Improve security by eliminating user passwords. Instead, control access and manage log-in credentials using your company’s IDP (Azure, Active Directory, Google, Okta, OneLogin…).

authentication and sso

Setting up custom domain #

Moving to subdomain

Before you can configure and start using SSO for authorization, you need to move Clockify to a custom subdomain.

Once you upgrade Clockify, you will get Authorization tab in workspace settings. There you can type the subdomain you wish to use and move your workspace there.

Once you move to subdomain, Google log-in will no longer work for you and your users. To use Google login, you’ll have to set it up manually by configuring SSO > OAuth2. If your user can’t login, they can set up the password by requesting password reset from “Forgot password” link.

Accessing Clockify

Once you create the subdomain, you and your users will have to access Clockify through the subdomain (https://mycompany.clockify.me/login).

If you’re using one of the apps (mobile, desktop, extension), you’ll have to login with your custom domain (you’ll be logged out automatically once workspace is moved).

Workspaces

Subdomain is tied to only one workspace.

Users on a subdomain can’t have multiple workspaces: they don’t have workspace switcher, don’t have Workspaces in the sidebar, and can’t access subdomain workspace from the main domain.

If you have other workspaces, you’ll have to log in to the main Clockify domain to access them.

Changing subdomain

You can change subdomain URL at any time. Just be careful because once you change URL, everyone will be logged out and will have to use the workspace through the new URL.

If you cancel paid subscription, once the subscription expires: you’ll be moved back to the main domain, your subdomain will become available for others to use, and your users will log in with their email and password.

API key

For security reasons, each user on a subdomain gets a separate API key that works only for that workspace – meaning, no one can access your data on the subdomain unless they have the right authorization.

If for example, you have a user who’s on two separate Enterprise workspaces, the owner of neither workspaces can see or get the data from other account.

Configuring SSO #

Clockify supports all major SSO identity providers:

  • SAML2 (Azure, OneLogin, Okta, LastPass, Bitium)
  • OAuth2 (Google, Facebook, Github, etc.)
  • LDAP (Active Directory)

To configure SSO:

  1. Click “Configure SSO”
  2. Choose authentication type (SAML, OAuth, LDAP)
  3. Go to your identity provider’s settings and copy/paste the required data into Clockify
  4. Finish configuration

Once you configure SSO, tick the checkbox for it under the “Log-in setup” section.

If you wish to force everyone to log in with SSO, uncheck “Log in with email and password”. Once this change has been saved, any passwords associated to your members’ accounts will no longer work and they will be required to use SSO.

If you haven’t configured it correctly, you can always edit the information or delete the configuration (in that case, people will have to log in using email and password).

You can also upload a logo which will appear on the log in button.

Only workspace owner can see Authorization tab, manage subdomain, configure SSO, and turn SSO on/off. If you as the owner get locked out of your account, you can always log in using your original email and password at https://mycompany.clockify.me/login/admin

Setting up “Log in with Google” #

Once you move to subdomain, the default Google log-in will stop working and you’ll have to configure it manually to continue using it.

Setting up Google log-in is quick and easy:

  1. Set up OAuth 2.0 in your Google account
  2. In Clockify -> Authentication tab, click “Configure SSO”
  3. Choose “OAuth”¬†authentication type
  4. Copy/paste info from your Google app
  5. Click “Finish configuration”
  6. Check the “Log in with OAuth” checkbox to start using Google log-in

Once you configure, you can force everyone to use your company’s Google identity for logging-in by disabling “Log in in with email and password”.

Managing new users #

Once you’re on a subdomain, you can invite users one by one using email (like before), or you can let anyone join without you having to manually invite them.

To let anyone join, check the “Users can join without an invite” checkbox.

If you use SSO and someone without an account logs in, an account will be automatically created for them and they’ll be logged in.

If you allows “Log in with email and password”, people will be able to create an account and automatically join your workspace.