Single Sign-On for Azure Active Directory - TeamViewer Support
<main>
<article class="userContent">
<p><br></p><h2 data-id="general">General</h2><div class="blockquote"><div class="blockquote-content"><p class="blockquote-line"><em>This article applies to TeamViewer customers with an Enterprise/Tensor </em><a href="https://www.teamviewer.com/en/teamviewer-tensor/" rel="nofollow noreferrer ugc"><em>license</em></a><em>.</em></p></div></div><p>TeamViewer Single Sign-On (SSO) aims to reduce user management effort for large companies by connecting TeamViewer with identity providers and user directories.</p><p>📌<strong>Note</strong>: TeamViewer Single Sign-On is based on the domain that you set up. This means all TeamViewer accounts in your company or outside your company will be forwarded to the Identity Provider.</p><p>📌<strong>Note</strong>: The email address of the Azure AD user must match the email address of the corresponding TeamViewer account.</p><p><br></p><h3></h3><h2 data-id="requirements">Requirements</h2><p>To use TeamViewer Single Sign-On, you need:</p><ul><li>TeamViewer version 13.2.1080 or newer</li><li>a SAML 2.0 compatible identity provider (IdP)<strong>*</strong></li><li>a TeamViewer account to access the Management Console and add domains</li><li>access to the DNS management of your domain to verify the domain ownership</li><li>a TeamViewer Tensor license.</li></ul><p><br></p><h3 data-id="-1"></h3><h2 data-id="1.-create-your-custom-identifier">1. Create your custom identifier</h2><p>This custom identifier is not stored by TeamViewer but is used for the initial configuration of SSO. It must not be changed at any point in time, because changing it breaks Single Sign-On and makes a new setup necessary.</p><p>Any random string can be used as a custom identifier. It is recommended not to use special characters in the custom identifier.</p><p>📌 <strong>Note</strong>: For example, you can use an online password generator, or your internal password generator if your company has one.</p><p>📌 <strong>Note</strong>: This string is required later for the configuration of the IdP.</p><p><br></p><h3 data-id="-2"></h3><h2 data-id="2.-identity-provider-setup-azure-active-directory">2. Identity Provider Setup Azure Active Directory</h2><p>To connect TeamViewer with Microsoft Azure Active Directory as the identity provider, you must create an application for your Azure AD. The steps to create and configure an enterprise application are described below:</p><p>1.) Open a browser and log in to "portal.azure.com" with an account that has <strong>Global Admin</strong> permissions.</p><p>2.) You will see a home screen. There, select the Azure service "Azure Active Directory".</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/N42NG8ATWK8H/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/N42NG8ATWK8H/image.png" alt="image.png" height="147" width="1078" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>3.) After you have selected the Azure service <strong>Azure Active Directory</strong>, you will see an overview. On the left side, under the section Manage, select the option <strong>Enterprise applications</strong>.</p><div class="embedExternal embedImage display-medium float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/N8NQ2BF1SNKK/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/N8NQ2BF1SNKK/image.png" alt="image.png" height="355" width="351" loading="lazy" data-display-size="medium" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>4.) The overview of all Enterprise Applications that you have in your Azure AD will open.</p><p>5.) Click <strong>All applications (1)</strong>, followed by</p><p>6.) Click <strong>New Application (2)</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/NTY11RV2OJOQ/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/NTY11RV2OJOQ/image.png" alt="image.png" height="256" width="1157" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>7.) In the next window, please click <strong>Create your own application</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/NWY0JZWF0L4K/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/NWY0JZWF0L4K/image.png" alt="image.png" height="148" width="439" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>8.) Now you can create your own application:</p><p>(1) Enter a name for your application</p><p>(2) Select <strong>Integrate any other application you don't find in the gallery (Non-gallery)</strong></p><p>(3) 📌<strong>Note</strong>: Please don't select the suggested TeamViewer App from Azure.</p><p>(4) Click <strong>Create</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/7C14DL0SKBYA/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/7C14DL0SKBYA/image.png" alt="image.png" height="528" width="571" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><p>9.) After you have created the application, you will see the overview of this application.</p><p>10.) Under the <strong>Manage</strong> section, click the option <strong>Single sign-on</strong> and select the <strong>SAML</strong> method.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/AEWILGV7RSFM/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/AEWILGV7RSFM/image.png" alt="image.png" height="824" width="1473" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>11.) Now you can <strong>Edit</strong> the SAML Configuration</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/3RVRN6LISKU2/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/3RVRN6LISKU2/image.png" alt="image.png" height="178" width="772" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>(1) Enter the <strong>Entity ID</strong> -> <a href="https://sso.teamviewer.com/saml/metadata" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/metadata</a></p><p>(2) 📌 <strong>Note</strong>: Delete the <strong>Predefined URL</strong> from Microsoft</p><p>(3) Enter the <strong>Reply URL</strong> -> <a href="https://sso.teamviewer.com/saml/acs" rel="nofollow noreferrer ugc">https://sso.teamviewer.com/saml/acs</a></p><p>(4) Click <strong>Save</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/9D5RBIKP7TBD/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/9D5RBIKP7TBD/image.png" alt="image.png" height="827" width="824" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>12.) After you save the first step, you are asked whether you want to test single sign-on. Click <strong>No, I'll test later</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/PGPCROOZSP0D/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/PGPCROOZSP0D/image.png" alt="image.png" height="129" width="1200" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>13.) In the next section you must <strong>edit </strong>the <strong>Attributes & Claims</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/HZ7IEQX0BKFG/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/HZ7IEQX0BKFG/image.png" alt="image.png" height="193" width="770" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>14.) Click <strong>Add new claim</strong> to add a new claim</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/8EUJ9E94OGHG/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/8EUJ9E94OGHG/image.png" alt="image.png" height="439" width="800" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>(1) For <strong>Name</strong>, enter the value <strong>customeridentifier</strong></p><p>(2) For <strong>Namespace</strong>, enter the value <a href="http://sso.teamviewer.com/saml/claims" rel="nofollow noreferrer ugc">http://sso.teamviewer.com/saml/claims</a></p><p>(3) In <strong>Source attribute</strong>, enter the custom identifier that you created at the beginning</p><p>(4) Click <strong>Save</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/6LXF5T1262DI/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/6LXF5T1262DI/image.png" alt="image.png" height="304" width="886" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>15.) You will see the newly added claim in the overview.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/TTPIKZUC7IB5/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/TTPIKZUC7IB5/image.png" alt="image.png" height="466" width="798" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>16.) In the next step, download the <strong>Metadata XML File</strong> or copy the <strong>Metadata URL</strong></p><p>(1) You need one of them for the following steps in the TeamViewer Management Console.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/HIID2BLEB3RY/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/HIID2BLEB3RY/image.png" alt="image.png" height="252" width="762" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>17.) Before you finish the TeamViewer Management Console setup, please add groups / users to the application.</p><p>📌 <strong>Note</strong>: This is required so that users can successfully sign in to their TeamViewer accounts, and the groups / users will be used for the AD SCIM Sync later.</p><p>(1) In the application, click <strong>Users and groups</strong></p><p>(2) Click <strong>Add user/group</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/S508VQEFXECI/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/S508VQEFXECI/image.png" alt="image.png" height="384" width="1003" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
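<p>One way to confirm that a test sign-in carries the values configured in the steps above. This is an added example, not TeamViewer or Microsoft code; it assumes you have the decoded SAML response from your own test sign-in, and the sample response and the identifier <code>Ab12Cd34Ef56</code> are constructed for illustration.</p>

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Values this guide enters in the Azure AD enterprise application.
ENTITY_ID = "https://sso.teamviewer.com/saml/metadata"
REPLY_URL = "https://sso.teamviewer.com/saml/acs"
# Azure AD emits a claim as Attribute Name="<Namespace>/<Name>".
CLAIM = "http://sso.teamviewer.com/saml/claims/customeridentifier"


def check_assertion(xml_text, expected_identifier):
    """Return a list of configuration problems (empty: all checks pass).

    Configuration check only: the XML signature is not verified, and the
    input should be an assertion from your own test sign-in.
    """
    root = ET.fromstring(xml_text)
    is_assertion = root.tag == SAML + "Assertion"
    assertions = [root] if is_assertion else root.findall(SAML + "Assertion")
    if len(assertions) != 1:
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    assertion, problems = assertions[0], []

    audiences = [(e.text or "").strip() for e in assertion.iter(SAML + "Audience")]
    if ENTITY_ID not in audiences:
        problems.append("Audience lacks the Entity ID " + ENTITY_ID)

    recipients = [e.get("Recipient")
                  for e in assertion.iter(SAML + "SubjectConfirmationData")]
    if REPLY_URL not in recipients:
        problems.append("Recipient is not the Reply URL " + REPLY_URL)

    values, lookalike = [], False
    for attr in assertion.iter(SAML + "Attribute"):
        name = attr.get("Name", "")
        if name == CLAIM:
            values += [(v.text or "").strip()
                       for v in attr.findall(SAML + "AttributeValue")]
        elif name.lower().endswith("customeridentifier"):
            lookalike = True  # present, but Name or Namespace was mistyped
    if not values:
        hint = " (similar claim found: check Name and Namespace)" if lookalike else ""
        problems.append("claim " + CLAIM + " is missing" + hint)
    elif values != [expected_identifier]:
        # The identifier itself is deliberately not echoed into the message.
        problems.append("customeridentifier does not match the expected value")
    return problems


# Constructed sample of a decoded SAML response, reduced to the checked parts.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Assertion>
    <Subject><SubjectConfirmation>
      <SubjectConfirmationData Recipient="{recipient}"/>
    </SubjectConfirmation></Subject>
    <Conditions><AudienceRestriction>
      <Audience>{audience}</Audience>
    </AudienceRestriction></Conditions>
    <AttributeStatement><Attribute Name="{claim}">
      <AttributeValue>{value}</AttributeValue>
    </Attribute></AttributeStatement>
  </Assertion>
</samlp:Response>"""


def sample(recipient=REPLY_URL, audience=ENTITY_ID, claim=CLAIM, value="Ab12Cd34Ef56"):
    return SAMPLE.format(recipient=recipient, audience=audience, claim=claim, value=value)
```

<p>A claim saved with an empty Namespace shows up as a bare <code>customeridentifier</code> attribute, which the check reports as missing together with the hint to review the Name and Namespace fields.</p>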
<p><br></p><h3 data-id="-3"></h3><h2 data-id="3.-teamviewer-management-console-(mco)-configuration">3. TeamViewer Management Console (MCO) Configuration</h2><p>1.) Open a web browser and sign in with your licensed TeamViewer account to the <a href="https://login.teamviewer.com/" rel="nofollow noreferrer ugc">TeamViewer Management Console</a>.</p><p>📌 <strong>Note</strong>: The TeamViewer Account User Permissions must be <strong>Company Administrator</strong></p><p>(1) Click <strong>Company administration</strong></p><p>(2) Click <strong>Single Sign-On</strong></p><p>(3) Click <strong>Add first domain</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/40AZTMGB1X1L/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/40AZTMGB1X1L/image.png" alt="image.png" height="658" width="2331" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>2.) In the next window, you can enter the domain that you want to use for Single Sign-On.</p><p>📌 <strong>Note</strong>: Repeat this step if you want to use multiple domains for TeamViewer Single Sign-On. Use the same XML File or XML URL for the different domains. The only requirement is that the domains are linked to the same Azure Tenant.</p><p>(1) Enter your <strong>Domain</strong></p><p>(2) Select the <strong>Configuration Type</strong></p><p>(3) Upload the <strong>Metadata XML File</strong></p><p>(4) Activate additional <strong>Options</strong></p><p>📌 <strong>Note for Subdomains</strong>: This feature includes not only the domain (example.com) in the SSO login, but also all subdomains (such as sub.example.com).</p><p>📌 <strong>Note for Disable Activation Emails</strong>: SSO accounts that are created under this domain will or will not receive activation emails depending on this option. Newly created accounts will not receive activation emails if this option is enabled.</p><p>(5) Click "Next"</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/K4L7KQNNCDT4/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/K4L7KQNNCDT4/image.png" alt="image.png" height="594" width="660" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>3.) In the next section, you can add accounts to the Single Sign-On Exclusion List. If you have nothing to add, click <strong>Next</strong>.</p><p>⚠ <strong>Important Note</strong>: It is highly recommended to add all domain owners to the exclusion list so that they can still log in if SSO needs a new configuration. Tests of the SSO login should be executed with a second account.</p><p>📌 <strong>Note for Email Exclusions</strong>: You can specify email addresses that will be excluded from the Identity Provider Connection. These accounts can sign in to TeamViewer as usual without identity provider authentication. It is recommended to exclude the owner of a domain as a fallback, in case the configuration is not correct or the identity provider is not available.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/1AWQ7487AMIO/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/1AWQ7487AMIO/image.png" alt="image.png" height="922" width="673" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>4.) This step (Single Sign-On Custom Identifier) can be skipped by clicking <strong>Next</strong>, as you have already created the Custom Identifier at the beginning.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/OF6Z4Z11BYRK/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/OF6Z4Z11BYRK/image.png" alt="image.png" height="349" width="627" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p><br></p><h3 data-id="-4"></h3><h2 data-id="4.-domain-verification">4. Domain Verification</h2><p>📌 <strong>Note 1</strong>: This screen shows the information for your DNS Server Management. You need the information from the field <strong>Name / Host</strong> and the information from the field <strong>Value / Data</strong></p><p>📌 <strong>Note 2</strong>: Copy the content of the field <strong>Value / Data</strong>; you need this information later.</p><p>1.) On the domain verification window, do the following</p><p>(1) You can click <strong>Start Verification</strong></p><p>(2) You can click <strong>Skip</strong></p><p>📌 <strong>Note</strong>: If you follow this guide from start to end, click <strong>Skip</strong> in this window</p><p>📌 <strong>Note</strong>: You can come back to the verification page at any time and see the values as long as the domain isn't verified</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/DM874G48SIWS/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/DM874G48SIWS/image.png" alt="image.png" height="622" width="675" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>2.) Go back to <a href="https://login.teamviewer.com/" rel="nofollow noreferrer ugc">TeamViewer Management Console</a>.</p><p>📌 <strong>Note</strong>: The TeamViewer Account User Permissions must be "Company Administrator"</p><p>(1) Click <strong>Company administration</strong></p><p>(2) Click <strong>Single Sign-On</strong></p><p>(3) Click the <strong>Pen</strong> to edit the domain</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/4GHUOM5NL4V9/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/4GHUOM5NL4V9/image.png" alt="image.png" height="497" width="2518" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>3.) Click <strong>Domain Verification</strong></p><p>4.) Click <strong>Copy for the Value</strong></p><p>5.) Click <strong>Start Verification</strong> after you have completed the steps in your DNS Server Management</p><p>📌 <strong>Note</strong>: The TXT entry has to be publicly visible. You can check this by using a <strong>DNS TXT Lookup Tool</strong>. Google will help you in this case.</p><p>📌 <strong>Note</strong>: TeamViewer will look for the TXT verification record for 24 hours after starting the verification. In case we cannot find the TXT record within 24 hours, the verification fails and the status is updated accordingly. In this case, you need to restart the verification through this dialog.</p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/MGE0GXXBMDS9/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/MGE0GXXBMDS9/image.png" alt="image.png" height="603" width="2271" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
<p>📌 <strong>Note</strong>: The following shows the DNS Server Management for a Domain which is managed by Cloudflare. Your DNS Server Management might look different!</p><p>After you have signed in to the Cloudflare Dashboard, select the domain.</p><p>(1) Click <strong>DNS</strong> and click <strong>Add record</strong></p><p>(2) Select as <strong>Type</strong> -> <strong>TXT</strong></p><p>(3) Enter for the <strong>Name</strong> -> <strong>@</strong></p><p>(4) Enter for <strong>Content</strong> -> <strong>The TeamViewer SSO Verification Value</strong> from the Step above</p><p>(5) Click <strong>Save</strong></p><div class="embedExternal embedImage display-large float-none">
<div class="embedExternal-content">
<a class="embedImage-link" href="https://us.v-cdn.net/6032394/uploads/6CAOMA4PP8QD/image.png" rel="nofollow noreferrer noopener ugc" target="_blank">
<img class="embedImage-img" src="https://us.v-cdn.net/6032394/uploads/6CAOMA4PP8QD/image.png" alt="image.png" height="681" width="1920" loading="lazy" data-display-size="large" data-float="none"></img></a>
</div>
</div>
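<p>A scripted form of the public-visibility check mentioned in the note above, as an added example that is not part of the original guide. It assumes the <code>dig</code> command is installed; <code>example.com</code> and <code>PLACEHOLDER-VERIFICATION-VALUE</code> are placeholders for your domain and the <strong>Value / Data</strong> string, and the sample output is constructed.</p>

```python
import re
import subprocess

# Public resolvers (Cloudflare, Google, Quad9), queried directly so that a
# record visible only on an internal or split-horizon DNS server is not counted.
RESOLVERS = ("1.1.1.1", "8.8.8.8", "9.9.9.9")
# Plain host names only, so the argument can never be read by dig as an option.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?\.)+"
    r"[A-Za-z][A-Za-z0-9-]{1,62}$")
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(output):
    """Turn `dig +short TXT` output into one string per TXT record.

    A TXT record longer than 255 bytes is printed as several quoted chunks
    on one line; the chunks are joined without a separator.
    """
    records = []
    for line in output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            records.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return records


def has_value(output, expected):
    """True only if one TXT record equals the expected value exactly."""
    return expected.strip() in parse_dig_txt(output)


def check_public_visibility(domain, expected, resolvers=RESOLVERS):
    """Map each resolver to True/False: does it return the expected record?"""
    if not _DOMAIN.match(domain):
        raise ValueError("not a plain domain name: %r" % domain)
    seen = {}
    for resolver in resolvers:
        try:
            proc = subprocess.run(
                ["dig", "+short", "TXT", domain, "@" + resolver],
                capture_output=True, text=True, timeout=15)
            seen[resolver] = proc.returncode == 0 and has_value(proc.stdout, expected)
        except subprocess.TimeoutExpired:
            seen[resolver] = False
    return seen


# Constructed `dig +short TXT` output: an unrelated SPF record on the same
# name, plus the placeholder value split into two chunks.
SAMPLE_OUTPUT = '''"v=spf1 include:_spf.example.com ~all"
"PLACEHOLDER-VERIFICATION-" "VALUE"
'''

if __name__ == "__main__":
    print(has_value(SAMPLE_OUTPUT, "PLACEHOLDER-VERIFICATION-VALUE"))
    print(check_public_visibility("example.com", "PLACEHOLDER-VERIFICATION-VALUE"))
```

<p>Start the verification in the Management Console only once every resolver reports <code>True</code>; a <code>False</code> from one resolver usually means the record has not propagated yet or was created under the wrong name.</p>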
<p><br></p><h3 data-id="-5"></h3><h2 data-id="teamviewer-client-configuration">TeamViewer Client Configuration</h2><p>TeamViewer is compatible with Single Sign-On starting from version 13.2.1080.</p><p>Previous versions do not support Single Sign-On and cannot redirect users to your identity provider during the login. The client configuration is <strong>optional</strong> but allows changing the browser used for the SSO login at the IdP.</p><p>By default, the TeamViewer client uses an embedded browser for the identity provider authentication. If you prefer to use the default browser of the operating system, you can change this behavior:</p><p><strong>Windows:</strong></p><pre class="code codeBlock" spellcheck="false" tabindex="0">HKEY_CURRENT_USER\Software\TeamViewer\SsoUseEmbeddedBrowser = 0 (DWORD)
</pre><p><strong>macOS:</strong></p><pre class="code codeBlock" spellcheck="false" tabindex="0">defaults write com.teamviewer.teamviewer.preferences SsoUseEmbeddedBrowser -int 0
</pre><p><strong>📌Note</strong>: You need to restart the TeamViewer client after creating or changing the registry entry.</p>
</article>
</main>