Companies with Okta can now deactivate users in Expensify using the Okta SCIM API. This means that when a user is deactivated in Okta their access to Expensify will expire and they will be logged out of both the web and mobile apps. This page takes you through the steps to enable this feature.
Included in the integration:
- Deactivate Users in Expensify
- Export Users (from Expensify to Okta)
Not in the integration:
- Create Users in Expensify
- Update User Attributes in Expensify
- Group Push from Okta to Expensify
- Import Groups from Expensify to Okta
- Sync Password
Enabling Okta deactivation
Step 1 - Add Expensify as an app in Okta
In Okta, go to Admin > Applications > Add Application. Search for Expensify and click on Add
Enter your company domain (e.g. yourcompany.com)
On Sign-On Options, click Next (leaving default settings)
On Assign to People, click Next and then click Done
Step 2 - Enable Okta SAML in Expensify
In Okta, go to to Admin > Applications > Expensify > Sign On > View Setup Instructions and follow the steps listed.
Step 3 - Contact Expensify to enable Okta SCIM
Email email@example.com providing your domain and request that Okta SCIM be enabled. You will receive a response when this has been actioned.
Step 4 - Copy Okta SCIM Token
In Expensify, go to Domain Control > [Domain Name] > SAML > Show Token and copy the Okta SCIM Token.
Step 5 - Enable Okta SCIM in Okta
In Okta, go to Admin > Applications > Expensify > Provisioning > API Integration > Configure API Integration.
Select Enable API Integration, paste the Okta SCIM Token in API Token field and click Save.
Go to To App, click Edit Provisioning Users, select Enable Deactivate Users and then Save.
You may also need to set up the Expensify Attribute Mappings if you have not previously.
Successful activation of this function will be indicated by the green Push User Deactivation is enabled icon at the top of the app page.
Note: If importing users from Expensify to Okta, ensure Okta UserName Format is set on the To Okta page