Single sign-on (SSO)
Manage security at scale by eliminating user passwords, controlling access, and managing log-in credentials through your company's identity provider (IdP) via SAML or OAuth (Office 365, Okta, Azure, Active Directory, Google, OneLogin...).
Single sign-on is an extra feature that you can enable by upgrading your workspace to the Enterprise plan.
Cloud: To use SSO, you first need to move your workspace to a subdomain. After that, you can add an SSO configuration and disable the other forms of log-in.
Self-hosting: If you're self-hosting Clockify, you set up SSO in the Admin panel (it's enabled across all workspaces).
Setting up custom domain
Moving to subdomain
Before you can configure SSO and use it to log in, you need to move your Clockify workspace to a custom subdomain.
Once you upgrade Clockify, an Authorization tab appears in workspace settings. There you can type the subdomain you wish to use and move your workspace to it.
Once you move to a subdomain, Google log-in will no longer work for you or your users. To keep using Google log-in, set it up manually under SSO > OAuth2. If a user can't log in, they can set a password by requesting a password reset via the "Forgot password" link.
Accessing Clockify from subdomain
Once you create the subdomain, you and your users have to access Clockify through it (https://mycompany.clockify.me/login).
If you're using one of the apps (mobile, desktop, browser extension), you'll have to log in with your custom domain (you're logged out automatically once the workspace is moved).
Workspaces on subdomain
A subdomain is tied to exactly one workspace.
Users on a subdomain can't have multiple workspaces: they have no workspace switcher, no Workspaces entry in the sidebar, and can't access the subdomain workspace from the main domain.
If you have other workspaces, log in to the main Clockify domain to access them.
Changing subdomain
You can change the subdomain URL at any time. Be careful, though: once you change it, everyone is logged out and has to use the workspace through the new URL.
If you cancel the paid subscription, then once it expires you'll be moved back to the main domain, your subdomain becomes available for others to claim, and your users log in with their email and password again.
How API keys work on subdomain workspaces
For security reasons, each user on a subdomain gets a separate API key that works only for that workspace, so nobody can access data on the subdomain without the right authorization.
For example, if a user belongs to two separate Enterprise workspaces, neither workspace owner can see or retrieve that user's data from the other workspace.
App support
Inviting new users
Once you're on a subdomain, you can invite users one by one by email (as before), or you can let anyone join without a manual invite.
To let anyone join, check the "Users can join without an invite" checkbox.
If you use SSO and someone without an account logs in through it, an account is created for them automatically and they're logged in.
If you allow "Log in with email and password", people can create an account and automatically join your workspace.
Configuring SSO
Clockify supports all major SSO identity providers:
- SAML2 (OneLogin, Okta, LastPass, Bitium, Azure)
- OAuth2 (Google, Azure, Facebook, Github, etc.)
- LDAP (Active Directory)
Only the workspace owner can see the Authorization tab, manage the subdomain, configure SSO, and turn SSO on or off.
If you wish to force everyone to log in with SSO, uncheck "Log in with email and password". Once this change is saved, any passwords associated with your members' accounts stop working and they must use SSO.
If you haven't configured it correctly, you can always edit the information or delete the configuration (in which case people log in with email and password again).
If you as the owner get locked out of your account, you can always log in with your original email and password at https://mysubdomain.clockify.me/login-owner. Because this path bypasses SSO, keep the owner password strong and unique.
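The rules above (invite-free joining, automatic account creation on first SSO login, disabling password login, and the owner's break-glass login) combine into one access-decision policy. The following is an added illustration, not Clockify's code: a small Python model of that policy as a subdomain workspace would apply it. The class and field names (AuthSettings, LoginAttempt, SubdomainWorkspace, idp_assertion_ok, and so on) are assumptions chosen for the example; the outcomes follow the behaviour described on this page.

```python
from dataclasses import dataclass, field

# Workspace-level switches from the Authorization tab (names are illustrative).
@dataclass
class AuthSettings:
    sso_configured: bool          # a SAML2/OAuth2/LDAP configuration is saved
    password_login_allowed: bool  # "Log in with email and password" checkbox
    open_join: bool               # "Users can join without an invite" checkbox

# One login attempt; the two *_ok flags stand in for the real credential checks.
@dataclass
class LoginAttempt:
    email: str
    method: str                     # "sso", "password" or "owner_password"
    idp_assertion_ok: bool = False  # IdP authenticated the user (SAML assertion / OAuth2 token)
    password_ok: bool = False       # Clockify-side password matched

@dataclass
class SubdomainWorkspace:
    owner_email: str
    settings: AuthSettings
    members: set = field(default_factory=set)

    def login(self, a: LoginAttempt) -> str:
        """Return 'logged_in', 'account_created' or a 'rejected: ...' reason."""
        if a.method == "owner_password":
            # Break-glass path (/login-owner): only the owner, only with the original
            # password, and independent of the SSO / password-login switches.
            if a.email == self.owner_email and a.password_ok:
                return "logged_in"
            return "rejected: owner login is for the workspace owner only"

        if a.method == "sso":
            if not self.settings.sso_configured:
                return "rejected: no SSO configuration"
            if not a.idp_assertion_ok:
                return "rejected: identity provider did not authenticate the user"
            return self._admit(a.email)

        if a.method == "password":
            if not self.settings.password_login_allowed:
                # Existing passwords stop working once the checkbox is unchecked.
                return "rejected: email/password login is disabled, use SSO"
            if not a.password_ok:
                return "rejected: wrong password"
            return self._admit(a.email)

        return "rejected: unknown login method"

    def _admit(self, email: str) -> str:
        if email in self.members:
            return "logged_in"
        if self.settings.open_join:
            # Just-in-time provisioning: the account is created on first login and
            # the user joins the workspace without a manual invite.
            self.members.add(email)
            return "account_created"
        return "rejected: not a member and an invite is required"
```

With SSO enforced (password login unchecked) and open joining enabled, a member's password login is refused while the same member's SSO login succeeds, an unknown user authenticated by the IdP is provisioned on the spot, and the owner can still get in through the owner login; with open joining off, an IdP-authenticated stranger is turned away until invited.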
To add a Default Relay State, use these parameters (use the curly brackets, and straight quotes rather than curly ones, or it won't work):