Expensify supports single sign-on with SAML Single Sign-On (SSO). SAML SSO allows your employees to log into Expensify with the same credentials they use for other business applications. You can also restrict employees to only being able to sign in via SAML SSO. This allows you to have full control over password controls and employee access. Expensify supports any identity provider that uses SAML 2.0.
- Amazon Web Services (AWS SSO)
- Google SAML (for GSuite, not Google SSO)
- Microsoft Azure Active Directory
- Microsoft Active Directory Federation Services (ADFS)
- Oracle Identity Cloud Service
Enabling SAML Single Sign-On
To enable SAML SSO in Expensify you will first need to have Domain Control enabled.
Once you have Domain Control enabled, navigate to Settings > Domain Control > [domain name] > SAML.
On this page you will be able to:
- Choose whether you want to make SAML required for login. If you choose this option, users will only be able to log in via SAML SSO. They will not be able to use an Expensify password.
- Get Expensify's Service Provider MetaData. You will need to give this to your identity provider.
- Enter your Identity Provider MetaData. Please contact your SAML SSO provider if you are unsure how to get this.
Signing in with SAML SSO
If your company has SAML sign in as option, you will be able to either enter your Expensify password or choose the SAML option.
If your company has SAML sign in required, you will only see the option to sign in via SAML.
To sign in via the mobile app, choose the "Company Sign In" option.