Skip to content
  • There are no suggestions because the search field is empty.

Microsoft Single Sign-On (SSO) Configuration

 

Available on Premium plan. Only the Workspace Owner & Executive Managers can enable SSO (single sign-on).

We recommend that you first enable SCIM and only then SAML.

WebWork SCIM integration features

WebWork’s SCIM integration supports several member management features.

  • Push New Users
    • New users created through Microsoft Entra ID will also be created in WebWork.
  • Push Profile Updates
    • Updates made to a user's profile through Microsoft Entra ID will be pushed to WebWork.
  • Push User Deactivation
    • Deactivating a user or disabling their access to the application through Microsoft Entra ID will deactivate the user in WebWork.

Note: for WebWork, deactivating a user means removing access to login, but maintaining their information as an inactive user.

  • Reactivate Users
WebWork member accounts can be reactivated in Microsoft Entra ID.

How to configure SCIM?

Note: to set up provisioning, you must first have Microsoft Entra ID SSO enabled for your workspace. 

1. Go to Applications > Enterprise applications > New application > Create your own application.

Creating a custom enterprise application for WebWork in Entra ID

Navigating to provisioning settings in Entra ID for WebWork

WebWork SCIM settings page showing Tenant URL and Secret Token

 

2. Then go to Provisioning > Connect your application.

Pasting SCIM credentials into Entra ID for WebWork integration

Testing the SCIM connection with WebWork Time Tracker

3. Go to your WebWork account > Settings > Single Sign-On.

4. Copy SCIM Tenant URL and SCIM Secret Token.

Disabling group provisioning for WebWork SCIM setup

5. Come back to Microsoft Entra ID and paste them in respective fields.

6. Click Test connection > Create

Configuring user attribute mapping for WebWork in Entra ID

7. Go to Attribute mapping (Preview) > Provision Microsoft Entra ID Groups > switch Enabled to No > Save

Editing email mapping for SCIM in WebWork configuration

Updating external ID attribute for WebWork SCIM provisioning


8. Go to Attribute mapping (Preview) > Provision Microsoft Entra ID Users > scroll to Attribute Mappings

Removing unnecessary attributes from WebWork SCIM mapping

9. In Customappsso Attribute: emails[type eq “work”].value, click Edit Microsoft Entra ID Source attribute: from mail to userPrincipalName > click Ok

SCIM user provisioning status for WebWork Time Tracker

10. Also in Customappsso Attribute: externalId > Edit Microsoft Entra ID Source attribute: from mailNickname to objectId > then press Ok and Save

Successfully synced users from Entra ID to WebWork


Profile updates from Entra ID reflected in WebWork


How to configure SAML after SCIM ?

1. Log in to your organization's Microsoft Entra ID admin center.

2. Click on Applications > Enterprise applications > your application > Set up single sign on > Get started > Select a single sign-on method (SAML)

Reactivating WebWork user accounts from Entra ID

WebWork SCIM sync summary page with recent activity

3. Go to your WebWork account > Settings > Single Sign-On.

4. Copy SAML Identifier (Entity ID) and SAML Reply URL (Assertion Consumer Service URL)

WebWork SCIM integration showing status as active

5. Go to Basic SAML Configuration >  Edit > paste them in their respective fields and Save.

Attribute mapping preview panel for WebWork SCIM


Microsoft Entra ID user list assigned to WebWork

6. Go to Attributes & Claims > Edit > in Additional Claims edit all 4 Claim names & Values from the version below to the next after it:

Confirmation of successful SCIM configuration with WebWork

The version you need to use:

Entra ID enterprise app overview for WebWork SSO

Access each attribute and fill the exact information shown in the steps below:

Navigating to Single Sign-On settings for WebWork

WebWork SSO configuration section showing SAML fields

Copying SAML Identifier and Reply URL from WebWork

Editing basic SAML configuration for WebWork in Azure

Adding namespace URL for userprincipalname claim


7. Go to SAML Certificates > copy App Federation Metadata URL >  paste your WebWork account SSO settings > Save changes

Setting namespace for objectid claim for WebWork

8. Go to Users and groups > Add user/group > click User/Group > Select > Assign

Copying Federation Metadata URL for WebWork SSO


Pasting metadata URL into WebWork account settings

Assigning users to the WebWork SSO application

Resolving assignment error during WebWork SAML setup

9. Then Go to Single sign-on > click Test > Test sign in


Restarting provisioning to fix user assignment in WebWork


This will direct you from Microsoft Entra ID back to your WebWork Account and SSO will be enabled on your Profile.

Testing SAML sign-in for WebWork Time Tracker

WebWork profile page showing SSO email address

Note: To appear on WebWork’s Members page, assigned users must first log in with SSO.

In case you get the message “Application assignment failed”, go back to Enterprise applications > click on your Application > Provisioning > Pause provisioning > Start provisioning.

Automatic User Provisioning 

With Automatic User Provisioning WebWork can manage user accounts based on your company’s Microsoft Entra ID directory. Instead of manually adding, updating, or removing members in WebWork, changes in Microsoft Entra ID are synced automatically.

  • New hires are added to WebWork as soon as they are created in Microsoft Entra ID.

  • Profile changes (name, email, role) are updated automatically.

  • Departing employees are deactivated in WebWork when removed from Microsoft Entra ID.

  • Reactivated employees regain access instantly once they’re restored in Microsoft Entra ID.

This ensures accurate, secure, and up-to-date member management without extra work from your IT team.


Make sure to follow those steps:

1. Sign in to your WebWork account
2. Click Sign in with Microsoft Entra ID
3. Enter your Microsoft Entra ID email address

https://www.webwork-tracker.com/login/sso