Expensify supports single sign-on with SAML Single Sign-On (SSO). SAML SSO allows your employees to log into Expensify with the same credentials they use for other business applications. You can also restrict employees to only being able to sign in via SAML SSO. This allows you to have full control over password controls and employee access. Expensify supports any identity provider that uses SAML 2.0.
- Amazon Web Services (AWS SSO)
- Google SAML (for GSuite, not Google SSO)
- Microsoft Azure Active Directory
- Microsoft Active Directory Federation Services (ADFS)
- Oracle Identity Cloud Service
Enabling SAML Single Sign-On
To enable SAML SSO in Expensify you will first need to have Domain Control enabled.
Once you have Domain Control enabled, navigate to Settings > Domain Control > [domain name] > SAML.
On this page you will be able to:
- Choose whether you want to make SAML required for login. If you choose this option, users will only be able to log in via SAML SSO. They will not be able to use an Expensify password.
- Get Expensify's Service Provider MetaData. You will need to give this to your identity provider.
- Enter your Identity Provider MetaData. Please contact your SAML SSO provider if you are unsure how to get this.
Signing in with SAML SSO
If your company has SAML sign in as option, you will be able to either enter your Expensify password or choose the SAML option after entering your email address:
If your company has SAML sign in required, you will only see the option to sign in via SAML.
To sign in via the mobile app, simply enter your email and follow the flow as you would via the website.
FAQ's and error messages
There are a few reasons why this error occurs, but it all boils down to the fact that the response sent by your SAML provider doesn't match what Expensify is expecting given the setup.
- For ADFS: This is usually caused by misconfiguration on the ADFS IdP side. You'll want to clean out your current configuration and carefully follow the instructions here again.
- For AzureAD: It's likely the wrong certificate setting in Azure AD is set and you just need to check the Make new certificate active checkbox:
- For Centrify: You'll need to make sure you've added
use="signing"to the KeyDescriptor label so it looks like this
- For all others, this could be due to either a malformed x.509 certificate in the domain metadata in Expensify or there may actually be more than one certificate in the metadata. Check your SAML metadata in Expensify and make sure that there are not two different certificates in the same metadata.
"Error 404 No user with that partnerUserID/partnerUserSecret"
This is most common when the two emails do not match within the SAML provider and Expensify, either due to incorrect setup or if a user authenticates with SAML and Expensify creates a login for their account using the email sent as the NameID of the SAML Response. If that NameID changes (eg, I changed my OneLogin settings to send firstname.lastname@example.org instead of email@example.com in the NameID of the response), when it checks the email against the one we used to create the login, it doesn't match and thus authentication fails.
In these instances, you should set the user up as a new user in your SAML software and have them remove their SAML login from Settings > Your Account > Account Details > Secondary Logins. (You'll need to disable the SAML requirement to do this).
"Error SAML Response not found, Only supported HTTP_POST Binding"
The only reason that this error shows is due to a malformed request, specifically the IdP sending a request to Expensify without the SAMLResponse in the POST data of the request. You must configure your IdP to send the SAMLResponse in the POST data of the request.
OKTA shows Expensify listed, but I can't login!
OKTA provides both an SWA and SAML login for Expensify. Okta’s Secure Web Authentication (SWA) provides a neat way to store existing web credentials and easily log-in to any website.
If you're using OKTA SSO/SAML though, you won't be able to use your company credentials via this link. Instead, click the "Expensify" option (rather than the (SWA Only) option here:
If that option doesn't exist, you still require setting up. Reach out to your internal IT team to have this done for you!