Prerequisites
- Deel administrator account
- A and your Deel ID (SSO only).
- A dedicated JumpCloud administrator account (User Sync only).
- A JumpCloud API key to connect Deel and JumpCloud (User Sync only).
Important Considerations for User Sync
- Syncs from Deel to JumpCloud happen automatically every night.
- Syncs can be triggered to occur at any time from the JumpCloud app in the Deel console.
Configuring the User Sync Integration
To create a new JumpCloud Admin account for the User Sync Integration
- Log in to the with an administrator account.
- Click your initials in the top right corner.
- Select Administrators.
- Click the green + icon.
- Enter a first name, such as ‘Deel’.
- Enter a last name, such as ‘Integration’.
- Enter the email address you want associated with this account.
- Select Administrator for the Role.
- Toggle on Multi-factor Authentication Required and click Require MFA.
MFA is not required for this account, but it is strongly recommended.
- Click Save.
- Go to the inbox of the email address specified for this account.
- Find the JumpCloud Administrator Account Setup email.
- Click Setup Account in the email.
- Enter a password in the Password and Confirm Password fields.
- Select the box to agree to the Terms of Use.
- Click Reset Password.
- If the option to require Multi-factor Authentication was enabled, do the following:
- Follow the instructions to download JumpCloud Protect if you don’t have it or another Authenticator app.
- Otherwise, click I Have An App.
- Add the JumpCloud account.
- Verify the TOTP code from the Authenticator app.
- Click Submit.
To get your JumpCloud API Key
Note: The Admin API key needs to belong to an Admin that has one of the following roles: Manager, Administrator, or Admin with Billing. Creating an administrator service account with one of these roles is one way to ensure the integration isn't dependent on a specific admin account.
Generating a new API key revokes access to the current API key.
- Log in to the with the administrator account you want to use to generate the API key for this integration.
- Click your initials in the top right corner.
- Select My API Key.
- Click on Generate New API Key.
- Copy the API Key and store it securely, or leave this tab open while you complete the integration configuration steps in the SP.
This is the only time your API key will be visible to you. Store it somewhere safe, such as the JumpCloud Password Manager, so you can access it later.
To connect the JumpCloud app in Deel
- Login to with an administrator account.
- Click Apps & Integration from the left navigation menu.
- Search for and select JumpCloud.
- Click Connect.
- Paste the API key you copied in the steps above.
- Click Connect.
- Click OK on the connection success notification window.
To sync users from Deel to JumpCloud
An automatic hourly sync occurs that will create new users, update existing users, and suspend users who have been marked as terminated. You can trigger an immediate sync between Deel and JumpCloud at any time.
You may want to trigger an immediate sync in the case of employee terminations or role and department changes.
To immediately sync changes from Deel to JumpCloud
- Login to with an administrator account.
- Click Apps & Integration from the left navigation menu.
- Select the Connected Apps tab.
- Find the JumpCloud app.
- Click Manage.
- Click Sync JumpCloud.
Deel User Attributes
Deel Value | JumpCloud Attribute | JumpCloud UI Field Name | Notes |
---|---|---|---|
Work email | | Company Email | Required. Users will not sync if a work email address is not defined. (max length 1024) |
N/A | username | Username | The username is set to {firstname.lastname}. If the username already exists in your JumpCloud organization, a number will be appended to the last name (e.g., alpha.zed1) |
First Name | firstname | First Name | |
Last Name | lastname | Last Name | |
Full Name | displayName | Display Name | |
Active (boolean) | state | N/A | Users are created as staged or active when active is true. Users are suspended when active is sent as false. |
Job Title | jobTitle | Job Title | |
Department | department | Department | |
Work Location | location | Location | |
Team | costCenter | Cost Center | |
Worker Type | employeeType | Employee Type | |
Entity | company | Company | |
Profile ID | employeeIdentifier | Employee ID | |
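A reconciliation check for the sync behaviour and attribute mapping above, as an added example that is not part of the original page or either product's code: it compares a Deel export with a directory listing and flags terminated workers who are not yet suspended. The sample records, the Deel-side key names, and the ACTIVATED/SUSPENDED state strings are assumptions.

```python
# Added example: constructed sample data, not output from either product.
# Directory field names follow the attribute table; state strings are assumed.
DEEL_WORKERS = [  # constructed export of Deel profiles
    {"profile_id": "d-001", "work_email": "ana.ruiz@example.com", "active": True},
    {"profile_id": "d-002", "work_email": "ben.okoye@example.com", "active": False},
    {"profile_id": "d-003", "work_email": "", "active": True},
    {"profile_id": "d-004", "work_email": "cy.tran@example.com", "active": False},
    {"profile_id": "d-005", "work_email": "dee.park@example.com", "active": True},
]
DIRECTORY_USERS = [  # constructed directory listing
    {"employeeIdentifier": "d-001", "email": "ana.ruiz@example.com", "state": "ACTIVATED"},
    {"employeeIdentifier": "d-002", "email": "ben.okoye@example.com", "state": "ACTIVATED"},
    {"employeeIdentifier": "d-004", "email": "cy.tran@example.com", "state": "SUSPENDED"},
    {"employeeIdentifier": None, "email": "old.contractor@example.com", "state": "ACTIVATED"},
]


def reconcile(workers, users):
    """Return findings as (severity, profile_id_or_email, reason) tuples."""
    by_id = {u["employeeIdentifier"]: u for u in users if u.get("employeeIdentifier")}
    findings = []
    for w in workers:
        pid, user = w["profile_id"], by_id.get(w["profile_id"])
        if not w.get("work_email"):
            # Per the table, a worker without a work email is never synced.
            findings.append(("info", pid, "no work email, will not sync"))
        elif user is None:
            if w["active"]:
                findings.append(("info", pid, "active in Deel, not yet in directory"))
        elif not w["active"] and user["state"] != "SUSPENDED":
            # The offboarding gap: terminated upstream, account still usable.
            findings.append(("high", pid, "terminated in Deel, still " + user["state"]))
        elif user["email"].lower() != w["work_email"].lower():
            findings.append(("medium", pid, "email differs from Deel work email"))
    known = {w["profile_id"] for w in workers}
    for u in users:
        # Enabled accounts with no upstream record need a manual owner check.
        if u.get("employeeIdentifier") not in known and u["state"] != "SUSPENDED":
            findings.append(("medium", u["email"], "enabled account with no Deel profile"))
    return findings


if __name__ == "__main__":
    for severity, who, reason in reconcile(DEEL_WORKERS, DIRECTORY_USERS):
        print(f"{severity:6} {who:28} {reason}")
```

A "high" finding is the case where triggering an immediate sync, as described above, closes the window between termination and suspension.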
Activating a user in JumpCloud
A user in the Staged user state in JumpCloud does not have access to their assigned resources. Once a user has been assigned a device, policies, and all other needed JumpCloud managed resources, the user will need to be activated in JumpCloud to gain access to those resources. For more information about activating a user, read Manage User States.
- Log in to the with an administrator account.
- Go to USER MANAGEMENT > Users.
- Select the user you want to activate.
- Click the dropdown menu next to Staged above the Security Status section in the left panel.
- Select Activate.
- Click Schedule Activation to activate the user on a future date and time or Activate Now to activate the user immediately.
- Click Save.
For Scheduled Activation, the time must be at least one hour in the future.
- Select and populate the Send email to field to notify the user of their JumpCloud account activation.
- Click Save.
Configuring the SSO Integration
To configure JumpCloud
- Log in to the .
- Navigate to USER AUTHENTICATION > SSO Applications.
- Click + Add New Application and type Deel.
- Select it from the dropdown and click Next.
- In the Display Label, confirm or change the name for the application. Optionally, you can enter a Description, adjust the User Portal Image and choose to hide or Show in User Portal.
- Click Save Application and then Configure Application.
- On the SSO tab, replace any instances of YOUR_ID and YOUR_SUBDOMAIN with your Deel values.
- Add or change any additional attributes.
- Click save.
Download the certificate
- Find your application in the Configured Applications list and click anywhere in the row to reopen its configuration window.
- Select the SSO tab and click IDP Certificate Valid > Download certificate.
The certificate.pem will download to your local Downloads folder.
To configure Deel
- Click the Edit button next to your subdomain.
- In the Part 2: Single Sign-On section, toggle on the SAML 2.0 Connector.
- Enter the following information:
- SAML 2.0 Endpoint - copy and paste the JumpCloud IDP URL.
- IDP X509 Public Key - copy and paste the contents of the certificate downloaded in the previous section.
Only copy the contents between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
- Ensure the displayed IdP configuration matches the JumpCloud configuration.
- Click Continue.
- Customize your interface and then click Deploy.
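One way to prepare the value for the IDP X509 Public Key field, as an added example that is not part of the original page: it extracts only the text between the certificate markers, refuses a file that contains a private key or more than one block, and returns a SHA-256 fingerprint you can compare against a fresh download. The function name and the sample bytes are assumptions; the sample is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# Matches any PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def certificate_body(pem_text):
    """Return (body, sha256_fingerprint) for text holding exactly one certificate."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("input contains a private key; do not paste it into an SP")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    body = "".join(blocks[0][1].split())         # drop newlines and stray spaces
    der = base64.b64decode(body, validate=True)  # raises on non-base64 characters
    if not der or der[0] != 0x30:                # DER certificates open with a SEQUENCE tag
        raise ValueError("decoded data is not a DER SEQUENCE")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return body, fingerprint


# Constructed stand-in bytes (a SEQUENCE header plus filler), not a real certificate.
FAKE_DER = bytes([0x30, 0x82, 0x00, 0x40]) + bytes(range(64))
_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    body, fingerprint = certificate_body(SAMPLE_PEM)
    print("Paste into the SP field:", body)
    print("SHA-256 fingerprint:", fingerprint)
```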
Authorizing User SSO Access
Users are implicitly denied access to applications. After you connect an application to JumpCloud, you need to authorize user access to that application. You can authorize user access from the Application Configuration panel or from the Groups Configuration panel.
To authorize user access from the Application Configuration panel
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications, then select the application to which you want to authorize user access.
- Select the User Groups tab. If you need to create a new group of users, see Get Started: User Groups.
- Select the check box next to the group of users you want to give access.
- Click save.
To learn how to authorize user access from the Groups Configuration panel, see Authorize Users to an SSO Application.
Validating SSO user authentication workflow(s)
IdP-initiated user workflow
- Access the
- Go to Applications and click an application tile to launch it
- ºÚÁϺ£½Ç91Èë¿Ú asserts the user's identity to the SP and is authenticated without the user having to log in to the application
SP-initiated user workflow
- Go to the SP application login - generally, there is either a special link or an adaptive username field that detects the user is authenticated through SSO
This varies by SP.
- Login redirects the user to JumpCloud where the user enters their JumpCloud credentials
- After the user is logged in successfully, they are redirected back to the SP and automatically logged in
Managing user access and access policies for JumpCloud managed resources
Once users are created in JumpCloud, you can grant them access to any of the resources connected to JumpCloud, from a device to applications, networks, etc. User, device, and policy groups allow you to more efficiently assign resources to users and control the level of permissions they are given. Access policies allow you to control how, on what device, and from where they can access their assigned resources.
All user access and access policy management for JumpCloud managed resources is done directly in the JumpCloud Admin Portal or through the JumpCloud API. For more information, see Get Started: Users, Get Started: User Groups, and Get Started: Conditional Access Policies.
Managing devices and policies
Using JumpCloud's device management features will allow you to control settings on your devices, including Firewalls, Disk Encryption, Security Settings and common compliance policy groups.
All device and policy management actions are done directly in the JumpCloud Admin Portal or through the JumpCloud API. For more information, see Get Started: Devices and Get Started: Policies.
Removing the User Sync Integration
- Login to with your administrator account.
- Navigate to App Store > My Apps.
- In the JumpCloud app, click Manage.
- In the right upper corner, click More and then Disconnect.
Removing the SSO Integration
These are steps for removing the integration in JumpCloud. Consult your SP's documentation for any additional steps needed to remove the integration in the SP. Failure to remove the integration successfully for both the SP and JumpCloud may result in users losing access to the application.
To deactivate the SSO Integration
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to deactivate and click to open its details panel.
- Select the SSO tab.
- Scroll to the bottom of the configuration.
- Click Deactivate SSO.
- Click save.
- If successful, you will receive a confirmation message.
To delete the application
- Log in to the .
- Go to USER AUTHENTICATION > SSO Applications.
- Search for the application that you’d like to delete.
- Check the box next to the application to select it.
- Click Delete.
- Enter the number of the applications you are deleting
- Click Delete Application.
- If successful, you will see an application deletion confirmation notification.