Enable single sign-on (SSO) to allow your team members to log in to Deputy via your company's Identity Provider (IdP). SSO enables users to remember just one password while ensuring secure access to Deputy.
In this article we will cover:
- How to enable SSO in Deputy
- Supported IdPs
- Setting up SSO in the Identity Provider
- Setting up SSO in Deputy
- Setting up Single Log Out (SLO) in Deputy
- Setting up Single Log Out (SLO) in Identity Provider
- Just-In-Time provisioning
- How to log in to Deputy on the web using SSO
- How to log in to Deputy mobile app using SSO
How to Enable SSO in Deputy
SSO is available on Deputy Enterprise plans. Ensure you are logged into Deputy with either System Administrator or Advisor access before proceeding.
To get started:
- Navigate to the Enterprise tab.
- Under the General Settings section, click Single Sign-On Settings.
Supported Identity Providers
Deputy supports IdPs that comply with SAML 2.0. This includes but is not limited to:
- Okta
- Microsoft Azure
- PingIdentity
- Oracle Identity Management
OpenID Connect (OIDC) is supported only for limited social SSO options (e.g., Google, Facebook).
Dual sign-in options for different user groups (e.g., SSO for some and non-SSO for others) are not supported within the same Deputy instance.
Setting up SSO in the Identity Provider
- Log into your IdP / go to your identity provider's site.
- Follow the instructions provided by your IdP to configure SSO.
- Use the following Deputy-specific values:
- Single Sign-On (SSO) URL / Login URL / Assertion Consumer Service (ACS) URL: https://[your-subdomain].deputy.com/exec/devapp/samlacs.php (e.g., https://company.au.deputy.com/exec/devapp/samlacs.php)
- Download the X.509 certificate from your IdP (for Microsoft Azure, ensure it is the Base64 version).
It's very important to ensure there are no trailing or leading spaces when copying and pasting strings of text such as URLs and certificates. For that reason, we recommend pasting into a text editor first to check.
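The whitespace and Base64 checks above can be run on the pasted values before they go into either settings page. This is an added example, not Deputy's code: the function names are hypothetical, the host rule is inferred from the article's example URLs, and the certificate is assumed to be in PEM form with BEGIN/END lines.

```python
import base64
import re
from urllib.parse import urlsplit

ACS_PATH = "/exec/devapp/samlacs.php"  # path given in the article
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def check_acs_url(value):
    """Return a list of problems with a pasted ACS URL (empty list = OK)."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    parts = urlsplit(value.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not (parts.hostname or "").endswith(".deputy.com"):
        problems.append("host is not under deputy.com")
    if parts.path != ACS_PATH:
        problems.append("path is not " + ACS_PATH)
    return problems


def check_certificate(text):
    """Return a list of problems with a pasted X.509 certificate."""
    problems = []
    if text != text.strip():
        problems.append("leading or trailing whitespace")
    match = PEM_RE.fullmatch(text.strip())
    if not match:
        return problems + ["not a single Base64 (PEM) certificate block"]
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return problems + ["Base64 body does not decode"]
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der.startswith(b"\x30"):
        problems.append("decoded body is not DER (no ASN.1 SEQUENCE tag)")
    return problems


# Constructed placeholder bytes, not a real certificate: structure checks only.
_SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(32)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----")
```

A binary (DER) download pasted as text fails the PEM check, which is the case the Microsoft Azure note guards against.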
Setting up SSO in Deputy
- In the Single Sign-On Settings section of Deputy (Enterprise tab > General section > Single Sign-On), enter the following information into its corresponding field:
- Identity provider login (SSO) URL
- Identity provider issuer / Entity ID
- X.509 certificate (downloaded earlier)
Setting up Single Log Out (SLO) in Deputy
- Download the Deputy public certificate (X.509 certificate) from the Deputy SSO settings page by clicking the Download certificate button (pictured below).
- Paste the certificate into your IdP setup.
Setting up Single Log Out (SLO) in the Identity Provider
You will need the following information from Deputy to configure SLO in the IdP:
- Service Provider Logout (SLO) URL: https://[your-subdomain].deputy.com/exec/devapp/saml-slo (e.g., https://company.au.deputy.com/exec/devapp/saml-slo).
- Service Provider Issuer/Entity ID: https://[your-subdomain].deputy.com (e.g., https://company.au.deputy.com)
Upload the X.509 certificate (downloaded from Deputy).
Choose whether you want to make SSO optional or required
Making SSO required for your team members ensures the following:
- For mobile and web users: Prevents team members from using the supplied email address as set up in the SSO provider with other Deputy accounts
- Team members need to be authenticated by your company's IdP to access the Deputy account
- Your team must log in to Deputy with SSO. They won't be able to create or use a Deputy password to log in.
Warning: Do NOT tick this check box to require SSO to log in until you have tested that your SSO configuration works and you can successfully log in via SSO. Otherwise, if your SSO configuration is not correct, you will be locked out of your account and will have to contact Deputy Support to unlock your account.
Once you have tested your SSO configuration and are ready to require your team members to log in via SSO only, tick the check box and click Apply changes.
Just-in-time (JIT) Provisioning
Enable JIT provisioning to create users in Deputy automatically when they are added to your IdP.
Using JIT provisioning eliminates the need to create users in Deputy in advance.
1. On the Single sign-on settings page, scroll down to the Just-in-time provisioning section and toggle Enable Just-in-time provisioning to ON.
2. A number of fields will appear after toggling this to ON.
Mapping Deputy Attributes to your Identity Provider Attributes
You will need to map Deputy user attributes to the IdP user attributes.
In your IdP config, find the attribute values that match with the following:
- First name
- Last name
- Location
- Access level
Fill these in under 'Identity provider attribute'. These mappings will tell the IdP which user attribute values will populate into Deputy when provisioning users.
You have the option to choose the default value for Location and Access Level.
- Location will default to the first location created in the account.
- Access Level will default to the lowest access level, which is usually 'Employee'.
Note: Archiving of users via JIT is not supported. This must be performed manually within Deputy.
Mapping additional attributes
If you have more than one location and access level, you can map these as well.
- Select the Map locations and/or Map access levels buttons as required.
- From here, select Add new and a new field will appear.
- Fill in that location's attribute (found in the IdP) and make sure it is accurate (case sensitive). If the IdP attribute isn't recognised or there's an error, it will be mapped to the default value.
- Click Done to save changes.
Continue to map any other Locations or Access levels you need to complete.
Back in the main SSO settings page, once you are finished don't forget to click Apply Changes at the top of the page to make sure all changes are saved.
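Because an unrecognised or mis-cased IdP attribute is mapped to the default without an error, it is worth comparing the values your IdP actually sends against the mapping before enabling JIT. The following is an added example, not Deputy's code: it models only the rule stated above (exact, case-sensitive match or the default), and the function name, group names and sample data are hypothetical.

```python
def audit_jit_mapping(idp_values, mapping, default):
    """Report how each IdP value resolves under the documented rule.

    The rule modelled here (from the article): an exact, case-sensitive match
    uses the mapped value; anything else is mapped to the default.
    """
    # Index configured keys by a case- and whitespace-insensitive form so a
    # fallback caused by a typo can be told apart from a missing mapping.
    loose = {key.strip().casefold(): key for key in mapping}
    report = []
    for value in idp_values:
        exact = value in mapping
        report.append({
            "idp_value": value,
            "effective": mapping[value] if exact else default,
            "fallback": not exact,
            "near_miss": None if exact else loose.get(value.strip().casefold()),
        })
    return report


# Constructed sample data (hypothetical IdP group names).
ACCESS_MAP = {"Managers": "Advisor", "Payroll": "System Administrator"}
IDP_VALUES = ["Managers", "payroll", "Payroll ", "Contractors"]

if __name__ == "__main__":
    # Print only the values that would silently receive the default level.
    for row in audit_jit_mapping(IDP_VALUES, ACCESS_MAP, "Employee"):
        if row["fallback"]:
            print(row)
```

A row with a `near_miss` is a typo to correct in the mapping; a row without one is a value that has no mapping at all and will receive whatever default is selected.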
How to log in to Deputy on the web using SSO
Log in to your Identity Provider (in this example, Okta) and click on the Deputy app to be automatically logged into Deputy.
How to log in to Deputy mobile app using SSO
1. To use SSO on mobile, you will need to provide your Deputy URL (subdomain) to your team members.
For example, if your URL is exampleurl.au.deputy.com, you will only need to send them exampleurl.au.
To learn how to change your URL, check out our help doc here.
2. Your team member will need to download the Deputy Mobile App for either iOS or Android as appropriate to their device.
3. After opening the app, tap Log in and then on the next screen tap on Single Sign On.
4. Your team members then need to type your organisation's URL provided in step 1 and tap on Continue.
5. Enter the credentials you need to log into your Identity Provider (in this example Okta) and then tap Sign in. You will be logged into Deputy.
Check out our FAQ guide for any questions on SSO.