This guide will walk you through the steps necessary to configure SSO (Single Sign-On) with SAML.
Step 1: Set up an application in your identity provider
Find a step-by-step guide for Microsoft Entra ID (Azure AD), Google Workspace, Okta, OneLogin and PingOne based on your subscription setup below.
Setup guides for teams
Setup guides for multiple groups (subscription management by group)
| Without previous SSO setup | With previous SSO setup |
| Okta | Microsoft Entra ID (Azure AD) |
Once the setup in your identity provider is done, you can set up SSO with SAML in your DeepL account.
Step 2: Set up SSO in your DeepL account
- Go to the Settings tab in your DeepL account
- Under Team click Set up SSO
- Choose SAML as your Authentication type
To configure SAML, you need to provide the external IDP metadata, which you can import either from a config file or from a URL.
Contact the admin of your identity provider for the required information.
- To import from a URL, provide the URL where the metadata can be found on your server (e.g., adfs.company-name.server/.../FederationMetadata.xml).
- To import from a file, provide the file where the metadata can be found, which is usually named "FederationMetadata".
You should also enter the following variables:
- Name ID Policy Format, which is the NameID policy format of your identity provider. Email is set as a default value. For ADFS, we recommend using email.
- Assertion attribute: First Name, which is the name of the attribute to search for the user's first name in the assertion.
- Assertion attribute: Last Name, which is the name of the attribute to search for the user's last name in the assertion.
- Assertion attribute: Email Address, which is the name of the attribute to search for the user's email address in the assertion.
Once you have entered all the variables, click Confirm to confirm the configuration.
You can't change the authentication type once you have confirmed the configuration. To change your authentication type, contact DeepL Support.
Once confirmed, your integration is ready for activation. This status will be displayed in the Team area of your account, under Security, in the Single Sign-On (SSO) field.
Step 3: Test the configuration
Next, you should test the configuration before completing the setup for the whole team - see guidance.
During testing, your team shouldn't log in via SSO. They should continue to use the standard login with email address and password.
Step 4: Activate SSO for your team
To activate SSO for your team, click Proceed to SSO Activation. This opens the Activate SSO for your team dialog. You will see a list of all the changes which will take place once you have activated SSO for your subscription:
- SSO login will be enabled for all your team members (team admins can't use the SSO login).
- SSO will be the only available login method for your team. This means that your team members will no longer be able to log in using their DeepL Pro credentials (email and password).
- New team members can no longer be invited via an invitation link or a direct email invitation.
- All sessions that are active at the time of activation will remain active until the next login.
Activating SSO can't be undone. Therefore, we recommend that you only activate SSO for your team after you have successfully tested the integration by logging in one of your users via SSO.
To activate the integration, click Activate SSO.
Once activated, the status displayed in the Single Sign-On (SSO) field is changed to Active.