SSO Glossary

A glossary of terms related to SSO and WhenToWork. 

  • Access token: an access token is a JSON Web Token (JWT) that contains claims. These claims identify the permissions granted to your APIs. Access tokens are used to provide access to APIs and resource servers. When your API receives an access token, it must validate the signature to prove its authenticity. Picture a backstage pass at a concert: an access token is like that pass, granting you access to specific areas (like APIs or resource servers). When you use an app with SSO, it hands you this backstage pass to prove you're allowed in. It is used for authorization, granting access to specific resources.
  • API (Application Programming Interface): provides an interface that allows developers to interact with programs and apps. Each API has a set of credentials (similar to a username and password pair) that admins and developers use to interact with the data.
  • Authority: what you can do (custom scopes). Managed by an Identity Access Manager (IAM); the immutable identifier is an IAM-generated id. Example: OAuth 2.0 ("Open Authorization").
  • Auto-create (SSO mode): Automatically create a new user in WhenToWork at the time of login, when no match is found for the incoming Azure email address. An email will be sent to the main manager to indicate that a new WhenToWork user has been generated. Enabling this option will allow users to have immediate access to WhenToWork but the manager will still need to set up the user with positions and schedule.
    • This option is appropriate for brand new WhenToWork accounts and for legacy accounts wherein all current users have already been provisioned.
    • Managers must wait for new users to access WhenToWork before assigning positions and shifts to users.
  • Client Secret: in the context of Azure, a client secret serves as the password for a service principal. Think of it like a backstage pass: the secret allows an application to prove its identity when requesting an access token. It is commonly used for authorization in scenarios like API calls without involving a browser or human sign-in.
  • Email Matching (SSO mode): on first login, an unprovisioned Azure user is automatically provisioned by locating the WhenToWork primary email address or addresses that match the incoming Azure email address.
    • User email addresses assigned in Azure must be found in the primary email address list of at least one WhenToWork user.
    • If there are multiple matches, all matching WhenToWork user accounts will be provisioned. When logging in via Azure, a pick list will be presented.
    • WhenToWork email address changes are restricted to managers until after an employee is provisioned.
  • IAM (Identity and Access Management): ensures that only the right people can access an organization's data and resources. It is a cybersecurity practice that enables IT administrators to restrict access to organizational resources so that only the people who need access have it.
  • ID Token: imagine attending a conference with name tags. An ID token serves as proof of authentication, confirming that a user is who they claim to be. It contains information about the user and is always in JSON Web Token (JWT) format. But here is the catch: do not use an ID token to call an API; use an access token instead.
  • Identity: who you are (profile and email scopes). Issued by an Identity Provider (IDP); the immutable identifier is typically the email address. Examples: OpenID, SAML.
  • Locked (SSO mode): New users cannot be provisioned for SSO access using Azure. This mode should be applied to any account, including a test account, which is no longer in use.
    • Provisioned users for this account should be unlinked before applying this mode so that their Azure identities are available for linking under a different WhenToWork account.
  • Mode: determines how employees are provisioned and signed in using Azure. The Mode setting has no effect on tech users, who can log in using either Azure SSO login or a WhenToWork login id and password. This prevents tech users from being accidentally locked out due to a configuration error. There are five options for Mode: Self-provisioning, Email Matching, Auto-create, Preemptive, and Locked. See SSO Mode Options for more information.
  • OAuth2 (Open Authorization): allows access to resources hosted by another web app. The protocol is rigid, but it offers several flows: implicit, hybrid, and authorization code.
  • Preemptive (SSO mode): Managers link users in the Azure user directory to a user account in WhenToWork prior to any attempt to log in to WhenToWork, and without any provisioning-related action required on behalf of the user.
    • Preemptive Employee Provisioning is the most deterministic method of employee provisioning.
    • All of the provisioning effort and responsibility resides with the manager.
    • Additional effort is required to set up the query and permissions or keys needed to access the Azure user directory from WhenToWork.
  • Provisioning: refers to the process of creating user accounts and granting them appropriate rights and permissions to access an organization’s resources.
  • Self-provisioning (SSO mode): refers to a process where users can autonomously create or manage their own accounts for single sign-on (SSO) services. Essentially, it allows users to set up their authentication credentials without administrative intervention.
    Active WhenToWork users provision their own accounts without prior action by the manager. As users log in to WhenToWork using their login ID and password, they are prompted to select their Azure identity. Thereafter, WhenToWork is only accessible using Azure credentials via the Home Page URL. Only a manager can de-provision a user-provisioned account, which then optionally sends instructions to the user to restart the self-provisioning process.

    • Unprovisioned users must know their WhenToWork password.
    • When implementing SSO on an existing account, this mode reduces the manager’s effort of manually provisioning a large number of users.
    • Once existing users are all provisioned, you should change the configuration to a different Mode so that new users will not have to go through the process of entering a WhenToWork login id and password.
  • SSO (Single Sign-On): an authentication scheme that allows users to log in once using a single set of credentials and access multiple applications during the same session. In other words, it enables seamless access to related software systems without the need to re-enter authentication factors.
  • Tech user: a Tech user is a new user type in WhenToWork that is used to configure and set up SSO capabilities. This is created for someone in your organization who has expertise in Azure or Okta implementations. A Tech user account can be created for anyone, including the current WhenToWork company Manager; however, SSO configuration capabilities are only accessible when signed in to the Tech user account. See the instructions to add a tech user.
  • Two-Factor Authentication (2FA): an identity and access management security method that requires two forms of identification to access resources and data. It provides an additional layer of security beyond just a password, helping businesses monitor and safeguard sensitive information and networks. Enabling the Two-Factor Authentication setting offsets the risk of relying on a password alone by enforcing an additional layer of security for users who can change security-related settings.