Single Sign-On

Only for paying customers

This feature is currently in test mode. If you want to join and help test it, please contact support!

Users of your Kimai-Cloud can authenticate using an identity provider that supports SSO (Single Sign-On) via SAML (Security Assertion Markup Language).

You can find the configuration after logging in at: My Kimai-Cloud > SSO Authentication.

Currently, we support the following provider:

  • Google Workspace

The next providers on our roadmap are:

  • Azure AD (Microsoft Cloud)
  • Keycloak

If you are using one of them, we need you for testing this integration. Please get in touch!

Configure your Identity provider

Google Workspace

  • Go to https://admin.google.com/ac/apps/unified
  • Choose "Add app" followed by "Add custom SAML app"
  • Choose a name (e.g. "Kimai-Cloud Live") and add this image
  • Copy & paste the values from page 2 of the Google Step-by-Step guide into your Kimai-Cloud SAML configuration screen:
    • SSO-URL into Single Sign-On URL
    • Entity-ID into Entity ID
    • Certificate into X.509 Certificate
  • Copy & paste the values from the Kimai-Cloud SAML configuration screen into page 3 of the Google Step-by-Step guide:
    • ACS-URL into ACS-URL
    • Entity ID into Entity-ID
    • Choose the Name-ID Format: "X509_SUBJECT"
    • Select the Name-ID: "Basic Information > Primary Email"
  • On page 4 (Attributes), define the attribute mapping

    • The User attribute mapping should be defined like this (correct case is important!):

      Google directory attribute          | App attribute
      ------------------------------------|---------------
      Basic Information > Primary email   | Email
      Basic Information > First name      | FirstName
      Basic Information > Last name       | LastName
      Employee Details > Employee ID      | AccountNumber
      Employee Details > Title            | Title
  • Back on the overview page: activate the new application for your users
  • As the last configuration step, set up the user role mapping, which must be defined like this:
    • Create a User defined attribute called SAML Group
    • Add a field UserRole as text type with multi-value
    • Edit your users and apply the values within the new attribute:
      • The value Kimai-System maps to the Kimai role System-Admin (or ROLE_SUPER_ADMIN internally)
      • The value Kimai-Admin maps to the Kimai role Administrator (or ROLE_ADMIN internally)
      • The value Kimai-Teamlead maps to the Kimai role Teamlead (or ROLE_TEAMLEAD internally)
  • Now go back and edit your SAML application to configure one more attribute mapping:
    • Map the Google directory attribute SAML Group > UserRole to the App-Attribute Roles

You can use another internal name for the role attribute, but right now you have to use the pre-made role names.
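
To check a setup before rolling it out, the following added example (not Kimai's own code) inspects a decoded SAML assertion against the attribute and role mapping described above. It assumes that each app attribute arrives as a saml:Attribute whose Name is the app attribute name, that multi-value roles arrive as repeated AttributeValue elements, and that every mapped attribute is expected to be present; the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# App attribute names from the mapping table above (case-sensitive).
EXPECTED = ["Email", "FirstName", "LastName", "AccountNumber", "Title", "Roles"]
# Pre-made role values and the internal Kimai roles they map to.
ROLE_MAP = {"Kimai-System": "ROLE_SUPER_ADMIN", "Kimai-Admin": "ROLE_ADMIN",
            "Kimai-Teamlead": "ROLE_TEAMLEAD"}

def check_assertion(xml_text):
    """Return (roles, problems). Inspection aid only: no signature check."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = attr.iterfind("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    problems = []
    lowered = {name.lower(): name for name in attrs}
    for expected in EXPECTED:
        if expected in attrs:
            continue
        found = lowered.get(expected.lower())
        if found:  # present, but with the wrong case
            problems.append(f"attribute {found!r} must be spelled {expected!r}")
        else:      # assumption: every mapped attribute should be sent
            problems.append(f"attribute {expected!r} is missing")
    roles = []
    for value in attrs.get("Roles", []):
        if value in ROLE_MAP:
            roles.append(ROLE_MAP[value])
        else:
            problems.append(f"role value {value!r} is not a pre-made role name")
    return roles, problems

# Constructed sample: "email" has the wrong case, "Kimai-admin" is misspelled.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="Roles"><saml:AttributeValue>Kimai-Teamlead</saml:AttributeValue>
<saml:AttributeValue>Kimai-admin</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

if __name__ == "__main__":
    roles, problems = check_assertion(SAMPLE)
    print("roles:", roles)
    print("\n".join(problems))
```

Because the value Kimai-System maps to ROLE_SUPER_ADMIN, it is worth reviewing which directory users carry it whenever the UserRole field is edited.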

Cloud configuration

Costs

There are no additional costs involved, it is included in your paid plan.
