All Categories > Setup your Timetac account > How do I set up Single Sign-On?

How do I set up Single Sign-On?

TimeTac offers the opportunity to configure Single Sign-On (SSO) as authentication method for your account. Single Sign-On allows your employees to sign in using their corporate credentials instead of their TimeTac credentials.

Advantages of SSO

  • Leverage existing company’s authentication
  • Better security when employees use company’s established password
  • policies rather than their individual accounts
  • Seamless user experience due to the ability for employees to log in just one time with one set of credentials to get access to all corporate apps


Currently, TimeTac supports any identity provider which supports SAML 2.0 protocol. We offer tutorials and technical support for the following identity providers: Microsoft Azure and Google GSuite.

If you are interested in configuring SSO with an identity provider where we do not provide technical documentation yet, you can contact us via email (support@timetac.com) for further information.



Configuring Single Sign-On

To set up SSO configuration in your Next account, take the following steps:

1Login to your TimeTac account on https://app.timetac.com/ with an administrator user
2In the menu Settings, navigate to Integration
3Select Single Sign On (SSO).<p>Select <em>Single Sign On (SSO</em>).</p>
4Start configuring the SSO by filling in the Service Provider Details provided by your Identity Provider. Enter the data in the following fields:
  • Entity ID: globally unique name for an Identity Provider
  • Login URL: identity provider’s endpoint (URL) that is responsible for handling a SAML transaction
  • Logout URL: redirect URL where the user will be redirected to after logging out of the service provider
  • Certificate: required to encrypt and decrypt a SAML assertion. Open the certificate that you have downloaded from your Identity Provider with a text editor and copy/paste it into the certificate field.
  • Usage: Here you have an option to choose if the SSO Login will be optional or required. 
  • We strongly recommend keeping this setting on optional until you verify that the SSO setup works properly.
  • If you select the Optional option, you will have the possibility to login in both ways, via SSO and with email and password. If you select the option required, the SSO will be the only possibility to login.
end certificate expiry reminders to Technical Contact: Since the certificate has the expiry date, by selecting this checkbox, the reminder will be automatically sent to the person you specified as the Technical Contact in the Contact Persons page.

5After you have completed your configuration, enable SSO by clicking on the Update button.
6Test the SSO login by logging out of your account and try to login again.   Please make sure that the SSO is configured to be optional, this means you will be able to log in with your TimeTac credentials again, in case the SSO is not configured properly. Instead of filling in your TimeTac credentials, click on the button Single Sign On (SSO). You will get redirected to your identity provider's login screen for authentication. When you are successfully authenticated, you will be redirected to your TimeTac account.<p>Test the SSO login by logging out of your account and try to login again. &nbsp; <strong>Please make sure that the SSO is configured to be optional</strong>, this means you will be able to log in with your TimeTac credentials again, in case the SSO is not configured properly. Instead of filling in your TimeTac credentials, click on the button Single Sign On (SSO). You will get redirected to your identity provider's login screen for authentication. When you are successfully authenticated, you will be redirected to your TimeTac account.</p>


Verifying your SSO Setup

Verify that you have correctly integrated with your Identity Provider:

  • A TimeTac application is configured in your Identity Provider
  • Your employees are granted access to the TimeTac application configured in your IdP
  • The SAML Subject NameID value that is sent in the SAML response is configured to be the email address of the employee
  • The email address of your employees is maintained and unique in TimeTac, as it will be used as a matching key to identify a user.

Deactivate an existing SSO configuration

In case your existing SSO configuration is not working, or you would like to switch to a different Identity Provider, take the following steps to deactivate an existing SSO configuration:

  • In the menu Settings, navigate to Integration
  • Select Single Sign On (SSO).
  • Click on the Deactivate button to remove the existing SSO configuration.

If you need any help configuring SSO for your TimeTac company account, we are looking forward to your request via email: support@timetac.com.

Supported SSO Protocols

Currently, TimeTac supports any identity provider which supports SAML 2.0 protocol. We offer tutorials and technical support for the following identity providers: Microsoft Azure and Google GSuite.

If you are interested in configuring SSO with an identity provider where we do not provide technical documentation yet, you can contact us via email (support@timetac.com) for further information.


Was this Article useful for you?

Yes, this was useful

No, this was not useful