Additional SSO profile settings
Once your SSO profile has been reviewed and approved, you can specify additional settings.
Go to 'Manage SSO profiles' to open your SSO profile and scroll down to the settings section:
Enforce SSO-only login
Enforcing SSO will restrict users with this domain to only using SSO for logging in. They will not be able to use email and password combinations, or Google, or Apple logins.
It will also prevent individual new signups from emails with this domain. When a new person joins your team, you must invite them from within your Team page (we are also working on allowing automatic user creation, but that’s not available just yet).
When this is enabled, you can also whitelist specific users to be able to log in with other methods. All SSO profile administrators are by default whitelisted as well.
Add additional administrators
This will give your team the flexibility of allowing multiple members to manage SSO-related settings.
The users you add here will have all the same access to the SSO profile as you - editing, deleting, enabling, disabling, and assigning it to workspaces. Like the profile creator, their account will be whitelisted to be able to log in with other methods, too.
They will also be able to remove any admins (including yourself) from this SSO profile.
Use legacy mode (IdP)
You will only see this, if you set up SSO with Toggl prior to April 29, 2024; and you are still using the old configuration. If this is enabled, you’ll also see a badge ‘legacy mode’ next to your SSO profile name.
We have released a new version of single sign-on, with extended flexibility and security. To maintain your team’s access to Toggl, we migrated your previous SSO setup, and you are able to keep using it.
To switch over to the new system, you need to change the Toggl application settings in your identity provider (IdP), this is how:
Find the Toggl application settings in your IdP
Go back to your Toggl SSO page, Integration details section near the top.
Copy the new ACS URL and Entity ID from that section into your Identity provider’s settings. Save in IdP.
Back in Toggl SSO, disable the ‘Use legacy mode (IdP)’ toggle on the Profile settings section. Save changes.
→ Now, your team will be able to log in with the new setup.
Activity logs
You can find it at the top right of your SSO profile page:
The activity log contains a log of all events related to this SSO profile within Toggl, going back up to 3 months. Use this to troubleshoot any issues your team might have with authentication.
Automatic user creation
To simplify user management for admins. It is an optional setting that is turned off by default.
How does it work?
To enable automatic new user creation in your workspace, you must connect your SSO profile to a workspace. Once they are connected, when someone without a Toggl account logs in with your SSO setup, their account will automatically be created in your organisation.
Important to note:
This functionality does not include automatic user removal.
Users are only created when they authenticate via SSO. If they try logging with through different methods, new accounts will not be created for them.
As this could increase your team size in Toggl, it could have an impact on your subscription cost.
How to enable it?
To enable automatic user creation, you must connect an SSO profile to a workspace.
To be able to do that, you must be an administrator of the SSO profile, and an administrator in the organisation where this workspace belongs to. Then:
Find the SSO profile in the list on the bottom and toggle it on
Confirm the change and new users shall be added automatically on their next SSO login
If you still have questions about SSO, please contact our Support team by clicking on the purple chat icon in the bottom right corner of this page to start a chat.