Using SSO (Single sign-On) with Teamtailor

Learn how to set up and start using SSO on your Teamtailor account

Written by Evelina Lundmarck
Updated over a week ago

Teamtailor lets you use Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Teamtailor using their existing corporate credentials.

Once SSO is enforced, all users will have to log in via SSO. The ability to log in with an email and password will be disabled. In this article, you will find information about:


SSO Configuration

To activate SSO, start by contacting our support via chat or support@teamtailor.com. Once this is done, you can head over to Settings → General → Security.

To configure the SSO integration you will need to configure your SSO provider (often AzureAD, Google or Okta) with the following information from Teamtailor:

  • Entity ID

  • Assertion Consumption Service (ACS) URL

You will also need to configure Teamtailor with the following information from your SSO provider:

  • Sign-in URL

  • Signing certificate (in Base64 encoded format)

This is done by either:

1) uploading the metadata file from your Identity Provider (IdP), or
2) entering the URL from which the metadata file can be fetched

Please note that we expect you to send the name-id attribute in the persistent format:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Having some issues? Please see our article about SSO configuration errors and recommended solutions to get some help with your troubleshooting.

The SSO Auto-join domain

Teamtailor uses the SSO Auto-join domain value to identify which company account(s) a user should be signed in to when signing in via the Teamtailor general login page. The SSO Auto-join domain will be identified automatically based on the information provided in the SAML response message from your IdP.
If your domain differs from the one we picked up, or if you use several domains, reach out to our support at support@teamtailor.com, and we will help you configure it.

Manage access via SSO

Enforce SSO on all users

When the configuration is complete and you have confirmed that users can log in, you can go ahead and enable SSO for all users. You do this by clicking Enforce SSO.

Exclude individual users from SSO login

In some cases, you may want to exclude users from logging in via SSO, for example because they are external consultants or recruiters, or for other reasons lack a company login. To exclude users, make sure they are added as an Employee, and then search for their email or name in the list of users.

Please note that users invited as External Recruiters are always excluded from the SSO.

User creation and role mappings

The first time a new user logs in to the system using Single Sign-On, they will automatically be created as a user of the company account. You will be able to decide which level of access new users should be created with. To better understand our different access roles, see more information here: Invite users and select the right access.

Decide the Default user role

All users that are created via SSO are assigned the 'Default user' role in Teamtailor by default. However, you can decide what access role new users at your company should be given. Simply pick the role from this list that suits your company the best:

Assign different user roles via User mappings

If you prefer to give users different access roles upon creation, you can do this with User mappings → Add user mapping.

Please see the table below to better understand the information requested when adding your mapping:

Target key   | The attribute in Teamtailor that you would like to map
Target value | The values available for the attribute in Teamtailor
Source key   | The attribute provided by your Identity Provider (IdP)
Source value | The value provided by your Identity Provider (IdP) that will determine the Target value in Teamtailor

Please note that you can always change a user role manually and you can add as many mappings as you like. We only support user mapping upon creation; we never perform any updates of the mapping during logins.
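A quick way to check what your IdP actually sends before you enforce SSO, covering both the persistent name-id requirement and the Source key / Source value fields used in user mappings. This is an added example, not Teamtailor's code: it assumes that Source key corresponds to the SAML attribute name and Source value to one of that attribute's values, and the sample response is constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample of a response an IdP might POST to the ACS URL (signature
# omitted). Every name and value in it is made up for illustration.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
   <saml:Attribute Name="department"><saml:AttributeValue>HR</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="groups">
    <saml:AttributeValue>recruiters</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def inspect_saml_response(b64_response):
    """Decode a Base64 SAMLResponse value and report what the IdP sent."""
    # Inspection only: no signature or validity-window checks are done here.
    root = ET.fromstring(base64.b64decode(b64_response))
    report = {"problems": [], "name_id_format": None, "attributes": {}}
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        report["problems"].append("assertion is encrypted; decrypt it before inspecting")
        return report
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None:
        report["problems"].append("no NameID in the assertion subject")
    else:
        # SAML core: a missing Format attribute means 'unspecified', not persistent.
        report["name_id_format"] = name_id.get("Format")
        if report["name_id_format"] != PERSISTENT:
            report["problems"].append("NameID is not in the persistent format")
    # Attribute names and values are the candidates for Source key / Source value.
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        report["attributes"][attr.get("Name")] = values
    return report
```

Run it on the SAMLResponse form value from a test login to your own account; an empty `problems` list means the name-id format matches what this article asks for.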

If you are using our Group solution, please reach out to support@teamtailor.com or your CSM if you need support with any of the following:

  • Additional user mappings for users to be created on the correct Teamtailor company account

  • Configuring additional Single sign-on(s) for unique sub-company account(s)
