TimeLog SSO

Introduction

TimeLog supports enabling single-sign-on (SSO) for all paying customers on "Advanced" plans or "Basic Plus" plans where the feature "Departments and international employees" is turned on.

Right now, it is a manual opt-in.

When switching, users already signed in will remain signed in until the existing cookies are invalidated. Same goes for the various apps. In most cases, it will be seamless, especially if all users are signed in to the AD automatically.

Reporting API, Transactional API and REST API functionality remain unchanged. However, the REST API log in flow will change for the end-user (only) as they are redirected to the SSO endpoint for authentication.

Getting started

Choose your identity provider:


Microsoft Azure Active Directory

Microsoft AD FS with WS-Federation

Limitations

  • The current version is an all-or-nothing solution. Either all users switch or none, however, we have drafted an extension that will allow both to work a the same time, but we have no timeline for this yet.
  • The TimeLog Tracker for Outlook application does not support our login portal and therefore not SSO. However, it can be used using the existing TimeLog username/password combinations. We have no timeline for this yet.
  • The in-product "Session timed out" alert will not work anymore and no matter what is entered, the user will be logged out, redirected to the log in portal, further redirected to Azure Active Directory and in most cases be logged right back in. We know the user interface might give another impression, we will change this in the future.
  • The in-product "Change password" dialogue for each user will still be visible, but will (naturally) have no impact on the password in Azure Active Directory. We will change this in the future.
  • The "Activate new employee" flow will ask the user to enter a password in the process, this password is of no use since the SSO authentication is used instead after the first login is completed. We will change this behavior in the future.
  • The Transactional API does not support SSO, so it will fall back to the TimeLog credentials. For credentials existing prior to enabling SSO, there is no change. Creating a new user will work fine as well, until we remove the other limitations listed above. We will decide and disclose how to handle this at a later point.
  • Our financial integrations are not affected by this change. However, specifically for the Navision integration the user created for this purpose should not change username. Additionally, we map the internal reference of invoices based on the initials of the employee, so it will continue to work after users change their usernames.
  • We do not sync the Active Directory, so new names, deletes etc. will not be reflected automatically.

Auto-provisioning

Auto-provisioning of users is not supported.

In the current version, all users have to be created manually in TimeLog - otherwise they cannot log in and will be presented with the following error message: "You have not been created in TimeLog. Please contact your internal TimeLog responsible to get help.".