How can I configure SSO with OpenID Connect?
You can set up SSO with OpenID Connect in your DeepL Pro account. The process is described below. You can also watch this video which walks you through the setup.
To start the setup, go to the Team tab, click on Set up SSO, and choose OpenID Connect as your Authentication type.
To configure OpenID Connect, you need to provide the OpenID Connect metadata, which you can import either from a config file or from a URL.
Please contact the administrator of your identity provider for the required information.
- To import from a URL, please provide the URL where the OpenID Connect metadata can be found on your server (e.g., https://login.microsoftonline.com/…/v2.0/.well-known/openid-configuration).
- To import from a file, please provide the file where the metadata can be found. This is usually a downloaded OpenID Connect metadata JSON file.
You should also enter the following variables:
- Client ID, which is the Client ID from your DeepL configuration in your identity provider. For Azure, this is also called the Application ID.
- Client Secret, which is the Client Secret from your DeepL configuration in your identity provider. For Azure, please provide the value of the Client Secret and not the Secret ID.
Once you have entered your Client ID and Client Secret, please click on Confirm to confirm the configuration.
You can edit the parameters if needed. Please note that you can't change the authentication type once you have confirmed the configuration. To change your authentication type, please contact DeepL Support.
Having confirmed the configuration, you will see the following information in your DeepL Pro account, which will be displayed in the Team tab, under Security, in the Single sign-on (SSO) field:
- Ready for activation, as the status of the integration
- Indication of your company SSO domain
At this point, you need to configure the redirect URL to complete your setup with OpenID Connect. To do this, copy the first part of the automatically generated company SSO domain (the so-called "alias", which is the part of the company SSO domain before sso.deepl.com) and enter it into the redirect URL of your identity provider configuration.
Having completed this step, you will have the opportunity to test the configuration before activating it for the whole team. Please note that your team shouldn't log in via SSO yet and still has to use the standard login with email address and password.
To activate SSO for your team, click on Proceed to SSO Activation. This opens the Activate SSO for your team dialog. You will see a list of all the changes which will take place once you have activated SSO for your subscription:
- SSO login will be enabled for all your team members (please note that team administrators can't use the SSO login).
- SSO will be the only available login method for your team. This means that your team members will no longer be able to log in using their DeepL Pro credentials (email and password).
- All active team members will receive an email informing them of the new login process.
- New team members can no longer be invited via an invitation link or a direct email invitation.
- All sessions that are active at the time of activation will remain active until the next login.
Please note that activating SSO can't be undone. Therefore, we recommend that you only activate SSO for your team after you have successfully tested the integration by logging in one of your users via SSO.
To activate the integration, click on Activate SSO.
Having activated SSO, you will see that the status displayed in the Single sign-on (SSO) field is changed to Active.