CheckWorkRights offers SSO Authentication for customers using Microsoft Entra (formerly Active Directory) as their identity provider.
This allows IT teams to have an additional level of security and control over access to CheckWorkRights and the employee data contained on the platform.
Users can then access CheckWorkRights using the UPN email address associated with their Entra identity using the same authentication workflow they are used to, without memorising a new password or login process.
Getting Started
To configure our Microsoft Entra-based SSO authentication please contact the CheckWorkRights team.
There are broadly two steps to getting this set up:
CheckWorkRights team will provide your tech team with configuration instructions for an enterprise app in your Entra environment. This should generate three IDs: a Client ID, Client Secret and Tenant ID.
Entering those three IDs into CheckWorkRights and confirming the new authentication flow. We will do this step together with you and someone from your tech team on a quick call.
This will replace the login workflow for users already in CheckWorkRights as well as any new ones you create. Noting that it’s an all-in authentication approach so no users will be able to access CheckWorkRights without the right permissions in Entra.
Authentication Flow of SSO enabled account
First, enter the user’s email address (please ensure that the user’s UPN (username) in Entra matches the email address entered in CheckWorkRights).
Note: The credentials entered on the Microsoft sign in page are the credentials the user will be signed in as, if a matching CheckWorkRights user exists.
In the event that they enter one email on the CheckWorkRights sign in page, and a different one on Microsoft sign in page, the Microsoft sign in will be respected.
Click Next. The user will be navigated to the Microsoft login page.
Pick an account or Click ‘Use another account’.
If the user clicks ‘Use another account’.
First, the user needs to enter their Microsoft email and click Next.
Enter Password and click Sign in.
Click Yes to continue. The user will then be redirected to the CheckWorkRights Dashboard screen.
Note: If the user selects an existing account, they will be directed to the password entry page. If the user selects an account that is already signed in with Microsoft, they will be redirected to CheckWorkRights Dashboard screen.
When creating a new user, the user email in CheckWorkRights has to match the users primary email (UPN) in Entra.
How to Disable SSO
As an Administrator in CheckWorkRights navigate to the Integration tab in the Admin Section
Click the Disable button, and confirm the action in the modal that appears.
After disabling, the user is navigated back to the Integrations tab.
FAQ’s
Will we have a break glass account excluded from SSO?
No, all users will be subjected to SSO on the account. That being the case, CheckWorkRights can always recover your account for you should you for whatever reason lose access.
Will users be forced to use SSO or will the capability exist for users to log in manually?
All users will be forced to use SSO if it's on for the account.
Will we have separate landing pages for the manual (break glass) and SSO accounts?
No separate landing page, users will login at the same admin page, and if their email matches an existing account in your CheckWorkRights account they'll be sent off to Entra for validation.
Will the approach be to upload the SSO certificate or credentials? Will it be self-managed?
The setup requires you to follow a config process on your Microsoft Entra tenancy and provide us with three fields: tenant id, client id and client secret.
We'll use these three to access your Microsoft instance for authentication purposes. You can provide these values directly into our UI.
I can't Log in with my SSO credentials
Here are a couple of checks you can do to help you log into the CheckWorkRights Web Application:
Ask your Microsoft Entra administrator to check that you have permission to log in to CheckWorkRights
Ask your CheckWorkRights Administrator to ensure your user email in CheckWorkRights matches your Microsoft Entra email. This needs to be your primary Entra email address (UPN).
If you tried to log in and received this screen, you do not have the required permissions to access the CheckWorkRights Web Application
Ask your CheckWorkRights Administrator to review your permissions, you will need to have access to the Web Application with any of the following account profiles: Administrator, All Employees, By Multiple Business Units or Locations, By Single Business Units, or Recruitment Team.
The list of User Security options available in CheckWorkRights can be viewed in the User Security page