Single Sign-On
What is single sign-on (SSO)?
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials. It simplifies login, enhances security, and helps with managing user accounts.
In Toggl products, SSO is available on various pricing plans:
- Toggl Track - Premium and Enterprise subscriptions
- Toggl Plan - Business subscription
Toggl SSO allows connecting with any identity provider (IdP) that supports the SAML2 protocol (for example Okta, Auth0, Google Workspace, and others).
How does Toggl SSO work?
In short, it works like this:
- An administrator configures an SSO profile for your team’s domain (access to the identity provider is needed)
- Our team reviews the administrator’s access within Toggl, to enable the SSO profile
- Once an SSO profile is enabled:
  - All users with this domain can use the ‘Company login (SSO)’ button on our login pages to access Toggl via SSO.
  - SSO profile administrators can also configure additional settings for this SSO profile (e.g. enforcing SSO-only login, or allowing additional administrators)
How to set up (configure) an SSO profile?
NB: For your SSO profile to be approved, you must be an administrator in at least one paid organisation or workspace, and we must have reasonable confidence that you own the domain you set in the profile.
To configure an SSO profile, please follow these steps:
- Find the Single sign-on (SSO) section in the Toggl tool that you use:
  - In Toggl Track, scroll down on your My Profile page to the single sign-on (SSO) section, or use this direct link
  - In Toggl Plan, go to your workspace Settings → Single sign-on
- Click + Create SSO profile
- Fill out the necessary information in these three sections:
SSO profile configuration
- SSO profile name → this name will be displayed in your SSO profiles list (which you’ll see if you have more than one of them)
- Domain → this is the email domain that your team members use to log in with SSO. For example, if your user’s email address is jane@organization.com, the domain would be organization.com
Integration details
- Information from this section should be entered into your identity provider’s page (e.g. into Azure, Okta, Google, etc). You can copy the text by simply clicking on it.
- Each identity provider has its own way of setting up SSO profiles. Most often you will need to set up a new “application” on their page with this information. Consult with your identity provider if you have questions on that.
Identity provider (IdP) information
- You need to get these details from your IdP. They will usually be available somewhere within the page where you just set up the new Toggl application.
- You can copy a metadata URL, or untick the box and enter each field separately: a sign-in URL, entity ID, and X.509 certificate. You can either upload the certificate from your computer or drag and drop the file into the box.
- If you use multiple identity providers for the same domain, you can click + Another configuration and add that too. When a person with this domain clicks to ‘Log in with SSO’, they will now pick between Configuration name 1 and Configuration name 2, so it will help if you give them useful custom names. If you just have one configuration, users won’t need to pick anything, and the configuration name won’t be exposed to them.
- Click Submit for review at the bottom.
- Our team will review your access and claim to the domain you entered. Once that’s done, they will be in touch with the next steps. This will usually take up to 2 business days.
- When the SSO profile is approved, it goes into an ‘Enabled’ state automatically so you can test that the configuration works. If we can’t approve it, there will be a message on the SSO profile page. You can edit and re-submit for review at any time.
Multiple SSO profiles
If you have other domains that you would like to set SSO up for, click + New SSO profile and start again. Once you’ve submitted for review, you will now see the list of all your SSO profiles.
Additional SSO profile settings
Once your SSO profile has been reviewed, you can specify additional settings:
Enforce SSO-only login
- This will restrict users with this domain to only using SSO for logging in. They will not be able to use email and password combinations, or Google, or Apple logins.
- It will also prevent individual new signups from emails with this domain. When a new person joins your team, you must invite them from within your Team page (we are also working on allowing automatic user creation, but that’s not available just yet).
- When this is enabled, you can also whitelist specific users to be able to log in with other methods. All SSO profile administrators are by default whitelisted as well.
Add additional administrators
- This will give your team the flexibility of allowing multiple members to manage SSO-related settings.
- The users you add here will have all the same access to the SSO profile as you - editing, deleting, enabling, disabling, and assigning it to workspaces. Like the profile creator, their account will be whitelisted to be able to log in with other methods, too.
- They will also be able to remove any admins (including yourself) from this SSO profile.
Use legacy mode (IdP)
You will only see this if you set up SSO with Toggl prior to April 29, 2024, and you are still using the old configuration. If this is enabled, you’ll also see a badge ‘legacy mode’ next to your SSO profile name.
We have now released a new version of single sign-on, with extended flexibility and security. To maintain your team’s access to Toggl, we migrated your previous SSO setup, and are able to keep using it.
To switch over to the new system, you need to change the Toggl application settings in your identity provider. This is how:
- Find the Toggl application settings in your IdP.
- Go back to Toggl SSO, Integration details section near the top.
- Copy the new ACS URL and Entity ID from that section into your identity provider’s settings. Save in IdP.
- Back in Toggl SSO, disable the ‘Use legacy mode (IdP)’ toggle on the Profile settings section.
→ Now, your team will be able to log in with the new setup.
NB: make sure to click Save changes when you’ve made your choices, so that they can be activated.
SSO profile review process
As part of this process, we will manually check that the person who set up this SSO profile:
- Is an administrator…
- …in a workspace or organisation with a necessary pricing plan (Premium or Enterprise in Toggl Track, and Business in Toggl Plan)
- Has a legitimate claim to the domain that they have assigned to the SSO profile.
This will usually take up to 2 business days. Once we’ve completed the review, we will send you an email. The results will be reflected on your SSO profile page:
- If everything is OK, we will approve and enable the profile. You can now:
  - try to log in with SSO to make sure everything works
  - configure additional settings for your SSO profile
- If there is something we can’t verify, the SSO profile will go back to Draft status, and a reason for not approving will be shown on the SSO profile page. You can make changes and re-submit at any time.