- Which Deputy plans support SSO?
- Which identity providers (IdP) do Deputy support?
- Can I login with a username instead of email?
- If I have 2FA activated in Deputy, does it still work when SSO is configured?
- Can I login via SSO on my mobile?
- What happens if I'm having issues logging in via SSO or locked out?
- What is the difference between SSO enabled and SSO required?
- Will employees need to re-login if the account is switched from SSO enabled to required?
- What if I belong to multiple businesses? Can I switch between them?
- Will I need to create new employees in Deputy or will they be automatically created the first time they login with SSO?
- Will employees be removed from Deputy if they are removed from the identity provider (e.g. Okta)?
- Does Deputy support just-in-time (JIT) provisioning/modification/deletion?
- How do I troubleshoot any login issues?
- How do I integrate Microsoft Azure with Deputy?
- My business enabled SSO and now I'm unable to edit my profile using the mobile app. Why?
- We enabled SSO but want to use the Deputy Kiosk app. Is that possible?
Which Deputy plans support SSO?
You can enable SSO on Deputy Enterprise plans.
Deputy customers on the Enterprise plan can enable SSO by going to the Enterprise tab and under General Settings, click Single sign-on settings.
Which identity providers (IdP) do Deputy support?
Deputy supports, but is not limited to, the following IdPs:
- Okta
- Microsoft Azure
- PingIdentity
- Oracle Identity Management
The IdP is required to support SP initiated SSO and SAML 2.0.
Can I log in with a username instead of email?
Yes, you can use an SSO username instead of an email to log in. All you need to do is ensure the employees' username has been added to their profile and it matches with the username in the IdP.
If you need to edit or change the username, then select the Personal tab in the employee's profile then click on Edit. Don't forget to save your changes.
If I have 2FA activated in Deputy, does it still work when SSO is configured?
No, if 2FA has been set up in Deputy you won't be able to use it when logging in via SSO. Although, you can set up 2FA through the identity provider if you would like your employees to have that extra layer of security.
Two-factor authentication (2FA) will continue to work if the employee uses their Deputy username and password.
Can I login via SSO on my mobile?
Yes, instructions on how to log in to Deputy's mobile apps via SSO can be found in this help article.
What happens if I'm having issues logging in via SSO or locked out?
- For System Admins: you may select 'Forget Password' on the login page and an email will be sent prompting you to create / reset a password OR contact support
- For other employees: please contact your System Admins
What is the difference between SSO enabled and SSO required?
- SSO enabled: users have the option to log in with their Deputy password (if they have one), social login (Google and Facebook) or via SSO
- SSO required: users will only be able to log in with their SSO credentials. Deputy password authentication and social logins will be removed from the account login page.
Will employees need to re-login if the account is switched from SSO enabled to required?
No, users will still be logged into their existing session. The only time they will need to log in again is if they log out or the session has expired.
What if I belong to multiple businesses? Can I switch between them?
- Logged in via SSO: you won't see any other businesses in the Business List and therefore will not be able to switch.
- Logged in using Deputy password: you will only be able to switch to accounts where SSO is not configured or enabled. Switching to an SSO required account will need authentication by the IdP
Will I need to create new employees in Deputy or will they be automatically created the first time they login with SSO?
New employees should first be created in the identity provider, and then you have two options:
- Manually add the employees into Deputy
- Enable just-in-time (JIT) provisioning. A guide to setting up JIT can be found in this help article. After setting this up, new employees will be created in Deputy on their first login to Deputy.
Will employees be removed from Deputy if they are removed from the identity provider (e.g. Okta)?
Removing access to Deputy needs to be managed in Deputy. Deputy currently does not support the ability to sync users between Deputy and the SSO provider.
Does Deputy support just-in-time (JIT) provisioning / modification / deletion?
Deputy does support JIT. User accounts can be provisioned automatically the first time a user logs into Deputy. The following attributes can be mapped:
- First name
- Last name
- Email address
- Location (first location created)
- Access Level (lowest access level)
The user's profile is updated each time they login via SSO. The following attributes will be updated:
- First name
- Last name
- Access Level
We do not update Location because an employee may be assigned to multiple locations.
Deputy does not currently support the ability to sync users between Deputy and the SSO provider.
Employees need to exist within your identity provider to use JIT. If you are removing employees from the business, they will need to be removed from Deputy as well as the identity provider.
How do I troubleshoot any login issues?
Here are a few things to check out if you can not login via SSO:
General Setup:
- In the SSO settings, make sure SSO is enabled
- Check the SSO login URL is correct - you can do this by copying into your browser
- Check the user exists and / or assigned to the correct app in the IdP
- If you are allowing the user to create a Deputy password, check to see if the employee has accepted the invitation email
Just-in-time Provisioning:
- If just-in-time provisioning is Disabled, check if the user is Active in Deputy. User may be Archived or Deleted
How do I integrate Microsoft Azure with Deputy?
Check out this tutorial for more assistance.
My business enabled SSO and now I cannot edit my profile using the mobile app. Why?
This is expected behaviour. When SSO is enabled, you won't see an option to edit your profile on the mobile app. You can access your profile by logging into Deputy via a web browser and updating your profile.
We enabled SSO but want to use the Deputy Kiosk for iPad app. Is that possible?
The Deputy Kiosk for iPad app does not support SSO. A System Administrator will have to log into the Kiosk using an email and password, not SSO.