tdannecy@gmail.com

Configure WhenIWork SAML SSO in Entra ID

#Entra #AzureAD

I've been working with a company that uses When I Work for employee scheduling and time tracking. This week, they wanted to onboard the service to Entra ID so that users can have a seamless sign on experience through their Microsoft account and the IT admins can secure logins with Conditional Access and other features in the M365 platform.

In my experience, every time I setup SAML Single Sign-On with SaaS apps in Entra ID, the language to get the integration setup is all over the place. Entity IDs, ACS, Issuer URLs, Endpoint URLs, Consumer URLs, Authority URLs, OAuth token endpoints—it's very confusing and changes for each service.

For this project, we couldn't find a guide for onboarding WhenIWork to Entra ID for Single Sign-On, so I wanted to write these steps down for other admins who need it. Big thanks to Sam Guerra for figuring this out.

To make these changes, you'll need these permissions at the minimum:

If you're running Windows, you will also need Local Admin permissions to install the OpenSSL package on your PC (more info below).

Setup the Enterprise Application in Entra ID

First, navigate to the Entra ID/Azure AD portal: https://azad.cmd.ms/

Search for and open up the “Enterprise Application” blade. Click the “New Application” button:

Click the “Create your own application” button. Add a descriptive title like “When I Work SSO”, “WhenIWork” or something similar, then click the “Create” button:

Update the SAML attributes

WhenIWork requires the Unique User Attribute in Entra ID to be set as “user.Mail” instead of the default “user.userPrincipalName”.

To change this, scroll down to section 2 “Attributes & Claims” and click the “Edit” button:

Click on the row “Unique User Identifier (Name ID)”:

Change the “Source attribute” dropdown and set it to “user.mail”:

Save all of the changes and return to the WhenIWork “Single sign-on” blade.

Add information from WhenIWork to Entra ID

When your Enterprise Application is setup, we will need to get some information from WhenIWork using an account with Admin permissions.

Open the following URL in a new tab https://appx.wheniwork.com/settings/saml and login, or open the WhenIWork admin console, login, and navigate to the Gear icon > General Settings at the top right of the page:

Then, select the “SAML SSO” option from the menu on the left:

In the other tab with Entra ID, navigate to the SSO blade located at Manage > Single sign-on and click the “SAML” option:

To make things easier, move the WhenIWork SAML window on the left side of the screen, and the Entra ID Enterprise Application page to the right.

Copy the following values from WhenIWork over to the Entra ID “Basic SAML Configuration” page and click the “Save” button when finished.

WhenIWork Entra ID Format
Entity ID Identifier (Entity ID) https://saml.wheniwork.com/<5 digit WhenIWork customer ID>
Consumer URL Reply URL (Assertion Consumer Service URL) https://app.wheniwork.com/rest/saml/auth/<5 digit WhenIWork customer ID>

Add information from Entra ID to WhenIWork

Now that you've added the information to Entra from WhenIWork, you will need to add some information in the other direction.

In Entra ID, navigate back to the Single sign-on blade and scroll down to the fourth section on the “SAML-based Sign-on” page. Copy the following values from Entra ID over into WhenIWork:

Entra ID WhenIWork Format
Login URL Endpoint URL (SSO) https://login.microsoftonline.com/**<36 character Entra Tenant ID>**/saml2
Microsoft Entra Identifier Issuer URL (Entity ID) https://sts.windows.net/**<36 character Entra Tenant ID>**/
(Be sure to include the / backslash at the end.)

Get the certificate fingerprint

Download the Certificate file. In the Entra ID tab, navigate to the “Single sign-on” blade of the Enterprise Application, scroll down to section 3 “SAML Certificates” and download the “Certificate (Base 64)” file in the .cer format.

Now, you'll need to get the Certificate Fingerprint (not the Thumbprint listed in Entra ID) from the .cer file. This is a bit of a pain and requires some manual intervention.

Here are the instructions for both Windows and MacOS to generate the fingerprint:

Windows

These steps were performed on Windows 11.

On a Windows PC, you will need to download and run an OpenSSL application to generate the fingerprint.

Open a new tab and download the Win64OpenSSLLight EXE file directly from this link: https://slproweb.com/download/Win64OpenSSLLight-340.exe

Alternatively, navigate to the product page and download the version you need: https://slproweb.com/products/Win32OpenSSL.html

Install the EXE file and open the app from the Start menu named “win64 OpenSSL Command Prompt:

Run the following command to generate the thumbprint, changing the -in location to where you downloaded the file:

openssl x509 -fingerprint -sha256 -in "C:\Users\TimDAnnecy\Downloads\When I Work.cer"

Copy the output to the clipboard:

Now, you need to remove the : colon characters from the Fingerprint string.

You can do this manually, or by pasting it into Notepad and using the Find & Replace tool (Ctrl + H) to “Replace all” and remove all colon characters. Once cleaned up, Copy the Fingerprint to the clipboard.

Now, you need to remove the : colon characters from the Fingerprint string.

You can do this manually, or by pasting it into Text Edit and using the Find & Replace tool (Ctrl + H) to “Replace all” and remove all colon characters. Once cleaned up, Copy the Fingerprint back to the clipboard.

MacOS

Note: These steps were performed on MacOS Sequoia 15.2 (24C98)

On a Mac, the OpenSSL app is pre-installed and you can generate the thumbprint with a single command.

Open the Terminal app and run the following command, changing the location to where you downloaded the file:

openssl x509 -fingerprint -sha256 -in /Users/tim/Downloads/When\ I\ Work.cer

Copy the Fingerprint output to the clipboard:

Now, you need to remove the : colon characters from the Fingerprint string.

You can do this manually, or by pasting it into TextEdit and using the Find & Replace tool (Command + F) to “Replace all” and remove all colon characters. Once cleaned up, Copy the Fingerprint back to the clipboard.

Paste the Fingerprint into WhenIWork

Once you have the Fingerprint copied to the clipboard, return to the WhenIWork SAML page and paste the value into the “Certificate Fingerprint (SAML)” field and click the “Save” button.

Test the integration

Now that the attributes have been added in WhenIWork and in Entra ID, test to make sure the configuration is working by clicking the “Test this application” button:

Click the “Test sign-in” button. If everything comes back successfully, you've configured the Entra ID side correctly.

Try signing into WhenIWork by navigating to the app in the M365 Waffle menu:

Alternatively, navigate to the main WhenIWork homepage and click the “Login” link that the top right: https://wheniwork.com

On the login page, click the “Third Party Connect” button:

Choose “SAML”:

Type the company name, account ID, or subdomain and click the “Login” button.

Note: If you don't know the Account ID, you can get it by signing in with your Admin account (non-SSO sign in) and navigating to Gear icon > General Settings at the top right of the page. This information is in the Account ID field.

If SAML is configured correctly, you'll get the Entra ID sign in flow and can sign in using your Microsoft account.

Conclusion

Thanks again to Sam Guerra for figuring out the certificates in this flow.

Discuss...