Single Sign-On - SAML Setup Guide


Using SAML authentication to provide a single sign-on experience for your organisation’s users can enhance your users’ experience in using Teamgage.


Note that for users who only use Teamgage to submit their results and comments, we do not require authentication, so nothing will change for them. The users who will benefit from an SSO experience are the managers, report viewers and administrators.


Once configuration is complete, when your organisation’s managers log in to Teamgage they will be asked to enter their email address, but will then be redirected to your SAML provider for authentication. If they are already authenticated with SAML, they should automatically be redirected back to Teamgage with their expected access.


Not using SAML? Teamgage also supports Single Sign-On with Azure AD.


Setup Process

Configuring your Teamgage account for SSO proceeds in two phases:

Each phase consists of the following steps:

  1. IdP configuration: Your IT staff configure your Identity Provider with the Teamgage settings.
  2. SSO setup request: You provide Teamgage with the required information:
    • email domains used within your organisation (through this identity provider)
    • your SAML IdP metadata URL
  3. SP configuration: Teamgage configures your organisation for SSO and performs cut-over.
  4. Validation: You and Teamgage test for successful login using SSO.

Configuration Guides

Step-by-step configuration guides are available for the following platforms:

Other SAML 2.0 Identity Providers can be set up using the configuration details below.


Configuration Details

To connect to Teamgage, configure a new SAML 2.0 Application (or SP/Relying Party) in your Identity Provider as follows:


Metadata URL

Attributes


Manual Configuration

If you need to provide manual SAML SP configuration, the following additional details may be useful. These values are also encoded in the metadata file (URL linked above).

Important: Manual configurations will require you to manually reconfigure the signing certificate from time to time. Please contact support to ensure that you are notified when we rotate to a new certificate.

Configuration settings (UAT value and Production value):

  • Entity ID / Audience URI / SP Issuer
    UAT value: https://uat.teamgage.com/Saml2
    Production value: https://www.teamgage.com/Saml2
  • Single Sign-on URL / ACS Endpoint
    UAT value: POST https://uat.teamgage.com/Saml2/Acs
    Production value: POST https://www.teamgage.com/Saml2/Acs
  • Single Log-out URL
    UAT value: https://uat.teamgage.com/Saml2/Logout
    Production value: https://www.teamgage.com/Saml2/Logout
  • Signing certificate
    UAT value: uat.teamgage.com-saml-20??????.pem (available for download)
    Production value: www.teamgage.com-saml-20??????.pem (available for download)


Additional Information

  • Which SAML Profile and methods are supported?
    Teamgage currently supports the Web Browser SSO Profile with SP Redirect Request and IdP POST Response.
  • Which sign-in flows are supported?
    Teamgage supports both SP-initiated and IdP-initiated SSO.
  • What is the NameID format, behaviour and restrictions?
    The NameID value must be sufficiently unique to the user and no longer than 128 characters.
    We recommend using the user's object GUID; if this is not possible then the username or email could be used.
    The NameID format is unspecified, and Teamgage will behave correctly with both persistent and transient semantics. Each new NameID received is associated with a user account using the email attribute, and will be reused for subsequent requests.
  • How are signing certificates rotated?
    • SP (Teamgage) certificate
      When our existing signing certificate is approaching expiry, a new certificate will be generated and published in our metadata (alongside the existing certificate).
      We will switch to signing with this certificate no earlier than 1 month after it is published to our metadata.
      If you have configured your IdP using the metadata URL with polling (at least once a month) then this rotation will occur automatically.
      If you have performed manual configuration, please contact support to ensure that you are notified when we rotate to a new certificate.
    • IdP (customer) certificate
      We will periodically poll your application's metadata URL, and will trust authorisation responses signed by any signing certificate listed in this metadata.
      Please ensure new certificates are included in your metadata at least 1 week before they are used for signing, and that the old certificate remains included until it is no longer being used for signing.
      If you are not able to publish the new certificate in advance, please contact support to schedule a manual certificate update.
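As an added example (not Teamgage's own code), the following Python parses SAML 2.0 metadata for either the SP or the IdP role to recover the entity ID, ACS and logout endpoints listed in the manual configuration table, plus the SHA-256 fingerprint of every published signing certificate, and checks that a given certificate is already listed before a rotation. The sample metadata and the certificate bodies are constructed for the example and are not real X.509 certificates.

```python
"""Parse SAML 2.0 metadata: endpoints plus published signing certs (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def parse_metadata(xml_text: str) -> dict:
    """Return entity ID, ACS/SLO endpoints and SHA-256 fingerprints of signing certs."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:  # IdP metadata publishes its KeyDescriptors under the IdP role
        role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has neither an SP nor an IdP role descriptor")
    info = {"entity_id": root.get("entityID"), "acs": [], "slo": [], "signing_certs": []}
    for ep in role.findall("md:AssertionConsumerService", NS):
        info["acs"].append((ep.get("Binding"), ep.get("Location")))
    for ep in role.findall("md:SingleLogoutService", NS):
        info["slo"].append(ep.get("Location"))
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' = signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip line wrapping
            info["signing_certs"].append(hashlib.sha256(der).hexdigest())
    return info

def cert_is_published(xml_text: str, cert_pem: str) -> bool:
    """Before rotating, confirm the certificate is already listed as a signing key."""
    body = "".join(line for line in cert_pem.splitlines() if not line.startswith("-----"))
    fingerprint = hashlib.sha256(base64.b64decode(body)).hexdigest()
    return fingerprint in parse_metadata(xml_text)["signing_certs"]

# Constructed sample SP metadata using the production values from the table above;
# the certificate bodies are dummy bytes, not real X.509 certificates.
OLD_CERT = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-new-signing-cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://www.teamgage.com/Saml2">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://www.teamgage.com/Saml2/Logout"/>
    <md:AssertionConsumerService Binding="{POST}" Location="https://www.teamgage.com/Saml2/Acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `parse_metadata` against your IdP's metadata to confirm both the outgoing and incoming certificate are listed during the 1-week overlap window described above.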
