Logging into TeamSupport requires a secure username and password to sign in. Typically the user is prompted to enter this information upon signing in. While this works fine for some TeamSupport customers, requiring a password creates a problem if TeamSupport is being accessed from within another application which already has authentication.

TeamSupport solves this problem by utilizing SAML (Security Assertion Markup Language) to provide authentication to users via secure tokens.

When SAML is properly configured, the user still goes through the same validation that they would for standard login, although a password is not required to be entered on the login screen. For example, if the user is inactive inside TeamSupport even when using SAML SSO, they will still be unable to login. Additionally, SAML login attempts are recorded in the user history similar to the standard login process.

Two methods of authentication are available:

  • IDP Initiated: Authentication starts by a user of TS app authenticating through their company Identity Provider (IDP). Multiple IDP options are available including Active Directory (AD).
  • Link initiated: Also referred to as Service Provider Initiated SSO, this authentication starts by a user clicking on a link their company provides to them.

In either of these cases, you can use SAML over HTTPS to generate and pass an authentication token to TeamSupport which will provide the credentials needed to automatically log the user into the app without further login requirements. The user email in the IDP and in TeamSupport must match in order for the authentication to work.

Step 1: SSO Setup

From within TeamSupport, navigate to Admin->My Company -> Single Sign On Tab.

Field Definitions

  • Enable SAML Login: Check this box to enable/disable the SAML in your account.
  • Identity Provider Sign In URL: Identity provider endpoint that TeamSupport will use to redirect the user when a request to authenticate is received.
  • Identity Provider Sign Out Redirect URL : Optional. The URL that identifies where users that have been signed out of TeamSupport via the Identity Provider will be redirected.
  • x509 Certificate : The certificate can be obtained from your Identity Provider and is used to verify the authenticity of SAML requests to TeamSupport.

Step 2: Configuring Your Identity Provider

Once the form above is populated, click save and “Configuring your identity provider for TeamSupport” will populate with information necessary to configure your Identity Provider. How to configure your IDP will vary based on which IDP you are using.

Field Definitions

  • SAML Identifier/Audience: Unique identifier for TeamSupport to your Identity Provider.
  • Assertion Consumer Service URL: Your Identity Provider will use this URL for posting SAML after user validation.
  • Logout Assertion URL: Your Identity Provider will use this URL to post to for TeamSupport logout.

Code Snippets

Below is an example in XML of what TeamSupport expects to be included in the IDP generated SAML when calling the sign in endpoint.

<AttributeStatement>
      <Attribute Name=“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”>
        <AttributeValue>{email@gmail.com}</AttributeValue>
      </Attribute>
    </AttributeStatement>
<AttributeStatement>
      <Attribute Name=“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”>
        <AttributeValue>{email@gmail.com}</AttributeValue>
      </Attribute>
    </AttributeStatement>

Need more help with this?
Customer Support

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.