Teamtailor lets you use Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Teamtailor using their existing corporate credentials.
With SSO enabled, all users will access the platform using their corporate credentials rather than a Teamtailor-specific email and password. New users added to the platform won’t receive email invitations, as they will log in directly with their corporate credentials.
SSO Configuration
To activate SSO, start by contacting our support via chat or at support@teamtailor.com. Once this is done, go to Settings → General → Security.
To configure the SSO integration you will need to configure your SSO provider (often AzureAD, Google or Okta) with the following information from Teamtailor:
Entity ID
Assertion Consumption Service (ACS) URL
You will also need to configure Teamtailor with the following information from your SSO provider:
Sign-in URL
Signing certificate (in Base64 encoded format)
This is done by either:
1) uploading the metadata file from your Identity Provider (IdP), or
2) entering the URL from which the metadata file can be fetched
Please note that we expect you to send the name-id attribute in the persistent format:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
Having some issues? Please see our article about SSO configuration errors and recommended solutions to get some help with your troubleshooting.
The SSO Auto-join domain
Teamtailor uses the SSO Auto-join domain value to identify which company account(s) a user should be signed in to when signing in via the Teamtailor general login page. The SSO Auto-join domain will be identified automatically based on the information provided in the SAML response message from your IdP.
If your domain differs from the one we picked up, or if you use several domains, reach out to our support at support@teamtailor.com, and we will help you configure it.
Manage access via SSO
Enforce SSO on all users
When the configuration is complete and you have verified that users can log in, you can go ahead and enable SSO for all users. You do this by clicking on → Enforce SSO.
Exclude individual users from SSO login
In some cases, you may want to exclude users from logging in via SSO, for example because they are external consultants or recruiters, or because they lack a company login for other reasons. To exclude users, make sure they are added as an Employee, and then search for their email or name in the list of users.
Please note that users invited as External Recruiters are always excluded from the SSO.
User creation and role mappings
The first time a new user logs in to the system using Single Sign-On, they will automatically be created as a user of the company account. You can decide which level of access new users should be created with. To better understand our different access roles, see more information here: Invite users and select the right access.
Decide the Default user role
All users that are created via SSO are assigned the 'Default user' role in Teamtailor by default. However, you can decide what access role new users at your company should be given. Simply pick the role from this list that suits your company the best:
Assign different user roles via User mappings
If you prefer to give users different access roles upon creation, you can do this under User mappings → Add user mapping.
Please see the table below to better understand the information requested when adding your mapping:
Target key | The attribute in Teamtailor that you would like to map |
Target value | The values available for the attribute in Teamtailor |
Source key | The attribute provided by your Identity Provider (IdP) |
Source value | The value provided by your Identity Provider (IdP) that will determine the Target value in Teamtailor |
Please note that you can always change a user role manually, and you can add as many mappings as you like. We only support user mapping upon creation; we never update the mapping during logins.
If you are using our Group solution, please reach out to support@teamtailor.com or your CSM if you need support with any of the following:
Additional user mappings for users to be created on the correct Teamtailor company account
Configuring additional Single sign-on(s) for unique sub-company account(s)