Is it possible to set up SSO for multiple accounts with separate subscriptions under one identity provider?
Yes, if your company has purchased different DeepL subscriptions, you can enable SSO login for all (potential) team members of these subscriptions under the same identity provider.
This can be beneficial for companies with different subsidiaries or other instances related to the same company that each have their own DeepL subscription.
To enable this option, we make use of the multi-ACS (Assertion Consumer Service) capability of Microsoft Azure Active Directory (AAD).
Important: The suggested process is currently only supported for Microsoft Azure Active Directory (P1, P2, or higher) as other identity providers do not yet support multi-ACS.
Also, this process is currently only available for SAML 2.0 as the authentication protocol.
1) Domain names
Before starting with the SSO setup, please make sure you've purchased a DeepL subscription.
To set up SSO login for your teams, you need to define a domain name for each subscription.
To do so:
- Reach out to your Sales Manager to request a domain name
- Wait for approval of your domain name
More information about how to set up a domain name and the stages of the approval process can be found here.
If you already have approved domain names for all subscriptions, you can start with step 2 right away.
2) Setting up an application in your identity provider
Next, in AAD, you need to configure one single DeepL SAML application with multiple ACS URLs, where each one corresponds to a single DeepL subscription.
You can download an in-depth step-by-step guide including troubleshooting instructions for Microsoft Azure Active Directory (AAD) here.
Currently, DeepL doesn't support identity provider-initiated (IdP-initiated) SSO login.
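The following is an added example, not DeepL's or Microsoft's code: a small audit that compares the Reply URL (ACS) list of the single AAD application from step 2 with your approved SSO domains. The domain names, the `/placeholder/acs` path, and the rule of exactly one ACS URL per subscription are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def audit_acs_urls(reply_urls, approved_domains):
    """Compare the app's Reply URL (ACS) list with the approved SSO domains.

    Returns a list of findings; an empty list means the two match.
    """
    approved = {d.lower() for d in approved_domains}
    findings, per_domain = [], {}
    for url in reply_urls:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"{url}: ACS URL is not https")
        if "*" in host:
            findings.append(f"{url}: wildcard host in ACS URL")
        # Exact host match only: a suffix or substring test would accept
        # look-alikes such as approved-name.sso.deepl.com.example.net.
        if host not in approved:
            findings.append(f"{url}: host is not an approved SSO domain")
            continue
        per_domain.setdefault(host, []).append(url)
    # Assumption: one ACS URL per subscription, as step 2 describes.
    for domain in sorted(approved):
        count = len(per_domain.get(domain, []))
        if count == 0:
            findings.append(f"{domain}: no ACS URL registered")
        elif count > 1:
            findings.append(f"{domain}: {count} ACS URLs, expected 1")
    return findings

# Constructed sample data; domains and the /placeholder/acs path are made up.
APPROVED = ["subsidiary-a.sso.deepl.com", "subsidiary-b.sso.deepl.com"]
GOOD = [f"https://{d}/placeholder/acs" for d in APPROVED]
BAD = [
    "http://subsidiary-a.sso.deepl.com/placeholder/acs",
    "https://subsidiary-a.sso.deepl.com.example.net/placeholder/acs",
]

if __name__ == "__main__":
    for name, urls in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_acs_urls(urls, APPROVED) or "no findings")
```

Feed it the Reply URLs as they are actually configured on the application and the SSO domains that were approved for your subscriptions.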
3) Testing the configuration
Having completed the previous step, you will be able to test the SP-initiated login.
If you haven't set up SSO for one of your subscriptions yet, you first need to complete step 2 described in this article.
To test the SP-initiated login as a team member (instead of a team admin), you can choose between the following options:
- Go to deepl.com > Log in > Continue with SSO > Enter the company SSO domain.
  Result: Your DeepL user is created in the corresponding DeepL subscription for which you entered the SSO domain.
- Use the SSO domain (company.sso.deepl.com)
Please note that if you haven’t set up SSO for your team already, your team shouldn't log in via SSO yet and still has to use the standard login with email address and password.
If you successfully logged in with SSO, you can proceed to SSO activation for the organizations that haven’t completed the SSO setup yet. You can learn more about SSO activation for SAML under step 4 in this article.