AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Expensify

Introduction

This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Expensify using SAML.


Prerequisites

You'll need the following to set up SSO access to Expensify:

Setup instructions

  1. On the Configure page in the IAM Identity Center Console, in the Details section, fill in the Display name and the Description (optional) of the application.

Note

We suggest that you choose a unique display name if you plan to have more than one of the same application.

  2. In another tab, log in to your Expensify account as an administrator.

  3. In the left navigation pane, choose Admin, and then choose Domain Control.

  4. On the Domain Control page, choose your domain name under the DOMAIN column.

  5. In the left navigation pane, choose SAML.

  6. Set SAML Login to ENABLED.

  7. To deny password access for all users, enable Required for login. Otherwise, make sure that the option is disabled so that all users can sign in with either a password or SSO.

  8. Download the IAM Identity Center metadata.

  9. Copy and paste the contents of the downloaded IAM Identity Center metadata into Identity Provider MetaData.

  10. Referencing the documentation provided by Expensify, configure a user to use SSO in Expensify.

  11. Go back to the previous tab, and access the IAM Identity Center console page where you are configuring the application.

  12. Under Application metadata, choose "If you don't have a metadata file, you can manually type your metadata values" to display the application metadata settings.

  13. Insert these values:

Field                      Value
Application ACS URL        https://www.expensify.com/authentication/saml/loginCallback?domain=DOMAINNAME
Application SAML audience  https://www.expensify.com

Replace DOMAINNAME with the Expensify domain you selected on the Domain Control page.
  14. Choose Save Changes.

  15. Assign a user to the application in IAM Identity Center.
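The values entered in the steps above are easy to mistype, and the troubleshooting section below traces the most common Expensify SAML error to a wrong ACS URL. The following script is an added example, not part of this guide and not AWS or Expensify code: it derives the two Application metadata values for a given Expensify domain, checks an ACS URL against that expected form, and parses a downloaded IAM Identity Center metadata file to show which entity ID, sign-on URLs and signing certificate Expensify will receive. The metadata document embedded in the script is a constructed sample in the shape IAM Identity Center emits; the hostname, instance id and certificate text are placeholders.

```python
# Added example, not part of the AWS guide or of Expensify's own tooling:
# sanity-check the SAML values from the setup steps before saving them.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of a downloaded IAM Identity Center metadata file.
# The instance id and certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEINSTANCEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...PLACEHOLDER-CERTIFICATE...
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEINSTANCEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEINSTANCEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def expensify_sp_settings(domain: str) -> dict:
    """Return the two values the guide tells you to type under Application metadata."""
    return {
        "acs_url": f"https://www.expensify.com/authentication/saml/loginCallback?domain={domain}",
        "audience": "https://www.expensify.com",
    }


def check_acs_url(acs_url: str, domain: str) -> list:
    """Report every way an ACS URL deviates from the form Expensify expects.

    An empty list means the URL is exactly the one expensify_sp_settings() builds.
    """
    problems = []
    parts = urlsplit(acs_url)
    if parts.scheme != "https":
        problems.append("ACS URL must use https")
    if parts.netloc != "www.expensify.com":
        problems.append(f"unexpected host {parts.netloc!r}")
    if parts.path != "/authentication/saml/loginCallback":
        problems.append(f"unexpected path {parts.path!r}")
    got = parse_qs(parts.query).get("domain", [])
    if got != [domain]:
        problems.append(f"domain query parameter is {got!r}, expected [{domain!r}]")
    return problems


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what Expensify will read from the IAM Identity Center metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # Map the short binding name (HTTP-Redirect, HTTP-POST) to its endpoint URL.
    sso = {
        svc.get("Binding").rsplit(":", 1)[-1]: svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
    }
    # Only 'signing' certificates matter for verifying assertions at Expensify.
    certs = [
        cert.text.strip()
        for cert in idp.findall(
            "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
    ]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


if __name__ == "__main__":
    settings = expensify_sp_settings("example.com")  # example.com is a placeholder domain
    print("SP settings:", settings)
    print("ACS problems:", check_acs_url(settings["acs_url"], "example.com"))
    print("IdP metadata:", parse_idp_metadata(SAMPLE_IDP_METADATA))
```

Run `check_acs_url()` against the value actually saved in the IAM Identity Center console, with the real domain in place of example.com; a placeholder such as DOMAINNAME left in the URL is reported as a domain mismatch, which is the configuration error behind the first troubleshooting row.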

Verification

Use the following sections to verify the SSO integration.

Note

Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.

Verifying SSO from IAM Identity Center

  1. Access the AWS access portal using the credentials of a user assigned to the Expensify application.

  2. In the list of applications, choose Expensify to initiate a login to Expensify.

  3. If login was successful, you are signed in to the Expensify application.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps.

Verifying Service Provider Initiated SSO from Expensify

  1. Access Expensify.

  2. Choose SAML.

  3. Type the email address of a user who exists in Expensify, and choose Go.

  4. Type the credentials of a user who is assigned to the application in the IAM Identity Center console and who also exists in Expensify.

  5. Choose Sign In.

  6. On the Expensify home page, verify that both Expensify and IAM Identity Center are logged in with the same user.

Troubleshooting

If sign-in was not successful, see the troubleshooting steps.

Troubleshooting

Error: "Unknown error during the SAML authentication process 'SAML login is not available on your domain'"
Issue: The ACS URL of Expensify specified in IAM Identity Center is incorrect.
Solution: Make sure that the Expensify ACS URL is specified correctly in IAM Identity Center.

Error: "Unknown error during the SAML authentication process 'SAML login is not available on your domain'"
Issue: The SAML Login option is not enabled in Expensify.
Solution: Make sure that the SAML Login option is enabled in Expensify.

Error: The SSO login page is displayed when the user initiates password access after SSO is enabled.
Issue: The Required for login option is enabled.
Solution: Make sure that the Required for login option is disabled in Expensify to allow password access.

Error: Other
Issue: When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' and 'subject' fields (if they are present) from the connected directory to populate the 'Email' and 'Subject' attributes in the SAML assertion. Many service providers expect these attributes to contain the user's email address. By default, your directory is configured to send 'windowsUPN' in both fields.
Solution: Your directory may be configured to hold the user's email in the 'Email' attribute instead. If so, you may need to change this in your Connected directory settings.
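The "Other" row is the hardest to diagnose from the Expensify side, because the sign-in simply fails to match a user. The following script is an added example, not part of this guide and not AWS or Expensify code: it reads the Subject NameID, the 'Email' attribute and the audience out of a SAML response and compares them with the email address of the Expensify user, so an administrator can see whether the directory is sending a UPN where Expensify expects an email. The response embedded in the script is a constructed, unsigned sample; a real response carries a signature, and this parsing step only illustrates the attribute mapping, not assertion validation. The attribute name 'Email' follows the wording of the row above.

```python
# Added example, not part of the AWS guide or of Expensify's own tooling:
# show which identity values a SAML assertion carries and whether they match
# the Expensify user. Parsing only; no signature or validity checks are done here.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned sample in which the directory sent a UPN
# (jdoe@corp.example) in both Subject and Email, while the Expensify user
# is registered as jane.doe@example.com. All names are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-response" Version="2.0">
  <saml:Assertion ID="_constructed-assertion" Version="2.0">
    <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLEINSTANCEID</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>https://www.expensify.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email">
        <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def assertion_identity(xml_text: str) -> dict:
    """Return the Subject NameID, the 'Email' attribute and the audience of an assertion.

    Accepts either a bare saml:Assertion or a samlp:Response wrapping one.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS
    )
    email = ""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "Email":
            email = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return {"name_id": name_id.strip(), "email": email.strip(), "audience": audience.strip()}


def mapping_problems(identity: dict, expensify_email: str,
                     audience: str = "https://www.expensify.com") -> list:
    """List mismatches between what the assertion carries and what Expensify expects.

    Email comparison is case-insensitive; an empty list means the assertion
    identifies the Expensify user consistently in both fields.
    """
    problems = []
    expected = expensify_email.lower()
    if identity["name_id"].lower() != expected:
        problems.append(
            f"Subject NameID is {identity['name_id']!r}, not the Expensify email {expensify_email!r}; "
            "the directory may be sending the UPN in the 'subject' field"
        )
    if identity["email"].lower() != expected:
        problems.append(
            f"'Email' attribute is {identity['email']!r}, not {expensify_email!r}; "
            "check the 'email' attribute mapping in the connected directory settings"
        )
    if identity["audience"] != audience:
        problems.append(f"audience is {identity['audience']!r}, expected {audience!r}")
    return problems


if __name__ == "__main__":
    ident = assertion_identity(SAMPLE_RESPONSE)
    print("assertion carries:", ident)
    for line in mapping_problems(ident, "jane.doe@example.com"):
        print(" -", line)
```

Paste the decoded SAML response captured from a failing sign-in (for example, from the browser's developer tools) in place of the sample to see which of the two fields disagrees with the Expensify user record; the fix then belongs in the connected directory's attribute mapping, as the row above describes.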

For general troubleshooting problems, refer to the Troubleshooting Guide.

User Provisioning Types

There are two user provisioning types you need to be aware of: