An identity provider (IdP) is a third-party service that provides directory services for managing user data and allows centralised management of user sign-on.
Examples of identity providers are:
To use an identity provider for SSO with ExpenseIn, you must add the identity provider and associate it with one or more domains within Admin. This allows the correct identity provider to be contacted for a given email address used for SSO.
If setting up ExpenseIn manually within your identity provider, rather than adding it from the app catalogue, you will need the following information:
- Application ACS/Reply URL: https://app.expensein.com/samlcallback
- Application SAML Audience: https://app.expensein.com
- Application Entity ID: https://app.expensein.com
Add an Identity Provider
1. From the Single Sign-On area of Admin, click the Identity Providers tab.
2. Click Add Provider.
3. Enter a provider name. This is purely a label for you to identify the provider and does not affect SSO functionality.
4. Choose the desired options for SSO with this identity provider:
- The Enabled option allows you to enable or disable this Identity Provider, which may be useful during testing.
- The Sign-On Mode dictates whether users can sign on with their email address and password as well as via SSO (Mixed Mode), or can only use SSO (SSO Only).
- The Provider Initiated Sign-On option dictates whether sign-on must be started from the ExpenseIn website or mobile application (No), or can be triggered from the Identity Provider (Yes). Switch this on if you want to allow users to open ExpenseIn directly from a dashboard provided by your Identity Provider.
5. Depending on what information your Identity Provider gives you, you have two options:
- Fill in the Target Url, Issuer and Certificate fields individually, using the values given by your Identity Provider.
- If you have access to the Identity Provider (IdP) metadata, click Load from Metadata... and the form will change to let you paste either the metadata XML directly or a URL linking to the metadata. After you paste either of these, the form will attempt to parse the metadata and fill in the Target Url, Issuer and Certificate fields. If you use a URL, make sure it is an https:// URL, since the signing certificate it carries is what ExpenseIn will trust for your users' sign-on.
6. Click Create to save the identity provider. You should now see the identity provider in the identity providers list.
7. At this point the identity provider will show as not In Use. This is because it has not yet been linked to one or more domains.
- If you have not yet added the domain(s) you wish to use for SSO, you will need to add Domains.
- If you have previously added the domain(s) to ExpenseIn, you will need to link the newly created identity provider to the domain(s) as follows:
8. Click the Domains tab, and choose Edit next to the domain you wish to link to the identity provider.
9. Select the identity provider that you wish to use with this domain from the list, and click Save to confirm.
You should now see the domain configured to use your identity provider on the Domains tab, and your identity provider showing as In Use on the Identity Providers tab.
You can now test your SSO setup.