SSO is available on Professional and Business plans. SAML 2.0 is Business only.
Supported providers
- Microsoft 365 / Entra ID (Professional+): Employees sign in with their Microsoft work account. Requires the Microsoft 365 integration to be connected first.
- Google Workspace (Professional+): Employees sign in with their Google Workspace account. Requires the Google Workspace integration to be connected first.
- SAML 2.0 (Business): Connect any SAML 2.0-compatible identity provider (Okta, OneLogin, PingIdentity, Azure AD via SAML, etc.).
Enabling Microsoft or Google SSO
Once the Microsoft 365 or Google Workspace integration is connected (see Integrations section), go to Settings -> Security -> Single Sign-On and toggle Enable SSO for the provider.
You can choose whether SSO is optional (employees can still use email/password) or required (password login is disabled for all employees).
SAML 2.0 setup
Go to Settings -> Security -> SAML 2.0. You'll need to provide:
- Identity Provider SSO URL
- Identity Provider Entity ID
- x509 Certificate (public key)
TimeLeaf's Service Provider details (to enter in your IdP):
- ACS URL: https://[slug].timeleaf.io/auth/saml/callback
- Entity ID: https://[slug].timeleaf.io/auth/saml
- Name ID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
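To confirm that your IdP sends the Service Provider values listed above, the following added example (not TimeLeaf code) checks a decoded SAML response from a test login for the expected Recipient, Audience and Name ID format. The slug `acme`, the sample response and the function name `check_response` are constructed for illustration, and the script only compares configured values; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample response (trimmed to the fields checked below, unsigned).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{fmt}">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData
            Recipient="https://acme.timeleaf.io/auth/saml/callback"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>{aud}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, slug):
    """Return a list of mismatches between the response and the SP details."""
    acs = f"https://{slug}.timeleaf.io/auth/saml/callback"
    entity_id = f"https://{slug}.timeleaf.io/auth/saml"
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("Name ID format is not emailAddress")
    recipients = [e.get("Recipient")
                  for e in root.findall(".//a:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Recipient does not match ACS URL {acs}")
    audiences = [(e.text or "").strip() for e in root.findall(".//a:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience does not match Entity ID {entity_id}")
    return problems


if __name__ == "__main__":
    # IdP misconfigured with the ACS URL as audience and an unspecified Name ID.
    bad = SAMPLE.format(fmt="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
                        aud="https://acme.timeleaf.io/auth/saml/callback")
    for problem in check_response(bad, "acme"):
        print(problem)
```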
Just-in-time provisioning
With JIT provisioning enabled, new employees who sign in via SSO are automatically created in TimeLeaf with the Employee role and assigned the default leave policy. No manual invite needed.