ExpenseIn

An identity provider is a third party service providing directory services for managing user data and allowing centralised management of user sign-on.

Examples of identity providers are:&nbsp;

<a href="https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/expensein-tutorial" rel="nofollow noopener noreferrer" target="_blank">Microsoft Entra Active Directory</a> (Previously Microsoft Azure)

<a href="https://www.onelogin.com/" rel="nofollow noopener noreferrer" target="_blank">OneLogin</a>

- <a href="https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/expensein-tutorial" rel="nofollow noopener noreferrer" target="_blank">Microsoft Entra Active Directory</a> (Previously Microsoft Azure)
- <a href="https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-ExpenseIn.html" rel="nofollow noopener noreferrer" target="_blank">Okta</a>
- <a href="https://www.onelogin.com/" rel="nofollow noopener noreferrer" target="_blank">OneLogin</a>

To use an identity provider for SSO with ExpenseIn, you must add the identity provider and associate it with one or more domains within the Admin area. This allows the correct identity provider to be contacted for a particular email address being used for SSO.

Note: If setting up ExpenseIn manually within your identity provider rather than adding it from the app catalogue, you will need the following information:

Application ACS/Reply URL: <a href="https://app.expensein.com/samlcallback" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com/samlcallback</a>

Application SAML Audience: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a>

Application Entity ID: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a>

- Application ACS/Reply URL: <a href="https://app.expensein.com/samlcallback" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com/samlcallback</a>
- Application SAML Audience: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a> 
- Application Entity ID: <a href="https://app.expensein.com" rel="nofollow noopener noreferrer" target="_blank">https://app.expensein.com</a>

1. Click the Account Name &gt; Admin.

2. In the Integrations section, click the Single Sign-On subheading.

3. Click the New Provider + button.

Note: This is purely a label for you to identify the provider and does not affect SSO functionality.

5. Choose the desired options for SSO with this identity provider:

The Sign-On Mode dictates whether users can sign-in with their email address and password as well as using SSO (Mixed Mode), or can only use SSO (SSO Only).

The Provider Initiated Sign-On option dictates whether sign-on must be started from the ExpenseIn website or mobile application (No), or can be triggered from the Identity Provider (Yes).  Switch this on if you want to allow users to open ExpenseIn directly from a dashboard provided by your Identity Provider.

The Enabled option allows you to enable or disable this Identity Provider, which may be useful during testing.

- The Sign-On Mode dictates whether users can sign-in with their email address and password as well as using SSO (Mixed Mode), or can only use SSO (SSO Only).
- The Provider Initiated Sign-On option dictates whether sign-on must be started from the ExpenseIn website or mobile application (No), or can be triggered from the Identity Provider (Yes).  Switch this on if you want to allow users to open ExpenseIn directly from a dashboard provided by your Identity Provider.
- The Enabled option allows you to enable or disable this Identity Provider, which may be useful during testing.

6. Depending on what information your Identity Provider gives you, you have two options:

Fill in the Target Url, Issuer and Certificate fields individually. The values of these should be given by your Identity Provider.

If you have access to the Identity Provider (IdP) Metadata then click Load from Metadata... and the form will change to allow you to paste either the metadata XML directly, or a URL linking to the metadata. After pasting either of these, the form will attempt to parse the metadata and fill in the Target Url, Issuer and Certificate fields.

- Fill in the Target Url, Issuer and Certificate fields individually. The values of these should be given by your Identity Provider.
- If you have access to the Identity Provider (IdP) Metadata then click Load from Metadata... and the form will change to allow you to paste either the metadata XML directly, or a URL linking to the metadata. After pasting either of these, the form will attempt to parse the metadata and fill in the Target Url, Issuer and Certificate fields.

7. Click Create to save the identity provider. You should now see the identity provider in the identity providers list.

Note: The identity provider will not show as in use until it has been linked to one or more domains.

Follow the steps in our <a href="https://intercom.help/expensein/en/articles/3004045-add-domains-for-single-sign-on" rel="nofollow noopener noreferrer" target="_blank">Help Article</a> to add one or more domains to your identity provider.

<a href="https://intercom.help/expensein/en/articles/3004538-verify-a-domain-for-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Verify a domain for Single Sign-On (SSO)</a>

<a href="https://docs.expensein.com/security/testing-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Testing Single Sign-On</a>

- <a href="https://intercom.help/expensein/en/articles/3004538-verify-a-domain-for-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Verify a domain for Single Sign-On (SSO)</a>
- <a href="https://docs.expensein.com/security/testing-single-sign-on-sso" rel="nofollow noopener noreferrer" target="_blank">Testing Single Sign-On</a>

Learn how to register a third party identify provider with ExpenseIn for Single Sign-On (SSO).

Add an identity provider for Single Sign-On (SSO)

Sign In

Get started

Mobile app video

Find answers and get help from Intercom Support and Community Experts

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Add an identity provider for Single Sign-On (SSO)

How to add an identity provider

Related Articles