The inclusion list for SSO allows you to customize Single Sign-On (SSO) activation by selectively enabling it for specific users or user groups within your organization. This feature helps with a smoother onboarding process by facilitating a controlled test roll-out to a smaller group before implementing SSO across your entire organization. Depending on the company's structure and license setup, the inclusion list can streamline SSO activation by focusing on relevant user groups or email addresses, avoiding the need to exclude the majority of the company’s employees.

This article applies to all TeamViewer Tensor license holders.

How to set up the inclusion list for SSO

To set up the inclusion list for SSO, please follow the instructions below:

  1. Sign in to your TeamViewer account within the TeamViewer client or the web app and go to the Admin settings.
  2. Within the Authentication section, click Single Sign-On.
  3. Select your domain and click Edit.
  4. Click the locker icon called Exclusions and inclusions and click Inclusion list.
  5. Click the activate button.
  6. Define the inclusion list by adding the email addresses or user groups you want to activate SSO for.
  7. Click Save to apply the inclusion list.

SSO will only be activated for the users you have added to the inclusion list.

Going live with SSO

To ensure that SSO can help your organization prevent any unsupervised TeamViewer usage (aka "Shadow IT"), you will need to enable SSO globally for your domain once your testing is complete.

So, once you are done with your tests, make sure to deactivate the inclusion list by clicking the toggle again.

Hint: When SSO is enabled for all accounts, we recommend adding one or more "break-glass" accounts to the SSO exclusion list as a fallback in case of SSO issues.

How the inclusion list for SSO works

The inclusion list works together with the exclusion list as follows:

When the inclusion list is enabled:

  • If the exclusion list is empty, SSO login will be enabled only for the emails or user groups on the inclusion list.
  • If there are entries on the exclusion list, only the emails or user groups on the inclusion list will have SSO login enabled, except those excluded.

When the inclusion list is deactivated:

  • If the exclusion list is empty, SSO login is enabled for all users within the domain.
  • If there are entries on the exclusion list, SSO login is enabled for everyone except the emails or user groups on the exclusion list.

Errors will occur if an attempt is made to include a user on both lists simultaneously. Make sure to remove users from one list before adding them to the other.

There is no check whether an email on the inclusion list is also a member of a user group on the exclusion list, or vice versa. Please keep this in mind when setting up the inclusion list in combination with user groups on the exclusion list.
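The rules above and the missing email/group overlap check can be modelled offline before changing the lists. The following is an added example, not TeamViewer code: the `SsoLists` class, the function names, the group names and the example.com addresses are all hypothetical, and it assumes the exclusion list wins when a user is reachable from both lists.

```python
# Added example: a model of the rules documented above, not TeamViewer code.
from dataclasses import dataclass, field, replace

@dataclass
class SsoLists:  # hypothetical container for one domain's SSO lists
    inclusion_enabled: bool
    include_emails: set = field(default_factory=set)
    include_groups: set = field(default_factory=set)
    exclude_emails: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)

def _on_list(email, groups, list_emails, list_groups):
    return email.lower() in list_emails or bool(groups & list_groups)

def sso_enabled(cfg, email, groups):
    """True if SSO login applies to the user under the documented rules."""
    # Assumption: on an email/group overlap the exclusion wins
    # ("... except those excluded"); the product does not check for it.
    if _on_list(email, groups, cfg.exclude_emails, cfg.exclude_groups):
        return False
    if cfg.inclusion_enabled:
        return _on_list(email, groups, cfg.include_emails, cfg.include_groups)
    return True

def cross_list_conflicts(cfg, membership):
    """Users reachable from both lists through an email/group overlap."""
    return sorted(
        email for email, groups in membership.items()
        if _on_list(email, groups, cfg.include_emails, cfg.include_groups)
        and _on_list(email, groups, cfg.exclude_emails, cfg.exclude_groups))

def gains_sso_at_go_live(cfg, membership):
    """Users who switch to SSO once the inclusion list is deactivated."""
    live = replace(cfg, inclusion_enabled=False)
    return sorted(
        email for email, groups in membership.items()
        if not sso_enabled(cfg, email, groups)
        and sso_enabled(live, email, groups))

# Constructed sample data: user email -> set of user groups.
SAMPLE_MEMBERSHIP = {
    "alice@example.com": {"it-pilot"},
    "bob@example.com": {"sales"},
    "breakglass@example.com": {"it-pilot", "admins"},
    "carol@example.com": {"contractors"},
}
SAMPLE_CFG = SsoLists(True, {"carol@example.com"}, {"it-pilot"},
                      {"breakglass@example.com"}, {"contractors"})
```

Running `cross_list_conflicts` on an export of your own users and groups shows the overlaps to resolve, and `gains_sso_at_go_live` shows who will be switched to SSO when the toggle is turned off.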