Manage security at scale by eliminating user passwords and controlling access and log-in credentials through your company’s IdP (Okta, Azure, Active Directory, Google, OneLogin…).

In order to use SSO, you first need to move your workspace to a subdomain. After that, you can add an SSO configuration and disable other forms of log-in.

Single sign-on is a paid feature, available in the Enterprise plan.


Setting up custom domain #

Moving to subdomain

Before you can configure and start using SSO for authentication, you need to move Clockify to a custom subdomain.

Once you upgrade Clockify, you will get an Authorization tab in the workspace settings. There you can type the subdomain you wish to use and move your workspace there.

Once you move to a subdomain, Google log-in will no longer work for you and your users. To keep using Google log-in, you’ll have to set it up manually by configuring SSO > OAuth2. If a user can’t log in, they can set a password by requesting a password reset from the “Forgot password” link.

Accessing Clockify

Once you create the subdomain, you and your users will have to access Clockify through the subdomain (https://mycompany.clockify.me/login).

If you’re using one of the apps (mobile, desktop, extension), you’ll have to log in with your custom domain (you’ll be logged out automatically once the workspace is moved).

Workspaces

A subdomain is tied to only one workspace.

Users on a subdomain can’t have multiple workspaces: they don’t have the workspace switcher, don’t have Workspaces in the sidebar, and can’t access the subdomain workspace from the main domain.

If you have other workspaces, you’ll have to log in to the main Clockify domain to access them.

Changing subdomain

You can change the subdomain URL at any time. Just be careful: once you change the URL, everyone will be logged out and will have to use the workspace through the new URL.

If you cancel the paid subscription, then once the subscription expires you’ll be moved back to the main domain, your subdomain will become available for others to use, and your users will log in with their email and password.

API key

For security reasons, each user on a subdomain gets a separate API key that works only for that workspace, meaning no one can access your data on the subdomain unless they have the right authorization.

If, for example, you have a user who is a member of two separate Enterprise workspaces, neither workspace owner can see or retrieve data from the other workspace.

Configuring SSO #

Clockify supports all major SSO identity providers:

  • SAML2 (Azure, OneLogin, Okta, LastPass, Bitium)
  • OAuth2 (Google, Facebook, Github, etc.)
  • LDAP (Active Directory)

Only the workspace owner can see the Authorization tab, manage the subdomain, configure SSO, and turn SSO on/off.

If you wish to force everyone to log in with SSO, uncheck “Log in with email and password”. Once this change has been saved, any passwords associated with your members’ accounts will no longer work and they will be required to use SSO.

If you haven’t configured it correctly, you can always edit the information or delete the configuration (in that case, people will have to log in using email and password).

If you, as the owner, get locked out of your account, you can always log in using your original email and password at https://mysubdomain.clockify.me/login-owner.

How to set up SAML2 with Okta

Step 1: Clockify

  • Create a subdomain

Step 2: Okta

  • Go to Applications -> Add application -> Create new app:
    • General Settings :: Platform: Web -> SAML2.0 -> App name: Clockify; Logo: https://clockify.me/assets/images/brand-assets/clockify-mark-blue.png
    • Configure SAML :: Single sign on URL: https://clockify.me/api/auth/saml2; Audience URI (SP Entity ID): https://yoursubdomain.clockify.me/api/auth/saml2 (Note: in case you need IdP-initiated authentication so users can log into Clockify straight from the Okta Dashboard, add the following to Default Relay State: {"location":"https://yourcompanysubdomain.clockify.me", "organizationName":"yourcompanysubdomain"})
    • Feedback :: Check “I’m an Okta customer”
  • Go to Applications -> Clockify -> Sign on -> View Setup Instructions

Step 3: Clockify

  • Click “Add SSO Configuration” -> SAML2, and fill in the following fields:
    • Entity Id: https://yoursubdomain.clockify.me
    • Metadata Url: in Okta, open “View Setup Instructions”, copy the text from the “Provide the following IDP metadata to your SP provider” section into a plain text file (using Notepad, for example) called “meta.xml”, and upload that file via “Upload XML file”
    • Login Url: copy/paste “Identity Provider Single Sign-On URL” from Okta’s “View Setup Instructions”
    • Advanced -> Certificate: copy/paste “X.509 Certificate” from Okta’s “View Setup Instructions”
  • Click “Finish configuration”
  • Enable “Log in with SAML2” (and optionally disable “Log in with email and password”)

Step 4: Okta

  • Go to Applications -> Clockify -> Assignments -> Assign to people/groups (there you choose who from your Okta account will be able to access Clockify).
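As an added example (not Clockify’s or Okta’s own code), this Python snippet reads the meta.xml saved in Step 3 and extracts the two values the form also asks for by hand, the Login Url and the X.509 certificate, so you can confirm that what you pasted matches the metadata. The sample metadata, entityID, URLs and certificate are constructed placeholders, and picking the HTTP-POST binding entry is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespaces and the SSO binding this example selects.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for a saved meta.xml; every value is a placeholder.
SAMPLE_META_XML = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VI
        T0xERVJDRVJU
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/clockify/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/clockify/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the IdP entityID, the HTTP-POST SSO URL and the signing cert(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    login_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            login_url = svc.get("Location")  # goes into Clockify's Login Url
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means both
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            body = "".join(cert.text.split())  # undo the line wrapping
            base64.b64decode(body, validate=True)  # reject garbled pastes
            certs.append(body)  # goes into Advanced -> Certificate
    if login_url is None or not certs:
        raise ValueError("metadata lacks an HTTP-POST SSO URL or signing cert")
    return {"idp_entity_id": root.get("entityID"), "login_url": login_url,
            "certificates": certs}
```

Compare the returned `login_url` and `certificates` with what you pasted into the Clockify form; a mismatch usually means a stale copy of the setup instructions.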

How to set up Google log-in

Once you move to a subdomain, the default Google log-in will stop working and you’ll have to configure it manually to continue using it.

Setting up Google log-in is quick and easy (you’ll need to have a G Suite or Cloud Identity account in order to do this):

  1. Set up OAuth 2.0 in your Google account (you need to create a project and get OAuth 2.0 client ID for a web application)
  2. In Google Cloud Platform > API & Services > Credentials, open the project/application you’ve created and paste “https://yoursubdomain.clockify.me/login” under the “Authorized redirect URIs”
  3. In Clockify, go to the Authentication tab and click “Add SSO Configuration”
  4. Choose “OAuth2” authentication type
  5. Copy/paste the client ID and client secret from your Google app, and fill in the other fields according to the information below
  6. Click “Finish configuration”
  7. Check the “Log in with OAuth” checkbox to start using Google log-in

Client Id: $your_id // you need to get this from your Google API Console account
Client Secret: $your_secret // you need to get this from your Google API Console account
Authorization Code Path: https://accounts.google.com/o/oauth2/v2/auth
Access Token Path: https://www.googleapis.com/oauth2/v3/token
User Info Open Id Path: https://www.googleapis.com/oauth2/v3/userinfo
Redirect Url: // Self-generated, you add this in your Google Cloud Console > Authorized redirect URI
Email Token Field: email
Username Token Field: name
First Name Token Field: given_name
Last Name Token Field: family_name
Scope: openid email profile

Once configured, you can force everyone to use your company’s Google identity for logging in by disabling “Log in with email and password”.
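To make the configuration above concrete, here is an added Python example (not Clockify’s code) that walks the authorization code flow against the listed endpoints: building the authorization request, checking the state on the redirect back, shaping the token request, and mapping the User Info claims through the configured token fields. The client id and the allowed company domain are placeholders, the redirect URL is the page’s example subdomain, and the domain restriction is an extra check this page does not describe.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints, scope and token-field mapping as entered in the Clockify form.
# CLIENT_ID is a placeholder; the redirect URL is the page's example subdomain.
AUTH_CODE_PATH = "https://accounts.google.com/o/oauth2/v2/auth"
ACCESS_TOKEN_PATH = "https://www.googleapis.com/oauth2/v3/token"
SCOPE = "openid email profile"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"
REDIRECT_URL = "https://yoursubdomain.clockify.me/login"
FIELD_MAP = {"email": "email", "username": "name",
             "first_name": "given_name", "last_name": "family_name"}

def build_authorization_url(state):
    """Step 1: where the browser is sent; state must be unguessable per login."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URL,
              "response_type": "code", "scope": SCOPE, "state": state}
    return AUTH_CODE_PATH + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 2: Google redirects to REDIRECT_URL; verify state before using code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: login was not started by this session")
    return query["code"][0]

def build_token_request(code, client_secret):
    """Step 3: form body POSTed to ACCESS_TOKEN_PATH to swap the code for tokens;
    redirect_uri must match the Authorized redirect URI byte for byte."""
    return {"code": code, "client_id": CLIENT_ID, "client_secret": client_secret,
            "redirect_uri": REDIRECT_URL, "grant_type": "authorization_code"}

def map_userinfo(userinfo_json, allowed_domain):
    """Step 4: map the User Info response through FIELD_MAP, refusing unverified
    emails or accounts outside the company domain (added check, not Clockify's)."""
    claims = json.loads(userinfo_json)
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified by Google")
    profile = {field: claims.get(claim) for field, claim in FIELD_MAP.items()}
    domain = (profile["email"] or "@").rsplit("@", 1)[-1].lower()
    if domain != allowed_domain.lower():
        raise ValueError("email outside " + allowed_domain)
    return profile

# Constructed User Info response in Google's shape; not real account data.
SAMPLE_USERINFO = json.dumps({
    "sub": "1234567890", "name": "Ada Example", "given_name": "Ada",
    "family_name": "Example", "email": "ada@mycompany.example",
    "email_verified": True})
```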

Managing new users #

Once you’re on a subdomain, you can invite users one by one using email (like before), or you can let anyone join without you having to manually invite them.

To let anyone join, check the “Users can join without an invite” checkbox.

If you use SSO and someone without an account logs in, an account will be automatically created for them and they’ll be logged in.

If you allow “Log in with email and password”, people will be able to create an account and automatically join your workspace.