Skip to content

Commit

Permalink
Update and rename saml-sso.md to SAML-SSO.md
Browse files Browse the repository at this point in the history 
Updated name and line breaks
  • Loading branch information
@tjferriss
tjferriss authored Oct 11, 2023
1 parent 49631de commit edbf205
Showing 1 changed file with 24 additions and 17 deletions.
41 changes: 24 additions & 17 deletions ...ic/policy-and-domain-settings/saml-sso.md → ...ic/policy-and-domain-settings/SAML-SSO.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@ description: Learn how to effectively manage Single Sign-On (SSO) and user authe
---
# Overview
This article provides a comprehensive guide on managing Single Sign-On (SSO) and user authentication in Expensify alongside your preferred SSO provider. Expensify uses SAML to enable and manage SSO between Expensify and your SSO provider.
# How to Use SSO in Expensify

# How to Use SSO in Expensify
Before setting up Single Sign-On with Expensify you will need to make sure your domain has been verified. Once the domain is verified, you can access the SSO settings by navigating to Settings > Domains > [Domain Name] > SAML.
On this page, you can:
- Get Expensify's Service Provider MetaData. You will need to give this to your identity provider.
Expand All @@ -21,10 +21,12 @@ Instructions for setting up Expensify for specific SSO providers can be found be
- [Oracle Identity Cloud Service](https://docs.oracle.com/en/cloud/paas/identity-cloud/idcsc/expensify.html#Expensify)
- [SAASPASS](https://saaspass.com/saaspass/expensify-two-factor-authentication-2fa-single-sign-on-sso-saml.html)
- Microsoft Active Directory Federation Services (see instructions in the FAQ section below)

When SSO is enabled, employees will be prompted to sign in through Single Sign-On when using their company email (private domain email) and also a public email (e.g. gmail.com) linked as a secondary login.

## How can I update the Microsoft Azure SSO Certificate?
Expensify's SAML configuration doesn't support multiple active certificates. This means that if you create the new certification ahead of time without first removing the old one, the respective IdP will include two unique x509 certificates instead of one and the connection will break. Should you need to access Expensify, switching back to the old certificate will continue to allow access while that certificate is still valid.

To transfer from one Microsoft Azure certificate to another, please follow the below steps:
1. In Azure Directory , create your new certificate.
2. In Azure Director, remove the old, expiring certificate.
Expand All @@ -33,8 +35,8 @@ To transfer from one Microsoft Azure certificate to another, please follow the b
5. Log in via SSO. If login continues to fails, write into Concierge for assistance.

## How can I enable deactivating users with the Okta SSO integration?
Companies using Okta can deactivate users in Expensify using the Okta SCIM API. This means that when a user is deactivated in Okta their access to Expensify will expire and they will be logged out of both the web and mobile apps. Deactivating a user through Okta will not close their account in Expensify, if you are offboarding this employee, you will still want to close the account.
You will need have a verified domain and SAML fully setup before completing setting up the deactivation feature.
Companies using Okta can deactivate users in Expensify using the Okta SCIM API. This means that when a user is deactivated in Okta their access to Expensify will expire and they will be logged out of both the web and mobile apps. Deactivating a user through Okta will not close their account in Expensify, if you are offboarding this employee, you will still want to close the account. You will need have a verified domain and SAML fully setup before completing setting up the deactivation feature.

To enable deactivating users in Okta, follow these steps:
1. In Expensify, head to *Settings > Domains > _[Domain Name]_ > SAML*
2. Ensure that the toggle is set to Enabled for *SAML Login* and *Required for login*
Expand All @@ -52,31 +54,36 @@ To enable deactivating users in Okta, follow these steps:
14. In Okta, go to *Admin > Applications > Expensify > Provisioning > API Integration > Configure API Integration*
15. Select Enable API Integration and paste the Okta SCIM Token in API Token field and then click Save.
15. Go to To App, click Edit Provisioning Users, select Enable Deactivate Users and then Save. (You may also need to set up the Expensify Attribute Mappings if you have not previously in steps 9-11).

Successful activation of this function will be indicated by the green Push User Deactivation icon being enabled at the top of the app page.

## How can I set up SAML authentication with Microsoft ADFS?
Before getting started, you will need have a verified domain and Control plan in order to setup SSO with Microsoft ADFS.
Before getting started, you will need to have a verified domain and Control plan in order to set up SSO with Microsoft ADFS.

To enable SSO with Microsoft ADFS follow these steps:
Open the ADFS management console, and click the *Add Relying Party Trust* link on the right.
Check the option to *Import data about the relying party from a file*, then click the *Browse* button. You will input the XML file of Expensify’s metadata which can be found on the Expensify SAML setup page.
The metadata file will provide the critical information that ADFS needs to set up the trust. In ADFS, give it a name, and click Next.
Select the option to permit all users, then click Next.
The next step will give you an overview of what is being configured. Click Next.
The new trust is now created. Highlight the trust, then click *Edit claim rules* on the right.
Click *Add a Rule*.
The default option should be *Send LDAP Attributes as Claims*. Click Next.
Depending upon how your Active Directory is set up, you may or may not have a useful email address associated with each user, or you may have a policy to use the UPN as the user attribute for authentication. If so, using the UPN user attribute may be appropriate for you. If not, you can use the emailaddress attribute.
Give the rule a name like *Get email address from AD*. Choose Active Directory as the attribute store from the dropdown list. Choose your source user attribute to pass to Expensify that has users’ email address info in it, usually either *E-Mail-Address* or *User-Principal-Name*. Select the outgoing claim type as “E-Mail Address”. Click OK.
Add another rule; this time, we want to *Transform an Incoming Claim*. Click Next.
Name the rule *Send email address*. The Incoming claim type should be *E-Mail Address*. The outgoing claim type should be *Name ID*, and the outgoing name ID format should be *Email*. Click OK.
You should now have two claim rules.
1. Open the ADFS management console, and click the *Add Relying Party Trust* link on the right.
2. Check the option to *Import data about the relying party from a file*, then click the *Browse* button. You will input the XML file of Expensify’s metadata which can be found on the Expensify SAML setup page.
3. The metadata file will provide the critical information that ADFS needs to set up the trust. In ADFS, give it a name, and click Next.
4. Select the option to permit all users, then click Next.
5. The next step will give you an overview of what is being configured. Click Next.
6. The new trust is now created. Highlight the trust, then click *Edit claim rules* on the right.
7. Click *Add a Rule*.
8. The default option should be *Send LDAP Attributes as Claims*. Click Next.
9. Depending upon how your Active Directory is set up, you may or may not have a useful email address associated with each user, or you may have a policy to use the UPN as the user attribute for authentication. If so, using the UPN user attribute may be appropriate for you. If not, you can use the emailaddress attribute.
10. Give the rule a name like *Get email address from AD*. Choose Active Directory as the attribute store from the dropdown list. Choose your source user attribute to pass to Expensify that has users’ email address info in it, usually either *E-Mail-Address* or *User-Principal-Name*. Select the outgoing claim type as “E-Mail Address”. Click OK.
11. Add another rule; this time, we want to *Transform an Incoming Claim*. Click Next.
12. Name the rule *Send email address*. The Incoming claim type should be *E-Mail Address*. The outgoing claim type should be *Name ID*, and the outgoing name ID format should be *Email*. Click OK.
13. You should now have two claim rules.

Assuming you’ve also set up Expensify SAML configuration with your metadata, SAML logins on Expensify.com should now work. For reference, ADFS’ default metadata path is: https://yourservicename.yourdomainname.com/FederationMetadata/2007-06/FederationMetadata.xml.

# FAQ
## What should I do if I’m getting an error when trying to set up SSO?
You can double check your configuration data for errors using samltool.com. If you’re still having issues, you can reach out to your Account Manager or contact Concierge for assistance.

## What is the EntityID for Expensify?
The entityID for Expensify is https://expensify.com. Remember not to copy and paste any extra slashes or spaces. If you've enabled the Multi-Domain support (see below) then your entityID will be https://expensify.com/mydomainname.com.

## Can you have multiple domains with only one entityID?
Yes. Please send a message to Concierge or your account manager and we will enable the ability to use the same entityID with multiple domains.

0 comments on commit edbf205

Please sign in to comment.