Manage security at scale by eliminating user passwords and by controlling access and log-in credentials through your company's IdP, via both SAML and OAuth (Office 365, Okta, Azure, Active Directory, Google, OneLogin...).

Cloud: In order to use SSO, you first need to move your workspace to a subdomain. After that, you can add an SSO configuration and disable other forms of log-in.

Single sign-on is an extra feature, which you can enable by upgrading your workspace to the Enterprise plan.

Self-hosting: If you're self-hosting Clockify, you set up SSO in your Admin panel (it's enabled across all workspaces).

Setting up custom domain

Moving to subdomain

Before you can configure and start using SSO for authorization, you need to move Clockify to a custom subdomain.

Once you upgrade Clockify, you will get the Authorization tab in workspace settings. There you can type the subdomain you wish to use and move your workspace there.

Once you move to a subdomain, Google log-in will no longer work for you and your users. To use Google log-in, you'll have to set it up manually by configuring SSO > OAuth2. If a user can't log in, they can set a password by requesting a password reset from the "Forgot password" link.

Accessing Clockify

Once you create the subdomain, you and your users will have to access Clockify through the subdomain (https://mycompany.clockify.me/login).

If you're using one of the apps (mobile, desktop, extension), you'll have to log in with your custom domain (you'll be logged out automatically once the workspace is moved).

Workspaces

Subdomain is tied to only one workspace.

Users on a subdomain can't have multiple workspaces: they don't have workspace switcher, don't have Workspaces in the sidebar, and can't access subdomain workspace from the main domain.

If you have other workspaces, you'll have to log in to the main Clockify domain to access them.

Changing subdomain

You can change subdomain URL at any time. Just be careful because once you change URL, everyone will be logged out and will have to use the workspace through the new URL.

If you cancel paid subscription, once the subscription expires: you'll be moved back to the main domain, your subdomain will become available for others to use, and your users will log in with their email and password.

API key

For security reasons, each user on a subdomain gets a separate API key that works only for that workspace - meaning, no one can access your data on the subdomain unless they have the right authorization.

If, for example, you have a user who's on two separate Enterprise workspaces, the owner of neither workspace can see or get the data from the other account.

Configuring SSO

Clockify supports all major SSO identity providers:

  • SAML2 (OneLogin, Okta, LastPass, Bitium, Azure)
  • OAuth2 (Google, Azure, Facebook, Github, etc.)
  • LDAP (Active Directory)

Only the workspace owner can see the Authorization tab, manage the subdomain, configure SSO, and turn SSO on/off.

If you wish to force everyone to log in with SSO, uncheck "Log in with email and password". Once this change has been saved, any passwords associated with your members' accounts will no longer work and they will be required to use SSO.

If you haven't configured it correctly, you can always edit the information or delete the configuration (in that case, people will have to log in using email and password).

If you as the owner get locked out of your account, you can always log in using your original email and password at https://mysubdomain.clockify.me/login-owner

To add Default Relay State, use these parameters (be sure to use the curly brackets and put the straight quotes instead of the curly ones, or it won't work):

{"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"}

How to set up SAML2 with Okta

Step 1: Clockify

  • Create a subdomain

Step 2: Okta

  • Go to Applications -> Add application -> Create new app:
    • General Settings :: Platform: Web -> SAML2.0 -> App name: Clockify; Logo: https://clockify.me/assets/images/brand-assets/clockify-mark-blue.png
    • Configure SAML :: Single sign on URL: https://global.api.clockify.me/auth/saml2; Audience URI (SP Entity ID): https://yoursubdomain.clockify.me/api/auth/saml2
    • Note: In case you need IdP-initiated authentication so users can log into Clockify straight from the Okta Dashboard, add to Default Relay State (be sure to put the straight quotes instead of the curly ones, or it won't work):
      {"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"}
    • Feedback :: Check "I'm an Okta customer"
  • Go to Applications -> Clockify -> Sign on -> View Setup Instructions
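
A pre-flight check for the Default Relay State value from the Okta note above and from Configuring SSO, added here as an example (it is not Clockify's code). It catches the curly-quote paste problem the page warns about, plus two assumptions inferred from the page's sample value: location is an https clockify.me subdomain, and organizationName equals that subdomain.

```python
import json
from urllib.parse import urlsplit

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"   # the quotes a word processor substitutes
CLOUD_SUFFIX = ".clockify.me"               # assumption: cloud workspace on a subdomain

def check_relay_state(raw):
    """Return a list of problems in a Default Relay State value; empty means OK."""
    if any(ch in CURLY_QUOTES for ch in raw):
        return ["contains curly quotes; retype them as straight quotes"]
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(data, dict):
        return ["value must be a JSON object in curly brackets"]
    problems = [f"missing or empty {key}"
                for key in ("location", "organizationName")
                if not isinstance(data.get(key), str) or not data[key]]
    if problems:
        return problems
    url = urlsplit(data["location"])
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        problems.append("location must use https")
    if not host.endswith(CLOUD_SUFFIX):
        problems.append("location is not a clockify.me subdomain")
    elif host[:-len(CLOUD_SUFFIX)] != data["organizationName"].lower():
        # Assumption: the page's sample uses the same name in both fields.
        problems.append("organizationName does not match the subdomain in location")
    return problems

# Constructed sample values (placeholders from the page, not a real workspace).
GOOD = '{"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"}'
PASTED = GOOD.replace('"', "\u201c")        # what a rich-text paste can turn it into
MISMATCH = GOOD.replace('"yourcompanysubdomain"', '"othercompany"')

if __name__ == "__main__":
    for label, value in (("good", GOOD), ("pasted", PASTED), ("mismatch", MISMATCH)):
        print(label, check_relay_state(value) or "OK")
```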

Step 3: Clockify

  • Click "Add SSO Configuration" -> SAML2, and fill following fields:
    • Entity Id: https://yoursubdomain.clockify.me
    • Metadata Url: Go to "View Setup Instructions" in Okta, create a plain text file called "meta.xml" (using Notepad, for example), copy/paste the text from the "Provide the following IDP metadata to your SP provider" section into it, and upload that file in "Upload XML file"
    • Login Url: copy/paste "Identity Provider Single Sign-On URL" from Okta's "View Setup Instructions"
    • Advanced -> Certificate: copy/paste "X.509 Certificate" from Okta's "View Setup Instructions"
  • Click "Finish configuration"
  • Enable "Log in with SAML2" (and optionally disable "Log in with email and password")

Step 4: Okta

  • Go to Applications -> Clockify -> Assignments -> Assign to people/groups (there you choose who from your Okta account will be able to access Clockify).

How to set up SAML2 with OneLogin

Step 1: Clockify

  • Create a subdomain

Step 2: OneLogin

  • Go to Applications > Add App > Search for SAML
    • Select SAML Test Connector (Advanced)
  • Info:
    • Display Name > Clockify
    • Logo: Upload Square Icon https://clockify.me/assets/images/brand-assets/clockify-mark-blue.png
  • Save
  • Configuration:
    • Audience: https://yourcompanysubdomain.clockify.me/api/auth/saml2
    • Recipient: https://global.api.clockify.me/auth/saml2
    • ACS (Consumer) URL Validator*: ^https:\/\/global.api.clockify\.me\/auth\/saml2\/$
    • ACS (Consumer) URL*: https://global.api.clockify.me/auth/saml2
    • Login URL: https://yourcompanysubdomain.clockify.me/
    • SAML initiator: Service Provider
  • Important > Save

Step 3: Clockify

  • Click "Add SSO Configuration" -> SAML2, and fill following fields:
    • Entity Id: https://yourcompanysubdomain.clockify.me/
    • Metadata Url: Go to OneLogin > SSO and copy Issuer URL then paste it in Metadata Url in Clockify
    • Login Url: Copy SAML 2.0 Endpoint (HTTP) from OneLogin > SSO and paste it to Login Url in Clockify
    • Advanced > Certificate: Go to OneLogin > SSO and click "View Details" under X.509 Certificate, then copy the X.509 Certificate and paste it into Clockify under Advanced > Certificate
  • Click “Finish configuration”
  • Enable “Log in with SAML2” (and optionally disable “Log in with email and password”)

Step 4: OneLogin

  • Go to Users (this is where you choose which users from your OneLogin account will be able to access Clockify).
    • Users > Click on the specific User > Applications > click "+" sign to add an app > select Clockify > Continue > Save

How to set up Google log-in

Once you move to subdomain, the default Google log-in will stop working and you'll have to configure it manually to continue using it.

Setting up Google log-in is quick and easy (you'll need to have a G Suite or Cloud Identity account in order to do this):

  1. Set up OAuth 2.0 in your Google account (you need to create a project and get OAuth 2.0 client ID for a web application)
  2. In Google Cloud Platform > API & Services > Credentials, open the project/application you’ve created and paste “https://yoursubdomain.clockify.me/login” under the “Authorized redirect URIs”
    Note: you should also add following URIs in order for the OAuth login to work on Clockify browser extensions, and mobile/desktop apps:

    [Image: google oauth clockify sso]
  3. In Clockify, go to Authentication tab and click "Add SSO Configuration"
  4. Choose "OAuth2" authentication type
  5. Copy/paste client ID and client secret from your Google app, and fill other fields as according to the information below
  6. Click "Finish configuration"
  7. Check the "Log in with OAuth" checkbox to start using Google log-in

Client Id: $your_id // you need to get this from your Google API Console account
Client Secret: $your_secret // you need to get this from your Google API Console account
Authorization Code Path: https://accounts.google.com/o/oauth2/v2/auth
Access Token Path: https://www.googleapis.com/oauth2/v3/token
User Info Open Id Path: https://www.googleapis.com/oauth2/v3/userinfo
Redirect Url: // Self-generated, you add this in your Google Cloud Console > Authorized redirect URI
Email Token Field: email
Username Token Field: name
First Name Token Field: given_name
Last Name Token Field: family_name
Scope: openid email profile

Once you configure it, you can force everyone to use your company's Google identity for logging in by disabling "Log in with email and password".

How to connect with Microsoft Azure

You can connect Azure to Clockify by setting up OAuth.

Step 1: Clockify

  • Add SSO configuration > OAuth2
  • Redirect Url > copy

Step 2: AzureAD

Step 3: Configuration (Clockify & Azure)

Configuration AzureAD: 

  • Certificates & Secrets: New client secret > Description: clockify > Expires: Never > Add
  • copy the value of this client secret and go back to Clockify then paste it in "Client Secret"
  • API permissions: Add a permission > Microsoft Graph > Delegated permissions > check openid > Add permissions (you can also check other permissions such as "email" and "profile")
  • Refresh
  • Go back to Overview

Configuration: Clockify

  • OAuth2 authentication: 
  • Client Id: Go to Azure -- Overview -- Application (client) ID: copy the value and paste it back in Clockify
  • Client Secret: this should already be pasted from previous steps (Certificates & Secrets)
  • Authorization Code Path: Go to Azure -- Overview -- Endpoints -- Copy the value of OAuth 2.0 authorization endpoint (v2) and paste it back in Clockify
  • Access Token Path: Go to Azure -- Overview -- Endpoints -- Copy the value of OAuth 2.0 token endpoint (v2) and paste it in Clockify
  • User Info Open Id Path: https://graph.microsoft.com/oidc/userinfo
  • Email Token Field: email
  • Scope: openid email profile
  • Click "Finish Configuration"

Step 4: Clockify

  • Log-in setup: enable "Log in with OAuth" (and optionally disable “Log in with email and password”)

Alternatively, you can connect Azure using the SAML2 authentication protocol, first by adding an unlisted (non-gallery) application to your Azure AD organization and then configuring SAML-based single sign-on to this non-gallery application.

Step 1: Azure

  • Go to Enterprise Applications > New application (then make sure you're on the new gallery view) > Create your own application
  • Name: Clockify
  • Integrate any other application you don't find in the gallery
  • Create
  • Go to Properties
  • Logo: Upload Square Icon https://clockify.me/assets/images/brand-assets/clockify-mark-blue.png
  • Optionally change "User assignment required" and "Visible to users" if necessary
  • Save

Step 2: Azure SSO configuration

  • Go to Single sign-on in the sidebar
  • Select SAML
  • Basic SAML Configuration: click the pencil to edit
    • Identifier (Entity ID): (this is where you put your subdomain address, in our case it's https://acmecompany.clockify.me/)
    • Reply URL (Assertion Consumer Service URL): https://global.api.clockify.me/auth/saml2
  • Save
  • SAML Signing Certificate: click the pencil to edit > New certificate > Save > click the 3 little dots on the certificate and then > Make certificate active > Yes
  • Reload the page

Step 3: Clockify

  • Add SSO configuration > SAML2 > Next
  • Entity Id: (this is where you put your subdomain address, in our case it's https://acmecompany.clockify.me/)
  • Metadata Url: Go back to Azure > under SAML Signing Certificate > App Federation Metadata Url > Copy and paste it back in Clockify
  • Login Url: Go back to Azure > under Set up Clockify find > Login URL > Copy and paste it back in Clockify
  • Click “Finish configuration”
  • Enable “Log in with SAML2” (and optionally disable “Log in with email and password”)

Step 4: Azure

  • Go to Users and Groups in the sidebar (where you choose which users from your Azure account will be able to access Clockify).
  • Users and groups > Add user > Users and groups (none selected) > Select users you want > Select > Assign

Managing new users

Once you're on a subdomain, you can invite users one by one using email (like before), or you can let anyone join without you having to manually invite them.

To let anyone join, check the "Users can join without an invite" checkbox.

If you use SSO and someone without an account logs in, an account will be automatically created for them and they'll be logged in.

If you allow "Log in with email and password", people will be able to create an account and automatically join your workspace.