Troubleshooting SSO Login Issues in Clockify (SAML 2.0 & OAuth2)
If you or your team encounter issues while logging into Clockify using SSO (via SAML 2.0 or OAuth2), use this guide to quickly identify and resolve the most common problems.
| Issue | Possible Cause | Solution |
| --- | --- | --- |
| You don’t have permission to access this workspace | User not added to the Clockify workspace | Manually invite the user, check if the user is assigned to the Clockify app on IdP, or enable auto-provisioning |
| SAML Authentication Failed / Invalid response | Misconfigured SAML metadata or missing email claim | Check Entity ID, SSO URL, and ensure email attribute is present |
| No email received in SAML response | Email claim not configured in IdP | Add claim named email mapped to user.mail or user.userprincipalname |
| OAuth2 login redirects but fails silently | Missing scopes or misconfigured redirect URI | Verify client settings in the OAuth2 provider and ensure the redirect URI is correct |
| The user exists but can’t log in via SSO | The user belongs to a different workspace | Verify the user is added to the correct Clockify workspace |
| Expired certificate or token | IdP certificate/token not renewed | Rotate certificate or regenerate tokens as needed |
The workspace owner can always log in using the original credentials at https://mysubdomain.clockify.me/login-owner.
Troubleshooting SAML 2.0 Issues
“You don’t have permission to access this workspace”
Clockify can’t authenticate the user because they haven’t been added to the workspace.
Fix:
- Invite the user manually from Team → Invite
- Or enable Auto-provisioning under SSO settings
Incorrect or Incomplete SAML Setup
Verify the following in both Clockify and your IdP:
- Entity ID, SAML SSO URL, Metadata URL, Relay State and X.509 Certificate are correct
- The email attribute is included in the SAML assertion
- Clockify workspace domain matches what’s configured in IdP
- NameID Format is set to emailAddress
Missing Email Claim
Fix (Azure AD example):
- Go to Enterprise applications → your app → Single sign-on
- Under Attributes & Claims, add a claim:
  - Name: email
  - Source attribute: user.mail
User Belongs to a Different Workspace
Fix:
- Confirm the user is invited to the correct workspace
- Workspace SSO settings only apply to that specific workspace
“SAML Authentication Failed” or “Invalid Response”
- Check that the signature is valid
- Check that NameID is set to email
- Check that the response is within its valid time range (NotBefore, NotOnOrAfter)
Troubleshooting OAuth2 Issues (e.g., Google, Microsoft)
User can’t log in via OAuth2
- Check that the email used with OAuth2 matches the one in Clockify
Redirect URI Mismatch
If you’re using a custom OAuth2 app (e.g., for enterprise Microsoft login), the redirect URI might not be correctly set.
Fix:
- Go to your OAuth2 provider’s app settings
- Make sure the relevant redirect URI is added:
  - https://app.clockify.me/login/android/oauth2 for the Android app
  - https://clockify.me/login/ios/oauth2 for the iOS app
Invalid Token / Expired Session
Tokens issued by the provider may expire or become invalid.
Fix:
- Try logging out and back in again
- If using Microsoft, ensure consent has been granted for required scopes (like openid, email, profile)
Best Practices for Admins
- Regularly check for certificate expiration
- Always match users by email address across all platforms
Need More Help?
If you’re still having trouble, reach out to Clockify Support with:
- A screenshot of the error
- A screenshot of the browser Developer Tools console
- The user’s email address
- Timestamp of the login attempt
- (For SAML) A copy of the SAML response or debug log