Content is translated from English using DeepL Pro.
Required plan:
DeepL Pro Ultimate,
Business, Enterprise, Voice for Conversations, or Voice for Meetings
These setup instructions are only available in English.
Important information:
- Okta has separated how groups are assigned to applications and how user's group memberships are provisioned to downstream applications. Group memberships are synchronized to applications via the concept called "Push groups". For more information, see Okta's documentation on managing applications and group assignments.
- SCIM operations in Okta are done immediately. When provisioning is enabled, users will be provisioned when given access to DeepL and their group memberships will be updated accordingly.
- To understand how Okta manages users throughout the provisioning lifecycle, see Okta's own documentation.
Limitations:
- SCIM provisioning with Okta is only available for SAML integrations. This is due to Okta enforcing developers to create integrations which become part of the public Okta Integration Network, allowing anyone to set up SCIM in Okta with OIDC. This requires a process where Okta confirms the SCIM integration works before publishing to their network.
- Admins cannot be managed via SCIM. If a user is provisioned via SCIM and then promoted to Admin, it won't be possible to continue managing that user via SCIM. We are working on removing this limitation in future releases.
- Existing accounts not associated with your organization cannot be imported into your organization during SCIM provisioning.
- Email update operations cannot be completed if used in conjunction with Email NameID policy format. This is only applicable to SSO configurations using SAML.
Prerequisites
- Admin access to DeepL
- Single sign on (SSO) is setup for DeepL. If you haven't set up SSO, follow the instructions.
- Remove JIT group synchronization and groups, if it was enabled in a previous setup. Follow the instructions in this article.
- SCIM provisioning with Okta is currently only available for SAML integrations. This is due to Okta enforcing developers to create integrations which become part of the public Okta Integration Network, allowing anyone to set up SCIM in Okta with OIDC. This requires a process where Okta confirms the SCIM integration works before publishing to their network.
Enable SCIM in DeepL account
- Go to the Settings of your DeepL account
- In section Team and User provisioning configuration, click Manage user provisioning
-
Select Enable SCIM provisioning
An SCIM admin API key is created. You need this API key for your configuration in Entra ID.If you've previously set up JIT group synchronization, make sure to disable it to avoid any user provisioning issues. Before disabling JIT group synchronization, export your existing groups and users.
Set the SCIM configuration in Okta
Create the connection
- Go to your Okta admin console and navigate to your DeepL application under Applications.
- Select the General tab.
- In the App Settings section, click Edit.
- Enable SCIM provisioning and click Save.
- Select the Provisioning tab that now appears.
- Click Edit in the SCIM Connection section.
- Enter the following information:
-
SCIM connector base URL:
https://scim.deepl.com -
Unique identifier field for users:
userName - Supported provisioning actions: Select Push New Users, Push Profile Updates, and Push Groups
- Authentication Mode: Select HTTP Header
- Authorization: Enter your SCIM API key (found in your DeepL admin account under Admin keys. For more information, see this article.)
-
SCIM connector base URL:
- Click Test Connector Configuration to verify the connection.
- Once the test is successful, click Save.
Assign users and groups
If you already assigned users and groups to the application during the SSO setup, you can move to the next section.
- In your DeepL application, select the Assignments tab.
- Click Assign and choose either Assign to People or Assign to Groups.
- Select the users or groups you want to provision to DeepL.
- Click Assign and then Done.
Note: When you assign a group to an application, only users directly in the group will have access. The assignment does not cascade to nested groups.
Configure the provisioning scope
- In your DeepL application, select the Provisioning tab.
- Click Edit in the Provisioning to App section.
- Enable the following options:
- Create Users: Automatically create users in DeepL when they are assigned to the application
- Update User Attributes: Update user attributes in DeepL when they change in Okta
- Deactivate Users: Deactivate users in DeepL when they are unassigned from the application or deactivated in Okta
- Click Save.
Configure attribute mapping
Okta provides default attribute mappings for SCIM provisioning. You can customize these mappings if needed:
- In your DeepL application, select the Provisioning tab.
- Click Go to Profile Editor.
- Review and modify the attribute mappings as needed.
- Click Save Mappings.
| Okta attribute | DeepL attribute | Required |
|---|---|---|
| userName | userName | Yes |
| givenName | name.givenName | Yes |
| familyName | name.familyName | Yes |
| emails[type eq "work"].value | Yes | |
| active | active | Yes |
Download provisioning logs
To troubleshoot provisioning issues or verify successful operations:
- In your Okta admin console, go to Reports > System Log.
- Filter by your DeepL application and provisioning events.
- Click on individual events to view detailed information.
- To export logs, click Download CSV or use the Okta API to retrieve logs in JSON format.
For more information about Okta provisioning logs, please see Okta's own documentation.