Set up JIT group synchronization: SAML and Microsoft Entra ID

Prerequisites

• Single sign on (SSO) is setup for DeepL. If you haven't set up SSO, follow the instructions in this article.
• Protocol: SAML 2.0
• Identity provider: Microsoft Entra ID (formerly AzureAD)

To use Just-In-Time (JIT) provisioning with group synchronization, you need to update your SSO configuration in both DeepL and your Microsoft Entra ID instance. 

Set the JIT group synchronization in Microsoft Entra ID

1. Go to your Microsoft Entra ID instance and the DeepL application under Enterprise applications.
2. Select Single sign-on under Manage.
   Under Attributes & Claims you see the current list of attributes that are being passed in the SAML token for SSO login.
3. To add the groups attribute, click on Edit.
   
4. Click on Add a group claim.
   
5. In the Group Claims dialog, select Groups assigned to the application and Group ID under Source attribute.
   After saving the changes, the user.groups attribute is displayed in the list.
6. Save the changes.
   The group attribute is now included in the SSO reference.
   
7. Click on Edit next to SAML Certificates to check if SHA-256 or SHA-512 is enabled.
   

Enable JIT group synchronization in DeepL account

1. Go to the Settings tab in your DeepL admin account and log in.
   Under Team and Single sign-on SSO is already configured and activated. JIT Group Sync is still Deactivated.
   
2. Click Edit next to Single sign-on (SSO).
   In the Set up SSO form you see two new fields: Assertion Attribute: User Groups and JIT Group Sync.
3. Select Import from URL and enter the Federation Metadata XML URL from the Microsoft Entra ID instance which you find under Single sign-on and SAML Certificates.
   

4. Enter the following under Assertion Attribute: User Groups and enable JIT Group Sync.

   http://schemas.microsoft.com/ws/2008/06/identity/claims/groups

   The user’s group memberships will be read by DeepL during the login.

   Leave the values of the other assertion attributes unchanged. They don't need to be changed to enable JIT group synchronization.

   

5. Confirm and Save changes.

Set up groups

1. Go to Microsoft Entra ID.
2. Create groups for DeepL access.
3. Add users to the groups.
4. Assign the groups to the Enterprise application.
   
5. Go to your DeepL account.
6. Create the same groups that you created in your Microsoft Entra ID instance to manage your users.

7. Go to tab Groups and click on Create Group.

   JIT Provisioning Group Sync doesn't create groups based on the user's SAML assertion. If a user's SAML assertion includes groups that don't exist in DeepL, that group information will be ignored and the user will be added to the default group. For more information, see this article. 

   

8. Enter a Group name.
   We recommend using the same name that you used for your groups in Microsoft Entra ID. However, you may choose a different name, e.g., if your organization uses concealed group names in the identity provider.
9. Enter the group’s Object ID from Microsoft Entra ID under Group ID.
   You find the ID on the Group properties page.
   
10. Select one or several subscriptions the user group should have access to.
    
11. Click on Create group to save the changes.
12. Repeat this process for each group from your Microsoft Entra ID instance.
    As a result, the groups you have granted access to the DeepL application will be reflected in your DeepL account.
13. Test the SSO login with a user. Once the user logs in, they will be automatically assigned to the DeepL group or groups that match the Microsoft Entra ID group based on the configured group ID.