The SAML integration for Teamgage allows your employees to log in seamlessly using Single Sign-On (SSO). With SSO, users can access Teamgage with one click, using their existing work credentials.
If your organisation does not use SAML, Teamgage also supports other SSO options.
Setup Process
Configuring your Teamgage account for SSO proceeds in two phases:
Each phase consists of the following steps:
- IdP configuration: Your IT staff configure your Identity Provider with the Teamgage settings
- SSO setup request: You provide Teamgage with the required information:
  - Email domains used within your organisation (through this identity provider)
  - Your SAML IdP metadata URL
- SP configuration: Teamgage configures your organisation for SSO and performs cut-over.
- Validation: You and Teamgage test for successful login using SSO.
Configuration Guides
Step-by-step configuration guides are available for the following platforms:
Other SAML 2.0 Identity Providers can be set up using the configuration details below.
Configuration Details
To connect to Teamgage, configure a new SAML 2.0 Application (or SP/Relying Party) in your Identity Provider as follows:
Metadata URL
Attributes
- NameID (some providers require this to be added explicitly)
Email:
Manual Configuration
If you need to provide manual SAML SP configuration, the following additional details may be useful. These are also encoded in the metadata file (URL linked above).
Important: Manual configurations will require you to manually reconfigure the signing certificate from time to time. Please contact support to ensure that you are notified when we rotate to a new certificate.
Which SAML Profile methods are supported?
- Teamgage currently supports the Web Browser SSO Profile with SP Redirect Request and IdP POST Response
Which sign-in flows are supported?
- Teamgage supports both SP-initiated and IdP-initiated SSO
What is the NameID format, behaviour and restrictions?
- The NameID value must be sufficiently unique to the user and no longer than 128 characters
- We recommend using the user's object GUID; if this is not possible then the username or email could be used
- The NameID format is unspecified, and will behave correctly with both persistent and transient semantics. Each new NameID received is associated with a user account using the email attribute, and will be reused for subsequent requests
How are signing certificates rotated?
- SP (Teamgage) certificate
  - When our existing signing certificate is approaching expiry, a new certificate will be generated and published in our metadata (alongside the existing certificate)
  - We will switch to signing with this certificate no earlier than 1 month after it is published to our metadata
  - If you have configured your IdP using the metadata URL with polling (at least once a month) then this rotation will occur automatically
  - If you have performed manual configuration, please contact support to ensure that you are notified when we rotate to a new certificate
- IdP (Customer) certificate
  - We will periodically poll your application's metadata URL, and will trust authorisation responses signed by any signing certificate listed in this metadata
  - Please ensure new certificates are included in your metadata at least 1 week before they are used for signing, and that the old certificate is also included until it is no longer being used for signing
  - If you are not able to publish the new certificate in advance, please contact support to schedule a manual certificate update
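For a manually configured IdP, the SP certificate rotation described above can be detected by comparing the signing certificates published in the SP metadata with the one pinned in the IdP. The following is an added example, not Teamgage code: the sample metadata, certificate bytes, entity ID and status names are constructed, and fetching the real metadata URL is left out.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-ins for DER certificate bytes (not real certificates).
OLD_CERT = b"constructed-old-signing-cert"
NEW_CERT = b"constructed-new-signing-cert"
PINNED = hashlib.sha256(OLD_CERT).hexdigest()  # fingerprint configured in the IdP

def sample_metadata(*cert_bodies):
    """Build constructed SP metadata publishing the given signing certs."""
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(b).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for b in cert_bodies)
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
            'entityID="https://sp.example.invalid/saml"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</md:SPSSODescriptor></md:EntityDescriptor>")

def signing_cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every signing certificate in the SP metadata."""
    root = ET.fromstring(metadata_xml)
    prints = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            prints.append(hashlib.sha256(der).hexdigest())
    return prints

def rotation_status(metadata_xml, pinned_fingerprint):
    """Classify the pinned certificate against what the SP currently publishes."""
    published = set(signing_cert_fingerprints(metadata_xml))
    if pinned_fingerprint not in published:
        return "pinned-missing"       # pinned cert withdrawn: update the IdP now
    if len(published) > 1:
        return "new-cert-published"   # overlap window: add the new cert to the IdP
    return "in-sync"
```

Run on a schedule against the downloaded metadata, a `new-cert-published` result marks the start of the overlap period in which the new certificate should be added to the IdP.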