Within Teamwork, you can connect to your existing ADFS management portal.
Note: Teamwork’s SSO offering is part of the paid Advanced Security add-on which you can purchase in addition to your Teamwork subscription.
Setup steps
- In the ADFS management portal, choose the option to add Relying Party Trust.
- Click Start, then on the Select Data Source page choose the option to Import data about the relying party published online or on a local network.
- For the Federation metadata address, enter: https://{your teamwork site}/singlesignon
- Provide a name for the relying party ("Teamwork") and any notes desired.
- Configure Multi-factor Authentication and issuance authorization rules as desired (do not enable MFA, and permit all users to authenticate).
- In the Ready to Add Trust subsection, you can review the settings pulled in from the Federation Metadata. These values should work by default.
- On the last page, select the checkbox to edit claims rules and finish the setup.
- In the Edit Claim Rules window, under the Issuance Transform Rules tab, you will want to use the Add Rule button to set up the information you will be passing along to Teamwork.
- After clicking Add Rule, choose the Send LDAP Attributes as Claims template and click Next. Enter a name for the rule, choose your Attribute Store (Active Directory), and map the attributes you want to pass along to Teamwork. Send the user's email address, first name and last name; also send the email address as the NameID.
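The same setup, scripted with the ADFS PowerShell cmdlets, as an added example that is not part of Teamwork's documentation. It creates the Relying Party Trust from the federation metadata URL, permits all authenticated users (the default the steps above describe), and installs the two claim rules the GUI steps produce: LDAP attributes for email, first name and last name, and the email address transformed into the NameID. The hostname in $TeamworkSite is a placeholder; the trust name "Teamwork" and the rule names are assumptions.

```powershell
# Added example (not Teamwork's own script): run in an elevated PowerShell
# session on the ADFS server. $TeamworkSite is a placeholder for your site.
$TeamworkSite = "yourcompany.teamwork.com"   # placeholder, replace with your site
$MetadataUrl  = "https://$TeamworkSite/singlesignon"

# "Send LDAP Attributes as Claims": read mail, givenName and sn from Active
# Directory for the authenticated Windows account and issue them as the
# email address, given name and surname claims.
$LdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Teamwork user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"),
          query = ";mail,givenName,sn;{0}", param = c.Value);
'@

# "Transform an Incoming Claim": send the email address as the SAML NameID
# (email-address format), which Teamwork uses to match the signed-in user.
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Email address as NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: permit all authenticated users, as in the steps above.
$PermitAllRule = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Create the trust from the published metadata and keep it monitored so that
# certificate or endpoint changes in the metadata are picked up automatically.
Add-AdfsRelyingPartyTrust -Name "Teamwork" `
    -MetadataUrl $MetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceTransformRules ($LdapRule + "`n" + $NameIdRule) `
    -IssuanceAuthorizationRules $PermitAllRule

# Review what ADFS imported from the metadata and the rules that were applied
# (the same values the "Ready to Add Trust" page shows in the GUI).
Get-AdfsRelyingPartyTrust -Name "Teamwork" |
    Select-Object Name, Identifier, MetadataUrl, IssuanceTransformRules, IssuanceAuthorizationRules
```

The Get-AdfsRelyingPartyTrust call at the end is the check to keep: the Identifier it prints must match the entity ID Teamwork publishes in its metadata, and the transform rules must contain exactly the claims Teamwork expects, with no extra attributes leaking to the application.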
Additional information
Optionally, you can set up a group membership claim rule to restrict who is allowed to log in to Teamwork. This can technically be done at the ADFS level directly using issuance authorization rules, but you can choose to let the application handle authorizing users instead.
This is a good way to handle AD group-based roles. If you wish to do the same, add a new rule, select Send group membership as a claim as the template, select the group you want to utilize in AD and provide an outgoing claim value (for example, send the Group SID).
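The group membership rule described above, scripted as an added example (not Teamwork's own script). It appends a "Send Group Membership as a Claim" rule to the existing "Teamwork" trust so that members of one AD group receive a group claim the application can use for role assignment; the SID and the outgoing claim value are placeholders, and the trust name "Teamwork" is an assumption.

```powershell
# Added example (not Teamwork's own script): assumes a Relying Party Trust
# named "Teamwork" already exists. Both values below are placeholders.
$GroupSid      = "S-1-5-21-0000000000-0000000000-0000000000-0000"  # placeholder group SID
$OutgoingValue = "Teamwork Users"                                  # placeholder outgoing claim value

# If the ActiveDirectory module is installed, the SID can be looked up by name:
# $GroupSid = (Get-ADGroup "Teamwork Users").SID.Value

# "Send Group Membership as a Claim": only users whose token carries this
# group SID get the outgoing group claim; everyone else gets no claim and is
# left for the application to reject.
$GroupRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Teamwork group membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "$OutgoingValue",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Append to the existing transform rules rather than replacing them, so the
# email, name and NameID rules stay in place.
$Trust = Get-AdfsRelyingPartyTrust -Name "Teamwork"
Set-AdfsRelyingPartyTrust -TargetName "Teamwork" `
    -IssuanceTransformRules ($Trust.IssuanceTransformRules + "`n" + $GroupRule)

# Confirm the rule set now ends with the group rule.
(Get-AdfsRelyingPartyTrust -Name "Teamwork").IssuanceTransformRules
```

Matching on the group SID rather than the group's display name keeps the rule stable if the group is renamed, and the outgoing value is what Teamwork sees, so keep it in sync with the role mapping configured on the Teamwork side.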
If a user signs in via SSO and does not exist in Teamwork, the user will be created automatically.
If the user already exists in Teamwork, the sign in process will connect to the existing user based on email address instead of creating a new user.
If the email address used as part of the SSO process is different from the existing user's email address in Teamwork and you want to match them up, add the SSO email address as an Alt email address on the user in Teamwork so that the SSO sign-in connects to the existing user instead of creating a new one.
A user's Teamwork password will continue to work regardless of SSO if you have chosen to keep both standard login and SSO login available to users.
For more information, see: Single Sign-on (SSO) Overview