Extras

Clockify Help Center Extras Single sign-on (SSO)

Single sign-on (SSO)

Single sign-on feature (hereafter SSO) provides security at scale by eliminating user passwords, controlling access and managing login credentials by using your company’s IdP via both SAML and OAuth (Office 365, Okta, Azure, Active Directory, Google, OneLogin…).

This is an extra feature, which you can enable by upgrading your workspace to Enterprise plan.

Depending on the type of hosting, there are different ways in which you can set it up in Clockify:

Self-hosting #

If you’re self-hosting Clockify, set up SSO in your Admin panel. It’s enabled across all workspaces.

Cloud hosting #

In order to use SSO, you first need to move your workspace to subdomain. After that, you can add SSO configuration and disable other forms of login.

Setting up custom subdomain #

Moving to subdomain #

Before you can configure and start using SSO for authorization, you need to move your Clockify app domain to a custom subdomain.

When you upgrade your Clockify subscription to Enterprise plan, you will get Authentication tab in the Workspace settings. There, you can enter the subdomain you’d like to use and move your workspace there.

To set up subdomain:

  1. Navigate to the Authentication tab in the Workspace settings
  2. Enter your custom subdomain in the provided field
  3. Click Create subdomain and Create to confirm the action

After you created your subdomain and moved your workspace there, Google login will no longer work for you and your users.

If you’d, however, like to use Google login, you need to set it up manually by configuring OAuth2 for SSO.

For more information, check out the Setting up Google login section below.

Your users can set up password by requesting the password reset from Forgot password.

Accessing Clockify from subdomain #

After you create your subdomain, you’ll automatically be logged out of any apps you were logged in with your Clockify account. You’ll have access to them only through the subdomain you created (e.g. https://yourcompanysubdomain.clockify.me/login).

Workspaces on subdomain #

Subdomain is tied to only one workspace. Users on subdomain can’t have multiple workspaces: there is no workspace switcher, no workspaces in the sidebar, and no access to subdomain workspace from the main domain.

To access multiple workspaces, log in to the main Clockify domain.

Changing subdomain #

You can change subdomain URL at any time.

Once you change your URL, your Users will be logged out and will have to use the workspace through the new URL.

If you cancel the subscription to the Enterprise plan:

  • you’ll move back to the main domain when the subscription expires
  • your subdomain will become available for others to use
  • your users will have to log in with their email and password

API keys on subdomain #

For security reasons, each user on subdomain gets a separate API key that works only for that workspace – meaning, no one can access your data on your subdomain unless they have the right authorization.

If, for example, there is a user with two separate Enterprise workspaces, workspace owners can’t see, or access data from each others accounts.

Inviting new users #

Once you’re in the subdomain workspace, you can invite users one by one using email (like before), or let anyone join without you having to manually invite them.

To let anyone join, check the Users can join without an invite checkbox.

If you use SSO and someone without an account tries to log in, the account will be automatically created for them and they’ll log in.

If you allow Log in with email and password, people will be able to create an account and automatically join your workspace.

Configuring SSO #

Android app has been migrated from clockify.me domain to app.clockify.me subdomain. Therefore, all the SSO configurations supported by Clockify, should also contain app.clockify.me links. For example, in the Redirect URL section add https://app.clockify.me/login/android/oauth2 to https://clockify.me/login/android/oauth2 link.

Clockify supports all major SSO identity providers:

Only workspace owner can see Authorization tab, manage subdomain, configure SSO, and turn SSO on/off.

If you wish to force everyone to log in with SSO, simply uncheck the Log in with email and password box. Once this change has been saved, any passwords associated to your members’ accounts will no longer work and they will be required to use SSO.

Data in the SSO configuration can always be edited or deleted. If deleted, your users will have to switch back to logging in by using email and password.

Owner can always log in using the original email and password at https://mysubdomain.clockify.me/login-owner

To add Default Relay State, use the parameters below.

Make sure to use curly brackets and straight quotes instead of the curly ones, otherwise it won’t work.

Example of Default Relay State:

{"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"}

SAML2 with Okta #

User interface displayed in this video may not correspond to the latest version of the app.

Step 1: Create subdomain in Clockify #

For more information on this, check out Setting up custom subdomain section.

Step 2: Create application in Okta #

  1. Navigate to Applications in the sidebar
  2. Click Create App Integration button
  3. Choose SAML 2.0 in modal
  4. Click Next

Create SAML integration #

In General Settings form, enter the following information and click Next

  • App name: e.g. Clockify
  • Logo: e.g. upload Clockify logo

In Configure SAML form, enter the following information:

  • Single sign on URL (or ACS): Specific URL that SAML assertions from Okta should be sent to (e.g. https://global.api.clockify.me/auth/saml2)
  • Audience URI (Entity ID in your app): Unique identifier of your custom application; same as Entity Id in SAML authentication field (e.g. https://yourcompanysubdomain.clockify.me)
  • Default Relay State: IdP-initiated authentication so that users can log in to Clockify straight from the Okta dashboard

Example of Default Relay State:

{"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"}

Make sure you put straight quotes instead of the curly ones, or it won’t work.

Leave everything else as is and click Next.

In Feedback check I’m an Okta customer adding an internal app and click Finish.

You should get the screen that looks something like this:

As the final step in this section, click View Setup Instructions button seen in the screenshot above.

In How to Configure SAML 2.0 for Clockify Application, you’ll get the list of data you need in order to configure your Clockify application.

Step 3: Add SSO configuration in Clockify #

Now, in Clockify, in Authentication screen where you created your subdomain:

  1. Click Configure SSO at the bottom of the screen
  2. Choose SAML2 as authentication type
  3. Choose Okta as IdP Template

SAML2 authentication form appears:

Enter the following:

  • Entity Id (Audience URI in Okta): e.g. https://yourcompanysubdomain.clockify.me
  • Metadata Url:
    • Navigate back to Okta
    • Copy the Identity Provider metadata link from the Settings section in Okta
    • Save it as an .xml file and upload it to Clockify
  • SAML SSO URL: Copy/paste Identity Provider Single Sign-On URL from Okta’s How to configure SAML 2.0 for Clockify Application

For example:

https://okta.ops.clockify.me/app/dev05335506_clockifytempsaml2_1/exk4erumfseHaalgs5d7/sso/saml
  • Advanced: Copy/paste X.509 Certificate from Okta

Finally, your screen in Clockify should look something like this:

and

Click Finish configuration to complete the process and enable Log in with SAML2. Optionally, disable Log in with email and password.

Step 4: Assign application in Okta #

In Okta:

  1. Navigate to Applications
  2. Choose Clockify
  3. In Assignments tab click Assign
  4. Choose Assign to People/Groups depending on who from your Okta account you’d like to be able to access Clockify

And that’s it! Now you, and your workspace users are able to log in to your workspace with SAML2.

SAML2 with OneLogin #

User interface displayed in this video may not correspond to the latest version of the app.

Step 1: Create subdomain in Clockify #

For more information on this, check out Setting up custom subdomain section.

Step 2: Create application in OneLogin #

  1. Navigate to Applications
  2. Click Add App
  3. Search and choose SAML Custom Connector (Advanced)
  4. Info:
    • Display Name: Clockify
    • Logo: e.g. upload Clockify logo

Click Save and fill out the Configuration:

  • Audience: Clockify
  • Recipient: https://global.api.clockify.me/auth/saml2
  • ACS (Consumer) URL Validator*: ^https:\/\/global.api.clockify\.me\/auth\/saml2\/$
  • ACS (Consumer) URL*: https://global.api.clockify.me/auth/saml2
  • Login URL: https://yourcompanysubdomain.clockify.me/
  • SAML initiator: Service Provider
  • Click Save to complete the process

Step 3: Add SSO configuration in Clockify #

  1. Click Configure SSO
  2. Choose SAML2 as authentication type
  3. Choose OneLogin as IdP Template and fill out the following fields
    • Audience (Entity Id): Clockify
    • Metadata Url: Go to OneLogin > SSO and copy Issuer URL then paste it in Metadata Url in Clockify
    • Login Url: Copy/paste SAML 2.0 Endpoint (HTTP) from SSO section in OneLogin

In Advanced section, enter:

  • Certificate: Copy/paste the X.509 Certificate from View Details, SSO in OneLogin

Step 4: Assign application in OneLogin #

In OneLogin:

  1. Navigate to Users (this is where you choose which users from your OneLogin account will be able to access Clockify)
  2. Click on the specific User
  3. In Applications, click the + sign to add an app
  4. Choose Clockify
  5. Click Continue and Save

In Clockify, click Finish configuration to complete the process and enable Log in with SAML 2.0. Optionally, you can disable Log in with email and password.

And that’s it! Now you, and your workspace users are able to log in to your workspace with SAML 2.0.

SAML2 with Google #

Step 1: Create subdomain in Clockify

For more information, check out how to set the subdomain.

Clockify: 

  1. Navigate to the Authentication tab 
  2. Choose Add SSO configuration
  3. Choose SAML2 as identity provider In Authentication type window
  4. Click Next 
  5. Choose Google as IdP template 

Step 2: Create application in Google  #

Google:

  1. Create Google account and go to the Admin page 
  2. Choose Add custom SAML app in Add app
  3. Insert the following
    App name: e.g. https://yourcompanysubdomain.clockify.me/
    Description: e.g. Clockify SAML2 demo app
    App icon: optionally add icon
  4. Click Continue 
  5. You’ll proceed to the Google Identity Provider details screen
    Google side:
  6. Download IdP metadata URL and upload it to Clockify/IdP Metadata URL field
  7. Copy SSO URL and paste it to Login URL field in Clockify
    Clockify side:
  8. Click Continue
  9. You’ll proceed to Service provider details
  10. Insert the following:
    – ACS URL: Copy/paste Reply URL from Clockify, e.g. https://global.api.clockify.me/auth/saml2
    – Entity ID: Unique identifier of your custom application, e.g. Clockify
    – Start URL: Copy/paste Default Relay State from Clockify, e.g. 

{“location”:”https://yourcompanysubdomain.clockify.me”,”organizationName”:”yourcompanysubdomain”, “appName”: “WEB”}


  1.  Click Continue
  2. You’ll proceed to the Attribute mapping screen
  3. Click Finish to complete the process

Now that you’ve completed all the steps and created the app, open the app’s settings and in Service status enable the app for everyone.

The app you created will appear in the Google workspace for all the users of that workspace.   

SAML2 with Rippling #

Step 1: Create subdomain in Clockify #

For more information on this, check out the Setting up custom subdomain section.

Step 2: Create application in Rippling #

  1. Log in to Rippling as Administrator
  2. Select IT management
  3. Select Custom app
  4. Give app a descriptive name, select category and upload a logo
  5. Check Single Sign-on (SAML) 
  6. Click Continue
  7. Confirm that you are Application Admin

New page with SSO instructions opens and you can proceed with the next step. The page contains SSO Setup instructions which include the IdP Metadata XML file.

Download IDP Metadata from Rippling.

Step 3: Add SSO configuration in Clockify #

In the Authentication tab in which you created your subdomain:

  1. Click Add SSO configuration
  2. Choose SAML2 as authentication type and click Next
  3. Choose Rippling as IdP Template

In SAML2 authentication form that appears enter the following information:

  • Entity Id (Service Provider Entity ID in Rippling): e.g. https://yourcompanysubdomain.clockify.me
  • Metadata Url: Upload IdP Metadata XML file you downloaded in Step 2
  • Login Url: Copy/paste IdP Metadata URL from Rippling

Click Finish configuration to complete the process and enable Log in with SAML2. Optionally, disable Log in with email and password.

Step 4: Assign application in Rippling #

Navigate back to Rippling:

On SSO Instructions page scroll down and enter the following: 

  • ACS URL: Copy/paste Reply URL from Clockify
  • Service Provider Entity ID: Copy/paste Entity ID from Clockify 
  1. Click Move to Next Step 
  2. Choose Access Rules you want
  3. Choose Provision Time you want
  4. Configure SSO for Admins if necessary 
  5. Configure Group Attributes if necessary
  6. Click Connect via Rippling if you’d like to check the connection between apps or simply Continue

And that’s it! You’ve successfully installed your application in rippling and you and your users are now able to log in to your workspace with SAML 2.0.

SAML2 with JumpCloud #

Step 1: Create subdomain in Clockify #

For more information on this, check out the Setting up custom subdomain section.

Step 2: Add SSO Configuration in Clockify  #

In the Authentication tab in which you created your subdomain:

  1. Click Add SSO configuration
  2. Choose SAML2 as authentication type and click Next
  3. Choose JumpCloud as IdP Template

Step 3: Create application in JumpCloud #

  1. Navigate to SSO in the sidebar on the left
  2. Click + to add new app
  3. Choose Custom SAML App
  4. In Application Information enter the following:
  • Display Label: Application name e.g. Clockify
  • Logo: e.g. upload Clockify logo

In SSO tab you can proceed with the next step. The page contains SSO Setup instructions which include the IdP Metadata XML file. Download IDP Metadata from JumpCloud and save it for later.

Continue by populating the following fields.

Example of Default Relay State:

{"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"}

Make sure you put straight quotes instead of curly ones, or it won’t work.

  1. In User attribute mapping add attributes mapping Service Provider Attribute Name to JumpCloud Attribute Name 
  2. Click Activate
  3. Open the application you created
  4. Click on IDP Certificate Valid on the left and download the certificate
  5. Click Save

You’ve successfully created your application in JumpCloud. Now you can decide which users from your JumpCloud account will be able to access Clockify and finish the configuration in Clockify.

Step 4: Finish SSO configuration in Clockify #

  1. Navigate back to Clockify
  2. In SAML2 authentication form enter the following information:
  • IdP Entity ID: e.g. https://yourcompanysubdomain.clockify.me
  • Metadata Url: Upload IdP Metadata XML file you downloaded in Step 3
  • IdP Url: Copy/paste IDP URL from JumpCloud
  • Advanced: Copy/paste IDP Certificate from JumpCloud

Click Finish configuration to complete the process and enable Log in with SAML2. Optionally, disable Log in with email and password.

Google Login #

Once you move to subdomain, the default Google log-in will stop working and you’ll have to configure it manually to continue using it.

Setting up Google log-in is quick and easy.

You’ll need to have a G Suite or Cloud Identity account in order to do this.

You need to Set up OAuth 2.0 in your Google account, create a project and get OAuth 2.0 client ID for a web application.

In Google Cloud Platform navigate to API & Services and choose Credentials. Open the project/application you’ve created and paste https://yoursubdomain.clockify.me/login under the Authorized redirect URIs.

You should also add the following URIs in order for the OAuth login to work on Clockify mobile apps:

Regional redirection #

If you’re using regional servers for hosting, these are the URLs available for regional redirection:

United States (US)

  • Android: https://use2.clockify.me/en/login/android/oauth
  • iOS: https://use2.clockify.me/en/login/ios/oauth2

Australia (AU)

Europe (EU)

United Kingdom (UK)

  1. In Clockify, go to Authentication tab and click Configure SSO
  2. Choose OAuth2 authentication type
  3. Choose Google in IdP Templates modal
  4. Click Next
  5. Copy/paste Client ID and Client Secret from your Google app as seen in the example below (fields in the Advanced section will be pre-populated)

Your screen in Clockify should look something like this:

and

Click Finish configuration to complete the process. Check the Log in with OAuth checkbox to start using Google login. Optionally, you can force everyone to use your company’s Google identity for logging in by disabling Log in with email and password.

OAuth with Microsoft Azure #

User interface displayed in this video may not correspond to the latest version of the app.

You can connect Azure to Clockify by setting up OAuth.

Step 1: Create subdomain in Clockify #

For more information on this, check out Setting up custom subdomain section.

Step 2: Add SSO configuration in Clockify #

  1. Click Configure SSO
  2. Choose OAuth2 as authentication type
  3. Choose Azure in IdP Templates modal
  4. Copy Redirect URI

Step 3: Register application in AzureAD #

  1. Navigate to App registrations
  2. Click New Registration
  3. Enter the following information:

You should also add the following URIs in order for the OAuth login to work on Clockify mobile apps: https://app.clockify.me/login/ios/oauth2 and https://app.clockify.me/login/android/oauth2 

or, if you’re using one of the regional servers, you should add one of the regional URLs.

Step 4: Configure (Clockify & Azure) #

Configure AzureAD:  #

  • Certificates & Secrets:
    • Choose New client secret
      • Description: Clockify
      • Expires: Never
    • Click Add
  • Client Secret: Copy/paste the value of this client secret
  • API permissions:
    • Add a permission
      • Microsoft Graph
      • Check openid in Delegated permissions
      • Add permissions (you can also check other permissions such as email and profile)
  • Refresh the page
  • Go back to Overview

Configure Clockify: #

  • OAuth2 authentication:
    • Client Id: Go to Azure — Overview — Application (client) ID: copy the value and paste it back in Clockify
    • Client Secret: this should already be pasted from previous steps (Certificates & Secrets)
    • Directory (tenant) ID: Go to Azure — Overview — Directory (tenant) ID copy the value and paste it back in Clockify

Fields in the Advanced section will be pre-populated.

Your screen in Clockify should look something like this:

and

Click Finish configuration to complete the process. Check the Log in with OAuth checkbox (and optionally disable Log in with email and password).

Alternatively, you can connect Azure using the SAML2 authentication protocol, first by adding an unlisted (non-gallery) application to your Azure AD organization and then configuring SAML-based single sign-on to this non-gallery application.

SAML2 with Microsoft Azure #

User interface displayed in this video may not correspond to the latest version of the app.

Step 1: Create subdomain in Clockify #

For more information on this, check out Setting up custom subdomain section.

Step 2: Add application in Azure #

  1. Navigate to Enterprise Applications
  2. New application (then make sure you’re on the new gallery view)
  3. Choose Create your own application
  4. Enter the following:
    • Name: Clockify
    • Integrate any other application you don’t find in the gallery

Click Create and navigate to Properties and fill out the fields:

  • Logo: e.g. upload Clockify logo
  • Optionally change User assignment required and Visible to users if necessary

Click Save to complete the process.

Step 3: Clockify #

  1. Click Configure SSO
  2. Choose SAML2 as authentication type
  3. Click Next

Once you get the SAML2 authentication template, go back to Azure.

Step 4: Azure SSO configuration #

  1. Navigate to Single sign-on in the sidebar
  2. Choose SAML
  3. Basic SAML Configuration (click the pencil to edit):
    • Identifier (Entity ID): This is where you put your subdomain address, e.g. https://yourcompanysubdomain.clockify.me/
    • Reply URL (Assertion Consumer Service URL): go back to Clockify and copy pre-generated Reply URL, e.g. https://global.api.clockify.me/auth/saml2

Click Save and continue with SAML Certificate: (click the pencil to edit):

  • New certificate

Save the changes and click the 3 dots on the Inactive certificate, choose Make certificate active and click Yes.

Now, reload the page to see the changes.

Step 5: Clockify #

  1. Entity Id: (this is where you put your subdomain address, in our case it’s https://yourcompanysubdomain.clockify.me/)
  2. Federation Metadata: Navigate to Azure, under SAML Certificates copy/paste App Federation Metadata Url in Clockify

Login Url: Navigate to Azure, under Set up Clockify find Login URL and copy/paste it in Clockify

Click Finish configuration and enable Log in with SAML2 (and optionally disable Log in with email and password).

Step 6: Assign application in Azure #

  1. Navigate to Users and Groups in the sidebar (where you choose which users from your Azure account will be able to access Clockify)
  2. Click Add user/group
  3. In Users and groups choose users you want
  4. Click Select and Assign

OAuth with Okta #

Step 1: Create subdomain in Clockify #

For more information on this, check out Setting up custom subdomain section.

Step 2: Create application in Okta #

  1. Navigate to Applications in the sidebar
  2. Click Create App Integration button
  3. Choose OIDC – OpenID Connect in Sign-in method section
  4. Choose Web application in Application type section
  5. Click Next

Create OIDC Integration #

In New Web App Integration, General Settings form enter the following information and click Save.

  1. App integration name: e.g. Clockify
  2. Logo (optional): e.g. upload Clockify logo
  3. Sign-in redirect URIs: Copy/paste URL from Redirect URL (Advanced section) in Clockify SSO configuration

You should also add the following URIs in order for the OAuth login to work on Clockify mobile apps:

or, if you’re using one of the regional servers, you should add one of the regional URLs.

Then, scroll down and in the Assignments section check Allow everyone in your organization to access option. Click Save to complete the action.

You should get the screen that looks like this:

Step 3: Add SSO configuration in Clockify #

Now, in Clockify, in Authentication screen where you created your subdomain:

  1. Click Configure SSO at the bottom of the screen
  2. Choose OAuth2 as authentication type
  3. Choose Okta as IdP Template
  4. Click Next

In OAuth authentication form enter the following information:

  • Client ID: Generated in Okta in the previous step; copy it from the Client Credentials section
  • Client Secret: Same as Client ID; copy it from the Client Credentials section
  • Okta Domain: Copy it from Okta, General Settings, Okta domain field (Note: Okta Domain requires a domain name only, for example: doamin_name.okta.com instead of: https://domain_name.okta.com)
  • Advanced section is pre-populated (automatically generated)

The screen should look something like this:

and

Step 4: Assign application in Okta #

In Okta:

  1. Navigate to Applications
  2. Choose Clockify
  3. In Assignments tab click Assign
  4. Choose Assign to People/Groups depending on who from your Okta account you’d like to be able to access Clockify

In Clockify, click Finish configuration to complete the process and enable Log in with OAuth. Optionally, you can disable Log in with email and password.

Finally, your screen in Clockify should look something like this:

And that’s it! Now you, and your workspace users are able to log in to your workspace with OAuth.