Teamtailor lets you use Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Teamtailor using their existing corporate credentials.

In this article, you will find information about:

As a Company Admin user, you can set up the SSO login methos in Teamtailor by navigating to Settings → Company → Security and opening the tab Single sign-on (SSO) in the security settings.

To configure the SSO integration you will first need to configure your SSO provider (often AzureAD, Google, or Okta) with the following information from Teamtailor:

You will also need to configure Teamtailor with the following information from your SSO provider:

This is done by either:

1) Uploading the metadata file from your Identity Provider (IdP) or
​2) Entering the URL from where the metadata file can be fetched

Encountering any issues? Please see our article about SSO configuration errors and recommended solutions to get further help.

Teamtailor uses the SSO Auto-join domain value to identify which company account(s) a user should be signed in to when signing in via the Teamtailor general login page. The SSO Auto-join domain will be identified automatically based on the information provided in the SAML response message from your IdP.
In case you have another domain from what we picked up, or if you use several, reach out to our support at support@teamtailor.com, and we will help you configure it.

When the configuration is completed and you have ensured it works for users to log in, you can go ahead and enable SSO on all users. You do this by clicking on → Enforce SSO.

In some cases, you may want to exclude users from logging in via SSO, maybe they are external consultants or recruiters, or for other reasons lack a company login. In order to exclude users, you must make sure they are added as an Employee, and then simply search for the email or the name in the list of users.

Please note that users invited as External Recruiters are always excluded from the SSO.

The first time a new user login to the system using Single Sign-on, they will automatically be created as a user of the company account. You will be able to decide which level of access new users should be created with. To better understand our different access roles, see more information here: Invite users and select the right access.

All users that are created via SSO are assigned the 'Default user' role in Teamtailor by default. However, you can decide what access role new users at your company should be given. Simply pick the role from this list that suits your company the best:

In case you prefer to give users different access roles upon creation, you can do this with User mappings → Add user mapping.

Please see the table below to better understand the information requested when adding your mapping:

Please note that you can always change a user role manually and you can add as many mappings as you like. We only support user mapping upon creation, we never perform any updates of the mapping during logins.