TeamViewer Single Sign-On (SSO) aims to reduce user management efforts for large companies by connecting TeamViewer with identity providers and user directories.
Notes:
This article applies to TeamViewer customers with an Enterprise/Tensor license.
To use TeamViewer Single Sign-On, you need
This custom identifier is not stored by TeamViewer but is used for the initial configuration of SSO. It must not be changed at any point in time since this will break Single Sign-On and a new setup will be necessary.
Any random string can be used as a customer identifier. It is recommended not to use special characters in the custom identifier.
Notes:
To connect TeamViewer with Microsoft Entra ID as the identity provider, it is required to create an application for your Microsoft Entra ID. The steps to create and configure an enterprise application are described below:
1) Open a browser and log in to "portal.azure.com" with an account that has Global Admin permissions.
2) On the Home screen, select the Azure service "Azure Active Directory".
3) On the Azure Active Directory overview, select Enterprise applications under the Manage section on the left side.
4) The overview of all Enterprise Applications in your Azure AD opens.
5) Click All application (1) followed by
6) Click New Application (2)
7) In the next window, please click Create your own application
8) Now you can create your own application:
(1) Enter a name for your application.
(2) Select Integrate any other application you don't find in the gallery (Non-gallery).
(3) Note: Please don't select the suggested TeamViewer App from Azure.
(4) Click Create.
9) After you create the application, you will see the overview of this application.
10) Under the Manage section, click Single sign-on and select the SAML method.
11) Now you can Edit the SAML Configuration.
(1) Enter the Entity ID → https://sso.teamviewer.com/saml/metadata
(2) Note: Delete the Predefined URL from Microsoft
(3) Enter the Reply URL → https://sso.teamviewer.com/saml/acs
(4) Click Save
12) After you save the first step, you are asked whether you want to test single sign-on. Click No, I'll test later
13) In the next section, you must edit the Attributes & Claims
14) Click Add new claim to add a new claim
(1) For the Name, enter the value customeridentifier
(2) For the Namespace, enter the value http://sso.teamviewer.com/saml/claims
(3) In the Source attribute, enter the custom identifier that you created at the beginning
(4) Click Save
15) You will see the newly added claim in the Overview
16) In the next step, download the Metadata XML File or copy the Metadata URL
(1) You need one of them for the following steps in the TeamViewer Management Console.
17) Before you finish the TeamViewer Management Console Setup, please add Groups / Users to the Application.
Note: This is required so that users can successfully sign into their TeamViewer Accounts and the Groups / Users will be used for the AD SCIM Sync later.
(1) Click in the Application on Users and groups
(2) Click Add user/group
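The values entered in steps 11 and 14 can be checked against the assertion the identity provider issues during a test sign-in. The following is an added example, not TeamViewer or Microsoft code: the function name, the sample assertion and the identifier value are constructed, and it assumes the IdP emits the claim name as namespace plus "/" plus name. It checks configuration values only and does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://sso.teamviewer.com/saml/metadata"  # step 11, Entity ID
ACS_URL = "https://sso.teamviewer.com/saml/acs"         # step 11, Reply URL
# Assumption: claim name is emitted as "<namespace>/<name>" (step 14).
CLAIM = "http://sso.teamviewer.com/saml/claims/customeridentifier"

# Constructed sample assertion (not captured from a real tenant, signature omitted).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://sso.teamviewer.com/saml/acs"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sso.teamviewer.com/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://sso.teamviewer.com/saml/claims/customeridentifier">
      <saml:AttributeValue>example-identifier-123</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_identifier):
    """Return a list of configuration problems found in one SAML assertion."""
    root = ET.fromstring(xml_text)  # parse only assertions from your own test sign-in
    problems = []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if ENTITY_ID not in audiences:
        problems.append(f"Entity ID: audience {audiences} lacks {ENTITY_ID}")
    recipients = [c.get("Recipient")
                  for c in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        problems.append(f"Reply URL: recipient {recipients} lacks {ACS_URL}")
    values = [(v.text or "").strip()
              for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == CLAIM
              for v in a.iterfind("saml:AttributeValue", NS)]
    if not values:
        problems.append("customeridentifier claim is missing")
    elif any(v != expected_identifier for v in values):
        problems.append("customeridentifier claim does not match the configured value")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE, "example-identifier-123") or "configuration looks consistent")
```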
1) Open a web browser and sign in with your licensed TeamViewer account to the web app at https://web.teamviewer.com/.
Note: The TeamViewer account user permissions must be Company Administrator.
(1) Click Admin settings
(2) Click Single Sign-On
(3) Click Add domain
2) In the next window, you can enter the domain that you want to use for Single Sign-On.
Note: Repeat this step if you want to use multiple domains for TeamViewer Single Sign-On. Use the same XML File or XML URL for the different Domains. The only requirement here is that the domains are linked to the same Microsoft Entra ID Tenant.
(1) Enter your Domain
(2) Select the Configuration Type
(3) Upload the Metadata XML File
(4) Activate additional Options
Note for Subdomains: This feature includes not only the domain (example.com) for the SSO login, but also all subdomains (such as sub.example.com).
Note for Enable Activation Emails: SSO accounts that are created under this domain will or will not receive activation emails depending on this option. Newly created accounts will receive activation emails if this option is enabled.
(5) Click Continue.
3) In the next section, you can add accounts to the Single Sign-On Exclusion List. If you don't have something to add, click Add domain.
Important Note: It is highly recommended to add all domain owners to the exclusion list so that they can still log in if SSO needs a new configuration. Tests of the SSO login should be executed with a second account.
Note for Email Exclusions: You can specify email addresses that will be excluded from Identity Provider Connection. These accounts can sign in to TeamViewer as usual without identity provider authentication. It is recommended to exclude the owner of a domain as a fallback, in case the configuration is not correct or the identity provider is not available.
4) This step (Single Sign-On Custom Identifier) can be skipped by clicking Continue, as you have already created the Custom Identifier at the beginning.
Note 1: On this screen you will see the information for your DNS Server Management. You need the information from the field Name / Host and the information from the field Value / Data.
Note 2: Copy the value from the field Value / Data; you need this information later.
1) On the domain verification window, do the following
(1) You can click Start Verification
(2) You can click Skip
Notes:
2) Go back to the web app at https://web.teamviewer.com/.
Note: The TeamViewer Account User Permissions must be "Company Administrator"
(1) Click Admin settings
(2) Click Single Sign-On
(3) Click the three dots icon (⋮) to edit the domain
(4) Click Edit
3) Click Domain Verification
4) Click Copy for the Value
5) Click Start Verification after you have completed the steps on your DNS Server Management
Notes:
Note: The following shows the DNS Server Management for a Domain, which is managed by Cloudflare. Your DNS Server Management might look different!
After you have signed in to the Cloudflare Dashboard, select the domain.
(1) Click DNS and click Add record
(2) Select as Type → TXT
(3) Enter for the Name → @
(4) Enter for Content → The TeamViewer SSO Verification Value from the Step above
(5) Click Save
TeamViewer is compatible with Single Sign-On starting from version 13.2.1080.
Previous versions do not support Single Sign-On and cannot redirect users to your identity provider during the login. The client configuration is optional but allows changing the browser used for the SSO login at the IdP.
The TeamViewer client will use an embedded browser for the identity provider authentication by default. If you prefer to use the default browser of the operating system, you can change this behavior:
Windows:
HKEY_CURRENT_USER\Software\TeamViewer\SsoUseEmbeddedBrowser = 0 (DWORD)
macOS:
defaults write com.teamviewer.teamviewer.preferences SsoUseEmbeddedBrowser -int 0
Note: You need to restart the TeamViewer client after creating or changing the registry.