Deputy have teamed up with Microsoft Azure to bring additional functionality to Deputy! This new feature allows for single sign-on so you can centralise business management and user access to Deputy within Azure Active Directory.
Ensure you have a Microsoft Azure account with Active Directory configured for your organisation before proceeding. You can create an account here.
Adding Deputy from the Gallery
In the Azure portal, select 'Azure Active Directory' in the left navigation panel.
Head to 'Enterprise applications', then select 'All applications'.
Click 'New Application' at the top of the dialog window.
Type 'Deputy' in the search box.
Select 'Deputy' from the results, then click 'Add' to add Deputy.
Enable Single Sign-On with Microsoft Azure AD
When you click ‘Configure single sign-on’, you will be given two options:
- Microsoft Azure AD Single Sign-On
- Existing Single Sign-On
For the purpose of this guide, we will go through the steps of ‘Microsoft Azure AD Single Sign-On’.
Select the checkbox and click the Arrow icon in the bottom right to continue.
Configure App Settings
In the following section, mark the ‘Show advanced settings (optional)’ and ‘Configure the certificate used for federated single sign-on (optional)’ checkboxes. The following details what to enter in each box:
‘SIGN ON URL (OPTIONAL)’: https://[your-subdomain].[location-code].deputy.com/. An example of this would be https://rnobletestenvironment.au.deputy.com/.
‘IDENTIFIER’: https://[your-subdomain].[location-code].deputy.com. This is the same as your sign-on URL without the forward slash (/) at the end. If you keep the forward slash, Microsoft Azure will see this as an invalid identifier URL.
‘REPLY URL’: https://[your-subdomain].[location-code].deputy.com/exec/devapp/samlacs. An example of this would be https://rnobletestenvironment.au.deputy.com/exec/devapp/samlacs
Configure Federated SSO Certificate
This step allows you to choose an SSO certificate to use. If you have already configured one, select ‘Use the currently configured certificate’ or ‘Use a previously generated certificate’. Otherwise, select ‘Generate a new certificate’, and in the ‘Certificate valid for:’ drop-down box, select the desired number of years.
Configure Single Sign-On at Deputy
You will now need to collect some details to enter into Deputy. These are found on the page following ‘Configure Federated SSO Certificate’. On this page, click ‘Download Certificate’, which will download a file named ‘deputy.car’. Under ‘SAML SSO URL’, copy the link in the box.
Now navigate to your Deputy System configuration page. This is accessible by adding ‘exec/config/system_config’ to your Deputy URL, for example: https://[your-subdomain].[region-code].deputy.com/exec/config/system_config (with a real subdomain: https://rnobletestenvironment.au.deputy.com/exec/config/system_config). Select ‘Edit’ next to ‘Security Settings’.
Open the ‘deputy.car’ file using a text editor (on Mac use TextEdit, on PC use Notepad). Copy the entire contents and paste them into the ‘OpenSSL Certificate’ box.
‘Deputy Token to create user on the fly’ will create a user automatically if they attempt to log in via SSO. To generate this token, follow these instructions:
- Click the here link, or go to https://[your-subdomain].[region-code].deputy.com/exec/devapp/oauth_clients
- Click New OAuth Client
- Enter the following: Name: Enter Okta. Redirect Uri: Enter okta.com. Click ‘Save This OAuth Client’.
- Click ‘Get An Access Token’
- Copy your Access Token from the popup message
- Enter your Access Token on the Security Settings page.
In the SAML SSO URL box, enter: https://[your-subdomain].[au].deputy.com/exec/devapp/samlacs?dpLoginTo= then paste in the URL that was provided on the ‘Configure single sign-on at Deputy’ page under SAML SSO URL. Your page should look similar to the following:
Simply hit ‘Save Settings’ and you’re done!
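The URL rules from ‘Configure App Settings’ and the SAML SSO URL step above can be checked before saving. The following is an added example, not part of Deputy's or Microsoft's documentation: a small Python check that derives the expected values from a subdomain and location code and flags the mistakes this guide warns about. The tenant name `example`, the identity-provider URL and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

ACS_PATH = "/exec/devapp/samlacs"  # Reply URL path given in this guide


def expected_settings(subdomain, location_code, azure_sso_url):
    """Build the values this guide asks for from the tenant name and region."""
    base = f"https://{subdomain}.{location_code}.deputy.com"
    return {
        "sign_on_url": base + "/",   # with trailing slash
        "identifier": base,          # same URL, no trailing slash
        "reply_url": base + ACS_PATH,
        # Deputy 'SAML SSO URL' box: ACS URL + ?dpLoginTo= + URL copied from Azure
        "deputy_saml_sso_url": f"{base}{ACS_PATH}?dpLoginTo={azure_sso_url}",
    }


def check_settings(entered):
    """Return a list of problems found in values typed into the Azure form."""
    problems = []
    for name in ("sign_on_url", "identifier", "reply_url"):
        parts = urlsplit(entered[name])
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{name}: not a well-formed https:// URL")
        elif not parts.hostname.endswith(".deputy.com"):
            problems.append(f"{name}: host is not under deputy.com")
    if entered["identifier"].endswith("/"):
        problems.append("identifier: trailing slash, Azure rejects it")
    if entered["sign_on_url"].rstrip("/") != entered["identifier"].rstrip("/"):
        problems.append("identifier: does not match the sign-on URL")
    if entered["reply_url"] != entered["identifier"].rstrip("/") + ACS_PATH:
        problems.append(f"reply_url: must be the identifier plus {ACS_PATH}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own tenant and Azure URL.
    good = expected_settings("example", "au", "https://idp.example.invalid/saml2")
    for key, value in good.items():
        print(f"{key}: {value}")
    # Same settings with the trailing slash left on the identifier.
    bad = dict(good, identifier=good["identifier"] + "/")
    print(check_settings(good), check_settings(bad))
```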
Adding Users to Microsoft Azure
Now we can add users to Deputy via Microsoft Azure. First, navigate to the Users tab in the Default Directory and click 'Add User' in the bottom bar.
In the following box, click the dropdown box and select 'User with an existing Microsoft account'. Enter the user's email under 'Microsoft Account'. At the time of writing, other consumer emails such as Gmail do not work.
In the following box, enter the employee's details. You can also select the employee's permission levels from the dropdown 'Role' box.
Now make your way to the Deputy dashboard and copy the link in the 'Single Sign-On URL' box and send this to the newly created employees.
Configuring and Testing Azure AD Single Sign-On
To test Azure AD single sign-on, we recommend checking out the steps outlined in Microsoft Azure's help guide:
Follow-Up Topics/Useful Links
Deputy System Configuration page: