How to set up single sign-on?

Single sign-on (SSO) is available on our paid plans, providing members access to Toggl tools through Identity Providers that support the SAML2 protocol.*

What is single sign-on (SSO)?

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. It allows for simplifying login, enhancing security, and managing user accounts.

Why enable SSO for your domain?

Enhanced security

  • Enforcing SSO-only login ensures that access to Toggl is controlled solely by single sign-on via your identity provider. This minimizes the risk of password theft, prevents access from users no longer recognized by the identity provider, and enhances compliance with IT security policies.

  • Prevent users from manually creating accounts with domains that are configured for single sign-on (SSO) to enhance control over your organization’s security.

  • Activity logs will help you troubleshoot SSO-related issues from the past three months.

Convenience for your whole organization

Forget password fatigue—your teams can access Toggl using the same credentials they already use for other tools, simplifying their daily logins.

Administrative setup flexibility

Customize SSO to best suit your organization’s needs. Options include multi-domain setups, access across multiple workspaces with a single domain, whitelisting emails outside of enforced SSO login, and assigning additional users who can modify SSO settings.

Simplified user management

Automatically create user accounts. If someone from your specified domains logs in via SSO but isn’t yet a user of Toggl, we’ll automatically set up their account and add them to all relevant workspaces linked to this SSO profile. (optional setting)

To learn more about the customizable advanced settings, see this article.

How does Toggl SSO work?

In Toggl products, SSO is available on various pricing plans:

  • Toggl Track - Premium and Enterprise subscriptions

  • Toggl Plan - Business subscription

Toggl SSO allows connecting with any identity provider (IdP) that supports the SAML2 protocol (for example Okta, Auth0, Google Workspace, and others).

In short, it works like this:

  1. An administrator configures an SSO profile for your team’s domain (access to the identity provider is needed)

  2. Our team reviews the administrator’s access within Toggl, to enable the SSO profile

  3. Once an SSO profile is enabled:

  • all users with this domain can use the ‘Company login (SSO)’ button on our login pages to access Toggl via SSO.

  • SSO profile administrators can also configure additional settings for this SSO profile (e.g. enforcing SSO-only login, or allowing additional administrators)

How to set up (configure) an SSO profile?

NB: For your SSO profile to be approved, you must be an administrator in at least one paid organisation or workspace, and we must have reasonable confidence that you own the domain you set in the profile.

To configure an SSO profile:

Start by finding the Single sign-on (SSO) section in the Toggl tool that you use:

  • In Toggl Track, scroll down on your My Profile page to the single sign-on (SSO) section, or use this direct link

  1. Click + Create SSO profile

  2. Fill out the necessary information in these three sections:

  • SSO profile configuration

  • SSO profile name → this name will be displayed in your SSO profiles list (which you’ll see if you have more than one of them)

  • Domain → this is the email domain that your team members use to log in with SSO. For example, if your user’s email address is jane@organization.com, the domain would be organization.com

  • Integration details

  • Enter info from this section into your identity provider’s page (e.g. Azure, Okta, Google, etc). You can copy the text by simply clicking on it.

  • NB. Make sure that in your IdP:

    • Unique User Identifier is set to user’s email

    • For SAML Signing Certificate, the Signing Option value is Sign SAML response

  • Each identity provider has their own ways of setting up SSO profiles, most often you will need to set up a new “application” on their page with this information. Consult with your identity provider if you have questions on that.

  • Identity provider (IdP) information

  • You need to get these details from your IdP. They will usually be available somewhere within the page where you just set up the new Toggl application.

  • Copy a metadata URL, or untick the box and enter each field separately: a sign-in URL, entity ID, and X.509 certificate. You can either upload the certificate from your computer or drag and drop the file into the box.

  • If you use multiple identity providers for the same domain, you can click + Another configuration and add that too. When a person with this domain clicks to ‘Log in with SSO’, they will now pick between Configuration name 1, and Configuration name 2 - it will help if you give them useful custom names. If you just have one configuration, the configuration name will not be exposed to the users.

  1. Click Submit for review from the bottom.

SSO profile review

During an SSO profile review, our team will manually check that the person who set up this SSO profile:

  1. Is an administrator in a workspace or organisation with a necessary pricing plan (Premium or Enterprise in Toggl Track, and Business in Toggl Plan)

  2. Should have legitimate claim for the domain that they have assigned to the SSO profile.

This can take up to 2 business days (mostly it’s less). Once we’ve completed the review, we will send you an email. The results will be reflected on your SSO profile page:

  • If everything is OK, we will approve and enable the profile. You can now:

  • If there is something we can’t verify, the SSO profile will go back to Draft status, and a reason for not approving will be shown on the SSO profile page. You can make changes and re-submit at any time.

Multiple domains for SSO

If you have other domains that you would like to set up single sign on for, click + New SSO profile and start again. Once you’ve submitted for review, you will now see the list of all your SSO profiles.

If you have questions or helpful tips for others feel free to post below :slight_smile: