Configure WhenIWork SAML SSO in Entra ID
I've been working with a company that uses When I Work for employee scheduling and time tracking. This week, they wanted to onboard the service to Entra ID so that users can have a seamless sign on experience through their Microsoft account and the IT admins can secure logins with Conditional Access and other features in the M365 platform.
In my experience, every time I set up SAML Single Sign-On with SaaS apps in Entra ID, the language to get the integration set up is all over the place. Entity IDs, ACS, Issuer URLs, Endpoint URLs, Consumer URLs, Authority URLs, OAuth token endpoints: it's very confusing and changes for each service.
For this project, we couldn't find a guide for onboarding WhenIWork to Entra ID for Single Sign-On, so I wanted to write these steps down for other admins who need it. Big thanks to Sam Guerra for figuring this out.
To make these changes, you'll need these permissions at the minimum:
- Entra ID – Application Administrator Role (or Global Administrator)
- WhenIWork – Admin Role
If you're running Windows, you will also need Local Admin permissions to install the OpenSSL package on your PC (more info below).
Set up the Enterprise Application in Entra ID
First, navigate to the Entra ID/Azure AD portal: https://azad.cmd.ms/
Search for and open up the “Enterprise Application” blade. Click the “New Application” button:
Click the “Create your own application” button. Add a descriptive title like “When I Work SSO”, “WhenIWork” or something similar, then click the “Create” button:
Update the SAML attributes
WhenIWork requires the Unique User Attribute in Entra ID to be set as “user.mail” instead of the default “user.userPrincipalName”.
To change this, scroll down to section 2 “Attributes & Claims” and click the “Edit” button:
Click on the row “Unique User Identifier (Name ID)”:
Change the “Source attribute” dropdown and set it to “user.mail”:
Save all of the changes and return to the WhenIWork “Single sign-on” blade.
Add information from WhenIWork to Entra ID
When your Enterprise Application is set up, we will need to get some information from WhenIWork using an account with Admin permissions.
Open the following URL in a new tab https://appx.wheniwork.com/settings/saml and log in, or open the WhenIWork admin console, log in, and navigate to the Gear icon > General Settings at the top right of the page:
Then, select the “SAML SSO” option from the menu on the left:
In the other tab with Entra ID, navigate to the SSO blade located at Manage > Single sign-on and click the “SAML” option:
To make things easier, move the WhenIWork SAML window to the left side of the screen, and the Entra ID Enterprise Application page to the right.
Copy the following values from WhenIWork over to the Entra ID “Basic SAML Configuration” page and click the “Save” button when finished.
WhenIWork | Entra ID | Format |
---|---|---|
Entity ID | Identifier (Entity ID) | https://saml.wheniwork.com/<5 digit WhenIWork customer ID> |
Consumer URL | Reply URL (Assertion Consumer Service URL) | https://app.wheniwork.com/rest/saml/auth/<5 digit WhenIWork customer ID> |
Add information from Entra ID to WhenIWork
Now that you've added the information to Entra from WhenIWork, you will need to add some information in the other direction.
In Entra ID, navigate back to the Single sign-on blade and scroll down to the fourth section on the “SAML-based Sign-on” page. Copy the following values from Entra ID over into WhenIWork:
Entra ID | WhenIWork | Format |
---|---|---|
Login URL | Endpoint URL (SSO) | https://login.microsoftonline.com/**<36 character Entra Tenant ID>**/saml2 |
Microsoft Entra Identifier | Issuer URL (Entity ID) | https://sts.windows.net/**<36 character Entra Tenant ID>**/ (Be sure to include the trailing / forward slash at the end.) |
Get the certificate fingerprint
Download the Certificate file. In the Entra ID tab, navigate to the “Single sign-on” blade of the Enterprise Application, scroll down to section 3 “SAML Certificates” and download the “Certificate (Base 64)” file in the .cer format.
Now, you'll need to get the Certificate Fingerprint (not the Thumbprint listed in Entra ID) from the .cer file. This is a bit of a pain and requires some manual intervention.
Here are the instructions for both Windows and MacOS to generate the fingerprint:
Windows
These steps were performed on Windows 11.
On a Windows PC, you will need to download and run an OpenSSL application to generate the fingerprint.
Open a new tab and download the Win64OpenSSLLight EXE file directly from this link: https://slproweb.com/download/Win64OpenSSLLight-340.exe
Alternatively, navigate to the product page and download the version you need: https://slproweb.com/products/Win32OpenSSL.html
Install the EXE file and open the app named “win64 OpenSSL Command Prompt” from the Start menu:
Run the following command to generate the fingerprint, changing the -in location to where you downloaded the file:
openssl x509 -fingerprint -sha256 -in "C:\Users\TimDAnnecy\Downloads\When I Work.cer"
Copy the output to the clipboard:
Now, you need to remove the : colon characters from the Fingerprint string.
You can do this manually, or by pasting it into Notepad and using the Find & Replace tool (Ctrl + H) to “Replace all” and remove all colon characters. Once cleaned up, copy the Fingerprint to the clipboard.
MacOS
Note: These steps were performed on MacOS Sequoia 15.2 (24C98)
On a Mac, the OpenSSL app is pre-installed and you can generate the fingerprint with a single command.
Open the Terminal app and run the following command, changing the location to where you downloaded the file:
openssl x509 -fingerprint -sha256 -in /Users/tim/Downloads/When\ I\ Work.cer
Copy the Fingerprint output to the clipboard:
Now, you need to remove the : colon characters from the Fingerprint string.
You can do this manually, or by pasting it into TextEdit and using the Find & Replace tool (Command + F) to “Replace all” and remove all colon characters. Once cleaned up, copy the Fingerprint back to the clipboard.
Paste the Fingerprint into WhenIWork
Once you have the Fingerprint copied to the clipboard, return to the WhenIWork SAML page and paste the value into the “Certificate Fingerprint (SAML)” field and click the “Save” button.
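The fingerprint is the SHA-256 hash of the certificate's DER bytes, so both the hashing and the colon clean-up above can be done in one step with Python's standard library. This is an added example, not part of the original post or of any WhenIWork or Microsoft tooling; the function names, the uppercase output (chosen to match what openssl prints) and SAMPLE_PEM (constructed placeholder bytes, not a real certificate) are assumptions.

```python
import hashlib
import re
import ssl
import sys
from pathlib import Path


def fingerprint_from_pem(pem_text: str) -> str:
    """Return the SHA-256 fingerprint of a PEM certificate as uppercase hex, no colons."""
    # The "Certificate (Base 64)" download is PEM text; the fingerprint is
    # computed over the decoded DER bytes, not over the text file itself.
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha256(der).hexdigest().upper()


def normalize_openssl_line(line: str) -> str:
    """Turn an openssl 'sha256 Fingerprint=AA:BB:...' line into colon-free hex."""
    value = line.strip().split("=", 1)[-1]
    cleaned = value.replace(":", "").upper()
    # A SHA-256 digest is 32 bytes, so anything other than 64 hex characters
    # means a truncated paste or the wrong hash type.
    if not re.fullmatch(r"[0-9A-F]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint: expected 64 hex characters")
    return cleaned


# Constructed sample: PEM armor around the placeholder bytes b"abc".
# It is NOT a real certificate; it only makes the script runnable offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig tolerates a byte-order mark if an editor re-saved the file.
        text = Path(sys.argv[1]).read_text(encoding="utf-8-sig")
    else:
        text = SAMPLE_PEM
    print(fingerprint_from_pem(text))
```

Pass the path to the downloaded .cer file as the first argument; `normalize_openssl_line` cleans a line already copied from the openssl output and rejects anything that is not 64 hex characters.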
Test the integration
Now that the attributes have been added in WhenIWork and in Entra ID, test to make sure the configuration is working by clicking the “Test this application” button:
Click the “Test sign-in” button. If everything comes back successfully, you've configured the Entra ID side correctly.
Try signing into WhenIWork by navigating to the app in the M365 Waffle menu:
Alternatively, navigate to the main WhenIWork homepage and click the “Login” link at the top right: https://wheniwork.com
On the login page, click the “Third Party Connect” button:
Choose “SAML”:
Type the company name, account ID, or subdomain and click the “Login” button.
Note: If you don't know the Account ID, you can get it by signing in with your Admin account (non-SSO sign in) and navigating to Gear icon > General Settings at the top right of the page. This information is in the Account ID field.
If SAML is configured correctly, you'll get the Entra ID sign in flow and can sign in using your Microsoft account.
Conclusion
Thanks again to Sam Guerra for figuring out the certificates in this flow.