Single Sign On (SSO) Identity Providers

Overview

Single Sign On (SSO) allows you to control access to Beyond using your own Identity Provider instead of having users log in with their TempWorks credentials.

This allows you to use your Identity Provider to enforce whatever sign in requirements you see fit, including things like multi-factor authentication, password strength requirements, or requiring the user to be logging in from a certain IP range or corporate network.

Currently, SSO works with Beyond and the Outlook Add-In, and the same settings are applied to both products.

*Note* This integration does require initial setup by TempWorks.

For more information about getting this setup, and pricing inquiries, please contact your TempWorks Account Manager.

This article covers the following:

  1. Identity Providers
  2. Identity Provider Setup
  3. Next Steps



Identity Providers

An Identity Provider is a service for managing user accounts that your users can log into from another application.

Examples of Identity Providers include:

*Note* TempWorks does not support SSO through the following:

  • Google Cloud Identity & Amazon Web Services (AWS) Single Sign On.
  • Personal Google accounts,  Facebook, or other social media accounts.

For an Identity Provider to be compatible with SSO, it must utilize the OAuth 2.0 protocol using OpenID Connect.



Identity Provider Setup

While you have the ability to use any major Identity Provider that utilizes the OAuth 2.0 protocol using OpenID Connect (examples above), TempWorks clients have seen immediate success using Azure AD (Active Directory).

The following is a basic setup example within Azure AD.

*Note* To access the areas of Azure AD outlined below, you will need to have an account with Azure AD along with administrative permissions within Beyond. 


Standard Azure AD Example

Begin by logging into Azure AD (Active Directory):

From the landing page, navigate to "App Registrations" within the left sidebar:

Select "New Registration" and create a registration for "TempWorks Beyond" or whatever name you would like that would be easy to remember:

*Note* Once you have created the registration of "TempWorks Beyond" or whatever name you would like that would be easy to remember, the following will be automatically generated:

  • Directory (Tenant) ID
  • Application (Client) ID

Save the above items as they will be needed during the setup of SSO within Beyond.

While within the "TempWorks Beyond" registration, select "Certificates and Secrets" in the left sidebar:

Select "New Client Secret" within the "Client Secrets" tab:

Enter the following information:

  • Description: Enter a description for the Client Secret.
  • Expires: Cannot be longer than 24 months when selecting "custom".

*Note* The expiration date cannot be longer than 24 months when selecting "custom".

*Warning* A new Client Secret will need to be created and added within Beyond before the expiration date of the original. If this is not done, users will be unable to log into Beyond once the original Client Secret expires.

Select "Add"

*Note* Copy the "Client Secret" immediately after creating it to be added to Beyond.

Navigating away and back to this screen will hide the "Client Secret", making it unable to be copied, resulting in a new Client Secret needing to be created.

While within the "TempWorks Beyond" registration, select "Authentication" in the left sidebar:

Navigate to Beyond > B Menu > System Settings > Security > Authentication > Single Sign On > Redirect URL > More Details > Copy:

*Note* The "Redirect URL" will be custom to your company and will be configured during the initial setup by TempWorks.

Navigate back to Azure AD > Authentication > Web > Redirect URI's > Add URI:

Paste the "Redirect URL" into the "Add URI" section.

Check the box for "ID Tokens" within the "Implicit grant and hybrid flows" section:

Select the option for "Accounts in this organizational directory only" within the "Supported account types" section:

Select "No" for "Enable the following mobile and desktop flows" within the "Advanced settings" section:

Select "Save" to save all the changes that have been applied:



Next Steps

Once the Identity Provider setup is complete, you are ready to add the following information into Beyond and complete the setup of SSO:

  1. Identity Provider URL: “https://login.microsoftonline.com/{YourAzureTenantId} with the [YourAzureTenantID] being the "Directory (Tenant) ID" from Azure AD.
  2. Client ID: This is the "Application (Client) ID" from Azure AD.
  3. Client Secret: This is the "Client Secret" from Azure AD.
  4. Claim Name: This is "upn" for setups using Azure AD.

*Note* To complete the SSO setup process in Beyond, please see the following article titled Beyond - Single Sign-On.

Related Articles