✔ Available with the paid Advanced Security add-on

What | Set up single sign-on (SSO) to Teamwork.com via the AD FS (Active Directory Federation Services) management portal.
Who |
Before you start

SSO is included as part of Teamwork.com's paid Advanced Security add-on. You can purchase the add-on in addition to your main Teamwork.com subscription.

You will need to send your AD FS server's metadata to Teamwork.com via an SSO submission request in order to complete your site's SSO setup.

Your metadata may be located at:
AD FS SSO setup

Step 1: Configure Teamwork.com on your AD FS server

- Open Server Manager.
- Under Tools, select AD FS Management.
- Select Add Relying Party Trust on the right of the AD FS view.
- Click Start.
- Choose Import data about the relying party published online or on a local network.
- Enter your Teamwork.com site's metadata URL in the following format: https://yoursitename.teamwork.com/singlesignon/v1/saml/metadata
- Enter Teamwork.com as the relying party.
- Add any additional notes, if relevant.
- Configure multi-factor authentication and issuance authorization rules as desired. Do not enable MFA, and permit all users to authenticate.
- Review the settings pulled in from the federation metadata. These can be found under the Ready to Add Trust subsection.
- Check the edit claim rules checkbox to edit claims and finish the setup. We cover how to edit the claim rules in the next section.
Step 2: Edit claim rules

In the Edit Rule window:

- Select the Issuance Transform Rules tab.
- Click Add Rule. This is where you'll set up the information you want to pass to Teamwork.com.
- Select the Send LDAP Attributes as Claims template.
- Click Next.
- Enter a name for the rule.
- Click the Attribute store dropdown and select Active Directory.
- Map the attributes you want to pass to Teamwork.com. We recommend at minimum passing the following:

LDAP Attribute | Outgoing Claim Type
Given-Name | givenname
Surname | lname
E-Mail-Addresses | email

- Click OK to save the rule.
- Click Add Rule to create an additional rule.
- Select Transform an Incoming Claim.
- Enter a name for the rule, e.g. "Name ID".
- Set the Incoming claim type to UPN.
- Set the Outgoing claim type to Name ID.
- Set the Outgoing name ID format to Transient Identifier.
- Click OK.
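The same relying party trust and claim rules that Steps 1 and 2 create through the AD FS Management GUI can be scripted with the AD FS PowerShell module, which makes the configuration reviewable and repeatable. The script below is an added example and is not from the Teamwork.com article or from Teamwork.com. It assumes the site name "yoursitename" and the trust name "Teamwork.com" are placeholders, uses the outgoing claim type names the article recommends (givenname, lname, email), and is run in an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not Teamwork.com's own code): script the relying party trust and
# claim rules from Steps 1 and 2 with the AD FS PowerShell module.
# Assumptions: "yoursitename" and the trust name "Teamwork.com" are placeholders.
Import-Module ADFS

$SiteName    = "yoursitename"
$TrustName   = "Teamwork.com"
$MetadataUrl = "https://$SiteName.teamwork.com/singlesignon/v1/saml/metadata"

# Step 1: import the relying party from its published metadata (the wizard's
# "Import data about the relying party published online" option). Monitoring
# and auto-update keep the trust in sync with the published metadata.
if (-not (Get-AdfsRelyingPartyTrust -Name $TrustName)) {
    Add-AdfsRelyingPartyTrust -Name $TrustName `
        -MetadataUrl $MetadataUrl `
        -Notes "Teamwork.com SSO (SAML) - created by script" `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true
}

# Step 2a: "Send LDAP Attributes as Claims". The AD attributes givenName, sn and
# mail are issued as the givenname, lname and email claims.
$LdapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Teamwork.com user attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("givenname", "lname", "email"), query = ";givenName,sn,mail;{0}", param = c.Value);
'@

# Step 2b: "Transform an Incoming Claim". The UPN becomes the SAML Name ID with
# the Transient Identifier format.
$NameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Issuance authorization as the wizard's "Permit all users" choice sets it.
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rules in one rule set are separated by a newline.
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules ($LdapRule + "`n" + $NameIdRule) `
    -IssuanceAuthorizationRules $PermitAll

# Print the stored rules so the result can be compared with the GUI's Edit Claim Rules view.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

The here-strings hold the claim rule language exactly as AD FS writes it when the GUI templates are used, so the rules you see under Edit Claim Rules afterwards will match what the wizard would have produced.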
Any users with email addresses defined in the Active Directory can log in to Teamwork.com via the SSO process.

Another option...

You can set up a group membership claim rule in AD FS to restrict who can log in to Teamwork.com. Use issuance authorization directly at the AD FS level and let the application handle authorizing users. This is a recommended way to handle Active Directory group-based roles.

- Select the Issuance Transform Rules tab.
- Click Add Rule. This is where you'll set up the information you want to pass to Teamwork.com.
- Choose the Send Group Membership as a Claim template.
- Select the group you want to use in Active Directory.
- Set an outgoing claim value. Tip: send the Group SID.
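Restricting sign-in to one Active Directory group takes two pieces: the group membership claim the steps above create, and an issuance authorization rule that permits only users who carry that claim, which is what "issuance authorization at the AD FS level" means in practice. The script below is an added example, not code from the Teamwork.com article; it assumes an AD group named "Teamwork-SSO-Users" (a placeholder) and a relying party trust already named "Teamwork.com", and it is run on the AD FS server with the ActiveDirectory module available.

```powershell
# Added example (not Teamwork.com's own code): emit the group SID as a claim and
# permit only members of that group to authenticate to the Teamwork.com trust.
# Assumptions: group "Teamwork-SSO-Users" and trust "Teamwork.com" are placeholders.
Import-Module ADFS
Import-Module ActiveDirectory

$TrustName = "Teamwork.com"
$GroupName = "Teamwork-SSO-Users"

# Resolve the group's SID instead of typing it; the article's tip is to send the SID.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# "Send Group Membership as a Claim" as the GUI template writes it: members of
# the group receive a Group SID claim carrying the group's SID.
$GroupClaimRule = @"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Teamwork.com group membership"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$GroupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value = c.Value, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# Issuance authorization: permit only users whose Group SID claim matches the
# group. Anyone without a permit claim is denied before a SAML response is built.
$AuthzRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Teamwork.com group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$GroupSid`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Keep the existing transform rules (LDAP attributes, Name ID) and append the
# group claim; replace the "permit all" authorization rule with the group rule.
$Trust = Get-AdfsRelyingPartyTrust -Name $TrustName
Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceTransformRules ($Trust.IssuanceTransformRules + "`n" + $GroupClaimRule) `
    -IssuanceAuthorizationRules $AuthzRule

# Confirm what is now enforced for this relying party.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceAuthorizationRules
```

Because the authorization rule replaces the "permit all" rule rather than adding to it, a user outside the group is refused at AD FS and never reaches Teamwork.com's automatic account creation described in the next section.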
Logging in to Teamwork.com

- Existing Teamwork.com users can log in to Teamwork.com using AD FS SSO or their standard login (email and password).
- When an existing Teamwork.com user signs in via SSO, the sign-in process connects to the existing user based on their email address.
- If the email address used as part of the SSO process is different from the existing user's email address in Teamwork.com, you can add the user's Active Directory email address as an alternative email address in their Teamwork.com profile to connect them.
- The AD FS SSO process will only work for a user if that user has an email address defined in the Active Directory.
- If someone signs in to Teamwork.com via SSO and does not exist in Teamwork.com, the user is created automatically in Teamwork.com.
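Two of the points above are worth checking before SSO goes live: users without a mail attribute in Active Directory cannot sign in at all, and users whose AD email address is not the one Teamwork.com knows them by will get a fresh account created automatically instead of being linked to their existing one. The audit below is an added example, not code from the Teamwork.com article. It assumes the AD group "Teamwork-SSO-Users" (a placeholder) holds the users expected to use SSO, and the list of addresses Teamwork.com already knows is a constructed sample standing in for an export of your site's users.

```powershell
# Added example (not Teamwork.com's own code): find SSO users who will fail to
# sign in (no mail attribute) or will be auto-provisioned as new accounts (AD
# mail not known to Teamwork.com) rather than linked to their existing account.
# Assumptions: group "Teamwork-SSO-Users" is a placeholder; $TeamworkEmails is a
# constructed sample to be replaced with a real export of your site's users.
Import-Module ActiveDirectory

$GroupName = "Teamwork-SSO-Users"

# Constructed sample of the email addresses (primary or alternative) already
# present on Teamwork.com profiles.
$TeamworkEmails = @('alice@example.com', 'bob@example.com')

# All user members of the group, with the attributes the claim rules send.
$Members = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties mail })

# The email claim comes from the mail attribute; without it SSO cannot link or create a user.
$NoMail = @($Members | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# A mail value Teamwork.com has never seen results in a new, unlinked account on first SSO sign-in.
$Unlinked = @($Members | Where-Object {
    -not [string]::IsNullOrWhiteSpace($_.mail) -and ($TeamworkEmails -notcontains $_.mail.ToLower())
})

"Group members without a mail attribute (SSO will fail): $($NoMail.Count)"
$NoMail | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

"Group members whose AD mail is unknown to Teamwork.com (a new account would be created): $($Unlinked.Count)"
$Unlinked | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize
```

For the second list, either add the AD address as an alternative email on the person's existing Teamwork.com profile, as the article describes, or correct the mail attribute in AD, so that the first SSO sign-in links to the existing account instead of creating a duplicate.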