{"id":25047,"date":"2025-08-01T08:10:10","date_gmt":"2025-08-01T08:10:10","guid":{"rendered":"https:\/\/clockify.me\/help\/?p=25047"},"modified":"2026-01-16T13:05:33","modified_gmt":"2026-01-16T13:05:33","slug":"troubleshooting-sso","status":"publish","type":"post","link":"https:\/\/clockify.me\/help\/troubleshooting\/troubleshooting-sso","title":{"rendered":"Troubleshooting SSO Login Issues in Clockify (SAML 2.0 &#038; OAuth2)"},"content":{"rendered":"\n<p>If you or your team encounter issues while logging into Clockify using SSO (via SAML 2.0 or OAuth2), use this guide to quickly identify and resolve the most common problems.<\/p>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table class=\"has-fixed-layout\"><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\"><strong>Issue<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Possible Cause<\/strong><\/td><td class=\"has-text-align-center\" data-align=\"center\"><strong>Solution<\/strong><\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">You don\u2019t have permission to access this workspace<\/td><td class=\"has-text-align-center\" data-align=\"center\">User not added to the Clockify workspace<\/td><td class=\"has-text-align-center\" data-align=\"center\">Manually invite the user, check if the user is assigned to the Clockify app on IdP, or enable auto-provisioning<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">SAML Authentication Failed \/ Invalid response<\/td><td class=\"has-text-align-center\" data-align=\"center\">Misconfigured SAML metadata or missing email claim<\/td><td class=\"has-text-align-center\" data-align=\"center\">Check Entity ID, SSO URL, and ensure email attribute is present<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">No email received in SAML response<\/td><td class=\"has-text-align-center\" data-align=\"center\">Email claim not configured in IdP<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">Add claim named email mapped to user.mail or user.userprincipalname<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">OAuth2 login redirects but fails silently<\/td><td class=\"has-text-align-center\" data-align=\"center\">Missing scopes or misconfigured redirect URI<\/td><td class=\"has-text-align-center\" data-align=\"center\">Verify client settings in the OAuth2 provider and ensure the redirect URI is correct<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">The user exists but can&#8217;t log in via SSO<\/td><td class=\"has-text-align-center\" data-align=\"center\">The user belongs to a different workspace<\/td><td class=\"has-text-align-center\" data-align=\"center\">Verify the user is added to the correct Clockify workspace<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Expired certificate or token<\/td><td class=\"has-text-align-center\" data-align=\"center\">IdP certificate\/token not renewed<\/td><td class=\"has-text-align-center\" data-align=\"center\">Rotate certificate or regenerate tokens as needed<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"note\">Owner can always log in using the original credentials at&nbsp;<strong>https:\/\/mysubdomain.clockify.me\/login-owner<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Troubleshooting SAML 2.0 Issues<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>&#8220;You don\u2019t have permission to access this workspace&#8221;<\/strong><\/h3>\n\n\n\n<p>Clockify can\u2019t authenticate the user because they haven\u2019t been added to the workspace.<\/p>\n\n\n\n<p>&nbsp;<strong>Fix<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Invite the user manually from <strong>Team \u2192 Invite<\/strong><\/li>\n\n\n\n<li class=\"translation-block\">Or enable <strong>Auto-provisioning<\/strong> under <strong>SSO 
settings<\/strong><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Incorrect or Incomplete SAML Setup<\/strong><\/h3>\n\n\n\n<p><strong>Verify the following in both Clockify and your IdP:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\"><strong>Entity ID<\/strong>, <strong>SAML SSO URL<\/strong>, <strong>Metadata URL<\/strong>, <strong>Relay State<\/strong> and <strong>X.509 Certificate<\/strong> are correct<\/li>\n\n\n\n<li class=\"translation-block\">The <strong>email<\/strong> attribute is included in the SAML assertion<\/li>\n\n\n\n<li class=\"translation-block\">Clockify workspace domain matches what&#8217;s configured in IdP<\/li>\n\n\n\n<li class=\"translation-block\"><strong>NameID Format<\/strong> is set to emailAddress<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Missing Email Claim<\/strong><\/h3>\n\n\n\n<p><strong>Fix (Azure AD example)<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Go to <strong>Enterprise applications \u2192 your app \u2192 Single sign-on<\/strong><\/li>\n\n\n\n<li class=\"translation-block\">Under <strong>Attributes &amp; Claims<\/strong>, add a claim:\n<ul class=\"wp-block-list\">\n<li>Name: email<\/li>\n\n\n\n<li>Source attribute: user.mail<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>User Belongs to a Different Workspace<\/strong><\/h3>\n\n\n\n<p><strong>Fix<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm the user is invited to the correct workspace<\/li>\n\n\n\n<li>Workspace SSO settings only apply to that specific workspace<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>&#8220;SAML Authentication 
Failed&#8221; or &#8220;Invalid Response&#8221;<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Check that the signature is valid<\/li>\n\n\n\n<li class=\"translation-block\">Check that NameID is set to email<\/li>\n\n\n\n<li class=\"translation-block\">Check that the response is within its valid time range (NotBefore, NotOnOrAfter)<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Troubleshooting OAuth2 Issues (e.g., Google, Microsoft)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>User can&#8217;t log in via OAuth2<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check that the email used with OAuth2 matches the one in Clockify<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Redirect URI Mismatch<\/strong><\/h3>\n\n\n\n<p>If you&#8217;re using a custom OAuth2 app (e.g., for enterprise Microsoft login), the redirect URI might not be correctly set.<\/p>\n\n\n\n<p><strong>Fix<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Go to your OAuth2 provider\u2019s app settings<\/li>\n\n\n\n<li class=\"translation-block\">Make sure the relevant redirect URIs are added:<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/yoursubdomain.clockify.me\/login\n<\/div><\/figure>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/app.clockify.me\/login\n<\/div><\/figure>\n\n\n\n<p class=\"translation-block\"><a href=\"https:\/\/app.clockify.me\/login\/android\/oauth2\">https:\/\/app.clockify.me\/login\/android\/oauth2<\/a> for the Android app<\/p>\n\n\n\n<p class=\"translation-block\"><a href=\"https:\/\/clockify.me\/login\/ios\/oauth2\">https:\/\/clockify.me\/login\/ios\/oauth2<\/a> for the iOS app<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 
class=\"wp-block-heading\"><strong>Invalid Token \/ Expired Session<\/strong><\/h3>\n\n\n\n<p>Tokens issued by the provider may expire or become invalid.<\/p>\n\n\n\n<p><strong>Fix<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Try logging out and back in again<\/li>\n\n\n\n<li>If using Microsoft, ensure consent has been granted for required scopes (like openid, email, profile)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Best Practices for Admins<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"translation-block\">Regularly check for <strong>certificate expiration<\/strong><\/li>\n\n\n\n<li>Always match users by email address across all platforms<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Need More Help?<\/h2>\n\n\n\n<p class=\"translation-block\">If you\u2019re still having trouble, reach out to <strong>Clockify Support<\/strong> with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A screenshot of the error<\/li>\n\n\n\n<li>A screenshot from Developer tools Console<\/li>\n\n\n\n<li>The user\u2019s email address<\/li>\n\n\n\n<li>Timestamp of the login attempt<\/li>\n\n\n\n<li>(For SAML) A copy of the SAML response or debug log<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"If you or your team encounter issues while logging into Clockify using SSO (via &#8230;","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_helpful_status":1,"_searchwp_excluded":"","footnotes":""},"categories":[95],"tags":[],"class_list":["post-25047","post","type-post","status-publish","format-standard","hentry","category-other"],"acf":[],"featured_image_src":null,"author_info":{"display_name":"Milena Dimic 
Vlajic","author_link":"https:\/\/clockify.me\/help\/author\/millenaclockify-me"},"_links":{"self":[{"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/posts\/25047","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/users\/41"}],"replies":[{"embeddable":true,"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/comments?post=25047"}],"version-history":[{"count":27,"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/posts\/25047\/revisions"}],"predecessor-version":[{"id":28535,"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/posts\/25047\/revisions\/28535"}],"wp:attachment":[{"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/media?parent=25047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/categories?post=25047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/clockify.me\/help\/wp-json\/wp\/v2\/tags?post=25047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}