How to set up SSO with OneLogin

Use your OneLogin account to set up SSO both for individual and group accounts.

Written by Adam de Lancey
Updated over a week ago

Please note that this information was correct as of 22nd February 2024 and Teamtailor is not responsible for any changes made within OneLogin. Any questions outside the scope of this article should be sent directly to OneLogin's support team.

Setting up SSO on a single account

To set up SSO on Teamtailor, the first step that you will need to take is to let our support team or your dedicated CSM know that you would like to go ahead with this. They will then activate it for you, and it will become available for you to set up in your Settings > Security > Single Sign-on (SSO). Note that this will need to be completed by a user with Company Admin access. Then, please follow the next steps below:

  1. As Teamtailor is not currently listed as an existing app in OneLogin, you'll need to create a custom app. Click on Applications at the top > Applications > Add App > search and select "SAML Custom Connector (Advanced)".

  2. Add a display name, icons, and description if you wish, then click "Save".

  3. In the menu on the left-hand side, select "Configuration". The only fields that you need to fill out are (screenshot of the completed version below):

    1. Recipient - this is the ACS URL found in your Teamtailor settings

    2. ACS (Consumer) URL Validator - this is a specific version of the ACS URL.

    3. ACS (Consumer) URL - this is also the ACS URL found in your Teamtailor settings.

    4. SAML nameID format - select Persistent.

  4. Leave all other fields blank or as preset, then click Save.

  5. In the menu on the left-hand side, click SSO. Here, you select your SAML Signature Algorithm (Teamtailor has successfully tested SHA-256 and SHA-512). Then, copy your Issuer URL, and paste this into your Teamtailor settings under the field IdP Metadata XML URL.

  6. In Teamtailor, click "Parse metadata". This will complete the setup on Teamtailor's side, so now you'll need to test that it's working as expected.

  7. Back in OneLogin, you'll then need to assign a User to test that it is working. Click "Users" in your top menu bar, then Users again, and click on the user that you would like to test this on. Next, click "Applications" down the left-hand menu, and add the application that you have just created to this user's profile, then click "Save user".

  8. To test that it is working, head to your careers site, then scroll to the bottom where you'll have "SSO" listed in the footer.

  9. Upon clicking SSO, you should be redirected to the page where you can enter your credentials. Once completed, you'll be directed to the homepage of your Teamtailor dashboard. If you are a new user, this will be as a Default User, and if you are an existing user, this will be at the level that you were added as previously.

  10. To complete the setup, you can add more users and groups on your side, then in Teamtailor, click "Enforce SSO", then your users will only be able to log in with SSO going forward. You can also ask our support team or CSM to add auto-join domains for you so that your team can log in via https://tt.teamtailor.com/en/login/sso instead.

Setting up SSO on a group account

Note that this section only applies to companies that have more than one Teamtailor account and would like to use the same SSO setup across all their accounts.

When setting up a group solution, you'll need to ensure that you complete all of the steps above, making sure that on Teamtailor this is all set up on the "parent" account.

In Teamtailor, by default, if a new user logs in for the first time without having been added to any existing account previously, they will automatically be added to the parent account. To avoid this, you will need to send us an additional claim, which we can use to identify to which account the new user should be added.

To add a new claim in OneLogin, go to the application that you have created, then find Parameters down the left-hand side. Click the "+" icon to add a new field. The field that you select here will be the field that you use to separate your users into different Teamtailor accounts. Most commonly, this is a country or company.

If using company, add this as the field name and tick "include in SAML assertion" then Save. Next, find the Company field in your Value dropdown box. It will then look like the below:

The next step is to let Teamtailor know the name of the claim that you have created, alongside the possible values that would be used as the identifier for your Teamtailor account, as well as any auto-join domains linked to those accounts. This could look something like this:

claim = country

Teamtailor account A: value = TeamtailorA, domain = @teamtailora.com

Teamtailor account B: value = TeamtailorB, domain = @teamtailorb.com

To test this, you can follow the same steps as previously for a single account, but ensure that your user is then logged into the correct account.

It's important to note here that this is only for new users. Existing users will automatically log in to the accounts where they are already set up.

Additionally, using Group SSO does not mean that all users will then have access to the other accounts. New users will only automatically be added to one account, but if they need access to more than one, they will need to be manually added in the Employees tab of the other accounts.

Common error messages

  1. Most commonly with OneLogin, the error message that you see in Teamtailor is "A valid subject confirmation was not found on this response". This will be because you have added the incorrect URL to the Recipient field in your Configuration settings. Ensure that you have added the ACS URL from Teamtailor here.

  2. This error message means that the Teamtailor application has not been added to your User account. Please ask your OneLogin admins to add this for you.

  3. This means that auto-join domains have not been set up on your SSO account. Please speak to our support team or your CSM to add these.
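
When a test login fails, checking the decoded SAML response against the settings above shows which one is wrong: the Recipient (the cause of the "valid subject confirmation" error), the Persistent nameID format, the signature algorithm, and, for group accounts, the extra claim. The following is an added example, not code from Teamtailor or OneLogin; the function names, the placeholder ACS URL and the sample response are constructed for illustration, and the claim name "country" follows the example given for group accounts.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

def check_response(xml_text, acs_url, claim=None, allowed_values=()):
    """List configuration problems in a base64-decoded SAML response.
    Diagnostic only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:  # the "valid subject confirmation" error case
        problems.append(f"Recipient {recipient!r} does not match the ACS URL")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not Persistent")
    sig = root.find(".//ds:SignatureMethod", NS)
    alg = sig.get("Algorithm", "") if sig is not None else ""
    if not alg.endswith(("sha256", "sha512")):  # algorithms the article lists as tested
        problems.append(f"signature algorithm {alg!r} is not SHA-256 or SHA-512")
    if claim is not None:  # group accounts only
        values = [v.text for a in root.iterfind(".//saml:Attribute", NS)
                  if a.get("Name") == claim
                  for v in a.iterfind("saml:AttributeValue", NS)]
        if not values:
            problems.append(f"claim {claim!r} is missing from the assertion")
        elif not set(values) <= set(allowed_values):
            problems.append(f"claim {claim!r} has unmapped value {values}")
    return problems

def sample_response(recipient, country="TeamtailorA"):
    # Constructed sample for illustration; not captured from OneLogin or Teamtailor.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID Format="{PERSISTENT}">user-1</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="{recipient}"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:AttributeStatement><saml:Attribute Name="country">
  <saml:AttributeValue>{country}</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""

ACS_URL = "https://acs.example.invalid/saml"  # placeholder; use the ACS URL from Teamtailor
```

An empty list from check_response means the response matches the configuration described in this article; each string in a non-empty list names the setting to revisit in OneLogin.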
