- Which Deputy plans support SSO?
- Which identity providers (IdP) do Deputy support?
- Can I login with a username instead of email?
- If I have 2FA activated in Deputy, does it still work when SSO is configured?
- Can I login via SSO on my mobile?
- What happens if I'm having issues logging in via SSO or locked out?
- What is the difference between SSO enabled and SSO required?
- Will employees need to re-login if the account is switched from SSO enabled to required?
- What if I belong to multiple businesses? Can I switch between them?
- Will I need to create new employees in Deputy or will they be automatically created the first time they login with SSO?
- Will employees be removed from Deputy if they are removed from the identity provider (e.g. Okta)?
- Does Deputy support just-in-time (JIT) provisioning/modification/deletion?
- How do I troubleshoot any login issues?
- How do I integrate Microsoft Azure with Deputy?
Which Deputy plans support SSO?
You can enable SSO on Deputy Enterprise plans.
Deputy customers on the Enterprise plan can enable SSO by going to the Enterprise tab and under General Settings, click Single sign-on settings.
Which identity providers (IdP) do Deputy support?
Deputy supports, but is not limited to, the following IdPs:
Oracle Identity Management
The IdP is required to support SP initiated SSO and SAML 2.0.
Can I login with a username instead of email?
Yes, you can use an SSO username instead of an email to login. All you need to do is ensure the employees' username has been added to their profile and it matches with the username in the IdP.
If I have 2FA activated in Deputy, does it still work when SSO is configured?
No, if 2FA has been setup in Deputy you won't be able to use it when logging in via SSO. Although, you can set up 2FA through the identity provider if you would like your employees to have that extra layer of security.
Two-factor authentication (2FA) will continue to work if the employee uses their Deputy username and password.
Can I login via SSO on my mobile?
Yes, instructions on how to login to Deputy's mobile apps via SSO can be found at this handy help article.
What happens if I'm having issues logging in via SSO or locked out?
For System Admins: you may select 'Forget Password' on the login page and an email will be sent prompting you to create / reset a password OR contact support
For other employees: please contact your System Admins
What is the difference between SSO enabled and SSO required?
SSO enabled: users have the option to login with their Deputy password (if they have one), social login (Google and Facebook) or via SSO
SSO required: users will only be able to login with their SSO credentials. Deputy password authentication and social logins will be removed from the account login page.
Will employees need to re-login if the account is switched from SSO enabled to required?
No, users will still be logged into their existing session. The only time they will need to login again is if they logout or the session has expired.
What if I belong to multiple businesses? Can I switch between them?
Logged in via SSO: you won't see any other businesses in the Business List and therefore will not be able to switch.
Logged in using Deputy password: you will only be able to switch to accounts where SSO is not configured or enabled. Switching to a SSO required account will need authentication by the IdP
Will I need to create new employees in Deputy or will they be automatically created the first time they login with SSO?
New employees should first be created in the identity provider, and then you have two options:
Manually add the employees into Deputy
Enable just-in-time (JIT) provisioning. A guide to setting up JIT can be found in this help article. After setting this up, new employees will be created in Deputy on their first login to Deputy
Will employees be removed from Deputy if they are removed from the identity provider (e.g. Okta)?
Removing access to Deputy needs to be managed in Deputy. Deputy currently does not support the ability to sync users between Deputy and the SSO provider.
Does Deputy support just-in-time (JIT) provisioning / modification / deletion?
Deputy does support JIT. User accounts can be provisioned automatically the first time a user logs into Deputy. The following attributes can be mapped:
Location (first location created)
Access Level (lowest access level)
The user's profile is updated each time they login via SSO. The following attributes will be updated:
We do not update Location because an employee may be assigned to multiple locations.
Deputy does not currently support the ability to sync users between Deputy and the SSO provider.
Employees need to exist within your identity provider to use JIT. If you are removing employees from the business, they will need to be removed from Deputy as well as the identity provider.
How do I troubleshoot any login issues?
Here are a few things to check out if you can not login via SSO:
In the SSO settings, make sure SSO is enabled
Check the SSO login URL is correct - you can do this by copying into your browser
Check the user exists and / or assigned to the correct app in the IdP
If you are allowing the user to create a Deputy password, check to see if the employee has accepted the invitation email
If just-in-time provisioning is Disabled, check if the user is Active in Deputy. User may be Archived or Deleted
How do I integrate Microsoft Azure with Deputy?
Check out this tutorial for more assistance.