TimeLog SSO

Introduction

TimeLog supports enabling single sign-on (SSO) for all paying customers on the Professional plan or higher.

Right now, it is a manual opt-in.

When switching, users who are already signed in will remain signed in until the existing cookies are invalidated. The same goes for the various apps. In most cases, it will be seamless, especially if all users are signed in to the Identity Provider automatically.

Reporting API, Transactional API and REST API functionality remain unchanged. However, the REST API login flow will change, for the end user only, as they are redirected to the SSO endpoint for authentication.

Getting started

Choose your identity provider:


Microsoft Entra ID

Google Identity

Limitations

  • We do not sync with the Identity Provider, so new names, deletions, etc. will not be reflected automatically.
  • The TimeLog Tracker for Outlook application does not support our login portal and therefore does not support SSO. However, it can still be used with the existing TimeLog username/password combinations. We have no timeline for this yet.
  • The in-product "Change password" dialogue for each user will still be visible, but will (naturally) have no impact on the password in the Identity Provider. We will change this in the future.
  • The "Activate new employee" flow will ask the user to enter a password in the process. This password is of no use, since SSO authentication is used instead after the first login is completed. We will change this behavior in the future.
  • The Transactional API does not support SSO, so it will fall back to the TimeLog credentials. For credentials existing prior to enabling SSO, there is no change. Creating a new user will work fine as well, until we remove the other limitations listed above. We will decide and disclose how to handle this at a later point.
  • Our financial integrations are not affected by this change. However, for the Navision integration specifically, the user created for this purpose should not change its username. Additionally, we map the internal reference of invoices based on the initials of the employee, so it will continue to work after users change their usernames.

Multi-tenant interaction

One SSO identity provider can be connected to one or more TimeLog sites.

The "Account name" on the first step of the login flow determines the correct redirect.

Multiple Identity Providers

TimeLog supports the use of multiple identity providers.

This is particularly useful if you have external consultants that are not part of your SSO identity provider. The standard behaviour is to automatically redirect the user to the primary identity provider. However, TimeLog can enable (per tenant) a login flow that allows the user to choose between the primary identity provider and the TimeLog identity provider (as shown below).

Auto-provisioning

Auto-provisioning of users is not supported.

In the current version, all users have to be created manually in TimeLog. Otherwise they cannot log in and will be presented with the following error message: "You have not been created in TimeLog. Please contact your internal TimeLog responsible to get help."

SSO flow