The new unified SSO App offers multiple methods of authentication, such as SAML, and One-time token. This makes the login process secure, more streamlined and efficient.
Things to know:
The Feature is private and can be activated as Add-on for clients with Enterprise Plan. Contact your account manager to know more about this solution and it fees.
The App does not work with single accounts. It only works with Branch Manager and their branch companies.
You can have only one active authentication method at the same time.
The App does not limit the branches a user sees in the Location Selector after successful login.
At the moment TIMIFY supports only SAML and One-Time Token as Authentication Method.
1. How to install the SSO App.
1. How to install the SSO App.
The Branch Manager Owner, Admin(s), as well as Managers with permissions to access the Apps section, can install the App after providing TIMIFY with a Private Access Key from the tab “Private Apps”.
After the App is installed, it is necessary to define if the App should be configured globally or configured in branch accounts. The first option gives you the possibility to set up the App for all branches from Branch Manager. The second option will allow you to save different settings on each branch, this means that each branch owner and/or admin users will be able to configure the App separately.
2. Set up
The set up of this App will depend on the authentication method it is selected in the first step.
If you select the One-Time Token SSO method the usage is very simple. You will use a link generated by TIMIFY as a secret to log in to an application. This link is embedded into your system and it can be selected to log in to TIMIFY. Some additional parameters can be added to the link like Name, Email, Branch ID´s among others.
If the SAML option has been selected, you should set up the authentication method to communicate with the Identity Provider (IdP). For this, you will have to copy from the SSO App an Assertion Consumer Service URL, generated from us. This is the URL where we expect to receive the authentication token. You will also need to paste your IdP URL which we need to redirect upon login attempt. In Order to ensure this, you will need to provide x.509 certificate, called Public Certificate.
Optionally, you could add an Identifier (Entity ID). The unique ID that identifies your application to the IdP (this should be the same that you use in your IdP). The Secret Generator is automatically generated by TIMIFY and this URL is unique.
💡 When selecting an authentication method the App generates automatically a secret in the database background. It will be also possible to generate a new one from the method’s configuration.
On this step you can define how the SSO App will behave. These settings will appear in every Authentication Method you select.
Limit the SSO authentication by domain name(s): For additional security, the access is limited only to those email domains allowed from our App. If users try to log in with a different email domain than the specified, the user will be redirected to a block access page.
Unique Identifier: Select your unique user identifier: Email or ExternalID.
💡If you select ExternalID as unique identifier you must add a domain on the Restricted Email Domain section mentioned here above, it cannot be left empty.
Email Mismatch Rules: In case of a mismatch between your user’s identity provider and the defined on the App, choose which one we should use during the user enrolment process. There is a third option which allows you to not use either one of them (in case you used External ID, for example). This means that resources and SSO users can have different emails and they will not be overwritten
User Permissions: Have a default permission type or match all permission types with groups in the Identity Provider depending of what you have defined for your users.
User Branch Access: This option only appears if the SSO App is installed on a global level (Branch Manager). On a local level, this step is not required. If you select the option Identity Provider (IdP) you need to create a parameter at your end or simply select the option SSO App. This means that you will be able later on to define which user can access to which branch/es.
Resources Rules: Here you can select if you want to create a new resource (in case have not created any) or not to create a new resource.
User Details Overwrite: This is in case you have information that differs from your users in your IdP and TIMIFY. Here you can define either to overwrite this information in TIMIFY or in the SSO App.
Default Permission Types: You can define the type of permission for all your imported or manually added users with no permissions defined. You need to map all existing Permission Types (Global Permission Types or Local depending on the app configuration) with Permission Groups inside the Identity Provider. Since it is not possible to ensure that permissions in the Identity Provider will be the same as in TIMIFY, the best solution is to define for example, permission "Type A" corresponds to Identity Provider Permission "Group A". This is done by providing an external ID or unique identifier of that Permission Group. When there are no Permission Types created inside TIMIFY only the Admin Permission will be shown in the list.
4. Import Users
On this section, you have the possibility to Import a CSV file with all your users. In case you need to skip this step, it is important to know that you can do it later as you have the possibility to add users manually. The upload is made via a CSV file which you can access by downloading our template. On the template you may need to fill External ID, Names, Email and Branch ID´s. If the file is downloaded from a single account, the Branch ID´s tab won´t be shown. In case a user, needs to access several accounts (branches) you can add all of them divided by a comma "," (do not add branches divided only by a space).
In case there is an error when the file is uploaded, a warning message will show up and a link will be provided to download a CSV with a report of all the errors.
Please consider, that even if you use the External ID option to log in, it is required to add an email address (it can be a dummy email address), otherwise you won´t be able to save and continue.
5. Match Parameters
Once the SAML has been all set, you can click on the three dots in SAML - Current Authentication Method - to match all your parameters.
Names: Not all clients will have 1 field for names as we do. For this, you can use multiple parameters combined with
+, for example:
user.FName + user.LName.
User External ID
Branch ID: When the app is being used and configured from the Branch Manager, it is not necessary to add a Branch ID as users will have access only to the branch they have been assigned.
Permission Type: This parameter shows depending on the selection in the previous step in the User Permissions setting
6. Onboarding Success
The last step will be shown once the SSO App is all set.