After enabling either Azure (Entra ID) or Okta, your first SSO configuration task is to select an SSO Mode that fits your company’s needs. Note that if you are already using WhenToWork, you may initially choose a Mode that eases the transition of current WhenToWork employees to SSO login, and later change to a different Mode after all existing users have been provisioned.
The Mode selection dropdown provides five options: Self-provisioning, Email Matching, Auto-create, Preemptive and Locked. Each option is described below and in the Setup Assistant. You can also use the provided “Help me choose” button, which analyzes your company user information and asks a series of questions to help you determine the best Mode for your needs.
- Self-provisioning: Active WhenToWork users provision their own accounts without prior action by the manager. As users log in to WhenToWork using their login ID and password, they will be prompted to select their Azure identity. Thereafter, WhenToWork is only accessible using Azure credentials via the Home Page URL. Only a manager can de-provision a user-provisioned account; doing so optionally sends instructions to the user to restart the self-provisioning process.
  - Unprovisioned users must know their WhenToWork password.
  - When implementing SSO on an existing account, this mode reduces the manager’s effort of manually provisioning a large number of users.
  - Once existing users are all provisioned, you should change the configuration to a different Mode so that new users will not have to go through the process of entering a WhenToWork login id and
- Email Matching: An unprovisioned Azure user is automatically provisioned at first login by locating the WhenToWork primary email address or addresses that match the incoming Azure email address.
  - User email addresses assigned in Azure must be found in the primary email address list of at least one WhenToWork user.
  - If there are multiple matches, all matching WhenToWork user accounts will be provisioned. When logging in via Azure, a pick list will be presented.
  - WhenToWork email address changes are restricted to managers until after an employee is provisioned.
- Auto-create: Automatically create a new user in WhenToWork at the time of login, when no match is found for the incoming Azure email address. An email will be sent to the main manager to indicate that a new WhenToWork user has been generated. Enabling this option allows users to have immediate access to WhenToWork, but the manager will still need to set up the user with positions and a schedule.
  - This option is appropriate for brand new WhenToWork accounts and for legacy accounts in which all current users have already been provisioned.
  - Managers must wait for new users to access WhenToWork before assigning positions and shifts to users.
- Preemptive: Managers link users in the Azure user directory to a user account in WhenToWork prior to any attempt to log in to WhenToWork, and without any provisioning-related action required on the part of the user.
  - Preemptive Employee Provisioning is the most deterministic method of employee provisioning.
  - All of the provisioning effort and responsibility resides with the manager.
  - Additional effort is required to set up the query and permissions or keys needed to access the Azure user directory from WhenToWork.
  - Click here to see an example of Preemptive setup.
- Locked: New users cannot be provisioned for SSO access using Azure. This mode should be applied to any account, including a test account, which is no longer in use.
  - Provisioned users for this account should be unlinked before applying this mode so that their Azure identities are available for linking under a different WhenToWork account.
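The Email Matching rules above can be checked against your own user data before you switch modes. The following is an added example, not WhenToWork code: the record layout, the sample addresses and the case-insensitive comparison are all assumptions.

```python
from collections import defaultdict

# Constructed sample data; the field layout is an assumption,
# not a WhenToWork or Azure export format.
W2W_USERS = [
    {"id": "w1", "primary_emails": ["ana@example.com"]},
    {"id": "w2", "primary_emails": ["Sam@Example.com", "sam.alt@example.com"]},
    {"id": "w3", "primary_emails": ["sam@example.com"]},       # shares an address with w2
    {"id": "w4", "primary_emails": ["lee@personal.example"]},  # not in the directory
]
AZURE_EMAILS = ["ana@example.com", "sam@example.com", "kim@example.com"]


def normalize(email):
    # Assumption: comparison ignores case and surrounding whitespace.
    return email.strip().lower()


def audit_email_matching(w2w_users, azure_emails):
    """Classify each directory email by how many users list it as a primary email."""
    index = defaultdict(set)
    for user in w2w_users:
        for email in user["primary_emails"]:
            index[normalize(email)].add(user["id"])

    report = {"single": {}, "multiple": {}, "no_match": [], "unreachable_users": []}
    matched_users = set()
    for email in azure_emails:
        ids = sorted(index.get(normalize(email), ()))
        matched_users.update(ids)
        if not ids:
            report["no_match"].append(email)   # no match: a new user under Auto-create
        elif len(ids) == 1:
            report["single"][email] = ids[0]   # one account would be provisioned
        else:
            report["multiple"][email] = ids    # all are provisioned; pick list at login
    # Existing users that no directory email would ever reach.
    report["unreachable_users"] = sorted(
        u["id"] for u in w2w_users if u["id"] not in matched_users
    )
    return report


if __name__ == "__main__":
    for key, value in audit_email_matching(W2W_USERS, AZURE_EMAILS).items():
        print(f"{key}: {value}")
```

Entries under `multiple` deserve a manual review, since one directory identity would be linked to every listed account.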
Once you have selected a Mode, the Setup Assistant will step you through the configuration inputs required for that Mode.
The Setup Assistant provides elaborate instructions, incremental validation and additional error checking, and therefore provides the most reliable setup results; however, if you are already familiar with the configuration settings, you may elect to make your changes on the SSO Configuration base page.
If you need to repeat the same configuration on additional WhenToWork accounts, or to save the current configuration state for restoration at a later time, use the Backup and Restore buttons, which save and restore the entire SSO configuration to/from a local file.
Note that you can temporarily disable your SSO configuration using the “Disable Okta/Azure” button, which preserves your configuration data until you decide to re-enable it at a later time. Also, enabling a different IAM provider does not replace the configuration data for other IAMs.
See also:
Preemptive Provisioning