Group solution: Single sign-on (SSO)

Learn how to configure Single Sign-on (SSO) when using our Group solution

Written by Evelina Lundmarck
Updated yesterday

Start by configuring Single Sign-on (SSO) on the Parent account, following the set-up guide in Use SSO Single Sign-On with Teamtailor. This setup will then automatically apply to all connected child accounts. However, some additional configuration may still be required, which we will go through in this article.

Auto-join domains

The inherited settings include the SSO auto-join domain(s). These domains determine which company account(s) a user should be signed into when using the general Teamtailor login page.

If you use additional domains beyond the one automatically detected (for example, domains specific to certain child accounts), please contact your Customer Success Manager or our Support team via chat or at support@teamtailor.com, and we’ll help you configure them.

Company mapping

By default, new users are created on the parent account the first time they log in using SSO. To ensure users are created and granted access to the correct Teamtailor account, we support User mapping.

To have this configured, reach out to your dedicated Customer Success Manager or our Support team via chat or at support@teamtailor.com.

Please see the table below for an overview of the information required when adding your mapping:

| Field | Description |
| --- | --- |
| Target company | The Teamtailor company account where the user should be created |
| Source key | The attribute provided by your Identity Provider (IdP) |
| Source value | The value(s) from your Identity Provider (IdP) that determine the Target company in Teamtailor |

Additional notes:

  • A single source value can be connected to multiple Target companies, allowing a user to be created on several accounts at first login.

  • Multiple source values can be connected to the same Target company.

  • Users can always be invited manually by Company Admins to gain access to specific accounts within the Group.
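Before sending a mapping to Support, it can help to check which users would fall through to the parent account or be created on several accounts. The sketch below is an added example, not Teamtailor code: the attribute names, company names and the exact, case-sensitive matching are assumptions made for illustration.

```python
from collections import defaultdict

PARENT = "parent-account"  # hypothetical label for the Group's parent account

# Constructed mapping rows: (source key, source value, target company).
MAPPING = [
    ("department", "Engineering", "child-tech"),
    ("department", "Engineering", "child-labs"),  # one value, two targets
    ("department", "Research", "child-labs"),     # two values, one target
    ("country", "SE", "child-nordics"),
]

def build_index(rows):
    """Index rows as {(source key, source value): {target companies}}."""
    index = defaultdict(set)
    for key, value, target in rows:
        index[(key, value)].add(target)
    return index

def resolve_targets(attributes, index, default=PARENT):
    """Accounts a user would be created on at first SSO login.

    Assumes exact, case-sensitive matching of IdP attribute values.
    Falls back to the parent account when no row matches (the default).
    """
    targets = set()
    for key, values in attributes.items():
        if isinstance(values, str):
            values = [values]  # IdPs may send one value or a list
        for value in values:
            targets |= index.get((key, value), set())
    return sorted(targets) or [default]

def review(users, index):
    """Flag users who are unmapped or who land on more than one account."""
    findings = {}
    for name, attributes in users.items():
        targets = resolve_targets(attributes, index)
        if targets == [PARENT]:
            findings[name] = ("unmapped", targets)
        elif len(targets) > 1:
            findings[name] = ("multiple", targets)
    return findings

# Constructed IdP attribute sets for three users.
USERS = {
    "alice": {"department": "Engineering", "country": "SE"},
    "bob": {"department": "Research"},
    "carol": {"department": "Finance"},
}
```

Calling `review(USERS, build_index(MAPPING))` lists only the users worth a second look: those with no matching row and those whose attributes match more than one Target company.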

Additional configurations

Configure additional SSO for accounts within the Group solution

In some cases, one or more child accounts may have their own IdP or SSO setup that you want them to use. To do so, please provide the following information to your dedicated Customer Success Manager or our Support team via chat or at support@teamtailor.com.

  • Metadata URL

  • Metadata file

  • Auto-join domain(s)

Role mapping / Exclusion of individual users

As with the standard SSO solution for individual users, it is possible to add role mapping and exclude users from SSO.

It is important to note that SSO must be enforced on the parent account, not just added. Only enforced SSO settings will be applied to the child accounts.

For role mapping, the roles set on the parent account will automatically apply to the child accounts.

For user exclusion, it is possible to specify users unique to each individual account.
