Most SSO problems come down to five checks. This blog post shows you how to quickly diagnose and resolve the most common login issues that appear after launch. It’s designed for TeamViewer Tensor admins responsible for secure access at scale, offering clear, practical insight so you can troubleshoot faster.
Why SSO fails: Five key checks for TeamViewer Tensor admins
1. Check that your domain is verified
TeamViewer needs to know that your company actually owns the domain before SSO can work. The most common issues we see are:
- The TXT record was added incorrectly
- Verification was started but never completed
Quick check: Go to Admin Settings ➜ Company Administration ➜ Single sign-on and confirm the domain shows as verified.
2. Confirm your IdP settings match exactly
Even tiny mismatches can break SSO. Common culprits include:
- Wrong ACS/Reply URL
- Incorrect Entity ID
- NameID format not set to email
- Expired or outdated certificates
Quick check: Compare your IdP configuration with the values shown in the TeamViewer SSO setup page. They must match character‑for‑character.
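One way to run the character-for-character comparison from check 2 and see why two values differ, as an added example that is not TeamViewer's code. The key names and sample values are constructed placeholders; replace them with the values from your TeamViewer SSO setup page and from your IdP.

```python
import unicodedata

def explain_mismatch(expected: str, actual: str) -> str:
    """Return 'match' or a short reason why two setting values differ."""
    if expected == actual:
        return "match"
    if expected == actual.strip():
        return "leading or trailing whitespace"
    # Zero-width and other control/format characters often arrive via copy-paste.
    if any(unicodedata.category(c) in ("Cf", "Cc", "Zs") and c != " " for c in actual):
        return "invisible or non-standard space character"
    if expected.rstrip("/") == actual.rstrip("/"):
        return "trailing slash differs"
    if expected.lower() == actual.lower():
        return "letter case differs"
    if expected.split("://", 1)[-1] == actual.split("://", 1)[-1]:
        return "URL scheme differs"
    # Otherwise report the first position at which the strings diverge.
    pos = next((i for i, (a, b) in enumerate(zip(expected, actual)) if a != b),
               min(len(expected), len(actual)))
    return f"differs from character {pos + 1}"

def compare_settings(expected: dict, actual: dict) -> dict:
    """Compare every expected key; a missing key is reported as 'not set'."""
    return {key: explain_mismatch(value, actual[key]) if key in actual else "not set"
            for key, value in expected.items()}

# Constructed sample values (placeholders, not real TeamViewer endpoints).
EXPECTED = {  # as shown on the service provider's SSO setup page
    "acs_url": "https://sp.example.invalid/saml/acs",
    "entity_id": "https://sp.example.invalid/saml/metadata",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
IDP_CONFIG = {  # as currently entered in the IdP
    "acs_url": "https://sp.example.invalid/saml/acs/",
    "entity_id": "https://SP.example.invalid/saml/metadata",
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
}

if __name__ == "__main__":
    for key, verdict in compare_settings(EXPECTED, IDP_CONFIG).items():
        print(f"{key}: {verdict}")
```

Certificate expiry is not covered here; check the certificate dates in your IdP separately.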
3. Ensure the users' email addresses belong to the verified domain
If a user’s email doesn’t match the verified domain, SSO will reject them, even if everything else is correct.
Some real-world examples:
- Users still have older email domains after a company rebrand
- Contractors try to log in with external emails
- Azure AD contains mixed domains, but only one of them is verified in TeamViewer
Quick check: Ensure every user’s email address in your IdP matches the domain you verified in TeamViewer.
4. Make sure the impacted users have a Tensor license assigned
SSO is a Tensor‑only feature. If a user doesn’t have a Tensor license assigned, SSO will fail.
What it might look like:
- SSO works for some users but not others
- Admins can log in, but regular users can’t
- Users get stuck in login loops or land back on the IdP without a clear error
Nothing is broken. The user just isn’t licensed correctly.
Quick check: Go to Admin Settings → User Management and confirm the affected user:
- Exists in TeamViewer
- Is activated
- Has a Tensor license assigned. No Tensor license means no access to Tensor features, including SSO.
5. Are you using SCIM? SCIM and SSO issues are often connected
If you use SCIM and a user cannot log in via SSO, one of the first things to check is whether the user was successfully provisioned via SCIM.
One of the most common errors is:
- Error 500: The user already exists as a free account
This occurs when the user already has a standalone TeamViewer account, preventing SCIM from provisioning and blocking SSO access.
Quick check: There are two ways to add the user to your company profile:
- User deletes their existing account
  The user logs in and deletes their account via profile settings
  → Delete your account
- Manually invite the user
  Send the user an invitation to join your company profile
  → Add users to your company
Important: For both options, add the user to your SSO exception list so they can still log in if SSO is enforced.
If the user is unable to delete their account themselves or cannot be added via a manual invitation, you can contact TeamViewer Support. Our team will be happy to assist.
Expert tip: Use the SSO inclusion list during rollout
Before enabling SSO company‑wide, make use of the SSO inclusion list.
The inclusion list allows you to limit SSO enforcement to a specific set of users while you’re still testing. This helps you validate that your setup is working, without risking a company‑wide lockout.
It’s especially useful during the testing phase or phased rollouts, where not all users are licensed or ready to switch to SSO yet. Once you’re confident everything works as expected, you can gradually expand the inclusion list or remove it entirely.
Have these checks already helped you troubleshoot SSO in the past? Or have you encountered scenarios where they didn’t apply?
Share your experience in the Community and let other Tensor users benefit from your insights.