What settings are required so that employees can also (or only) log in to shyftplan via SSO?
After a one-off setup in your company profile, you can offer your employees, managers and owners a convenient login via SSO. We show you how to do it here.
shyftplan supports the SAML 2.0 protocol for SSO.
- Switch to your company profile
- Select the “Security and SSO” tab
- Activate the “Single sign-on enabled” switch
- Click on the plus symbol
- Fill in all fields marked in red and click on “Save”
- The fields “Assertion consumer service binding” and “SLO target url” do not have to be filled in.
- The fields “SSO target url” and “IDP certificate fingerprint” are always required.
- The IDP certificate fingerprint must be in SHA256 format; you can convert the certificate into a fingerprint, for example, with an online tool.
- For the other fields, the requirement depends on your SSO provider.
- You can request/look up all the necessary values from them.
- For example, the “Issuer” field often, but not always, has to be filled in.
You can then set for each employee (or manager/owner) in their profile whether they can only log in via SSO in future. This is also possible via the API, e.g. when creating a new employment in shyftplan: https://developer.shyftplan.com/reference/postapiv2employments
For security reasons, the setting that employees can only log in with SSO (and not additionally by entering an e-mail and password) can no longer be reversed once it has been activated.
Azure as an example
- Create a new app in the Azure portal: “Shyftplan Prod” or “Shyftplan POC”
- Then select the app by clicking on it and, under “Manage”, open “Single sign-on”
- On the “Select a single sign-on method” page, select SAML
- Click on the Edit button under “Basic SAML Configuration”
- Complete these details:
- Identifier - https://shyftplan.com/saml/metadata
- Reply URL - https://shyftplan.com/saml/auth
- Set the NameID parameter: the NameID must correspond to the e-mail address used in shyftplan. It may be necessary to pass the user's mail (user.mail) instead of the user's uid.
- Under “SAML Signing Certificate”, click on Download next to Certificate (Base64) so that you can save the certificate on your computer:
- Copy the content of the certificate and paste it into an online tool, for example, to generate a SHA256 fingerprint
- You must enter the fingerprint in the company settings in shyftplan in your SSO settings (IDP certificate fingerprint)
- Copy the Azure “Login URL” and enter it as the SSO Target URL:
In the screenshot above, you can also see the URL for “Azure AD Identifier”, which you should enter in the “Issuer” field.
- Also add this IDP fingerprint algorithm: http://www.w3.org/2000/09/xmldsig#sha256
- Finally, click on “Save”
- The following fields can be left blank:
- Assertion consumer service binding
- Name ID format
- Issuer
- Authentication context
- SLO target URL
- “Want assertions signed” can remain deactivated
IdP certificate
Instead of the entire certificate, enter only its SHA256 fingerprint in shyftplan. For example, use an online service to calculate the fingerprint from the certificate (select SHA256 as the algorithm).
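The fingerprint step appears three times on this page (the general settings list, the Azure walkthrough and the IdP certificate note), each time pointing to an online tool. As an added example that is not part of the shyftplan article or product, the script below computes the same SHA256 fingerprint locally: the downloaded Certificate (Base64) file is decoded to its DER bytes and hashed, so the certificate never has to be pasted into a third-party website. The sample certificate bytes are constructed placeholders, not a real certificate.

```python
"""Compute the SHA256 fingerprint shyftplan expects for the IdP certificate.

Added example, not shyftplan code. Accepts the PEM file as downloaded from
Azure ("Certificate (Base64)") or the bare Base64 body.
"""
import base64
import hashlib
import re

PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def certificate_der(pem_or_base64: str) -> bytes:
    """Return the DER bytes of a certificate given as PEM or bare Base64.

    Header/footer lines and all whitespace are stripped first; the fingerprint
    is computed over the DER bytes, so line breaks must not change the result.
    """
    body = PEM_MARKER.sub("", pem_or_base64)
    body = "".join(body.split())
    if not body:
        raise ValueError("no certificate data found")
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(pem_or_base64: str, separator: str = ":") -> str:
    """SHA256 fingerprint of the certificate as uppercase hex, e.g. 'AB:CD:...'.

    Pass separator='' if the target field wants a plain hex string.
    """
    digest = hashlib.sha256(certificate_der(pem_or_base64)).hexdigest().upper()
    return separator.join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: NOT a real certificate, just placeholder bytes wrapped
# in PEM markers so the example runs offline. Use your downloaded file instead.
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # This value goes into "IDP certificate fingerprint" in the shyftplan
    # company settings.
    print(sha256_fingerprint(SAMPLE_PEM))
```

Compare the printed value with what the IdP shows as the certificate thumbprint (where it offers SHA256); a mismatch usually means the wrong certificate was downloaded.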