Managing Single Sign On (SSO) in Expensify
Set up secure and streamlined login across your organization by enabling SAML Single Sign-On (SSO) in Expensify Classic. This allows Workspace members to authenticate using your identity provider (IdP), rather than creating separate credentials.
Where to find SAML Single Sign-On (SSO) settings
Before setting up SSO, make sure your domain is verified.
Learn how to claim and verify your domain
Once your domain is verified:
- Go to Settings > Domains > [Domain Name] > SAML.
- From the SAML section:
  - Download Expensify’s Service Provider metadata to upload to your IdP.
  - Enter your IdP metadata or upload the file from your provider.
  - Toggle SAML required for login to enforce SSO-only login.
Who can manage SAML Single Sign-On (SSO)
- Only Domain Admins can configure SAML for verified domains.
- SAML login applies to all Workspace members whose emails match the verified domain.
How to set up SAML Single Sign-On (SSO) with your identity provider
Follow these links for configuration steps with your identity provider:
- Amazon Web Services (AWS SSO)
- Google Workspace / SAML (Gsuite)
- Microsoft Entra ID (formerly Azure AD)
- Okta
- OneLogin
- Oracle Identity Cloud Service
- SAASPASS
- Microsoft ADFS – see instructions below
Note: If your provider isn’t listed, contact them directly for guidance with metadata and setup.
How SAML Single Sign-On (SSO) affects login behavior
- Members with email addresses matching your verified domain will be prompted to log in through your configured IdP.
- Members using a personal or secondary email (e.g., Gmail) must update their email address to match the verified domain for SSO access.
Troubleshooting SAML Single Sign-On (SSO)
If setup fails or login doesn’t work:
- Use samltool.com to validate your IdP metadata and certificate.
- Confirm that your public certificate is in PEM format.
- Make sure the email domain in your IdP exactly matches your verified domain in Expensify.
- Confirm that your domain is verified in Expensify before enabling SAML.
What is Expensify’s Entity ID?
- Standard setup: https://expensify.com
- Multi-domain setup: https://expensify.com/yourdomain.com
Can I manage multiple domains with one Entity ID?
Yes, managing multiple domains with one Entity ID is supported. Contact Concierge or your Account Manager to enable this feature.
Advanced configurations for SAML Single Sign-On (SSO)
Okta SCIM API and SAML provisioning
Once SAML is enabled:
- Go to Domains > [Domain Name] > SAML.
- Toggle on both Enable SAML login and Require SAML login.
- In Okta, add Expensify as an app and configure attribute mappings.
- Request SCIM API access via concierge@expensify.com.
- Add the SCIM token in your Okta provisioning settings.
Refer to Okta’s documentation for complete instructions.
Microsoft ADFS configuration
- Open the ADFS Management Console and create a new trust.
- Upload Expensify’s metadata XML file.
- Map LDAP attributes (email or UPN) to outgoing claims.
- Add two claim rules:
  - Send LDAP Attributes as Claims
  - Transform Incoming Claim to Name ID
Microsoft Entra ID certificate update process
To avoid setup errors during certificate renewal:
- Create the new certificate in Microsoft Entra.
- Remove the old certificate before activating the new one.
- Replace the existing IdP metadata in Expensify.
- Log in via SSO to confirm the new certificate works.
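The metadata checks from the troubleshooting list above and the single-certificate rule from the Entra renewal steps, as an added Python example that is not Expensify's or any IdP vendor's code: it parses IdP SAML metadata with the standard library, wraps the embedded X509Certificate as PEM, and reports what a Domain Admin should fix before uploading the file. The idp.example.test URLs and the placeholder certificate bytes are constructed for the demo.

```python
# Added example, not Expensify's own code: pre-upload checks on IdP SAML metadata
# for Settings > Domains > [Domain Name] > SAML. Standard library only.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}


def to_pem(cert_b64):
    """Wrap the base64 DER from <ds:X509Certificate> as PEM with 64-char lines."""
    der = base64.b64decode("".join(cert_b64.split()), validate=True)
    if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("X509Certificate does not decode to DER")
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


def inspect_idp_metadata(xml_text):
    """Return entityID, SSO endpoints, signing-cert SHA-256 fingerprints and the
    problems a Domain Admin should fix before uploading the file to Expensify."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        problems.append("root element is not md:EntityDescriptor")
    sso = [s.get("Location") for s in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)]
    if not sso or not all(u.startswith("https://") for u in sso):
        problems.append("need at least one https SingleSignOnService endpoint")
    fps = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        try:
            der = base64.b64decode("".join(node.text.split()), validate=True)
            fps.append(hashlib.sha256(der).hexdigest())
        except (AttributeError, ValueError):
            problems.append("signing KeyDescriptor has no decodable X509Certificate")
    if len(fps) != 1:  # Entra renewal: remove the old certificate before activating the new one
        problems.append("expected exactly one signing certificate, found %d" % len(fps))
    return {"entity_id": root.get("entityID"), "sso": sso, "fingerprints": fps, "problems": problems}


# Constructed sample: a placeholder ASN.1 SEQUENCE stands in for a real certificate,
# and idp.example.test is a hypothetical IdP.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x05\x02\x03\x01\x02\x03").decode()
KEYDESC = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           '%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
SAMPLE_METADATA = ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.test/saml">'
                   '<md:IDPSSODescriptor>%s<md:SingleSignOnService Location="https://idp.example.test/sso"/>'
                   '</md:IDPSSODescriptor></md:EntityDescriptor>') % (NS["md"], NS["ds"], KEYDESC % SAMPLE_CERT_B64)
```

Run `inspect_idp_metadata` on the XML exported from your IdP; an empty `problems` list and a single fingerprint are what you want to see before replacing the metadata in Expensify, and the fingerprint should change after an Entra certificate renewal.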
FAQ
Can I use SAML for multiple Workspaces?
Yes, as long as all members are part of the same verified domain, SAML access applies across all Workspaces they belong to.
How can I confirm my SAML SSO setup is correct?
Before enabling Require SAML login, make sure your SAML connection is working by testing both SP-initiated and IdP-initiated logins. You should also confirm that:
- The correct certificate and endpoints are in your Expensify metadata
- Members can log in successfully using the SAML flow
Can I test a new SAML SSO setup without locking users out?
Yes. Disable Require SAML login before making changes. This allows users to log in with email and password if SAML setup fails. Once you’ve confirmed that login works, you can re-enable enforcement.
What happens if a member can’t log in after SAML SSO is enabled?
First, confirm that the member’s email matches your verified domain and that their account exists in your Identity Provider (IdP) with the correct access permissions.
If they’re still unable to log in, follow the steps in Troubleshoot SAML SSO login to identify and resolve the issue.