Single Sign-On (SSO) lets your users access ClickTime with the same credentials they use elsewhere (Google Workspace, Microsoft Entra ID/Azure AD, Okta, OneLogin, or a custom SAML 2.0 provider). SSO reduces password fatigue and centralizes access control.
Summary: Choose an identity provider (IdP), configure SSO in Company > Preferences > Security, then complete setup in your IdP. You can Allow (optional) or Require SSO for your company. Enterprise plans support SAML 2.0 and SCIM provisioning (Azure/Entra, Okta, OneLogin). This guide covers SAML concepts, ClickTime-side configuration, IdP-specific steps, logging in with SSO, and SCIM setup.
Jump to a section:
- SSO options
- What is SAML?
- Configure SSO in ClickTime
- Google Workspace (Google)
- Microsoft Entra ID (Azure AD)
- Okta
- OneLogin
- Custom SAML 2.0
- How users log in with SSO
- SCIM provisioning (Azure/Entra, OneLogin, Okta)
- Troubleshooting
SSO options
- Platform identity partner: Google Workspace (Google)
- SAML identity partners: Microsoft Entra ID (Azure AD), Okta, OneLogin
- Custom: Any SAML 2.0–compliant Identity Provider
What is SAML?
Security Assertion Markup Language (SAML) 2.0 is an open standard for exchanging authentication information between an Identity Provider (IdP) and a Service Provider (SP) like ClickTime. You can use SP-initiated sign-in (start at https://login.clicktime.com) or IdP-initiated sign-in (start from your IdP portal).
Configure SSO in ClickTime
Administrators configure SSO in Company > Preferences > Security.
- Select a provider (Google, Azure/Entra, Okta, OneLogin, or Custom SAML 2.0).
- Choose a policy:
  - Allow: Users may sign in with either ClickTime email/password or the selected SSO method. Recommended for testing.
  - Require: All users must sign in with the selected SSO method. ClickTime passwords are disabled.
- Enter IdP details as prompted (Identity Provider Endpoint URL and X.509 certificate, where applicable).
- Save your settings, then complete the steps in your IdP (see sections below).
Plan note: On non‑Enterprise plans, only Google may be available in Security settings.
Important: SSO settings are company‑wide. After switching to Require, your next login will use the selected SSO provider.
Tip: Start with Allow to validate your configuration before enforcing SSO.
Identity partner configuration — Google Workspace (Google)
Ensure each person in ClickTime has their Google‑hosted email address on their Person Detail page. From the ClickTime sign‑in screen, users can choose Sign in with Google.
Identity partner configuration — Microsoft Entra ID (Azure AD)
Configure ClickTime as an application in Entra ID (Azure AD) using Microsoft’s guide, then paste your Identity Provider Endpoint URL and X.509 Certificate into ClickTime’s Security settings.
After saving, you can choose to Allow or Require SSO for your company.
Identity partner configuration — Okta
In Okta, add ClickTime as an application and obtain the Identity Provider Endpoint URL and X.509 certificate. In ClickTime, select Okta as your provider and enter these values in the Company > Preferences > Security settings.
Identity partner configuration — OneLogin
In OneLogin, add ClickTime as an application and retrieve the Identity Provider Endpoint URL and X.509 certificate. In ClickTime, select OneLogin as your provider and enter these values in the Company > Preferences > Security settings.
Custom SAML 2.0 configuration
Enterprise customers may enable Custom SAML 2.0. Configure ClickTime as a Service Provider with:
- Entity ID: https://app.clicktime.com/sp/
- ACS URL: https://app.clicktime.com/App/Login/Consume.aspx
- SAML request method: POST
- NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
ClickTime metadata: SAML metadata XML.
For IdP‑initiated flows, direct users to your IdP portal. For SP‑initiated flows, you can also direct users to https://login.clicktime.com/?showCustomSAML=true.
How users log in with SSO
- Go to login.clicktime.com.
- Click Sign in with Google, Azure, and more.
- Select your SSO method and complete authentication with your IdP.
SCIM provisioning
ClickTime supports SCIM (System for Cross‑domain Identity Management) provisioning for Microsoft Entra ID (Azure AD), OneLogin, and Okta. SCIM supports user creation, attribute updates, and deactivation. ClickTime uses one‑way sync from your IdP; edits made in ClickTime can be overwritten by SCIM. SCIM is priced separately from SSO. Please reach out to support@clicktime.com to learn more.
Tip: Enable SSO first, then configure SCIM. SCIM options appear in Company > Preferences > Security when SSO is set to Allow or Require for a supported IdP.
Requirements
- SSO policy set to Allow or Require for the target IdP (Azure/Entra, OneLogin, or Okta).
- Identity Provider Endpoint URL and X.509 certificate configured (where applicable).
Enable SCIM and generate a token
- Go to Company > Preferences > Security and locate SCIM.
- Click Generate Token and copy it. The token is shown once; store it securely.
- Toggle which standard and custom fields your IdP will manage (Employment Type, Start Date, etc.). Save.
Azure AD / Microsoft Entra ID — SCIM setup
If your organization uses Microsoft Entra/Azure to manage your employees' access to tools and services, you can take advantage of Microsoft Entra/Azure's Active Directory feature to automatically grant access to ClickTime to your users.
The integration between Microsoft Entra/Azure and ClickTime that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM.
The following fields in ClickTime are supported using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employee Number
- Custom Fields on the Person
ClickTime respects a one-way sync from identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to users in Microsoft Entra/Azure will carry through in ClickTime. Here are some examples:
- When a person's name is updated in the identity provider, their name will be updated in ClickTime
- When a person's email address is updated in the identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the company preferences page.
Before doing so, the following requirements must be met:
- You must be configured to Require or Allow SSO for Microsoft Entra/Azure AD
- The Identity Endpoint must be filled in
- The X.509 Certificate must be filled in
Step-by-Step Configuration Guide
Administrators will be able to enable SCIM on the Company > Preferences page under the Security section.
1. Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
2. Copy the Token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
3. Toggle all the optional ClickTime fields that you want to be managed by your Identity Provider. These will be optional Standard ClickTime fields (Employment Type, Start Date, etc.), or noted as Custom ClickTime fields. Save your Preferences page.
4. Create a new Microsoft Entra/Azure tenant in Microsoft Entra/Azure Directory (only necessary if there is not an existing Microsoft Entra/Azure AD tenant)
- Go to Microsoft Entra/Azure Portal
- Click on Microsoft Entra/Azure Active Directory
- Click on Manage tenants tab at the top
- Click Create
- Select Basic Microsoft Entra/Azure Active Directory tenant type
- Add configuration details
- Create
5. Adding users to the tenant (only necessary if there is not an existing Microsoft Entra/Azure AD tenant with users)
- On the Microsoft Entra/Azure AD tenant, click on Users in the left sidebar
- Click New user, then choose Create a new user.
- Give the principal name
- In properties, fill in the First Name, Last Name, and especially the Email - this will be the ClickTime email
- Create
6. Create a new enterprise application in Microsoft Entra/Azure AD
- Open the Microsoft Entra/Azure AD tenant
- Click Enterprise applications in the left sidebar
- Select new application
- Select the Create your own application tab at the top
- Enter a name for the app and leave it as a Non-gallery application
- Create
7. Add users to Microsoft Entra/Azure enterprise application
- On the enterprise app's left panel, under Manage, click on Users and groups
- Assign the user/users you'd like (these must exist on the Microsoft Entra/Azure AD tenant)
8. Add Provisioning
- Click on Provisioning in the left sidebar in the enterprise application
- Get Started and start new provisioning
- Set to automatic provisioning
- Add the tenant URL as https://app.clicktime.com/scim and paste in the bearer token as the secret token. Testing the connection should then succeed.
9. Basic provisioning mappings
- Back in provisioning, click Provisioning in the left sidebar
- Open the Mappings pane, click on Groups and disable Groups mapping, hit Save
- Open the Users back in the Mappings pane
- Update the first non-deletable entry by clicking on the row, and change the source attribute to mail
- Delete all properties aside from the ones shown in the screenshot below:
- Hit Save
- Click on Show Advanced Options and Edit attribute list for customappsso
- Update the list so that it looks like the screenshot below
- Hit save
10. Custom provisioning mappings
- Back in the User Mappings under the Mappings pane, click on Show Advanced Options and Edit attribute list for customappsso
- Add the standard attributes that are being managed with SCIM
  - Start Date: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:startDate set as String
    - Use Expression as the mapping type
  - End Date: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:endDate set as String
  - Role: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:role set as String
  - Employment Type: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:employmentType set as String - ensure that this is marked as "Required"
  - Employee Number: urn:ietf:params:scim:schemas:extension:clicktime:1.0:User:employeeNumber set as String
  - Hit Save
- Add the Custom Fields from ClickTime being managed with SCIM
  - Make sure the "name" of the custom field has no spaces or non-alphanumeric characters
  - Add the attribute as urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User:<customFieldNameHere>
    - Example: urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User:country
  - Set this as a Boolean type if Yes/No field in ClickTime, an Integer if Currency in ClickTime, and otherwise a String
  - Mark as required if the field is required in ClickTime
  - Hit Save
- Add mappings for the field(s)
  - Back in User Attribute Mappings, click Add New Mapping under the table
  - Add a new mapping for each standard and custom field, set as a Direct map from a Microsoft Entra/Azure attribute to one of the custom attributes for the enterprise application you created
    - Exceptions: Start Date and End Date. Rather than Direct, set this to be an Expression style mapping, and map from an existing Date attribute in Microsoft Entra/Azure to the field for ClickTime. The expression should look like: FormatDateTime([employeeHireDate], , , "yyyy-MM-dd") for employeeHireDate, for example
11. Provisioning Users
- Microsoft Entra/Azure does this automatically over time and in batches, so it's easiest to check for the updates by forcing this process to happen on demand. This can only be done for a limited set of users.
- Inside our Enterprise Application in Microsoft Entra/Azure AD, click on Provisioning in the left sidebar.
- Click on Provisioning on Demand in the left sidebar.
- Enter a user and provision as necessary (do this after creates or updates for testing rather than waiting for Microsoft Entra/Azure to do this eventually).
OneLogin — SCIM setup
If your organization uses OneLogin to manage your employees' access to tools and services, you can take advantage of OneLogin's "Provisioning" feature to automatically grant access to ClickTime to your users.
The integration between OneLogin and ClickTime that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management).
Features
ClickTime supports user creation, updates to user attributes, and user deactivation through SCIM. The following fields in ClickTime are supported using SCIM:
- Name
- Email Address
- Status
- Start Date
- End Date
- Role
- Employment Type
- Employee Number
- Custom Fields on the Person
ClickTime respects a one-way sync from the identity provider to ClickTime. ClickTime does not lock SCIM managed fields, but any changes made in ClickTime will be overwritten by SCIM requests.
Subsequent changes to users in OneLogin will carry through in ClickTime. Here are some examples:
- When a person's name is updated in the identity provider, their name will be updated in ClickTime
- When a person's email address is updated in the identity provider, their email address will be updated in ClickTime
- Person custom field updates in the identity provider will be reflected in ClickTime
Requirements
Administrators in Enterprise Accounts will be able to enable SCIM on the company preferences page.
Before doing so, the following requirements must be met:
- You must be configured to Require or Allow SSO for OneLogin
- The Identity Endpoint must be filled in
- The X.509 Certificate must be filled in
Step-by-Step Configuration Instructions
Administrators will be able to enable SCIM on the Company > Preferences page under the Security section.
- Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
- Copy the token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
- Toggle on all the optional ClickTime fields that you want to be managed by your Identity Provider. These will be Standard ClickTime fields (Employment Type, Start Date, etc.), or noted as Custom ClickTime fields. Note that Custom Fields that are marked as Required must be toggled "On" to be managed by SCIM. Save your Preferences page.
- Navigate to your organization's Identity Provider and find the ClickTime app.
- Sign into your OneLogin account as an Administrator. Navigate to the Applications tab and select Applications. Click Add App. Search for and select SCIM Provisioner with SAML (SCIM v2 Core). Give your SCIM app a display name value that will help you recognize it and click Save.
- Select the Configuration tab
- Provide the SCIM Base URL value https://app.clicktime.com/scim and paste the token into the SCIM bearer Token field.
- Provide the SCIM JSON Template for ClickTime. This will look something like the example provided below
  - Each of the standard ClickTime fields that are managed by SCIM will fall under the urn:ietf:params:scim:schemas:extension:clicktime:1.0:User object, and the properties must be named as provided. Remove the fields not being managed, or the entire object if none of the fields are being used.
  - ClickTime custom fields that are managed by SCIM will fall under the urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User object, and the properties must be named matching the custom field in ClickTime (this is the name, not the display name). abcName is provided as an example, which would likely need to be removed.

  {
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User",
      "urn:ietf:params:scim:schemas:extension:clicktime:1.0:User",
      "urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User"
    ],
    "userName": "{$parameters.email}",
    "name": {
      "givenName": "{$user.firstname}",
      "familyName": "{$user.lastname}"
    },
    "emails": [
      {
        "value": "{$user.email}",
        "primary": true,
        "type": "work"
      }
    ],
    "urn:ietf:params:scim:schemas:extension:clicktime:1.0:User": {
      "startDate": "{$parameters.startDate}",
      "endDate": "{$parameters.endDate}",
      "role": "{$parameters.role}",
      "employeeNumber": "{$parameters.employeeNumber}",
      "employmentType": "{$parameters.employmentType}"
    },
    "urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User": {
      "abcName": "{$parameters.abcName}"
    }
  }

- Click Enable to allow the SCIM app to make an initial connection to the SCIM Base URL defined.
- Click Save
- Select the Parameters tab
  - Click the SAML NameID (Subject) to change the value to Email
  - For each of the values following in the JSON, such as startDate, endDate, etc., add a new field with the same name. Add a mapping to a user property for each field.
  - Click Save
  - Click More Actions > Reapply entitlement mappings
- Select the Provisioning tab and enable provisioning. Select the boxes next to Create user, Delete User, and Update user.
  - Update the dropdown so that When users are deleted in OneLogin, or the user's app access is removed, perform the below action is set to Suspend
  - Click Save
  - Click More Actions > Reapply entitlement mappings
- You can create a new user in OneLogin and assign them to this application
  - Make sure that the scimusername when adding the person is set to their full email.
  - Each time we assign / update / delete a user, you may need to approve the action (creation / updates / deletes).
Okta — SCIM setup
Step-by-Step Configuration Instructions
Administrators will be able to enable SCIM on the Company > Preferences page under the Security section.
1. Organizations that have Single Sign-On set to Require or Allow have the option to enable SCIM. Clicking "Generate Token" will display a token.
2. Copy the Token. This token will only be displayed once, and will be hidden once you leave this page in ClickTime.
3. Navigate to your organization's Identity Provider and find the ClickTime app.
4. Click the Provisioning tab, check "Enable API Integration", and paste the token into the API Token field.
5. Click "Test API Credentials" to confirm that Okta and ClickTime are linked.
6. Click Save
7. If any standard fields are SCIM managed:
- Go to Directory > Profile Directory
- Add each standard ClickTime field that is SCIM-managed as a new attribute. Use the external namespace urn:ietf:params:scim:schemas:extension:clicktime:1.0:User and the variable names given below:
  - Start Date: startDate
  - End Date: endDate
  - Role: role
  - Employment Type: employmentType - ensure that this is marked as "Required"
  - Employee Number: employeeNumber
- Add mappings for each of the added attributes in the Okta to SCIM app tab in the Mappings modal and save
8. If any custom fields are SCIM managed:
- Go to Directory > Profile Directory
- Add each ClickTime custom field that is SCIM-managed as a new attribute. Use the external namespace urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User. The variable name must completely match the name given to the custom field in ClickTime (not the display name, but the name) - this means that the name in ClickTime also cannot have any spaces.
- Mark the attribute as required if it's required in ClickTime
- Add mappings for each of the added attributes in the Okta to SCIM app tab in the Mappings modal and save
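The naming rules repeated across the three SCIM sections (extension namespaces, exact property names, alphanumeric custom field names, yyyy-MM-dd dates from the Entra expression, full-email user names) can be checked before a sync by linting one rendered user payload taken from your IdP's provisioning preview or log. This is an added example, not ClickTime or IdP code; the function name and both sample payloads are constructed for illustration.

```python
import json
import re
from datetime import datetime

# Namespaces and property names as given on this page.
STD = "urn:ietf:params:scim:schemas:extension:clicktime:1.0:User"
CF = "urn:ietf:params:scim:schemas:extension:clicktimecf:1.0:User"
STD_PROPS = {"startDate", "endDate", "role", "employeeNumber", "employmentType"}


def lint_scim_user(payload):
    """Return a list of problems found in one rendered SCIM User JSON document."""
    user = json.loads(payload)
    problems = []
    for urn in (STD, CF):
        # RFC 7643: "schemas" lists the namespaces of the attributes present.
        if urn in user and urn not in user.get("schemas", []):
            problems.append(f"{urn} is used but not listed in schemas")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", str(user.get("userName", ""))):
        problems.append("userName is not a full email address")
    std = user.get(STD, {})
    # Property names are case-sensitive and must match the page exactly.
    for prop in sorted(set(std) - STD_PROPS):
        problems.append(f"unknown standard property: {prop}")
    for prop in ("startDate", "endDate"):
        if prop in std:
            try:
                datetime.strptime(str(std[prop]), "%Y-%m-%d")
            except ValueError:
                problems.append(f"{prop} is not yyyy-MM-dd: {std[prop]!r}")
    for name in sorted(user.get(CF, {})):
        if not re.fullmatch(r"[A-Za-z0-9]+", name):
            problems.append(f"custom field name is not alphanumeric: {name!r}")
    return problems


# Constructed sample payloads (not captured from a real tenant).
GOOD = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", STD, CF],
    "userName": "pat@example.com",
    STD: {"startDate": "2024-03-01", "employmentType": "Full Time"},
    CF: {"country": "US"},
})
BAD = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", STD],
    "userName": "pat",
    STD: {"startDate": "03/01/2024", "EmployeeNumber": "1042"},
    CF: {"Cost Center": "R&D"},
})

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_scim_user(doc))
```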
Troubleshooting
- Users can still sign in with email/password when SSO is on. Set policy to Require instead of Allow.
- Can’t log in after switching to Require. Verify the IdP configuration values (Endpoint URL, certificate) and try IdP‑initiated sign‑in.
- SCIM updates aren’t appearing. Confirm the token in your IdP, verify attribute mappings and namespaces, and run a targeted push (Provision on demand / Force sync).
- Custom field not syncing. Ensure the field name (not display name) matches exactly in the SCIM attribute and contains no spaces.
- Approver deactivated via SCIM. If a timesheet approver is inactivated, their assignees are reassigned to the first Admin in alphabetical order.
Need help? If you’d like assistance configuring Custom SAML or SCIM, contact ClickTime Professional Services or reach Support at support@clicktime.com.