Setting up SSO with SAML authentication
Overview
SAML authentication is set up in the following three steps.
- Set the information required by TimeTracker NX and the linked identity provider.
- Confirm that the linkage works.
- Enable SSO for each user.
Before starting, read "Precautions when using SAML authentication".
Setting up TimeTracker NX and the linked service
This page uses Microsoft Azure AD as the example identity provider when setting up TimeTracker NX and the linked service.
Screens differ between providers; check the provider's documentation for details.
1. Log in to TimeTracker NX as a user with administrator privileges and open the system administration screen.
2. Open the screen shown below and click the "Edit" button.
3. Check "Enable sign-on with SAML authentication" (① in the figure below).
   "URL (Entity ID)" and "Assertion Consumer Service URL" are then displayed. Copy both into a text editor; they are pasted into Azure AD in later steps. Click ② or ③ to copy each value.
4. Log in to the Microsoft 365 Admin Center with your Microsoft account.
5. Click "Azure Active Directory" in the side navigation.
6. On the next screen, click "Users" in the side navigation.
   The users listed here are the ones that can be linked. If any are missing, add them first.
   The "User Principal Name" shown on this screen is the value used later in "Setting users for SAML authentication".
7. Click "Enterprise Applications" in the side navigation, then click "New Application" on the next screen.
8. On the next screen, do the following and click "Create".
   - ②: Enter a name of your choice.
   - ③: Check this box.
9. On the next screen, click "Assign Users and Groups", then click "Add User or Group".
10. On the next screen, add a user as follows.
    - Click ① to open the settings dialog on the right.
    - Select the target user in ②. The selected user is shown in ③.
    - Click "Select" in ④; this enables ⑤. Click ⑤.
11. On the next screen, select the item shown below.
12. On the next screen, click "Settings", then click "Add Identifier".
13. In the dialog that opens, do the following.
    - Click ① and paste the "URL (Entity ID)" noted in Step 3 into ②.
    - Click ③ and paste the "Assertion Consumer Service URL" noted in Step 3 into ④.
    - Click "Save" (⑤).
14. On the next screen, confirm that the values entered in the previous step are shown, then click "Edit" under "Attributes and Claims" (②).
15. On the next screen, double-click "Unique User Identifier". In the dialog that opens, enter "user.mail" as the "Source Attribute" and click "Save".
    This claim is the key TimeTracker NX uses to find the user, so its value must be identical to the "Email" you later enter for that user in TimeTracker NX. If "user.mail" is empty or differs from the "User Principal Name" for some users in your tenant, those users cannot be matched; check which attribute holds the address you intend to use.
16. On the next screen, click "SAML-based Sign-on" to move to the next screen.
17. On the next screen, copy the "App Federation Metadata URL" under "③ SAML Certificate". Clicking ① in the image below copies it.
18. Open the copied URL in a browser. Search for "<X509Certificate>" and copy the string between "<X509Certificate>" and "</X509Certificate>", then paste it into the "X509 Certificate" field on the TimeTracker NX settings screen.
    If any part of the string is missing, authentication fails, so check the copied range carefully. The certificate also has an expiry date, shown in the SAML Certificate panel; when the Azure AD signing certificate is rotated, the new value must be pasted here again or SAML logins stop working.
19. Return to the Azure AD settings screen and copy the following items under "④ Set up [app name]" into TimeTracker NX.

    Microsoft Azure AD item     TimeTracker NX item
    Login URL                   SSO URL
    Azure AD Identifier         Entity ID

20. On the TimeTracker NX settings screen, make sure "Local authentication and SAML authentication" is selected for "Valid range", then click "Save".
    If "SAML authentication only" is selected while the settings are still wrong, nobody can log in. Confirm that SSO works with "Local authentication and SAML authentication" first.
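The three values copied by hand in steps 17 to 19 (the signing certificate, the login URL and the Azure AD identifier) can also be pulled out of the federation metadata programmatically, which avoids the truncated-certificate mistake step 18 warns about. The script below is an added example for this page, not TimeTracker NX or Azure AD code; the metadata document, tenant ID and certificate bytes in it are constructed placeholders in the shape Azure AD serves at the "App Federation Metadata URL".

```python
"""Read the IdP values TimeTracker NX needs out of Azure AD federation metadata.

Added example, not TimeTracker NX or Azure AD code. SAMPLE_METADATA is a
constructed, minimal document; the tenant ID and certificate are placeholders.
"""
import base64
import binascii
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the certificate: a DER SEQUENCE (tag 0x30) with a
# 200-byte body (long-form length 0x81 0xC8), which is what the check below reads.
_DER = b"\x30\x81\xc8" + bytes(range(200))
SAMPLE_CERT_B64 = base64.b64encode(_DER).decode()
_TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
{textwrap.indent(textwrap.fill(SAMPLE_CERT_B64, 64), " " * 12)}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
                         Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entity ID, SSO URL and signing certificate (base64, no whitespace)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":       # skip encryption-only keys
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is not None and node.text:
            certs.append(re.sub(r"\s+", "", node.text))  # line breaks are not part of it
    if not certs:
        raise ValueError("metadata has no signing certificate")
    # Azure AD "Login URL" is the SingleSignOnService location; prefer HTTP-Redirect.
    locations = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = locations.get(REDIRECT) or next(iter(locations.values()), None)
    if sso_url is None:
        raise ValueError("metadata has no SingleSignOnService")
    return {
        "entity_id": root.get("entityID"),   # "Azure AD Identifier" -> "Entity ID"
        "sso_url": sso_url,                   # "Login URL" -> "SSO URL"
        "x509_certificate": certs[0],         # -> "X509 Certificate" (more than one only during rollover)
        "signing_certificates": certs,
    }


def check_certificate_text(pasted: str) -> bool:
    """True if the pasted text is one complete base64 DER certificate.

    A copy that stops short of </X509Certificate> either fails base64 decoding
    or decodes to fewer bytes than the outer DER SEQUENCE header declares.
    """
    b64 = re.sub(r"\s+", "", pasted)
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(der) < 2 or der[0] != 0x30:       # X.509 Certificate is a SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        header, length = 2, first
    else:                                     # long-form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for key in ("entity_id", "sso_url", "x509_certificate"):
        print(f"{key}: {settings[key][:60]}")
    print("certificate complete:", check_certificate_text(settings["x509_certificate"]))
```

To run it against a real tenant, replace SAMPLE_METADATA with the body of the "App Federation Metadata URL" (for example `urllib.request.urlopen(url).read().decode()`); "entity_id", "sso_url" and "x509_certificate" map to the "Entity ID", "SSO URL" and "X509 Certificate" fields in TimeTracker NX. The length check in check_certificate_text catches a copy that ends on a base64 boundary and would otherwise decode without error.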
The settings are now complete.
Next, check that the settings are correct.
Check the settings
1. Log out of TimeTracker NX, then log in again with an account that has administrator privileges.
   When SSO integration is enabled, the login screen below is shown. Select ② and log in with your TimeTracker NX account and password.
2. Set the linkage key in the user information of the user you will test SSO with.
   This test should be performed by the user who operated the Azure AD screens in "Setting up TimeTracker NX and the linked service", because the Azure AD test button signs in as that user.
   - Open the user list on the system administration screen.
   - Enter that user's Azure AD "User Principal Name" in the "Email" field.
     "User Principal Name" is the item shown on the Azure AD screen below.
3. On the Azure AD settings screen, click the "Test" button under "⑤ Test single sign-on with [app name]".
4. If you can log in to TimeTracker NX, the setup is successful.
This confirms that SSO is working.
You can also log in by clicking "Log in with organizational account" on the TimeTracker NX login screen, and the Azure AD screen can now be closed.
Then switch "Valid range" on the TimeTracker NX settings screen to "SAML authentication only" to disable local authentication (except for users with "Allow local authentication" checked). Before doing so, make sure at least one administrator account has "Allow local authentication" checked, as described under "Notes on user settings"; otherwise an outage at the identity provider locks everyone out.
Next, enable SSO for each user.
Set the user for whom SSO is enabled
Set up SSO for each user in the following two steps.
1. Set the authentication service information.
   Authentication uses the email address as the key. For each user, edit "Email" as described in Step 2 of "Check the settings".
2. Select the users who should also be able to use local authentication, and enable it for them.
   Select the user in the user list and check "Allow local authentication" on the edit screen.
Setting users up one at a time on the settings screen is time-consuming. You can set up many users at once with "Export/Import User Information".
Notes on user settings
- The same email address cannot be set for more than one user.
- A user whose "Email" is blank and who does not have "Allow local authentication" checked cannot log in at all. Make sure at least one of the two is set for every user.
- If the SSO identity provider cannot be reached, SSO logins fail. Users without "Allow local authentication" then cannot log in, so allow local authentication for at least one user.
- Conversely, enabling "Allow local authentication" for many accounts makes password management a burden and widens the attack surface. Consider a rule such as "allow local authentication only for users with system administration privileges".
How to log in with local authentication
When SSO authentication is enabled, the following screen is displayed at login.

Click the area in the red frame above to log in with the account and password set in TimeTracker NX.
Notes on SSO authentication
The following points apply when SSO authentication is enabled. (They do not apply if you do not use SSO.)
Enable HTTPS access
This function requires TimeTracker NX to be served over HTTPS (SSL/TLS).
Make sure the URL used to access TimeTracker NX starts with "https".
Functions that "SAML authentication only" users cannot use with a login name
Users who can authenticate only through SAML cannot supply a login name and password to the following functions.
- Excel integration add-in
- Web API
- TimeTracker Reporting
- TimeTracker Analytics
Use an "API key" for authentication instead of an account name and password.
For details on API keys, see "Generate an API key".
Operational suggestions when using the above functions
There are three approaches.
- Enable local authentication for all users: on the TimeTracker NX settings screen, set "Valid range" to "Local authentication and SAML authentication".
- Enable local authentication only for the users who need these functions: check "Allow local authentication" for those users in the user settings.
- Prepare a dedicated account that allows local authentication, and use that account for these functions.
Prepare for problems with not being able to connect to the authentication server
If SSO stops working for some reason, disable SSO by one of the following methods.
1. A user who can also use local authentication logs in and disables SSO.
2. Forcibly disable SSO on the server.
We recommend preparing in advance so that method 1 is available.
1. A user who can also use local authentication logs in and disables SSO
Log in with the procedure in "How to log in with local authentication".
On the single sign-on settings screen, uncheck "Enable sign-on with SAML authentication".
Then reset user passwords as needed with the procedure in "Change password".
2. Forcibly disable SSO
This method disables SSO by editing the configuration file stored on the TimeTracker NX server.
Follow the steps below.
1. Open "appsettings.json" directly under the TimeTracker NX installation folder.
2. Find the "Saml" section and change "ForceDisableSamlSso" from false to true.

     "Saml": {
       "ForceDisableSamlSso": false,   <- change this to true
       "UseIdpSession": true
     },

3. Reopen the TimeTracker NX login screen. You can now log in with the login account and password set in TimeTracker NX.
4. After the problem is resolved, set the value changed in step 2 back to false.
Anyone with write access to this file can switch SSO off, so restrict write access to the installation folder to server administrators.
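The same edit can be scripted so that a backup is kept for step 4 and the file is never left half-written. The script below is an added example, not TimeTracker NX code; only the "Saml" section of the sample file mirrors the snippet above, the rest of the sample and the file path are constructed.

```python
"""Break-glass toggle for Saml.ForceDisableSamlSso in appsettings.json.

Added example, not part of TimeTracker NX. Only the "Saml" section of
SAMPLE_APPSETTINGS is taken from the documented snippet; the rest is constructed.
"""
import json
import os
import shutil
import tempfile
import time

SAMPLE_APPSETTINGS = """{
  "Logging": { "LogLevel": { "Default": "Information" } },
  "Saml": {
    "ForceDisableSamlSso": false,
    "UseIdpSession": true
  }
}
"""


def _load(path: str) -> dict:
    """Load appsettings.json and verify the documented setting is present."""
    with open(path, encoding="utf-8-sig") as f:      # .NET often writes a UTF-8 BOM
        cfg = json.load(f)
    saml = cfg.get("Saml")
    if not isinstance(saml, dict) or "ForceDisableSamlSso" not in saml:
        raise ValueError(f'{path}: no "Saml"/"ForceDisableSamlSso" setting found')
    return cfg


def read_force_disable(path: str) -> bool:
    """Return the current value of Saml.ForceDisableSamlSso."""
    return bool(_load(path)["Saml"]["ForceDisableSamlSso"])


def set_force_disable(path: str, value: bool) -> bool:
    """Set Saml.ForceDisableSamlSso to `value` and return the previous value.

    A timestamped .bak copy is made first (that is what step 4 restores from),
    and the new content goes to a temp file that is renamed over the original,
    so a crash mid-write cannot leave a truncated appsettings.json behind.
    """
    cfg = _load(path)
    previous = bool(cfg["Saml"]["ForceDisableSamlSso"])
    if previous == value:
        return previous                               # already set; leave the file alone
    shutil.copy2(path, f"{path}.{time.strftime('%Y%m%d-%H%M%S')}.bak")
    cfg["Saml"]["ForceDisableSamlSso"] = value
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(cfg, f, indent=2)
        f.write("\n")
    os.replace(tmp, path)                             # atomic on the same filesystem
    return previous


def demo() -> dict:
    """Exercise the toggle on a constructed copy of appsettings.json in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "appsettings.json")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_APPSETTINGS)
        before = set_force_disable(path, True)        # step 2: break glass, SSO off
        disabled = read_force_disable(path)
        backups = [n for n in os.listdir(d) if n.endswith(".bak")]
        set_force_disable(path, False)                # step 4: put it back
        return {"before": before, "disabled": disabled,
                "backups": len(backups), "after": read_force_disable(path)}


if __name__ == "__main__":
    print(demo())
```

Run it on the server as an administrator, pointing set_force_disable at the real appsettings.json, and keep the generated .bak next to it until the value is restored. The .NET configuration loader tolerates comments and trailing commas in appsettings.json, which json.load does not; if the file contains them, the script raises and the edit has to be made by hand as described above.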
