Expensify - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk.
This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Expensify using MPAS. SSO simplifies user authentication by allowing access to multiple applications with a single set of credentials. This integration enhances security and improves user experience across your organization
To set up Multi-Pass with Expensify, ensure you meet the following requirements:
- Expensify admin rights
- MPAS Admin rights
- Make sure that all users intended to use SSO in Expensify are registered in your IdP and have the necessary permissions to access Expensify.
Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.
Expensify - SSO configuration
Step 1 - Enable SAML in Expensify
- Open an Incognito browser window, go to https://www.expensify.com/signin, and log in with your Expensify administrator account.
- Go to Settings > Domain Control, and select your domain.
- Click Verify, choose Add a DNS record, and follow instructions to verify your domain.
- Once verified, under Domain Control > SAML, toggle SAML Login to Enabled.
- From this page:
- Download the SP metadata file or note the following values:
- Entity ID / Identifier: https://www.expensify.com
- ACS / Reply URL: https://www.expensify.com/authentication/saml/loginCallback?domain=<yourdomain>
Contact Expensify support to confirm the correct ACS URL for your domain.
Step 2 - Access the Multi-Pass Console
- On the left side, click on integration and on application
- Locate the section called "Custom Integration" and click on SAML to do it custom or locate the box (if it is existing) to reach a predefined parameters set up.
- Complete the form :
| Field | Value |
|---|---|
| Client Type | SAML |
| Client ID | https://www.expensify.com |
| Name | Expensify |
| Description | SSO Integration |
| Assertion Consumer Service URL | https://www.expensify.com/saml/acs (or loginCallback pattern) |
NameID Policy Format | Email |
- Now we need to confirm the different fields, reach the advanced console
- Click on Clients, and look for the application you juste created by using the search tab, when the line is highlighted click on it,
- Make sure the fields are completed as below, start from the settings tab, general settings :
| Field | Value |
|---|---|
| Client Type | SAML |
| Client ID | https://www.expensify.com |
| Name | Expensify |
| Description | SSO Integration |
| Always Display in UI | ON |
- Scroll to the Access settings :
| Field | Value |
|---|---|
| Home URL | https://ca.auth.kzero.com/realms/<TENANT_NAME>/protocol/saml/clients/expensify |
| Valid Redirect URIs | https://www.expensify.com/saml/acs (or loginCallback pattern) |
| IDP-Initiated SSO URL Name | expensify |
- Scroll to SAML capabilities :
| Setting | Value |
|---|---|
| Name ID Format | |
| Force Name ID Format | OFF |
| Force POST Binding | ON |
| Include AuthnStatement | ON |
- Keep going to the Signature and Encryption
| Setting | Value |
|---|---|
| Sign Documents | OFF |
| Sign Assertions | ON |
- Click Save and reach the tab called Keys
- Make sure that both fields are switch to OFF
- Move to the advanced tab
- Assertion Consumer Service POST Binding URL = From Expensify SP config (e.g. ACS or loginCallback)
SAML Attribute Mapping
- Add the following mappers under Client Scope, click on the line expensify
- Click on "Configure a new mapper" and select User attribute, you will need to repeat this steps for each attribute we need to configure
- Complete the fields for Email
| Field | Value |
|---|---|
| Mapper Type | User Attribute |
| Name | |
| User Attribute | |
| Friendly Name | |
| SAML Attribute Name | email |
- First Name
| Field | Value |
|---|---|
| Mapper Type | User Attribute |
| Name | givenname |
| User Attribute | firstname |
| Friendly Name | givenname |
| SAML Attribute Name | givenname |
- Last Name
| Field | Value |
|---|---|
| Mapper Type | User Attribute |
| Name | surname |
| User Attribute | lastName |
| Friendly Name | surname |
| SAML Attribute Name | surname |
Step 3 - Finalize the configuration in Expensify
- Upload the Multi-Pass metadata into Expensify if prompted. You can find it at:
- Save your configuration in both MPAS and Expensify.
- Test login via Expensify SSO with your domain.
- Enforce login via SAML for users if needed.
Related Articles
SAML SSO Integration Guide
This guide provides an overview of how to configure SAML Single Sign-On (SSO) between Multi-Pass and a third-party Service Provider (SP). Multi-Pass acts as the Identity Provider (IdP) in this federation model. Multi-Pass is working on SCIM support ...Wrike - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Wrike using MPAS. SSO simplifies user authentication by allowing access to multiple ...Rocket.chat - SSO configuration
This documentation has been tested and approved by Kelvin Zero's team This documentation provides a step-by-step guide to setting up Single Sign-On (SSO) for Rocket.chat using MPAS. SSO simplifies user authentication by allowing access to multiple ...Intercom - SSO configuration
Valid redirect URIs Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This ...Lusha - SSO configuration
Please note that this application has not been formally tested by Kelvin Zero Inc. It is provided solely as a reference guide. If you encounter any issues, kindly submit a ticket directly through the support desk. This documentation provides a ...