Deel allows customers to choose from a wide range of SSO providers like Okta, Azure, OneLogin and PingFederate. To enforce Single Sign-On login for workers and managers, Deel provides integrations to allow customers to choose which SSO protocol they want to use in their organization.
Before you begin
Only active contractors/employees are forced to use SSO. Once their contract ends or is deactivated, they can log in with their username and password.
"Active" here means their contract must be in 'In Progress' or 'Processing Payment' status, and its effective date must be before the current date.
You can check this in the People section of Deel's application, where their status must be `Active` and the `Start Date` must be before the current date.
Organization admin profiles are allowed to use password logins, so they are able to log in to the platform even if the organization's Identity Provider is down.
No custom domain required.
Features of SSO Integration in Deel
- Manage who is required to log in with SSO: By default, Deel's integrations enforce SSO login for all workers and managers. Controls are provided to switch off SSO login enforcement, or to select which groups are required to use SSO.
- SSO for All Email Types: Our integration now enhances the SSO experience by matching the email address from the Identity Provider with either the Deel account email or the user's work email provided by the client. The "Work Email" is provided by the client and stored in the contractor's General Information section under 'Work Email'. This ensures a consistent and secure login process across the different email types used by contractors on Deel.
- Unique Login Link for Easy Access: Deel provides a unique link that clients can share with any member of their organization. This link facilitates automatic login to Deel, streamlining the access process and enhancing user convenience.
- SSO Login Link: Deel provides a dedicated SSO Login link to your organization's custom domain login page. We provide instructions to configure a custom domain for your organization here.
We also allow organization admins to use password login at all times, so they are able to log in to the platform even if the organization's Identity Provider is down.
How to connect an SSO Integration
1. Find an SSO integration in the App Store: In the app store, scroll to "Browse by category" and select "SSO" to view all SSO integrations. You can also search for integrations in the search bar, for example, OpenID or SAML2.
2. Connect the SSO integration: Once you have found the desired integration, click on "Connect" and set up the connection with your Identity Provider. You can find instructions to connect with some of the most popular Identity Providers in the SSO Integrations section.
3. Configure SSO assignment: Once you have connected the SSO integration, you'll see the Single Sign-On plugin settings. Here you can configure the name, get the redirect URL, and define who is required to log in with SSO in your organization.
i. Name: This is the name that will be displayed in the SSO link on your organization's custom domain login page.
ii. All managers: Switch SSO login enforcement on or off for your organization's managers. The only exception is your organization admins, who can log in with a password at any time.
iii. All groups: Switch SSO enforcement on or off for your organization's groups. When it's off, you can choose which groups are required to log in with SSO, meaning that workers in the unselected groups will be allowed to log in with a password. If no group is selected, then all workers will be allowed to log in with a password.
4. Enable: Now you just need to click on "Enable" to enable Single Sign-On for your organization.
To disable SSO at any time, you can go back to the SSO plugin settings and click on "Disable".
To disconnect the integration, you can click on the "More" button, at the top right, and then click on "Disconnect".
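An added example, not Deel's code: a sketch that applies the enforcement rules described in this article to a roster and lists every account that can still log in with a password, together with the rule that exempts it. The class names, record fields and sample data are hypothetical, and treating managers as not subject to the contract check is an assumption.

```python
from dataclasses import dataclass, field
from datetime import date

ACTIVE_STATUSES = {"In Progress", "Processing Payment"}  # named in the article

@dataclass
class SsoSettings:  # hypothetical model of the plugin settings
    all_managers: bool = True
    all_groups: bool = True
    selected_groups: set = field(default_factory=set)

@dataclass
class Person:  # hypothetical roster record, not a Deel export format
    email: str
    role: str  # "admin", "manager" or "worker"
    group: str = ""
    contract_status: str = ""
    effective_date: date = date.max

def password_login_reason(p, s, today):
    """Return why p may still use a password, or None if SSO is enforced."""
    if p.role == "admin":
        return "organization admin (always allowed)"
    if p.role == "manager":
        return None if s.all_managers else "manager enforcement switched off"
    if p.contract_status not in ACTIVE_STATUSES or p.effective_date >= today:
        return "contract not active"
    if s.all_groups or p.group in s.selected_groups:
        return None
    return "group not selected for SSO"

def audit(roster, s, today):
    """Map each password-capable account to the rule that exempts it."""
    reasons = {p.email: password_login_reason(p, s, today) for p in roster}
    return {email: why for email, why in reasons.items() if why}

# Constructed sample data; "Completed" is a made-up inactive status.
TODAY = date(2024, 6, 1)
ROSTER = [
    Person("admin@example.com", "admin"),
    Person("mgr@example.com", "manager"),
    Person("eng@example.com", "worker", "Engineering", "In Progress", date(2024, 1, 15)),
    Person("ops@example.com", "worker", "Operations", "In Progress", date(2024, 2, 1)),
    Person("new@example.com", "worker", "Engineering", "In Progress", date(2024, 7, 1)),
    Person("old@example.com", "worker", "Engineering", "Completed", date(2023, 1, 1)),
]
SETTINGS = SsoSettings(all_managers=True, all_groups=False, selected_groups={"Engineering"})
if __name__ == "__main__":
    for email, reason in audit(ROSTER, SETTINGS, TODAY).items():
        print(f"{email}: {reason}")
```

The accounts this reports are the ones whose password hygiene still matters after SSO is enabled, so they are the ones to review when groups or manager enforcement are switched off.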