SAML Basics for Teem
SAML lets you use a Teem account without having to remember another login, and makes logging into Teem effortless and secure: users are automatically logged in to Teem so long as they are logged in to their SAML provider account at the same time. It can also automatically provision and de-provision users as they are activated or deactivated within your SAML provider.
Teem’s SAML Integrations
- Okta
- Office 365 SSO
- Google SSO
- OneLogin
- ADFS
- Google SAML
- Azure AD SAML
- Other SAML (continue on)
Setting Up SAML for Teem
1. Set Your Unique Teem Sub-Domain
Navigate to teem.com and click on Manage from the menu to the left. Click on Teem Account, then Company Details. In the field for Teem SSO Sub-Domain enter your preferred sub-domain. This is typically the name of your organization. For example, if my company was called Orca Panda, I'd enter "orcapanda" in the sub-domain field, and it would make my sub-domain site https://orcapanda.teem.com. Heads up: spaces and symbols are not allowed in sub-domains.
2. Look Up Your SAML Settings
From your SAML provider, you will need the following: Entity ID, Login URL, and the X509 certificate. Depending on your provider these may come from different areas, but these standard pieces of information should be readily accessible for you.
3. Add SAML Settings to Teem
Navigate to your Teem admin dashboard. Select the Apps & Integrations tab from the left menu. A new stackable menu will appear; select the 3rd Party Apps tab. Locate SAML and click the Activate button under the SAML logo.
You will then see the Integration Settings form. Enter the following into the form:
- Friendly Name to call this SAML Provider: a nickname that you’ll use to identify this account. Please note: you should only have one SAML account, because if you have two we won't be able to differentiate between them.
- Entity ID: the Entity ID retrieved in Step 2
- Sign-in URL: the Login URL retrieved in Step 2
- X509 certificate: the text (possibly from the .cert file) copied from the X509 certificate retrieved in Step 2. If the X509 certificate is a file, open the file with TextEdit, Notepad, or your favorite text editor, copy the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (do not include those markers) and paste that in the X509 certificate box.
Select Save.
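The copy step for the X509 certificate is easy to get wrong (markers left in, a line lost, the wrong file pasted), so the following added example, which is not Teem's own code, extracts the marker-free body from a PEM file and checks it before you paste it. The function names and the sample data are assumptions made for illustration; the sample is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def is_complete_der_sequence(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short form: length in one byte
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def cert_body_for_form(pem_text: str):
    """Return (marker-free base64 body, SHA-256 fingerprint) of the one certificate."""
    # Only the public certificate belongs in the form; refuse any key material.
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("input contains a private key; export the certificate only")
    certs = [body for label, body in PEM_BLOCK.findall(pem_text) if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    body = "".join(certs[0].split())        # drop line breaks and stray whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:               # binascii.Error is a ValueError
        raise ValueError("certificate body is not valid base64") from exc
    if not is_complete_der_sequence(der):
        raise ValueError("decoded body is not a complete DER structure (truncated copy?)")
    digest = hashlib.sha256(der).hexdigest().upper()
    return body, ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed sample: a DER SEQUENCE header over filler bytes, NOT a real certificate.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    body, fingerprint = cert_body_for_form(SAMPLE_PEM)
    print(body)          # paste this into the X509 certificate box
    print(fingerprint)   # compare with the fingerprint your provider shows, if any
```

The structural check only confirms that the copy is complete and unmodified in length; it does not validate the certificate's contents or key strength.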
4. Test your login
Navigate to your sub-domain page that you set up in the first step (https://<subdomain>.teem.com/login). This will bring you to your identity provider and if your email matches up and you are authenticated via your SAML provider, you will be automatically logged in to Teem.
5. Enabling IdP-initiated Login
Now, we need to get your default relay state. Navigate back to the 3rd Party Apps and click on the Settings button under the SAML logo. Copy the Uuid from the Details box on the right side of the screen.
The location for changing the default relay state varies by provider. Refer to your identity provider’s documentation for details on changing the default relay state to enable IdP-Initiated Login.
Additional variables
Your SAML provider may request a few more variables, in addition to those above. The following list provides additional variables that we’ve seen SAML providers request in the past, but if a field is missing please reach out to us and let us know.
Audience= https://teem.com
Recipient= https://app.teem.com/sso/complete/saml/
ACS (Consumer)URL= https://app.teem.com/sso/complete/saml/
LoginURL= https://<your subdomain>.teem.com/login/
MetaURL= https://app.teem.com/sso/saml/meta/
Custom Parameters:
Email= Email
urn:oid:0.9.2342.19200300.100.1.1= Email
urn:oid:0.9.2342.19200300.100.1.3= Email
urn:oid:2.5.4.4= Last Name
urn:oid:2.5.4.42= First Name
X.509 CertificateStrength= 2048 bit
Replace <your subdomain> with the sub-domain that you set in Step 1.
Provisioning Users
There are two options for provisioning users. First is Just In Time provisioning, which you can optionally turn on by selecting the checkbox at the bottom of the SAML integration settings page. If you do not want to turn on JIT provisioning, you can send us a CSV of users and we can pull that into your account for you.
Logging In With SAML
To log in, simply go to the sub-domain specific to your account. Your Teem Administrator should be able to provide this to you.
For instance, if your sub-domain was orcapanda.teem.com, you would navigate to https://orcapanda.teem.com/login. This immediately initiates the login process and sends you to the login URL of your Identity Provider; after you authenticate successfully there, you are immediately logged in to Teem.