Single Sign-On
      Back to home
      1. WebWork Time Tracker Help Center
      2. Single Sign-On

      How to configure SCIM first and then SAML for Microsoft Entra ID

      WebWork SCIM integration features

      WebWork’s SCIM integration supports several member management features.

      • Push New Users
        • New users created through Microsoft Entra ID will also be created in WebWork.
      • Push Profile Updates
        • Updates made to a user's profile through Microsoft Entra ID will be pushed to WebWork.
      • Push User Deactivation
        • Deactivating a user or disabling their access to the application through Microsoft Entra ID will deactivate the user in WebWork.

      Note: for WebWork, deactivating a user means removing access to login, but maintaining their information as an inactive user.

      • Reactivate Users
      WebWork member accounts can be reactivated in Microsoft Entra ID.

      How to configure SCIM?

      Note: to set up provisioning, you must first have Microsoft Entra ID SSO enabled for your workspace. 

      1. Go to Applications > Enterprise applications > New application > Create your own application.

      Creating a custom enterprise application for WebWork in Entra ID

      Navigating to provisioning settings in Entra ID for WebWork

      WebWork SCIM settings page showing Tenant URL and Secret Token

       

      2. Then go to Provisioning > Connect your application.

      Pasting SCIM credentials into Entra ID for WebWork integration

      Testing the SCIM connection with WebWork Time Tracker

      3. Go to your WebWork account > Settings > Single Sign-On.

      4. Copy SCIM Tenant URL and SCIM Secret Token.

      Disabling group provisioning for WebWork SCIM setup

      5. Come back to Microsoft Entra ID and paste them in respective fields.

      6. Click Test connection > Create

      Configuring user attribute mapping for WebWork in Entra ID

      7. Go to Attribute mapping (Preview) > Provision Microsoft Entra ID Groups > switch Enabled to No > Save

      Editing email mapping for SCIM in WebWork configuration

      Updating external ID attribute for WebWork SCIM provisioning


      8. Go to Attribute mapping (Preview) > Provision Microsoft Entra ID Users > scroll to Attribute Mappings

      Removing unnecessary attributes from WebWork SCIM mapping

      9. In Customappsso Attribute: emails[type eq “work”].value, click Edit Microsoft Entra ID Source attribute: from mail to userPrincipalName > click Ok

      SCIM user provisioning status for WebWork Time Tracker

      10. Also in Customappsso Attribute: externalId > Edit Microsoft Entra ID Source attribute: from mailNickname to objectId > then press Ok and Save

      Successfully synced users from Entra ID to WebWork


      Profile updates from Entra ID reflected in WebWork


      How to configure SAML after SCIM ?

      1. Log in to your organization's Microsoft Entra ID admin center.

      2. Click on Applications > Enterprise applications > your application > Set up single sign on > Get started > Select a single sign-on method (SAML)

      Reactivating WebWork user accounts from Entra ID

      WebWork SCIM sync summary page with recent activity

      3. Go to your WebWork account > Settings > Single Sign-On.

      4. Copy SAML Identifier (Entity ID) and SAML Reply URL (Assertion Consumer Service URL)

      WebWork SCIM integration showing status as active

      5. Go to Basic SAML Configuration >  Edit > paste them in their respective fields and Save.

      Attribute mapping preview panel for WebWork SCIM


      Microsoft Entra ID user list assigned to WebWork

      6. Go to Attributes & Claims > Edit > in Additional Claims edit all 4 Claim names & Values from the version below to the next after it:

      Confirmation of successful SCIM configuration with WebWork

      The version you need to use:

      Entra ID enterprise app overview for WebWork SSO

      Access each attribute and fill the exact information shown in the steps below:

      Navigating to Single Sign-On settings for WebWork

      WebWork SSO configuration section showing SAML fields

      Copying SAML Identifier and Reply URL from WebWork

      Editing basic SAML configuration for WebWork in Azure

      Adding namespace URL for userprincipalname claim


      7. Go to SAML Certificates > copy App Federation Metadata URL >  paste your WebWork account SSO settings > Save changes

      Setting namespace for objectid claim for WebWork

      8. Go to Users and groups > Add user/group > click User/Group > Select > Assign

      Copying Federation Metadata URL for WebWork SSO


      Pasting metadata URL into WebWork account settings

      Assigning users to the WebWork SSO application

      Resolving assignment error during WebWork SAML setup

      9. Then Go to Single sign-on > click Test > Test sign in


      Restarting provisioning to fix user assignment in WebWork


      This will direct you from Microsoft Entra ID back to your WebWork Account and SSO will be enabled on your Profile.

      Testing SAML sign-in for WebWork Time Tracker

      WebWork profile page showing SSO email address

      Note: To appear on WebWork’s Members page, assigned users must first log in with SSO.

      In case you get the message “Application assignment failed”, go back to Enterprise applications > click on your Application > Provisioning > Pause provisioning > Start provisioning.


      Make sure to follow those steps:

      1. Sign in to your WebWork account
      2. Click Sign in with Microsoft Entra ID
      3. Enter your Microsoft Entra ID email address

      https://www.webwork-tracker.com/login/sso