TeamViewer Single Sign-On (SSO) aims to reduce user management efforts for large companies by connecting TeamViewer with identity providers and user directories.
This article applies to TeamViewer customers with an Enterprise/Tensor license.
Requirements
To use TeamViewer Single Sign-On, you need
- a TeamViewer version 13.2.1080 or newer
- a SAML 2.0 compatible identity provider (IdP)*
- a TeamViewer account to access the Management Console and add domains
- access to the DNS management of your domain to verify the domain ownership
- a TeamViewer Tensor license.
TeamViewer configuration
Single Sign-On (SSO) is activated on a domain level for all TeamViewer accounts using an email address with this domain. Once activated, all users who sign into a corresponding TeamViewer account are redirected to the identity provider that has been configured for the domain.
For security reasons and to prevent abuse, it is required to verify the domain ownership before the feature is activated.
Add a new domain
To activate SSO, log in to Management Console select Company administration and then the Single Sign-On menu entry. Click on Add domain and enter the domain you want to activate SSO for.
You also need to provide your identity provider’s metadata. There are three options available to do so:
- via URL: enter your IdP metadata URL into the corresponding field
- via XML: select and upload your metadata XML
- Manual configuration: manually enter all necessary information. Please note that the public key must be a Base64 encoded string.
Once it's done, click Continue.
Now, select the e-mail addresses or user groups you want to exclude from SSO and click Add domain.
Create custom identifier
After the domain has been added, the custom identifier can be generated. This custom identifier is not stored by TeamViewer but is used for the initial configuration of SSO. It must not be changed at any point in time since this will break Single Sign-On, and a new setup will be necessary. Any random string can be used as a customer identifier. This string is later required for the configuration of the IDP. To generate the custom identifier, click Generate.
Verify domain ownership
After a domain has been added successfully, you need to verify the domain ownership.
Single Sign-On will not be activated before the domain verification is completed.
To verify the domain, please create a new TXT record for your domain with the values shown on the verification page.
📌Note: The verification process can take several hours because of the DNS system.
📌Note: Depending on your domain management system, the description of the input fields may vary.
After creating the new TXT record, start the verification process by clicking on the Start verification button.
📌Please note that the verification process can take several hours because of the DNS system.
💡Hint: TeamViewer will look for the TXT verification record for 24 hours after starting the verification. If we cannot find the TXT record within 24 hours, the verification fails, and the status is updated accordingly. You need to restart the verification through this dialog in this case.
Identity Provider Setup with G Suite
1) Open the Google Admin console: https://admin.google.com
2) Create a custom user attribute for holding the TeamViewer Customer Identifier:
- Navigate to Directory > Users
- In the upper-right corner, press the Manage custom attributes button.
- Press Add Custom Attribute (upper-right corner)
- Enter a category name (e.g. "Single Sign-On") and an optional description.
- In the custom fields section enter a name for the new custom attribute, for example TeamViewer Customer Identifier.
- Choose Info Type to be Text
- Choose Visibility to be Visible to admin
- Choose No. of values to be Single Value
- Press "Add"
3) Navigate to Apps > SAML Apps, click Add (+) in the bottom-right corner.
4) Choose Setup My Own Custom App
5) Press Next to confirm the Google IdP Information dialog. All information can also be accessed again later.
6) Enter a name for the application, for example "TeamViewer" (Description and Logo can optionally be added, too).
7) On the "Service Provider Details", enter the following information:
- ACS URL: https://sso.teamviewer.com/saml/acs
- Entity ID: https://sso.teamviewer.com/saml/metadata
- Name ID: "Basic Information" > "Primary Email"
- Name ID Format: "UNSPECIFIED"
8) On the "Attribute Mapping" section, add the following mappings:
- Attribute Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressCategory: "Basic Information"
- User Attribute: "Primary Email"
- Attribute Name: http://sso.teamviewer.com/saml/claims/customeridentifierCategory: "Single Sign-On" (created in step 1)
- User Attribute: "TeamViewer Customer Identifier" (created in step 1)
📌Please note that the "TeamViewer Customer Identifier" attribute must be set for users that want to login to TeamViewer via Single Sign-On.
TeamViewer Client Configuration
TeamViewer is compatible with Single Sign-On starting from version 13.2.1080.
Previous versions do not support Single Sign-On and can not redirect users to your identity provider during the login. The client configuration is optional but allows changing the used browser for the SSO login of the IdP.
The TeamViewer client will use an embedded browser for the identity provider authentication by default. If you prefer to use the default browser of the operating system, you can change this behavior:
Windows:
HKEY_CURRENT_USER\Software\TeamViewer\SsoUseEmbeddedBrowser = 0 (DWORD)
macOS:
defaults write com.teamviewer.teamviewer.preferences SsoUseEmbeddedBrowser -int 0
📌Note: You need to restart the TeamViewer client after creating or changing the registry.