Set up SSO: OpenID Connect and Microsoft Entra ID – DeepL Help Center | How Can We Help You?

Content is translated from English using DeepL Pro.

Required plan: DeepL Pro Advanced, Team, Ultimate, Business, Enterprise, Voice for Conversations, Voice for Meetings or Write Pro

These setup instructions are only available in English.

Prerequisites

Admin access to DeepL
Protocol: OIDC (Open ID Connect)
Identity provider: Microsoft Entra ID (formerly AzureAD)
A SSO domain has been defined in the Single sign-on section of your DeepL admin account. For more information, see this article.

You have two options to provision users after setting up SSO for your team.

Go to your Microsoft Entra ID instance and select Enterprise apps in the left-side panel.
Click on New application in the top panel.
Click on Create your own application in the top panel.
Enter DeepL SSO under What's the name of your app?.
Select Integrate any other application you don't find in the gallery (Non-gallery) and click Create.
Select App registration in the left-side panel.
Open the app registration of the app you just created.
Click on Add a Redirect URI on the Overview page.
Click on Add a platform under Platform configurations.
Select Web and enter https://w.deepl.com/auth/realms/prod/broker/ALIAS/endpoint.
(Replace ALIAS with your chosen company SSO domain. The ALIAS value can be found under Company SSO domain in the Single sign-on section in your DeepL admin account.)
Click Configure.

Select Certificates & secrets in the left-hand panel.
Under Client secrets, click on New client secret.
Add a description and select an expiration period.
Click Add and copy the secret value to a safe place. You will need it later in the DeepL set up.

You will not be automatically notified when the client secret expires. You need to monitor this on your own.

Select API permissions in the left-hand panel.
By default the permission User.Read should be listed below Microsoft Graph. If not, insert it manually.
Click Add a permission in the center panel.
Select Microsoft Graph, then select Delegated permissions.
Check the box for email and GroupMember.Read.All and click Add permissions.
Click Grant admin consent and confirm with Yes.

Go to Applications and select Enterprise applications in the left-hand menu.
Select your registered application.
Under Manage, select Properties in the left-hand panel.
Set Assignment required to Yes.

Go back to App registrations under Applications and select your registered application.
Select Overview in the left-hand panel.
Copy the Application (client) ID, which you need to enter in your DeepL account in the next step.
Select Endpoints from the top menu bar.
Copy the URL of the OpenID Connect metadata document from the list of endpoints.
You will need to enter them in your DeepL account in the next step.

Click on your user and select Account and go to the Settings tab.
Under Team and Single sign-on the SSO domain has the status Domain name approved.
Click Set up SSO next to Single sign-on.
Enter the following information from the configured application in OneLogin.
- OpenID Connect metadata
  Enter the URL from Microsoft Entra ID. For more information, see Collect endpoints.
- Client ID
  You find the Client ID in Microsoft Entra ID in your registered Application when you select Overview in the left-side menu under Application (client) ID.
- Client Secret
  For more information, see Create client secret.
Confirm and Save changes

You have two options to provision users after setting up SSO for your team.

If you only setting up SSO, test the configuration with a test user and activate SSO in your DeepL admin account.