom field in ClickTime (this is the name, not the display name). abcName is provided as an example, which would likely need to be removed.
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:clicktime:1.0:User",
"urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User"
],
"userName": "{$parameters.email}",
"name": {
"givenName": "{$user.firstname}",
"familyName": "{$user.lastname}"
},
"emails": [
{
"value": "{$user.email}",
"primary": true,
"type": "work"
}
],
"urn:ietf:params:scim:schemas:extension:clicktime:1.0:User": {
"startDate": "{$parameters.startDate}",
"endDate": "{$parameters.endDate}",
"role": "{$parameters.role}",
"employeeNumber": "{$parameters.employeeNumber}",
"employmentType": "{$parameters.employmentType}"
},
"urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User": {
"abcName": "{$parameters.abcName}"
}
} - Click Enable to allow the SCIM app to make an initial connection to the SCIM Base URL defined.
- Click Save
- Select the Parameters tab
- Click the SAML NameID (Subject) to change the value to Email
- For each of the values following in the JSON, such as startDate, endDate, etc. add a new field with the same name. Add a mapping to a user property for each field.
- Click Save
- Click More Actions > Reapply entitlement mappings
- Select the Provisioning tab and enable provisioning. Select the boxes next to Create user, Delete User, and Update user.
- Update the dropdown so that When users are delete in OneLogin, or the user's app access is removed, perform the below action is set to Suspend
- Click Save
- Click More Actions > Reapply entitlement mappings
- You can create a new user in OneLogin and assign them to this application
- Make sure that the scimusername when adding the person is set to their full email.
- Each time we assign / update / delete a user, you may need to approve the action (creation / updates / deletes).
Okta
If your organization uses Okta to manage your employees' access to tools and services, you can take advantage of Okta's "Provisioning" feature to automatically grant access to ClickTime to your users.
The integration between Okta and ClickTime that enables this provisioning to occur is built around an industry-standard protocol know as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM. The following fields in ClickTime are supported using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employment Number
- Custom Fields on the Person
ClickTime respects a one-way sync from the identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to users in Okta will carry through in ClickTime. Here are some examples:
- When a person's name is updated in identity provider, their name will be updated in ClickTime
- When a person's email address is updated in identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the company preferences page.
Your account must be configured to Require or Allow Okta in the Security section of the Company ---> Preferences page.
Step-by-Step Configuration Instructions
Administrators will be able to enable SCIM on the Company ---> Preferences page under the Security section.
1. Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
2. Copy the Token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
3. Navigate to your organization's Identity Provider and find the ClickTime app.
4. Click the Provisioning tab, check "Enable API Integration", and paste the token into the API Token field.
5. Click "Test API Credentials" to confirm that Okta and ClickTime are linked.
6. Click Save
7. If any standard fields are SCIM managed:
- Go to Directory ---> Profile Directory
- Add each standard ClickTime field that SCIM-managed as a new attribute. Use the external namespace urn:ietf:params:scim:schemas:extension:clicktime:1.0:User and the variable names given below:
-
- Start Date: startDate
- End Date: endDate
- Role: role
- Employment Type: employmentType - ensure that this is marked as "Required"
- Employee Number: employeeNumber
- Add mappings for each of the added attributes in the Okta to SCIM app tab in the Mappings modal and save
-
- If any custom fields are SCIM managed:
- Go to Directory ---> Profile Directory
- Add each ClickTime custom field that is SCIM-managed as a new attribute. Use the external namespace urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User. The variable name must completely match the name given to the custom field in ClickTime (not the display name, but the name) - this means that the name in ClickTime also cannot have any spaces.
- Mark the attribute as requires it it's required in ClickTime
- Add mappings for each of the added attributes in the Okta to SCIM app tab in the Mappings modal and save
Troubleshooting and Tips
Known Limitations for OKTA: For users with a space in their first name (eg. Mark Kathryn Smith), there are some displays in Okta where it may display Given Name as Mark and Family name as Kathryn Smith.
If you have questions or difficulties with your Azure - Okta - OneLogin/ClickTime SCIM integration, please contact ClickTime via support@clicktime.com
Comments
0 comments
Article is closed for comments.