Time Doctor customers can use Azure to log in to Time Doctor. Time Doctor has integrated Azure Active Directory single sign-on, making it easy for employees of companies to log in and have an account automatically created. They can hit the ground running with little effort from the company admin.

This article explains how to configure Azure SSO for Time Doctor.

Before we go further, please make sure you have the following:

  1. An active Azure account with an Active Directory subscription

  2. An active Time Doctor account

Register Time Doctor App on Azure

1. Log in to the Azure portal as an admin and click Azure Active Directory, which is listed under Azure Services.


2. In Azure Active Directory, select App registrations in the left-hand navigation menu. 


3. Click on New registration to start adding your app 

Set any name you want, or use “Time Doctor.” Set the supported account type and then for “web,” set the redirect URI to https://2.timedoctor.com/login/oauth2/azure/callback

Configure Your Azure Time Doctor Application

After the application has been created, you’ll be redirected to the application page. The next thing you need to do is click Authentication in the left-hand menu.

When the page loads, you’ll see Platform Configurations. Go to the card for the Web platform and click “Add URI.” Add the following URLs:

Scroll down to Implicit grant and check the boxes for “Access tokens” and “ID tokens.” When that’s done, click Save at the top of the page.

Define the Scope of the Time Doctor Application

After saving your app, you’ll need to define the scope of this token. This will determine the data that Azure will include in every token it sends to Time Doctor.

To do this, click Token configuration in the left-hand navigation menu. This should be the second link after Authentication. When that page opens, click “Add optional claim.”

A panel will open up on the right side of the page. In that panel, select “ID” for the token type and check the following options:

  • acct

  • email

  • family_name

  • given_name

  • verified_primary_email

When you’re done, click Add, tick the checkbox in the banner popup to turn on Microsoft Graph email permissions, and click Add to save the settings completely.

Check Your App’s API Permissions

In the left-hand panel in your app directory, go to API permissions. This should be the option right below Token Configuration. Make sure you have added the following under OpenID permissions:

  • email

  • openid

  • profile

  • User.Read

If one of these options is missing, click Add a permission to open a panel on the right side of the page. In that panel, click Microsoft Graph. When it opens, click Delegated Permissions and then check “openid” under “OpenId permissions.”



Set the Application URL

Next, you’ll need to set an application URI. From the left side menu, click Expose an API. You’ll see Application ID URI with a link labelled “Set.” Click on that link and then Save.


Now that everything is set, you need to get the client ID and issuer required to configure Time Doctor. To do that, click Overview in the left-hand menu. Copy the Application (client) ID from the Essentials section. You’ll use this for the Client ID field in Time Doctor.

The next thing you need to do is click Endpoints. A panel will open up on the right-hand side of the page. Copy the OAuth 2.0 authorization endpoint (v2) from that panel. You’ll use this for the Issuer field in Time Doctor. 



Now that you’ve created your application, you need to assign it to users. Microsoft has an article explaining how to do that. You can read it here.
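To confirm the registration matches the steps above, the following added example (not Time Doctor's or Microsoft's code) audits an app registration exported as JSON. It assumes the Microsoft Graph application object shape, as returned for example by `az ad app show --id <client-id>`; the sample registration is constructed, and the API permissions check is left out.

```python
import json

# Values taken from this guide.
CALLBACK = "https://2.timedoctor.com/login/oauth2/azure/callback"
ID_CLAIMS = {"acct", "email", "family_name", "given_name", "verified_primary_email"}


def audit_app(app: dict) -> list[str]:
    """Return findings for an app registration (Microsoft Graph application JSON)."""
    findings = []
    web = app.get("web") or {}
    uris = web.get("redirectUris") or []
    if CALLBACK not in uris:
        findings.append(f"MISSING redirect URI: {CALLBACK}")
    for uri in uris:
        if uri == CALLBACK:
            continue
        # Redirect URIs receive tokens, so every extra entry deserves a look.
        if not uri.startswith("https://") or "*" in uri:
            findings.append(f"RISKY redirect URI (non-HTTPS or wildcard): {uri}")
        else:
            findings.append(f"REVIEW extra redirect URI: {uri}")
    grant = web.get("implicitGrantSettings") or {}
    for flag in ("enableIdTokenIssuance", "enableAccessTokenIssuance"):
        if not grant.get(flag):
            findings.append(f"MISSING implicit grant setting: {flag}")
    claims = (app.get("optionalClaims") or {}).get("idToken") or []
    present = {c.get("name") for c in claims}
    for name in sorted(ID_CLAIMS - present):
        findings.append(f"MISSING optional ID token claim: {name}")
    if not app.get("identifierUris"):
        findings.append("MISSING Application ID URI")
    return findings


# Constructed sample, not a real tenant's registration.
SAMPLE = json.loads("""
{"web": {"redirectUris": ["https://2.timedoctor.com/login/oauth2/azure/callback",
                          "http://example.test/cb"],
         "implicitGrantSettings": {"enableIdTokenIssuance": true,
                                   "enableAccessTokenIssuance": false}},
 "optionalClaims": {"idToken": [{"name": "email"}, {"name": "given_name"},
                                {"name": "family_name"}]},
 "identifierUris": []}
""")

if __name__ == "__main__":
    for finding in audit_app(SAMPLE):
        print(finding)
```

An empty result means the registration matches the settings checked here; any REVIEW line is a redirect URI beyond the callback that you should recognise before leaving it in place.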

Adding Azure to Time Doctor as a Provider

Adding SSO to Time Doctor is the easiest part of this guide. The following steps assume you’ve already created an account on Time Doctor. If you haven’t, you can use this link to create one.


  • Scroll down to Single Sign On (SSO). Click Add Provider and select Azure as your provider. 
  • Fill out your configuration details and then click Save.

Note:

Setting a domain is optional. You can specify which email domains are allowed to find your company when searching for SSO companies. Adding any domains to this field will have the following effects:

  • Any domain you specify will allow anyone with an email address on that domain to find your company on Time Doctor. This will only happen if you give them access to your application on Azure as well.

  • Anyone using an email address from one of the specified domains will be able to join your company on Time Doctor, even if you haven’t manually added/invited and/or provisioned them. They’ll be automatically given default settings.

If you don’t add any domains, then no one will be able to find or join your Time Doctor company until you manually add/invite them.

And that’s all for configuring SSO.