SAML Basics for Teem
SAML allows you to have a Teem account without needing to know another login and makes logging into Teem effortless and secure, as users are automatically logged in so long as they’re simultaneously logged in to the SAML account. It can also automatically provision/de-provision users as they’re activated/deactivated within your SAML provider.
Teem’s SAML Integrations
- Office 365 SSO
- Google SSO
- Google SAML
- Azure AD SAML
- Other SAML (continue on)
Setting Up SAML for Teem
1. Set Your Unique Teem Sub-Domain
Navigate to teem.com and click on Manage from the menu to the left. Click on Teem Account, then Company Details. In the field for Teem SSO Sub-Domain enter your preferred sub-domain. This is typically the name of your organization. For example, if my company was called Orca Panda, I'd enter "orcapanda" in the sub-domain field, and it would make my sub-domain site https://orcapanda.teem.com. Heads up: spaces and symbols are not allowed in sub-domains.
2. Look Up Your SAML Settings
From your SAML provider, you will need the following: Entity ID, Login URL, and the X509 certificate. Depending on your provider these may come from different areas, but these standard pieces of information should be readily accessible for you.
3. Add SAML Settings to Teem
Navigate to your Teem admin dashboard. Select the Apps & Integrations tab from the left menu. A new stackable menu will appear, select the 3rd Party Apps tab. Locate SAML and click the Activate button under the SAML logo.
You will then see the Integration Settings form:
Enter the following into the Integration Settings form:
- Friendly Name to call this SAML Provider: a nickname that you’ll use to identify this account. Please note: you should only have one SAML account, and we won't be able to differentiate between the two.
- Entity ID: the Entity ID retrieved in Step 2
- Sign-in URL: the Login URL retrieved in Step 2
- X509 certificate: the text (possibly from the .cert file) copied from the X509 certificate retrieved in Step 2. If the X509 certificate is a file, open the file with TextEdit, Notepad, or your favorite text editor, copy the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (do not include those markers) and paste that in the X509 certificate box.
4. Test your login
Navigate to your sub-domain page that you set up in the first step (https://<subdomain>.teem.com/login). This will bring you to your identity provider and if your email matches up and you are authenticated via your SAML provider, you will be automatically logged in to Teem.
5. Enabling IdP-initiated Login
Now, we need to get your default relay state. Navigate back to the 3rd Party Apps and click on the Settings button under the SAML logo. Copy the Uuid from the Details box on the right side of the screen.
The location for changing the default relay state varies by provider. Refer to your identity provider’s documentation for details on changing the default relay state to enable IdP-Initiated Login.
Your SAML provider may request a few more variables, in addition to those above. The following list provides additional variables that we’ve seen SAML providers request in the past, but if a field is missing please reach out to us and let us know.
ACS (Consumer)URL= https://app.teem.com/sso/complete/saml/
LoginURL= https://<your subdomain>.teem.com/login/
urn:oid:18.104.22.168= Last Name
urn:oid:22.214.171.124= First Name
X.509 CertificateStrength= 2048 bit
**Replace <your sub-domain> with the sub-domain that you set in Step 1.
There are two options for provisioning users. First is Just In Time provisioning, which you can optionally turn on by selecting the checkbox at the bottom of the SAML integration settings page. If you do not want to turn on JIT provisioning, you can send us a CSV of users and we can pull that into your account for you.
Logging In With SAML
To log in simply to go the sub-domain specific to your account. Your Teem Administrator should be able to provide this to you.
To use, please go to your sub-domain. For instance, if my sub-domain was orcapanda.teem.com, I would navigate to https://orcapanda.teem.com/login. This would immediately initiate the login process, and send you to the login URL of your Identity Provider, and after success immediately log you into Teem.