Teamtailor lets you use Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Teamtailor using their existing corporate credentials.
Once SSO is enforced, all users will have to log in via SSO. The ability to log in with an email and password will be disabled.
To activate SSO, start by contacting our support via chat or firstname.lastname@example.org. Once this is done, you can head over to Settings → General → Security.
To configure the SSO integration you will need to configure your SSO provider (often AzureAD, Google or Okta) with the following information from Teamtailor:
Assertion Consumption Service (ACS) URL
You will also need to configure Teamtailor with the following information from your SSO provider:
Signing certificate (in Base64 encoded format)
This is done by either
1) uploading the metadata file from your Identity Provider (IdP) or
2) entering the URL from which the metadata file can be fetched
Having some issues? Please see our article about SSO configuration errors and recommended solutions to get some help with your troubleshooting.
The SSO Auto-join domain
Teamtailor uses the SSO Auto-join domain value to identify which company account(s) a user should be signed in to when signing in via the Teamtailor general login page. The SSO Auto-join domain will be identified automatically based on the information provided in the SAML response message from your IdP.
If your domain differs from the one we picked up, or if you use several, reach out to our support at email@example.com, and we will help you configure it.
Manage access via SSO
Enforce SSO on all users
When the configuration is complete and you have verified that users can log in, you can go ahead and enable SSO on all users. You do this by clicking on → Enforce SSO.
Exclude individual users from SSO login
In some cases, you may want to exclude users from logging in via SSO, for example because they are external consultants or recruiters, or because they lack a company login for other reasons. To exclude users, you must make sure they are added as an Employee, and then simply search for the email or the name in the list of users.
Please note that users invited as External Recruiters are always excluded from SSO.
User creation and role mappings
The first time a new user logs in to the system using Single Sign-On, they will automatically be created as a user of the company account. You will be able to decide which level of access new users should be created with. To better understand our different access roles, see more information here: Invite users and select the right access.
Decide the Default user role
All users that are created via SSO are assigned the 'Default user' role in Teamtailor by default. However, you can decide what access role new users at your company should be given. Simply pick the role from this list that suits your company the best:
Assign different user roles via User mappings
If you prefer to give users different access roles upon creation, you can do this with User mappings → Add user mapping.
Please see the table below to better understand the information requested when adding your mapping:
The attribute in Teamtailor that you would like to map
The values available for the attribute in Teamtailor
The attribute provided by your Identity Provider (IdP)
The value provided by your Identity Provider (IdP) that will determine the Target value in Teamtailor
Please note that you can always change a user role manually, and you can add as many mappings as you like. We only support user mapping upon creation; we never perform any updates of the mapping during logins.
If you are using our Group solution, please reach out to firstname.lastname@example.org or your CSM if you need support with any of the following:
Additional user mappings for users to be created on the correct Teamtailor company account
Configuring additional Single sign-on(s) for unique sub-company account(s)