Teamtailor lets you use Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Teamtailor using their existing corporate credentials.

Once SSO is enforced, all users will have to log in via SSO. The ability to log in with an email and password will be disabled. In this article, you will find information about:

To enable an SSO activation, start by contacting our support via chat or support@teamtailor.com. Once this is done, you can head over to Settings→ General→ Security.

To configure the SSO integration you will need to configure your SSO provider (often AzureAD, Google or Okta) with the following information from Teamtailor:

You will also need to configure Teamtailor with the following information from your SSO provider:

This is done by either

1) upload the metadata file from your Identity Provider (IdP) or
2) enter the url from where the metadata file can be fetched

Having some issues? Please see our article about SSO configuration errors and recommended solutions to get some help with your troubleshooting.

Teamtailor uses the SSO Auto-join domain value to identify which company account(s) a user should be signed in to when signing in via the Teamtailor general login page. The SSO Auto-join domain will be identified automatically based on the information provided in the SAML response message from your IdP.
In case you have another domain from what we picked up, or if you use several, reach out to our support at support@teamtailor.com, and we will help you configure it.

When the configuration is completed and you have ensured it works for users to login, you can go ahead and enable SSO on all users. You do this by clicking on → Enforce SSO.

In some cases, you may want to exclude users from logging in via SSO, maybe they are external consultants or recruiters, or for other reasons lack a company login. In order to exclude users, you must make sure they are added as an Employee, and then simply search for the email or the name in the list of users.

Please note that users invited as External Recruiters are always excluded from the SSO.

The first time a new user login to the system using Single Sign-on, they will automatically be created as a user of the company account. You will be able to decide which level of access new users should be created with. To better understand our different access roles, see more information here: Invite users and select the right access.

All users that are created via SSO are assigned the 'Default user' role in Teamtailor by default. However, you can decide what access role new users at your company should be given. Simply pick the role from this list that suits your company the best:

In case you prefer to give users different access roles upon creation, you can do this with User mappings→ Add user mapping.

Please see the table below to better understand the information requested when adding your mapping:

Please note that you can always change a user role manually and you can add as many mappings as you like. We only support user mapping upon creation, we never perform any updates of the mapping during logins.