Configure SSO for TimeTell neXt

Modified on Sat, 9 Nov at 1:45 PM

For TimeTell neXt, Single Sign-On (SSO) is configured slightly differently than in TimeTell 9. For now we only support Microsoft Entra ID. If there is a need for other SSO providers, we will investigate that, as long as the provider supports OpenID Connect.


Getting started


TimeTell will:

  1. Provide the Redirect URL
  2. Configure the users in TimeTell


Customer will provide:

  1. Directory/TenantID
  2. Application/ClientID
  3. ClientSecret (the value not the ID)


Configure Microsoft Entra ID

In Microsoft Entra ID the following parts will be configured:

  • App registration
  • Authentication
  • Certificates & secrets
  • Token configuration


App registration


Do not start from an Enterprise application to create the app registration. Start from an app registration instead (that will also create an enterprise application for it). The login will not work if you start from an Enterprise application, as Microsoft will expose certain data in a different way that is not supported by TimeTell.


From the organization Overview page click App registrations

 

Click New registration:

  • Name, use TimeTell (recommended name)
  • Supported account types, select the appropriate option, we tested with Accounts in this organizational directory only.
  • Redirect URI, skip


Authentication


Within the created application click Authentication:

  • Click Add a platform
  • Click Web
  • Redirect URI, use the value that was provided to you by TimeTell
  • Front-channel logout URL, leave blank


Certificates & secrets


Click Certificates & secrets:

  • Certificates, leave as is
  • Client secrets, click New client secret:
    1. Description, TimeTellSecret (recommended name)
    2. Expires, set to 24 months (or any value required by company policy)
  • Now copy and store the text shown under Client secrets, TimeTellSecret, Value. This will not be shown again.

Make a note of the secret's expiration date, create a new secret a week (or more) before it expires, and share it with TimeTell. This prevents users from being unable to log on once the secret expires.
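
To act on the expiry reminder above, this added example (not part of TimeTell's documentation) flags client secrets that are expired or within a week of expiring. It assumes the app registration has been exported as JSON in the shape Microsoft Graph returns for an application object; the IDs, dates and the name TimeTellSecret-old are constructed sample values.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: shape of a Microsoft Graph "application" object
# (assumed input; only the fields used here). IDs and dates are placeholders.
SAMPLE_APP = json.loads("""
{
  "displayName": "TimeTell",
  "appId": "00000000-0000-0000-0000-000000000000",
  "passwordCredentials": [
    {"displayName": "TimeTellSecret", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2026-11-09T12:45:00.1234567Z"},
    {"displayName": "TimeTellSecret-old", "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-11-09T12:45:00Z"}
  ]
}
""")


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, dropping any fractional seconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.\d+)?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secret_status(app, now, warn_days=7):
    """Return (name, keyId, state, days_left) per client secret, soonest first."""
    rows = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            state = "EXPIRED"
        elif end - now <= timedelta(days=warn_days):
            state = "ROTATE_NOW"  # inside the one-week rotation window
        else:
            state = "OK"
        rows.append((cred.get("displayName") or "(unnamed)", cred["keyId"], state, days_left))
    return sorted(rows, key=lambda r: r[3])


if __name__ == "__main__":
    for row in secret_status(SAMPLE_APP, datetime.now(timezone.utc)):
        print(*row)
```

The report lists every secret on the registration, so compare the keyId of the one shared with TimeTell against the output rather than relying on the description alone.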


Token configuration


  • Go to Token configuration
  • Click Add optional claim
    1. Select ID
    2. Check email
    3. Click Add

 

You will then be asked to configure OpenID Connect scopes.

  • Check Turn on the Microsoft Graph profile permission (required for claims to appear in token)
  • Click Add

Verify API Permissions

  • Go to API Permissions
  • Under the API / Permissions name table you should see:
    1. Microsoft Graph
      • Email: Status, Granted for <your organization>
  • If it is not yet granted, click Grant admin consent for <your organization> above the table.

