Steps to configure SAML SSO for ExpenseIn
About ExpenseIn
ExpenseIn is a cloud-based expense management solution designed to simplify how organizations handle employee expenses, approvals, and reimbursements. It allows users to easily capture receipts, submit expense claims, and automate approval workflows through an intuitive web and mobile interface.
The following steps will help you enable SSO for ExpenseIn from Identity360.
Prerequisites
- The MFA and SSO license for Identity360 is required to enable SSO for enterprise applications.
- Log in to Identity360 as an Admin, Super Admin, or Technician with a role that has Application Integration and Single Sign-on permissions.
- Navigate to Applications > Application Integration > Create New Application, and select ExpenseIn from the applications displayed.
Note: You can also find ExpenseIn from the search bar located at the top.
- Under the General Settings tab, enter the Application Name and Description.
- Under the Choose Capabilities tab, select Single Sign-on and click Continue.
General Settings of SSO configuration for ExpenseIn.
- Under Integration Settings, navigate to the Single Sign On tab and click IdP Details. You can configure ExpenseIn by either loading the metadata file or entering the details manually.
- For loading the metadata file: In Identity360, click Copy in the Metadata field to copy the metadata, which you will paste during the configuration of ExpenseIn.
- For manual configuration:
- Copy the Login URL, Issuer URL, and Signing Certificate values, which will be used during the configuration of ExpenseIn.
ExpenseIn (service provider) configuration steps
- Log in to ExpenseIn as an administrator.
- Click the Account Name > Admin.
- Click Integrations > Single Sign-On.
- Click New Provider +.
- In the Provider Name field, enter Identity360.
- From the Allow Provider Initiated Sign-On drop-down, choose Yes.
- From the Sign-On Mode drop-down, choose Mixed Mode if you want users to sign in using either their email address and password or SSO. Choose SSO Only if you want users to sign in only through SSO.
- For SSO metadata configuration, you can either enter the details manually or auto-load the metadata information.
- For auto-load of metadata, click Load from Metadata... and paste either the Metadata value copied in Step 6(i) of the prerequisites or the Metadata URL value copied by following the steps on this page. The form will parse the metadata and fill in the Target Url, Issuer, and Certificate fields automatically.
- For manual configuration, click Manually Enter Metadata... and fill in the following fields:
- In the Target Url field, paste the Login URL value copied from Step 6(ii) of the prerequisites.
- In the Issuer field, paste the Issuer URL value copied from Step 6(ii) of the prerequisites.
- In the Certificate field, paste the Signing Certificate value copied from Step 6(ii) of the prerequisites.
- Check the Enabled box.
- Click Create to save the configuration.
Note: Once SSO is configured, it is mandatory to add your domains as described here, and verify them by following the steps provided here. Ensure that the user email domain matches the verified and mapped domain.
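Before saving the provider in ExpenseIn, it is worth confirming that the Target Url, Issuer and Certificate being entered are the ones the IdP metadata actually carries, and that a manually pasted Signing Certificate matches it. The script below is an added example, not code from ManageEngine or ExpenseIn; it assumes the metadata is a standard SAML 2.0 EntityDescriptor, and the host name, certificate bytes and function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: placeholder host, and placeholder bytes instead of a real certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/issuer/abc">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      Q09OU1RSVUNURUQtU0FNUExFLUNFUlQt
      QllURVMtTk9ULUEtUkVBTC1DRVJU
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/login/abc"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_fields(metadata_xml):
    """Return the three values the SP form needs from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Only keys marked for signing (or with no 'use' attribute) verify assertions.
    certs = ["".join((c.text or "").split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall(".//ds:X509Certificate", NS)]
    urls = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    if not certs or not urls:
        raise ValueError("metadata lacks a signing certificate or SSO endpoint")
    if not urls[0].startswith("https://"):
        raise ValueError("SSO endpoint is not HTTPS: " + urls[0])
    return {"target_url": urls[0], "issuer": root.get("entityID"),
            "certificate": certs[0]}


def fingerprint(cert_b64):
    """SHA-256 of the certificate bytes, ignoring PEM armor and whitespace."""
    body = "".join(l for l in cert_b64.splitlines() if "-----" not in l)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def same_certificate(pasted, metadata_xml):
    """True if a manually pasted certificate is the one in the metadata."""
    return fingerprint(pasted) == fingerprint(idp_fields(metadata_xml)["certificate"])
```

Comparing the printed fingerprint with the one shown for the signing certificate on the IdP side catches a truncated or stale paste before users are switched to SSO Only.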
Identity360 (identity provider) configuration steps
- Switch to the Identity360 configuration page.
- Enter the Relay State parameter, if necessary.
Note: Relay State is an optional parameter used with a SAML message to remember where you were or to direct you to a specific page after logging in.
- Click Save.
Integration Settings of SSO configuration for ExpenseIn.
- To learn how to assign users or groups to one or more applications, refer to this page.
Your users will now be able to sign in to ExpenseIn through the Identity360 portal.
Note: For ExpenseIn, both IdP- and SP-initiated flows are supported.
Steps to enable MFA for ExpenseIn
Setting up MFA for ExpenseIn using Identity360 involves the following steps:
- Set up one or more authenticators for identity verification when users attempt to log in to ExpenseIn. Identity360 supports various authenticators, including Google Authenticator, Zoho OneAuth, and email-based verification codes. Click here for steps to set up the different authenticators.
- Integrate ExpenseIn with Identity360 by configuring SSO using the steps listed here.
- Now, activate MFA for ExpenseIn by following the steps mentioned here.
How does MFA for applications work in Identity360?