Set up JIT group synchronization: SAML and Okta

Prerequisites

• Single sign on (SSO) is setup for DeepL. If you haven't set up SSO, follow the instructions in this article.
• Admin access to DeepL
• Protocol: SAML 2.0
• Identity provider: Okta

To use Just-In-Time (JIT) provisioning with group synchronization, you need to update your SSO configuration in both DeepL and your Okta instance. 

Set the JIT group synchronization in Okta

1. Go to your Okta instance and open the Applications section.
2. Open your DeepL application and the General tab.
3. In section SAML Settings and click Edit.
4. Click Next to open the Configure SAML tab.
5. Under Group Attribute Statements click Add Another and enter the following
   
6. Click Next and Finish.

Get the XML information for the connection

1. In your Okta instance and the application for DeepL access, go to the Sign On tab
2. Click on View SAML setup instructions.

3. Scroll down to the bottom and copy the XML text under Optionaland save it as an xml file in a text.

   Use a text editor like Notepad or Visual Studio Code to save the XML file and ensure its validity when uploading it to your DeepL admin account. Do not use a rich text editor like Microsoft Word or TextEdit.

   

Enable JIT group synchronization in DeepL account

1. Go to the Settings tab in your DeepL admin account and log in.
   Under Team and Single sign-on SSO is already configured and activated. JIT Group Sync is still Deactivated. 
   
2. Click Edit next to Single sign-on (SSO).
   In the Set up SSO form there're two fields for JIT group synchronization: Assertion Attribute: User Groups and JIT Group Sync.
3. Select Import from file and upload the xml file you've saved from your Okta SAML configuration

4. Enter the following 

   • NameID policy format: Select the policy format you've chosen in your Okta configuration of step 8 of Set the SSO configuration in Okta.
   • Assertion attribute: First name = user.firstName
   • Assertion attribute: Last name = user.lastName
   • Assertion attribute: Email address = user.email
   • Assertion attribute: User Groups = groups

   

5. Enable JIT Group Sync. The user’s group memberships will be read by DeepL during the login.

Setup groups

1. Go to Okta.
2. Create groups for the DeepL access and add users to the groups.
3. Open the DeepL SSO application and select the Assignments tab.
4. Click on Assign and select Assign to Groups.
5. Go to your DeepL account.

6. Create the same groups that you created in your Okta instance to manage your users.

   JIT Provisioning Group Sync does not create groups based on the SAML assertion. If the assertion includes groups that do not exist in DeepL, that group information will be ignored, and the user is added only to the Default group. For more information about this default behavior, please see the Default group section in this article.
7. Go to the Groups tab and click on Create group.
8. Enter a Group name.
   We recommend using the same name that you used for your groups in Okta. However, you may choose a different name, e.g., if your organization uses concealed group names in the identity provider.
9. Enter the group name string from Okta under Group ID.
   
10. Select one or several subscriptions the user group should have access to.
    
11. Click on Create group to save the changes.
12. Repeat this process for each group from your Okta instance. As a result, the groups you have granted access to the DeepL application will be reflected in your DeepL account.

Edit bookmark app

1. Go to your DeepL bookmark app.
2. Assign the same user and groups to the bookmark app as you have to the DeepL SSO app.
3. Test the SSO login with a user. Once the user logs in, they will be automatically assigned to the DeepL group or groups that match the Okta group based on the configured Group ID.