Single Sign On (SSO) Prerequisites
This page explains the information required to configure SSO for your company. This document can be shared directly with your IT teams.
Once this information is sent back to your Customer Success Manager, it will be implemented shortly, followed by a testing session to confirm the login flow.
Security Disclaimer
Some of the information below is sensitive, the Client Secret in particular (we call these "secrets"). Share secrets only through a secure, encrypted channel agreed with your Customer Success Manager. Do not send them by email, Slack or Teams, where they remain in searchable message history, and do not store them locally.
Required Information
After a successful Single Sign-On we require several fields to be present; the others are optional but improve the Out Of The Box Experience (OOBE):
| Field | Details | Is required? |
|---|---|---|
| Identity Provider Unique Id | A unique and stable identifier for the user in your system (it must never change or be reassigned to someone else). We use it to link your account to ours. | ✅ Yes |
| Email | Either personal (preferred) or professional email. | ✅ Yes |
| First Name | N/A | No |
| Last Name | N/A | No |
| Groups | Allows provisioning of groups dynamically. Must be stable group identifiers, not display names. | No |
Dedicated Email Domains
If you use dedicated email domains (e.g., @teale.io), please provide the list. We will use them to automatically prompt users to use your Identity Provider.
Insurance Providers
If you are an insurance provider serving users with personal emails (any domain), you can skip providing a domain list.
Auth Method Override
When a user claims a license, we disable their password. From then on they can only log in through your configured SSO method, so a misconfiguration or outage on your Identity Provider locks those users out until it is resolved.
Supported Protocols
We support multiple SSO protocols, with OpenID Connect (OIDC) being our preferred method.
🔺 Preferred - OpenID Connect (OIDC)
OpenID Connect is the standard used by most modern Identity Providers, such as Google or Microsoft. You are expected to create a dedicated OAuth application (client) for Teale, with its own Client ID and Client Secret.
Technical Requirements
- Fully compliant with the OAuth 2.0 and OpenID Connect Core specifications
- Provides a JWKS endpoint, so that we fetch your current signing keys on the fly and key rotation on your side needs no manual exchange of certificates
- Supports PKCE with the S256 code challenge method (plain is not accepted)
- Supports the nonce parameter, echoed back as the nonce claim of the ID token
Information to provide:
| Name | Details |
|---|---|
| Client ID | The Client ID of your OAuth application |
| Client Secret | The Client Secret of your OAuth application (a secret: see Security Disclaimer above) |
| Authorization Endpoint | Endpoint where the authentication flow starts |
| Token Endpoint | Endpoint where tokens are retrieved |
| JWKS URI | URI of the JSON Web Key Set holding the public keys we use to verify the signature of your tokens |
OIDC Token Mapping:
| Field | OIDC Token Claim | Type |
|---|---|---|
| Identity Provider Unique Id | sub | string |
| Email | email | string |
| First Name | given_name | string |
| Last Name | family_name | string |
| Groups | groups | string[] |
🔸 Experimental - SAML 2.0
We can support SAML 2.0, but strongly advise using OIDC when possible. Please note that this integration is experimental and might delay the enablement schedule.
Next Steps
1. Allow-list our redirect URI
After you provide the required information, we will share the redirect URI that you need to register as an allowed redirect URI on your OAuth application.
2. Live test session
We will schedule a live session to test the full authentication funnel and license linking.
Ready to go!
If all tests are successful, your SSO integration is complete and ready for your employees!