ExpenseIn

An identity provider is a third party service providing directory services for managing user data and allowing centralised management of user sign-on.

Examples of identity providers are:&nbsp;

<a href="https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/expensein-tutorial" rel="nofollow noopener noreferrer" target="_blank">Microsoft Entra Active Directory</a> (Previously Microsoft Azure)

<a href="https://www.onelogin.com/" rel="nofollow noopener noreferrer" target="_blank">OneLogin</a>

- <a href="https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/expensein-tutorial" rel="nofollow noopener noreferrer" target="_blank">Microsoft Entra Active Directory</a> (Previously Microsoft Azure)
- <a href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-ExpenseIn.html" rel="nofollow noopener noreferrer" target="_blank">Okta</a>
- <a href="https://www.onelogin.com/" rel="nofollow noopener noreferrer" target="_blank">OneLogin</a>

To use an identity provider for SSO with ExpenseIn, you must add the identity provider and associate it with one or more domains within the Admin area. This allows the correct identity provider to be contacted for a particular email address being used for SSO.

Note: If setting up ExpenseIn manually within your identity provider rather than adding it from the app catalogue, you will need the following information:

Application ACS/Reply URL: <a href="https://app.expensein.com/samlcallback" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com/samlcallback</a>

Application SAML Audience: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a>

Application Entity ID: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a>

- Application ACS/Reply URL: <a href="https://app.expensein.com/samlcallback" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com/samlcallback</a>
- Application SAML Audience: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a> 
- Application Entity ID: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a>

1. Click the Account Name &gt; Admin.

2. In the Integrations section, click the Single Sign-On subheading.

3. Click the New Provider + button.

Note: This is purely a label for you to identify the provider and does not affect SSO functionality.

5. Choose the desired options for SSO with this identity provider:

The Sign-On Mode dictates whether users can sign-in with their email address and password as well as using SSO (Mixed Mode), or can only use SSO (SSO Only).

The Provider Initiated Sign-On option dictates whether sign-on must be started from the ExpenseIn website or mobile application (No), or can be triggered from the Identity Provider (Yes).  Switch this on if you want to allow users to open ExpenseIn directly from a dashboard provided by your Identity Provider.

The Enabled option allows you to enable or disable this Identity Provider, which may be useful during testing.

- The Sign-On Mode dictates whether users can sign-in with their email address and password as well as using SSO (Mixed Mode), or can only use SSO (SSO Only).
- The Provider Initiated Sign-On option dictates whether sign-on must be started from the ExpenseIn website or mobile application (No), or can be triggered from the Identity Provider (Yes).  Switch this on if you want to allow users to open ExpenseIn directly from a dashboard provided by your Identity Provider.
- The Enabled option allows you to enable or disable this Identity Provider, which may be useful during testing.

6. Depending on what information your Identity Provider gives you, you have two options:

Fill in the Target Url, Issuer and Certificate fields individually. The values of these should be given by your Identity Provider.

If you have access to the Identity Provider (IdP) Metadata then click Load from Metadata... and the form will change to allow you to paste either the metadata XML directly, or a URL linking to the metadata. After pasting either of these, the form will attempt to parse the metadata and fill in the Target Url, Issuer and Certificate fields.

- Fill in the Target Url, Issuer and Certificate fields individually. The values of these should be given by your Identity Provider.
- If you have access to the Identity Provider (IdP) Metadata then click Load from Metadata... and the form will change to allow you to paste either the metadata XML directly, or a URL linking to the metadata. After pasting either of these, the form will attempt to parse the metadata and fill in the Target Url, Issuer and Certificate fields.

7. Click Create to save the identity provider. You should now see the identity provider in the identity providers list.

Note: The identity provider will not show as in use until it has been linked to one or more domains.

Follow the steps in our <a href="https://intercom.help/expensein/en/articles/3004045-add-domains-for-single-sign-on" rel="nofollow noopener noreferrer" target="_blank">Help Article</a> to add one or more domains to your identity provider.

<a href="https://intercom.help/expensein/en/articles/3004538-verify-a-domain-for-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Verify a domain for Single Sign-On (SSO)</a>

<a href="https://docs.expensein.com/security/testing-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Testing Single Sign-On</a>

- <a href="https://intercom.help/expensein/en/articles/3004538-verify-a-domain-for-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Verify a domain for Single Sign-On (SSO)</a>
- <a href="https://docs.expensein.com/security/testing-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Testing Single Sign-On</a>

Learn how to register a third party identify provider with ExpenseIn for Single Sign-On (SSO).

Add an identity provider for Single Sign-On (SSO)

Sign In

Get started

Mobile app video

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Add an identity provider for Single Sign-On (SSO)

How to add an identity provider

Related Articles