As a System Admin of an Enterprise account, you can turn on single sign-on (SSO) and allow your employees to login to Deputy via the company's identity provider (IdP). This means employees will only need to remember one password.

Using SSO, you can ensure your employees can use and access Deputy securely.

Getting Started

This feature is only available for Enterprise accounts.
C
heck out our FAQ guide for any questions.

Supported Identity Providers

You will need to use an identity provider that supports SAML 2.0.
Deputy supports, but is not limited to, the following IdP Providers:

  • Okta
  • Microsoft Azure
  • PingIdentity
  • Oracle Identity Management

---

Setting up single sign-on in the Identity Provider

  1. Go to your identity provider's site and follow the instructions to configure SSO
  2. The Single Sign On URL or Login URL should be:
    your deputy subdomain + /exec/devapp/samlacs.php e.g.https://comany.au.deputy.com/exec/devapp/samlacs.php
  3. Download the public certificate (X.509 certificate) from your IdP

Setting up single sign-on in Deputy

  1. In Deputy, go to the Enterprise tab and under 'General Settings', click 'Single sign on settings'
  2. You will need the following information from your Identity Provider to configure SSO in Deputy:
    - Identity Provider login (SSO) URL
    - Identity Provider Issuer / Entity ID
    - X.509 certificate
    (downloaded from the Identity Provider)

Paste the above information to the following fields in the SSO settings

---

Setting up single logout (SLO) in Deputy

  1. In Deputy, go to the Enterprise tab and under 'General Settings', click 'Single sign on settings'
  2. Download the 'Deputy public certificate' (X.509 certificate) from the Deputy SSO settings and paste the certificate into your IdP setup

Setting up single logout in the Identity Provider

  1. You will need the following information from Deputy to configure SLO in the IdP:
  2. Service Provider logout (SLO) URL:
    your deputy subdomain + /exec/devapp/saml-slo
    e.g. https://company.au.deputy.com/exec/devapp/saml-slo
  3. Service Provider Issuer / Entity ID
    e.g. https://company.au.deputy.com
  4. Upload the X.509 certificate (downloaded from Deputy)

---

Choose whether you want to make SSO optional or required

Making SSO required for your employees ensures the following:

  • For mobile and web users: Prevents employees from using the supplied email address as set up in the SSO provider with other Deputy accounts
  • Employees need to be authenticated by your company's IdP to access the Deputy account
  • Your team must login to Deputy with SSO. They won't be able to create or use a Deputy password to login.

To enforce SSO login

Once you've Enabled single sign-on, tick the 'Single sign-on login required' checkbox.

Remember to click the 'Apply changes' button when you're finished.

---

Just-in-time (JIT) Provisioning

Similar to our payroll and HR employee sync, we can add users into Deputy when they are added in your IdP.

JIT eliminates the need to create users (in Deputy) in advanced.

Getting Started

You can set this up in the 'Single sign on settings' page.
Scroll down to 'Just-in-time provisioning' and mark the toggle to 'ON'.

A number of fields will appear after toggling this to 'ON'.

Mapping Deputy Attributes to your Identity Provider Attributes

You will need to map Deputy user attributes to the IdP user attributes.
In your IdP config, find the attribute values that match with the following:

  • First name
  • Last name
  • Location
  • Access level

Fill these in under 'Identity provider attribute'. These mappings will tell the IdP which user attribute values will populate into Deputy when provisioning users.

You have the option to choose the default value for Location and Access Level.
Location will default to the first location created in the account.
Access Level will default to the lowest access level, this is usually 'Employee'.

Mapping Additional Attributes

If you have more than one location and access level, you can map these as well. Select 'Map locations' and 'Map access levels',

Here you can add the other locations / access levels you want mapped.

Select 'Add new' and a new field will appear.

Fill in that location's attribute (found in the IdP) and make sure it is accurate (case sensitive). If the IdP attribute isn't recognised or there's an error, it will be mapped to the default value i.e. Warehouse.

Click 'Done' to save the changes.

Back in the main SSO settings, click 'Apply Changes' at the top of the page to make sure all changes are saved.

---

Single Sign-On for Mobile

For businesses that use a single set of login credentials for their employees, the Single Sign-On for mobile allows for a more secure and seamless login experience.

Before you begin

To use SSO on mobile, you will need to provide your Deputy URL (subdomain) to your employees. For example, if your URL is exampleurl.au.deputy.com, you will only need to send them 'exampleurl.au'. To learn how to change your URL, check out our help doc here.

First, download the Deputy app. Click the links below depending on your phone's operating system:

After opening the app, tap 'Log In to Deputy.

After that, tap 'Single sign-on'.

Here, enter your account's subdomain.

Now you can enter your SSO details to log into Deputy.

Did this answer your question?