

This article applies to TeamViewer customers with an Enterprise/Tensor license.

TeamViewer Single Sign-On (SSO) aims to reduce the user management efforts for large companies by connecting TeamViewer with identity providers and user directories.

Requirements

To use TeamViewer Single Sign-On, you need

  • a TeamViewer version 13.2.1080 or newer
  • a SAML 2.0 compatible identity provider (IdP)*
  • a TeamViewer account to access the Management Console and add domains
  • access to the DNS management of your domain to verify the domain ownership
  • a TeamViewer Tensor license.

TeamViewer Management Console (MCO) Configuration

Single Sign-On (SSO) is activated on a domain level for all TeamViewer accounts using an email address with this domain. Once activated, all users that sign into a corresponding TeamViewer account are redirected to the identity provider that has been configured for the domain.

For security reasons and to prevent abuse, it is required to verify the domain ownership before the feature is activated.

Add a new domain

To activate SSO, log in to Management Console and select the Single Sign-On menu entry. Click on Add domain and enter the domain you want to activate SSO for.

You also need to provide your identity provider's metadata. There are three options available to do so:

  • via URL: enter your IdP metadata URL into the corresponding field
  • via XML: select and upload your metadata XML
  • Manual configuration: manually enter all necessary information. Please note that the public key must be a Base64 encoded string.

[Screenshot: Add domain.png]

Create custom identifier

After the domain has been added, the custom identifier can be generated. This custom identifier is not stored by TeamViewer, but is used for the initial configuration of SSO. It must not be changed at any point in time, since this will break Single Sign-On and a new setup will be necessary. Any random string can be used as the custom identifier. This string is later required for the configuration of the IdP.

[Screenshots: CustomIdentifier1.png, CustomIdentifier2.png]

Verify domain ownership

After a domain has been added successfully, you need to verify the domain ownership.
Single Sign-On will not be activated before the domain verification is completed.

To verify the domain, please create a new TXT record for your domain with the values shown on the verification page.

Note: The verification process can take several hours because of the DNS system.

[Screenshot: 20180910_domain_verification.png]

The dialog to add a TXT record might look similar to:

[Screenshot: AddDNSrecord.png]

Note: Depending on your domain management system, the description of the input fields may vary.

After creating the new TXT record, start the verification process by clicking on the “Start Verification” button.


Hint: TeamViewer looks for the TXT verification record for 24 hours after the verification is started. If the TXT record cannot be found within 24 hours, the verification fails and the status is updated accordingly. In that case, restart the verification through this dialog.

Hint: When adding a domain for Single Sign-On, it is recommended to add the owning account to the exclusion list. This gives you a fallback: you keep access to the domain configuration even if the IdP is not working.
Example: The TeamViewer account "admin@example.com" adds the domain "example.com" for Single Sign-On. After adding the domain, the email address "admin@example.com" should be added to the exclusion list.
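Because DNS propagation can take hours and the 24-hour verification window is fixed, it is useful to confirm from the outside that the TXT record is already visible before clicking "Start Verification". The following script is an added example and not TeamViewer's code; the record name and value are constructed placeholders, since the real ones are shown on the verification page of your domain. The live lookup shells out to `dig`, and the parser is kept separate so it can be exercised on captured output without network access.

```python
"""Pre-check the TeamViewer SSO domain-verification TXT record in public DNS.

Added example, not TeamViewer's code. VERIFICATION_NAME and
VERIFICATION_VALUE are constructed placeholders: copy the real values
from the verification page in the Management Console.
"""
import shlex
import subprocess
from typing import Callable, List

# Constructed placeholders (the real name/value come from the MCO page).
VERIFICATION_NAME = "example.com"
VERIFICATION_VALUE = "teamviewer-sso-verification=PLACEHOLDER_TOKEN"

# Constructed sample of `dig +short TXT example.com` output: an SPF record,
# the verification record, and a record split into two quoted chunks.
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:spf.example.net -all"\n'
    '"teamviewer-sso-verification=PLACEHOLDER_TOKEN"\n'
    '"split-" "record"\n'
)


def parse_dig_txt(output: str) -> List[str]:
    """Turn `dig +short TXT <name>` output into one string per TXT record.

    Each output line is one record. A record longer than 255 bytes is
    printed as several quoted chunks ("abc" "def") that must be joined.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        # shlex handles the quoted chunks and escaped quotes inside them
        records.append("".join(shlex.split(line)))
    return records


def live_txt_lookup(name: str) -> List[str]:
    """Query public DNS with dig (needs network access and the dig binary)."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


def verification_record_present(name: str, expected: str,
                                lookup: Callable[[str], List[str]] = live_txt_lookup) -> bool:
    """True when one TXT record at `name` equals `expected` exactly.

    Exact comparison is deliberate: SPF or DKIM records sitting next to the
    verification record must not count, and a pasted value with stray
    whitespace or quotes would not be accepted by TeamViewer either.
    """
    return any(rec.strip() == expected for rec in lookup(name))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample
    print("sample:", verification_record_present(
        VERIFICATION_NAME, VERIFICATION_VALUE, lookup=lambda _: parse_dig_txt(SAMPLE_DIG_OUTPUT)))
    # Live check (only works with network access and dig installed)
    try:
        ok = verification_record_present(VERIFICATION_NAME, VERIFICATION_VALUE)
        print("TXT record visible in public DNS" if ok else
              "TXT record not visible yet (propagation can take hours)")
    except (OSError, subprocess.CalledProcessError) as exc:
        print("live lookup skipped:", exc)
```

Run it once the TXT record has been created; if the live check reports the record as visible, the verification started in the Management Console should succeed without waiting for the 24-hour window to expire.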

Identity Provider Setup: Azure Active Directory

To connect TeamViewer with Microsoft Azure Active Directory as identity provider, you need to create an application in your Azure AD. The steps to create and configure an enterprise application are described below.

Creating the application

  1. Please follow the instructions from the Microsoft Azure AD documentation to create an Azure AD application for TeamViewer: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps and configure the application for SAML-based Sign-On.
  2. Configure the following values in the Domain and URLs section:

     Field                                  Value
     Issuer URL / Identifier (Entity ID)    https://sso.teamviewer.com/saml/metadata
     Reply URL                              https://sso.teamviewer.com/saml/acs

     Please leave the fields Sign on URL and Relay State empty.

  3. Check the "View and edit all other user attributes" checkbox to be able to add the following custom SAML Token Attributes:

     Name                 Value                           Namespace
     emailaddress         user.email                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims
     customeridentifier   "Your Generated Customer ID"    http://sso.teamviewer.com/saml/claims

     [Screenshot: AAD_Attributes.png]

     Please use the generated custom identifier as the value for "customeridentifier". Note that the double quotes in the "Value" column are added automatically when adding the attribute.

     [Screenshot: AAD_EditAttribute.png]

     Please note that the email address of the Azure AD user must match the email address of the corresponding TeamViewer account.

  4. Click Save.

The last step is to configure TeamViewer to work with Azure AD.

The easiest way is to download the metadata XML from Azure and upload the file in the TeamViewer Management Console. Please refer to the section TeamViewer Management Console (MCO) Configuration above.
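To confirm that the Azure AD application emits what the table above asks for, it helps to look at a SAML response the way the TeamViewer service provider sees it. The following is an added example and not TeamViewer's or Microsoft's code. It assumes, as Azure AD does for custom token attributes, that Namespace and Name are joined with a slash into the SAML attribute `Name`; the tenant id, user and customer identifier in the sample response are constructed, and the sample is unsigned, so the signature check a real service provider performs first is not shown.

```python
"""Check a SAML response against the TeamViewer Azure AD setup described above.

Added example, not TeamViewer's or Microsoft's code. SAMPLE_RESPONSE is a
constructed, unsigned sample; a real response carries an XML signature
that must be validated before any value below is trusted (not shown).
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML_NS, "samlp": SAMLP_NS}

# Values from the article: service-provider entity ID, ACS URL, and the
# two claims (assumed to be emitted by Azure AD as Namespace + "/" + Name).
EXPECTED_AUDIENCE = "https://sso.teamviewer.com/saml/metadata"
EXPECTED_RECIPIENT = "https://sso.teamviewer.com/saml/acs"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CUSTOMER_ID_CLAIM = "http://sso.teamviewer.com/saml/claims/customeridentifier"

# Constructed sample: tenant id, user and customer identifier are placeholders.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">
  <saml:Assertion>
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_RECIPIENT}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{CUSTOMER_ID_CLAIM}">
        <saml:AttributeValue>PLACEHOLDER_CUSTOMER_ID</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Map each SAML attribute Name to its list of values."""
    root = ET.fromstring(response_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_assertion(response_xml: str, sso_domain: str, customer_id: str) -> List[str]:
    """Return the list of mismatches against the article's setup (empty means OK)."""
    root = ET.fromstring(response_xml)
    problems: List[str] = []
    audience = root.findtext(".//saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        problems.append(f"Audience is {audience!r}, expected {EXPECTED_AUDIENCE!r}")
    confirmation = root.find(".//saml:SubjectConfirmationData", NS)
    if confirmation is None or confirmation.get("Recipient") != EXPECTED_RECIPIENT:
        problems.append("Recipient does not match the TeamViewer Reply URL (ACS)")
    attrs = extract_attributes(response_xml)
    emails = attrs.get(EMAIL_CLAIM, [])
    if len(emails) != 1:
        problems.append("exactly one emailaddress claim is required")
    elif not emails[0].lower().endswith("@" + sso_domain.lower()):
        # The SSO domain is matched on the account's email address, so a user
        # from another domain would not be routed to this IdP at all.
        problems.append(f"email {emails[0]!r} is not in the SSO domain {sso_domain!r}")
    if attrs.get(CUSTOMER_ID_CLAIM) != [customer_id]:
        problems.append("customeridentifier claim missing or does not match the configured value")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_RESPONSE, "example.com", "PLACEHOLDER_CUSTOMER_ID") or ["OK"]:
        print(problem)
```

A decoded SAML response captured from a browser's developer tools during a test login can be passed to `check_assertion` in place of the sample; a non-empty result points at the attribute or URL in the Azure AD application that still needs correcting.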

TeamViewer Client Configuration

TeamViewer is compatible with Single Sign-On starting from version 13.2.1080.
Previous versions do not support Single Sign-On and cannot redirect users to your identity provider during the login. The client configuration is optional, but allows you to change the browser used for the SSO login at the IdP.

The TeamViewer client will use an embedded browser for the identity provider authentication by default. If you would prefer to use the default browser of the operating system, you can change this behavior via the following registry key:

HKEY_CURRENT_USER\Software\TeamViewer\SsoUseEmbeddedBrowser = 0 (DWORD)

Note: You need to restart the TeamViewer client after creating or changing the registry value.

Version history: revision 6 of 6, last update May.