This FAQ looks at Single Sign-On support with Deputy.
Which identity providers (IdP) do we support?
Deputy supports the following IdPs, among others:
- Microsoft Azure
- Oracle Identity Management
The IdP is required to support SP-initiated SSO and SAML 2.0.
If I have 2FA activated in Deputy, does it still work when SSO is configured?
No. If 2FA has been set up in Deputy, you won't be able to use it when logging in via SSO. However, you can set up 2FA through the identity provider if you would like your employees to have that extra layer of security.
Two-factor authentication (2FA) will continue to work if the employee uses their Deputy username and password.
Can I log in via SSO on my mobile?
Yes. Instruct your employees to select "Single sign-on" on the login screen. You will need to give them the subdomain including the country code: for company.au.deputy.com, you would provide "company.au". This is the same address you type into your browser.
What happens if I'm having issues logging in via SSO or am locked out?
- For System Admins: you may select 'Forget Password' on the login page and an email will be sent prompting you to create or reset a password, or you can contact support
- For other employees: please contact your System Admins
What is the difference between SSO enabled and SSO required?
- SSO enabled: users have the option to log in with their Deputy password (if they have one), social login (Google and Facebook) or via SSO
- SSO required: users will only be able to log in with their SSO credentials. Deputy password authentication and social logins will be removed from the account login page
Will employees need to log in again if the account is switched from SSO enabled to required?
No, users will still be logged into their existing session. The only time they will need to log in again is if they log out or their session has expired.
What if I belong to multiple businesses? Can I switch between them?
- Logged in via SSO: you won't see any other businesses in the Business List and therefore will not be able to switch.
- Logged in using Deputy password: you will only be able to switch to accounts where SSO is not configured or is only enabled. Switching to an SSO required account will need authentication by the IdP.
Will I need to create new employees in Deputy or will they be automatically created the first time they log in with SSO?
New employees should first be created in the identity provider, and then you have two options:
- Manually add the employees into Deputy
- Enable just-in-time (JIT) provisioning (here's a guide on setting up JIT). After setting this up, new employees will be created in Deputy on their first login to Deputy.
Will employees be removed from Deputy if they are removed from the identity provider (e.g. Okta)?
Removing access to Deputy needs to be managed in Deputy. At this stage we don't have the ability to sync users between Deputy and the SSO provider, so users must be removed from Deputy manually.
Does Deputy support just-in-time (JIT) provisioning / modification / deletion?
User accounts can be provisioned automatically the first time a user logs into Deputy. The following attributes can be mapped:
- First name
- Last name
- Email address
- Location (first location created)
- Access Level (lowest access level)
Re. User Modification: The user's profile is updated each time they log in via SSO. The following attributes will be updated:
- First name
- Last name
- Access Level
We do not update Location because an employee may be assigned to multiple locations.
Re. User Deletion: at this stage we don't have the ability to sync users between Deputy and the SSO provider, so users must be removed from Deputy manually. Removing access to Deputy needs to be managed in Deputy.
Employees need to exist within your identity provider to use JIT. If you are removing employees from the business, they will need to be removed from Deputy as well as the identity provider.
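Because removal is not synced, a periodic comparison of the two user lists shows which Deputy accounts still need manual removal. The Python script below is an added example, not Deputy's own code; the CSV layout and the column names `email` and `status` are assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample exports; the column names ("email", "status") are
# assumptions for this example, not a documented Deputy or IdP format.
IDP_EXPORT = """email,status
alice@example.com,active
bob@example.com,suspended
"""

DEPUTY_EXPORT = """email,status
Alice@Example.com ,Active
bob@example.com,Active
carol@example.com,Active
dave@example.com,Archived
,Active
"""

def _norm(email):
    # Compare addresses case-insensitively and ignore stray whitespace.
    return (email or "").strip().lower()

def load(text):
    """Map normalised email -> lower-cased status for one CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {_norm(r["email"]): (r["status"] or "").strip().lower() for r in rows}

def stale_deputy_accounts(idp_csv, deputy_csv):
    """Return Deputy accounts that are still Active but have no active IdP user.

    Each finding is (email, reason). Rows without an email cannot be matched
    and are reported so they get a manual review instead of being skipped.
    """
    idp = load(idp_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(deputy_csv)):
        email, status = _norm(row["email"]), (row["status"] or "").strip().lower()
        if status != "active":
            continue  # already Archived or Deleted in Deputy
        if not email:
            findings.append(("<no email>", "cannot match to IdP"))
        elif email not in idp:
            findings.append((email, "not in IdP"))
        elif idp[email] != "active":
            findings.append((email, "IdP status: " + idp[email]))
    return sorted(findings)

if __name__ == "__main__":
    for email, reason in stale_deputy_accounts(IDP_EXPORT, DEPUTY_EXPORT):
        print(f"{email}\t{reason}")
```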
How do I troubleshoot any login issues?
Here are a few things to check if you cannot log in via SSO:
- In the SSO settings, make sure SSO is enabled
- Check the SSO login URL is correct - you can do this by copying it into your browser
- Check that the user exists in the IdP and / or is assigned to the correct app in the IdP
- If you are allowing the user to create a Deputy password, check to see if the employee has accepted the invitation email
- If just-in-time provisioning is Disabled, check if the user is Active in Deputy. The user may be Archived or Deleted