<main>
<article class="userContent">
<h2 data-id="general">General</h2><div class="blockquote"><div class="blockquote-content"><p class="blockquote-line"><em>This article applies to TeamViewer customers with an Enterprise/Tensor </em><a href="https://www.teamviewer.com/en/credentials/enterprise-solutions/" rel="nofollow noreferrer ugc"><em>license</em></a><em>.</em></p></div></div><p>TeamViewer Single Sign-On (SSO) aims to reduce user management efforts for large companies by connecting TeamViewer with identity providers and user directories.</p><p><br></p><h3></h3><h2 data-id="requirements">Requirements</h2><p>To use TeamViewer Single Sign-On, you need</p><ul><li>a TeamViewer version 13.2.1080 or newer</li><li>a SAML 2.0 compatible identity provider (IdP)<strong>*</strong></li><li>a TeamViewer account to access the Management Console and add domains</li><li>access to the DNS management of your domain to verify the domain ownership</li><li>a TeamViewer Tensor license.</li></ul><p><strong>*</strong> Currently, we only support Centrify, Okta, Azure, OneLogin, ADFS, and G Suite, but we are working on supporting more IdPs in the future. The above IdPs have been tested, and detailed steps to set up one of these IdP can be found in these documents and other linked pages about SSO and the respective IdPs. </p><p><strong>📌Note</strong>: If you use a different IdP, please use the technical information to set up your IdP manually.</p><p><strong>💡Hint</strong>: When adding a domain for Single Sign-On, it is recommended to add the owning account to the exclusion list. The reason for this is a fallback scenario that you keep access to the domain configuration even if the IdP is not working. </p><p>Example: The TeamViewer Account "admin@example.com" adds domain „example.com“ for Single Sign-On. After adding the domain, the email address "admin@example.com" should be added to the exclusion list. 
This is required to make changes to the SSO configuration, even when Single Sign-On doesn't work due to misconfiguration.</p><p><strong>💡Hint2:</strong> When adding a single Sign-On domain, adding additional owners to the SSO domain is recommended since the SSO ownership is not inherited within your company. </p><p>Example: After the TeamViewer Account "admin@example.com" adds domain „example.com“ for Single Sign-On, they add multiple company administrators (e.g. "admin2@example.com") as domain owners so that they can also manage the domain and its SSO settings.</p><p>Single Sign-On (SSO) is activated on a domain level for all TeamViewer accounts using an email address with this domain. Once activated, all users that sign into a corresponding TeamViewer account are redirected to the identity provider that has been configured for the domain. This step is required independent of which IdP is used.</p><p>For security reasons and to prevent abuse, it is required to verify the domain ownership before the feature is activated.</p><p><br></p><h3 data-id="-1"></h3><h2 data-id="add-a-new-domain">Add a new domain</h2><p>To activate SSO, log in to Management Console and select the <strong>Single Sign-On</strong> menu entry. Click on <strong>Add domain</strong> and enter the domain you want to activate SSO for.</p><p>You also need to provide your identity provider’s metadata. There are three options available to do so:</p><ul><li><strong>via URL</strong>: enter your IdP metadata URL into the corresponding field</li><li><strong>via XML</strong>: select and upload your metadata XML</li><li><strong>Manual configuration</strong>: manually enter all necessary information. Please note that the public key must be a Base64 encoded string.</li></ul><div class="embedExternal embedImage display-medium float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/RO8SR7IUPAL8/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/RO8SR7IUPAL8/image.png" alt="image.png" height="640" width="800" loading="lazy" data-display-size="medium" data-float="none"></img></a>
</div>
</div>
<h2 data-id="create-custom-identifier">Create custom identifier</h2><p>After the domain has been added, the <strong>customer identifier</strong> can be generated. This customer identifier is not stored by TeamViewer, but is used for the initial configuration of SSO. It must not be changed at any point in time, since a change breaks Single Sign-On and requires a new setup. Any random string can be used as the customer identifier. This string is later required for the configuration of the IdP.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/6K2GGD6TXZ3M/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/6K2GGD6TXZ3M/image.png" alt="image.png" height="339" width="750" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/V30632DYLXRZ/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/V30632DYLXRZ/image.png" alt="image.png" height="470" width="750" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<h2 data-id="verify-domain-ownership">Verify domain ownership</h2><p>After a domain has been added successfully, you need to verify the domain ownership.</p><p>Single Sign-On will not be activated before the domain verification is completed.</p><p>To verify the domain, create a new TXT record for your domain with the values shown on the verification page.</p><p><strong>📌Note</strong>: The verification process can take several hours because of DNS propagation.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/PQKH3SPJJ3GW/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/PQKH3SPJJ3GW/image.png" alt="image.png" height="642" width="800" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>The dialog to add a TXT record might look similar to:</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/ZJ35FFZEIOT4/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/ZJ35FFZEIOT4/image.png" alt="image.png" height="428" width="600" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><strong>📌Note</strong>: Depending on your domain management system, the labels of the input fields may vary.</p><p>After creating the new TXT record, start the verification process by clicking the “Start Verification” button.</p><p><strong>📌Please note</strong> that the verification process can take several hours because of DNS propagation.</p><p><strong>💡Hint</strong>: TeamViewer looks for the TXT verification record for 24 hours after the verification is started. If the TXT record cannot be found within 24 hours, the verification fails and the status is updated accordingly. In this case, you need to restart the verification through this dialog.</p><h2 data-id="identity-provider-setup">Identity Provider Setup</h2><p>Each identity provider requires its own configuration, which is covered in dedicated knowledge base articles:</p><ul><li>Active Directory Federation Services (ADFS): <a href="https://community.teamviewer.com/English/kb/articles/59941-single-sign-on-with-active-directory-federation-services-adfs" rel="nofollow noreferrer ugc">Single Sign-On with Active Directory Federation Services (ADFS)</a></li><li>Azure Active Directory: <a href="https://community.teamviewer.com/English/kb/articles/60209-single-sign-on-with-azure-active-directory" rel="nofollow noreferrer ugc">Single Sign-On with Azure Active Directory</a></li><li>Centrify: <a href="https://community.teamviewer.com/English/kb/articles/60207-single-sign-on-with-centrify" rel="nofollow noreferrer ugc">Single Sign-On with Centrify</a></li><li>G Suite: <a href="https://community.teamviewer.com/English/kb/articles/59943-single-sign-on-with-g-suite" rel="nofollow noreferrer ugc">Single Sign-On with G Suite</a></li><li>Okta: <a href="https://community.teamviewer.com/English/kb/articles/60206-single-sign-on-with-okta" rel="nofollow noreferrer ugc">Single Sign-On with Okta</a></li><li>OneLogin: <a href="https://community.teamviewer.com/English/kb/articles/60203-single-sign-on-with-onelogin" rel="nofollow noreferrer ugc">Single Sign-On with OneLogin</a></li></ul><h2 data-id="teamviewer-client-configuration">TeamViewer Client Configuration</h2><p>TeamViewer is compatible with Single Sign-On starting from version 13.2.1080.</p><p>Previous versions do not support Single Sign-On and cannot redirect users to your identity provider during login. The client configuration is optional; it only changes which browser is used for the SSO login at the IdP.</p><p>By default, the TeamViewer client uses an embedded browser for identity provider authentication. If you prefer the operating system's default browser, you can change this behavior:</p><p><strong>Windows:</strong></p><pre class="code codeBlock" spellcheck="false" tabindex="0">HKEY_CURRENT_USER\Software\TeamViewer\SsoUseEmbeddedBrowser = 0 (DWORD)
</pre><p><strong>macOS:</strong></p><pre class="code codeBlock" spellcheck="false" tabindex="0">defaults write com.teamviewer.teamviewer.preferences SsoUseEmbeddedBrowser -int 0
</pre><p><strong>📌Note</strong>: After creating or changing this setting, you need to restart the TeamViewer client.</p><h2 data-id="technical-information">Technical information</h2><p>This section lists the technical details of the TeamViewer SAML Service Provider (SP). This data is needed when configuring an IdP other than the ones described above.</p><p><strong>SAML Service Provider Metadata:</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/9BHJFV2VC106/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/9BHJFV2VC106/image.png" alt="image.png" height="326" width="1304" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<h2 data-id="for-you-to-copypaste%3A">For you to copy/paste:</h2><p> <strong>SP Metadata URL: </strong> <a href="https://sso.teamviewer.com/saml/metadata.xml" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/metadata.xml</a></p><p> <strong>Entity ID: </strong> <a href="https://sso.teamviewer.com/saml/metadata" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/metadata</a></p><p> <strong>Audience: </strong> <a href="https://sso.teamviewer.com/saml/metadata" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/metadata</a></p><p> <strong>Assertion Customer Service URL: </strong> <a href="https://sso.teamviewer.com/saml/acs" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/acs</a></p><p> <strong>Assertion Consumer Service URL: </strong> <a href="https://sso.teamviewer.com/saml/acs" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/acs</a></p><p> <strong>Assertion Consumer Service Bindings</strong></p><pre class="code codeBlock" spellcheck="false" tabindex="0"> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirec
</pre><p> <strong>SAML Request Signature Algorithm: </strong> <a href="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" rel="nofollow noreferrer ugc">http://www.w3.org/2001/04/xmldsig-more#rsa-sha256</a></p><p>TeamViewer supports SHA-256 as signature algorithm. We require the SAML assertion to be signed while signing the SAML response is optional but recommended.</p><p> <strong>NameID: </strong> Unspecified</p><p> </p><p> <strong>Required SAML Response Claims:</strong></p><ul><li><a href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" rel="nofollow noreferrer ugc"><strong>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier</strong></a></li></ul><p>This should be mapped to a unique user identifier within the scope of the IdP (and, therefore, within the scope of the corresponding company).</p><p><br></p><p>For example, this can be the Active Directory Object GUID for ADFS or the email address for Okta</p><ul><li><a href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" rel="nofollow noreferrer ugc"><strong>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</strong></a></li></ul><p>This attribute should be mapped to the email address of the user that wants to sign in. The email address needs to be the same as configured for the TeamViewer account. The mapping/comparison is done in a case-insensitive way.</p><ul><li><a href="http://sso.teamviewer.com/saml/claims/customeridentifier" rel="nofollow noreferrer ugc"><strong>http://sso.teamviewer.com/saml/claims/customeridentifier</strong></a></li></ul><p>This attribute should return a customer-specific identifier. The attribute must be named “customeridentifier.”</p><p>TeamViewer requires a customer identifier as a custom claim in the SAML response for the initial configuration of Single Sign-On accounts.</p><p><strong>TeamViewer does not store the customer identifier. 
Changing it later will break Single Sign-On, and a new setup will be necessary.</strong></p><p>Any random string can be used as a customer identifier.</p><p><br></p><p><strong>Signature & Encryption Certificate (Public Key)</strong></p><p>The public key of the certificate that is used to sign SAML requests and for the encryption of SAML responses can be obtained by executing the following PowerShell command:</p><pre class="code codeBlock" spellcheck="false" tabindex="0">"-----BEGIN PUBLIC KEY-----`n" + `
((Select-Xml `
-Content ((Invoke-WebRequest `
https://sso.teamviewer.com/saml/metadata.xml).Content) `
-xpath "//*[local-name()='X509Certificate']").Node[0].'#text') + `
"`n-----END PUBLIC KEY-----" `
| Out-File -FilePath "sso.teamviewer.com - saml.cer" -Encoding ascii
</pre><p>The command downloads the metadata extracts the public key, and writes it to a file.</p>
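<p>The requirements listed above (a signed assertion, the Audience equal to the SP entity ID, the three required claims, a case-insensitive email match and a stable customer identifier) are exactly what an IdP administrator has to get right when mapping claims by hand, and they are also what to check first when an SSO login fails. The Python script below is an added example, not TeamViewer's code, that runs those checks over a SAML Response captured from the IdP. It inspects structure and claim values only: it does not verify the XML signature cryptographically, which a real service provider must do with an XML-DSig library, and it does not handle <code>EncryptedAssertion</code>. The response it runs on is a constructed sample with an empty placeholder <code>Signature</code> element and a hypothetical <code>idp.example.com</code> issuer.</p>

```python
"""Check a SAML Response against the TeamViewer SP requirements listed above.
Added example, not TeamViewer code. Structure and claim values only: the XML
signature is NOT verified cryptographically (use xmlsec/signxml for that) and
EncryptedAssertion is not handled. SAMPLE_RESPONSE is a constructed sample."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Values from the technical information section of the article
SP_ENTITY_ID = "https://sso.teamviewer.com/saml/metadata"
SP_ACS_URL = "https://sso.teamviewer.com/saml/acs"
CLAIM_NAMEID = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_CUSTOMER = "http://sso.teamviewer.com/saml/claims/customeridentifier"
REQUIRED_CLAIMS = (CLAIM_NAMEID, CLAIM_EMAIL, CLAIM_CUSTOMER)

# Constructed sample: the ds:Signature element is an empty placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://sso.teamviewer.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user-guid-1234</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sso.teamviewer.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
        <saml:AttributeValue>user-guid-1234</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://sso.teamviewer.com/saml/claims/customeridentifier">
        <saml:AttributeValue>constructed-customer-id</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _attributes(assertion):
    """Map attribute Name -> list of non-empty values."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return attrs


def check_response(xml_text, account_email, expected_customer_id):
    """Return a list of problems; an empty list means every listed requirement
    is met (signature cryptography still unchecked)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    if root.get("Destination") not in (None, SP_ACS_URL):
        problems.append("Destination is not the TeamViewer ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one plain Assertion, found {len(assertions)}"]
    a = assertions[0]
    if a.find("ds:Signature", NS) is None:  # TeamViewer requires the assertion itself to be signed
        problems.append("Assertion carries no ds:Signature")
    if a.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("Assertion has no Subject/NameID")
    audiences = [e.text.strip() for e in
                 a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences} does not include {SP_ENTITY_ID}")
    attrs = _attributes(a)
    for name in REQUIRED_CLAIMS:
        if not attrs.get(name):
            problems.append(f"missing required claim {name}")
    email = (attrs.get(CLAIM_EMAIL) or [""])[0]
    if email and email.lower() != account_email.lower():  # comparison is case-insensitive
        problems.append(f"emailaddress claim {email!r} does not match account {account_email!r}")
    customer = (attrs.get(CLAIM_CUSTOMER) or [""])[0]
    if customer and customer != expected_customer_id:
        problems.append("customeridentifier differs from the value chosen at setup")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, "jane.doe@example.com", "constructed-customer-id") or ["OK"]:
        print(line)
```

<p>Running the checker against a real response captured from the browser (the Base64 <code>SAMLResponse</code> form field, decoded) narrows a failed login down to a concrete mapping error, typically a claim name that differs from the URIs above, an Audience set to the IdP's own entity ID, or an unsigned assertion.</p>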
</article>
</main>