Single Sign-On (SSO) gives ClickTime users the convenience of not needing to maintain a separate email/password combination in order to start their session. With SSO, a ClickTime user could, for example, sign in to the application by just using their Google Apps email address.
ClickTime currently offers the following single sign-on (SSO) options:
- Platform Identity Partner: Google Apps
- SAML Identity Partners: Azure AD, Okta, OneLogin
- Custom: Create your own custom authentication option for any other providers that support SAML 2.0
Click the following links to learn more about each option:
What is SAML?
Single Sign On Configuration
Identity Partner Configuration - Google Apps
Identity Partner Configuration - Azure AD, Okta, OneLogin
Custom SAML 2.0 Configuration
Logging into using Single Sign-On
Logging into ClickTime using Custom SAML Single Sign-On
Security Assertion Markup Language (SAML) is a standard that allows authentication credentials to be shared by multiple applications within a network. This allows you to access many applications under your network’s umbrella using one username and password.
While some organizations still use SAML 1.1, ClickTime only supports SAML 2.0 for our partner and customer SAML Single Sign-On implementations. You may configure your Identity Provider for SP-initiated (user starts of https://login.clicktime.com) or IdP-initiated (user starts from within your Identity Provider) login workflows.
Complete configuration requires ClickTime-side configuration and Identity Provider -side configuration. This section covers the configuration from the ClickTime side.
ClickTime Administrators can opt to allow or require Single Sign-On settings for their entire company on the Company --> Preferences page in the Security section:
Please note: Unless you have an Enterprise account, you will only see the option for "Google". You can read more about Google SSO here. If you'd like to discuss upgrading your account so you can use another SSO solution, please reach out to our Support Team.
By selecting "Allow", your company can sign into ClickTime with both their ClickTime email/password combination, as well as your company's selected Single Sign-On method. For example, if I select "Allow" for "sign-in using Single Sign-On", then I will grant the user the ability to log in with either their email/password or the selected Single Sign-On provider (Azure AD, Google Apps, Okta,, OneLogin, or Custom SAML 2.0) account.
Usually this setting can be helpful for previewing an authentication configuration before you commit to requiring it. By default, a new company will always default to the "Allow" setting for Single Sign-On.
With "Require", you will commit your entire company to the authentication method you select, and disallow users from signing on with ClickTime email/password credentials.
Remember, any settings you choose will be company-wide, and accessing your account to change your Security Preferences will require you to sign in in with your chosen method the next time you log in.
Complete configuration requires ClickTime-side configuration and Identity Provider -side configuration. The next sections cover the configuration from the Identity Provider -side.
For use of Google Apps, make sure that each person in your company has a corresponding Google hosted email address in the "Person Detail" page. Once that is set, signing into ClickTime is as simple as clicking on the Google Apps button from the sign-in screen.
If your organization is using Okta or OneLogin, one of the above identity providers, please configure ClickTime from your identify provider (Okta or OneLogin) as a new App and retrieve the following values:
- Identity Provider Endpoint URL
- X. 509 certificate
Log in to your ClickTIme account, and go to the Company --> Preferences page. In the Security section, select Okta or OneLogin as your provider. Next, fill in the Identity Provider Endpoint URL and X. 509 certificate from your Identity Provider.
If you’re using Azure AD, please follow this Azure tutorial to complete your SSO configuration.
Enterprise customers may have Custom SAML enabled in their account - please contact your Success Manager or our Support Team to have this enabled. Once this is enabled, please configure ClickTime as a service provider with the following settings in your Identity Provider:
As well, expect these settings from ClickTime:
- SAML request method: POST
- Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Be sure to retrieve the following information from your Identity Provider:
- Identity Provider Endpoint URL
- X. 509 certificate
You will need the Identity Provider Endpoint URL and X. 509 certificate values for input in the Company Preferences in your ClickTime account.
You may wish to consume our SAML metadata file here.
If you’re using an IdP-initiated login process, you may direct your users to your own portal. You may also opt to direct your users here for an SP-initiated login workflow.
If you are starting on the login screen, click "Sign in with Google, Azure, and more" for more sign in options:
Next, click the appropriate SSO method:
Then, log in (if necessary) with your SSO provider's credentials.
If your organization uses a Custom SAML provider, please try starting here or please consult with your ClickTime Administrator for your organization's specific sign on instructions.
If your organization needs additional assistance setting up Single Sign-On with ClickTime, please contact us here! We offer support engagements to facilitate Single Sign-On with Custom SAML.