Pulse And OpenIDConnect (OIDC) User Authentication

Introduction

This guide explains how to configure Timebase Pulse to authenticate users via OpenIDConnect (OIDC), a modern standard for secure authentication. OpenIDConnect allows users to sign in using their existing accounts with Identity Providers like Microsoft Entra ID, Google, Okta, Auth0, and others - without storing passwords in Pulse.

The Identity Providers are configured in the settings.config file of your Pulse instance. See the link below explaining the Pulse settings.config file. The IdentityProviders section of this file, explained below, is explained below. Note that this section is added to the existing JSON object the Pulse settings.config file.

Pulse Settings Configuration

Understanding the Configuration

Configuration Structure

Field Descriptions

Type: Fully qualified type name for the OpenIDConnect plugin. Always use: Timebase.Pulse.IdentityProvider.OpenIDConnect.Plugin

Display name: User-facing name displayed on the Pulse login page (e.g., "Sign in with Google")

Scheme: Unique internal identifier for this provider. Must be URL-safe and match the callback path /signin-{scheme}

ClientId: OAuth 2.0 client identifier provided by your identity provider

ClientSecret: OAuth 2.0 client secret (keep secure!)

Authority: Base URL of the identity provider's OpenIDConnect discovery endpoint

Scopes: OAuth scopes to request. Minimum: ["openid", "email"]

ClaimsToMap: Maps OIDC claims to Pulse user properties. Common claims to map include:

Name: User's display name in Pulse. Common OIDC Claims include name, email,preferred_username
Email: User's email address, email
NameIdentifier: Unique user identifier (recommended to use sub)
GivenName: First name. Common OIDC Claims include given_name
FamilyName: Last name. Common OIDC Claims include family_name

You can configure multiple OpenIDConnect Identity Providers simultaneously. Users will see all options on the login page:

Deeper Dive: Example 1

Azure Entra ID Configuration

{
"Type": "Timebase.Pulse.IdentityProvider.OpenIDConnect.Plugin",
"DisplayName": "Azure AD",
"Scheme": "entra",
"Options": {
"ClientId": "Your Application (Client) ID goes here",
"ClientSecret": "Your Client Secret goes here",
"Authority": "https://login.microsoftonline.com/{tenant-id}/v2.0",
"Scopes": [ "email" ],
"ClaimsToMap": {
"Name": "email",
}
}
}

Steps in Azure

Step 1: Create App Registration

Navigate to Azure Portal: Go to portal.azure.com. Search for "Microsoft Entra ID" or "Azure Active Directory"

Create New App Registration: Select App registrations from the left menu. Click + New registration

Configure Registration: Name: Timebase Pulse Production

Supported account types: Single tenant - Only your organization (most common) Multi-tenant - Multiple organizations. Personal Microsoft accounts - Include consumer accounts.

Redirect URI: Platform: Web. URI: https://your-pulse-domain.com/signin-entra

⚠️ Must match your Scheme value: /signin-{scheme}

Click Register

Step 2: Gather Configuration Values

From Overview Page

- Copy Application (client) ID → This is your ClientId
- Copy Directory (tenant) ID → Use in Authority URL

Build your Authority URL

- Format: https://login.microsoftonline.com/{tenant-id}/v2.0
- Example: https://login.microsoftonline.com/279ae460-7684-4d08-9705-13cec36d1ea2/v2.0
- Use /common/v2.0 for multi-tenant apps (allows any Azure AD account)

Authority URL Variations:

Single tenant: https://login.microsoftonline.com/{tenant-id}/v2.0
Multi-tenant: https://login.microsoftonline.com/common/v2.0
Consumer accounts: https://login.microsoftonline.com/consumers/v2.0

Step 3: Create Client Secret

Navigate to Certificates & Secrets

- Select Certificates & secrets from left menu
- Click + New client secret

⚠️ CRITICAL: Copy the Value immediately (shown only once)

Step 4: Configure API Permissions

Add Permissions

- Select API permissions from left menu
- Click + Add a permission
- Choose Microsoft Graph → Delegated permissions
- Add:
  - openid (should be included by default)
  - email (View users' email address)
  - profile (View users' basic profile)
- Click Add permissions

Grant Admin Consent (Optional but recommended)

- Click Grant admin consent for [Your Organization]
- This pre-approves permissions for all users

Step 5: Configure Token Claims (Recommended)

Add Optional Claims

- Select Token configuration from left menu
- Click + Add optional claim
- Token type: ID
- Select claims:
  - email
  - preferred_username
- Click Add

Deeper Dive: Example 2

Google Workspace / Google Identity

{
"Type": "Timebase.Pulse.IdentityProvider.OpenIDConnect.Plugin",
"DisplayName": "Google",
"Scheme": "google",
"Options": {
"ClientId": "{ClientID}.apps.googleusercontent.com",
"ClientSecret": "Your Client Secret goes here",
"Authority": "https://accounts.google.com/",
"Scopes": [ "openid", "email", "profile" ],
"ClaimsToMap": {
"Name": "email",
"Email": "email",
"NameIdentifier": "sub"
}
}
}

Google Setup Steps

Step 1: Create Google Cloud Project

Navigate to Google Cloud Console

- Go to console.cloud.google.com
- Sign in with a Google account with admin privileges
Create or Select Project
- Click the project dropdown at the top
- Click New Project
- Project name: Timebase Pulse Auth
- Organization: Select your organization (if applicable)
- Click Create

Step 2: Configure OAuth Consent Screen

Navigate to OAuth Consent

- In the left menu, go to APIs & Services → OAuth consent screen

Choose User Type

- Internal: Only users in your Google Workspace organization (recommended for business)
- External: Anyone with a Google account (requires verification for production)
- Click Create
Configure Consent Screen
- App name: Timebase Pulse
- User support email: Your support email
- App logo: (Optional) Upload company logo
- Application home page: https://your-pulse-domain.com
- Authorized domains: Add your Pulse domain (e.g., flow-software.com)
- Developer contact: Your email address
- Click Save and Continue
Configure Scopes
- Click Add or Remove Scopes
- Select:
  - openid
  - .../auth/userinfo.email
  - .../auth/userinfo.profile
- Click Update → Save and Continue
Add Test Users (External apps only)
- Add email addresses of users who can test before verification
- Click Save and Continue
Review and Submit
- Review settings
- For Internal apps: Click Back to Dashboard (you're done!)
- For External apps: Submit for verification (can take days/weeks)

Step 3: Create OAuth Credentials

Navigate to Credentials

- Go to APIs & Services → Credentials
- Click + Create Credentials → OAuth client ID
Configure OAuth Client
- Application type: Web application
- Name: Timebase Pulse Production
Add Authorized Redirect URIs
- Click + Add URI under "Authorized redirect URIs"
- Add: https://your-pulse-domain.com/signin-google

- Click Create

⚠️ Must exactly match: https://{your-domain}/signin-{scheme}

Save Credentials

- A dialog appears with your credentials
- Client ID: Copy this → This is your ClientId
- Client Secret: Copy this → This is your ClientSecret
- Click OK
- You can always retrieve these from the Credentials page

Note on the configuration values:

ClientId: Format is {numbers}-{hash}.apps.googleusercontent.com
ClientSecret: Format is GOCSPX-{alphanumeric}
Authority: Always https://accounts.google.com/ (no trailing path needed)
Scopes: ["openid", "email", "profile"]

Google-Specific Notes

Authority URL: Google's OpenID Connect discovery document is at https://accounts.google.com/.well-known/openid-configuration

Claims: Google uses standard OpenID Connect claims:

- sub - Unique user identifier
- email - User's email address
- email_verified - Boolean indicating if email is verified
- name - Full display name
- given_name - First name
- family_name - Last name

Pulse And OpenIDConnect (OIDC) User Authentication

How do I configure Pulse to authenticate users using other Identity Providers like Active Directory, Microsoft Entra ID, Google, Okta, Auth0, and others?

Introduction

Understanding the Configuration

Field Descriptions