Troubleshooting SSO Login Issues in Clockify (SAML 2.0 & OAuth2)
3 min read
If you or your team encounter issues while logging into Clockify using SSO (via SAML 2.0 or OAuth2), use this guide to quickly identify and resolve the most common problems.
| Issue | Possible Cause | Solution |
| You don’t have permission to access this workspace | User not added to the Clockify workspace | Manually invite the user, check if the user is assigned to the Clockify app on IdP, or enable auto-provisioning |
| SAML Authentication Failed / Invalid response | Misconfigured SAML metadata or missing email claim | Check Entity ID, SSO URL, and ensure email attribute is present |
| No email received in SAML response | Email claim not configured in IdP | Add claim named email mapped to user.mail or user.userprincipalname |
| OAuth2 login redirects but fails silently | Add a claim named email mapped to user.mail or user.userprincipalname | Verify client settings in the OAuth2 provider and ensure the redirect URI is correct |
| The user exists but can’t log in via SSO | The user belongs to a different workspace | Verify the user is added to the correct Clockify workspace |
| Expired certificate or token | IdP certificate/token not renewed | Rotate certificate or regenerate tokens as needed |
Troubleshooting SAML 2.0 Issues #
“You don’t have permission to access this workspace”
Clockify can’t authenticate the user because they haven’t been added to the workspace.
Fix:
- Invite the user manually from Team → Invite
- Or enable Auto-provisioning under SSO settings
Incorrect or Incomplete SAML Setup
Verify the following in both Clockify and your IdP:
- Entity ID, SAML SSO URL, Metadata URL, Relay State and X.509 Certificate are correct
- The email attribute is included in the SAML assertion
- Clockify workspace domain matches what’s configured in IdP
- NameID Format is set to emailAddress
Missing Email Claim
Fix (Azure AD example):
- Go to Enterprise applications → your app → Single sign-on
- Under Attributes & Claims, add a claim:
- Name: email
- Source attribute: user.mail
User Belongs to a Different Workspace
Fix:
- Confirm the user is invited to the correct workspace
- Workspace SSO settings only apply to that specific workspace
“SAML Authentication Failed” or “Invalid Response”
- Check if the signature is valid
- NameID is set to email
- Response is within valid time range (NotBefore, NotOnOrAfter)
Troubleshooting OAuth2 Issues (e.g., Google, Microsoft) #
User can’t log in via Oauth2
- Check that the email used with OAuth2 matches the one in Clockify
Redirect URI Mismatch
If you’re using a custom OAuth2 app (e.g., for enterprise Microsoft login), the redirect URI might not be correctly set.
Fix:
- Go to your OAuth2 provider’s app settings
- Make sure to add relevant redirect URI is:
https://app.clockify.me/login/android/oauth2 For Android
https://clockify.me/login/ios/oauth2 For iOS app
Invalid Token / Expired Session
Tokens issued by the provider may expire or become invalid.
Fix:
- Try logging out and back in again
- If using Microsoft, ensure consent has been granted for required scopes (like openid, email, profile)
Best Practices for Admins #
- Regularly check for certificate expiration
- Always match users by email address across all platforms
Need More Help? #
If you’re still having trouble, reach out to Clockify Support with:
- A screenshot of the error
- A screenshot from Developer tools Console
- The user’s email address
- Timestamp of the login attempt
- (For SAML) A copy of the SAML response or debug log
Was this article helpful?
Thank you! If you’d like a member of our support team to respond to you, please drop us a note at support@clockify.me