Get familiar with SAML SSO login
The SAML-based protocol for Single Sign On authentication allows companies to streamline employee access to third-party applications such as Spendesk.
The SAML-SSO feature is an option that is not activated by default in your account. In order to know more about the conditions, please reach out to your dedicated Account Manager or the support team.
Customers on SAML SSO can now connect their third-party authentication services (i.e. Okta, Onelogin or Microsoft Azure AD) to Spendesk and streamline user account management.
You’ve set up SAML SSO with Spendesk but wish to stop using it?
Simply ask your account manager to deactivate the feature for you!
Set up access
Business terms and conditions
If interested, Spendesk Account Owners can directly reach out to their Spendesk account manager.
There are two options available, either:
Choose to set this feature as the only way for your employees to connect to Spendesk,
Let them choose how they wish to connect (this way or using another login method).
Technical conditions
Once you have reached out to your account manager on Spendesk, an initial data exchange will be necessary in order to set up the connection with your SSO authentication service.
Technical steps
You will need to create a new application in your authentication service’s admin interface for Spendesk.
Spendesk will give you the technical connection information in the format of an XML file, which you will have to input in the same interface.
You will then need to retrieve the connection information for this new application in the administration interface of your authentication service - often also in XML format - and send it to your account manager.
Your Spendesk account manager will finalize the set up and activate the feature on your account. Your employees will then be able to connect to Spendesk via your authentication service (see part 3 of this article).
Your employees will then be able to connect to Spendesk via your authentication service (see here).
Create a new application in your authentication service’s admin interface for Spendesk
When creating the Spendesk application on your authentication service, please fill in the following user attributes required by Spendesk:
NameID: choose the email address for the NameID format.
email: choose the email address as well
first_name: choose the first name
last_name: choose last name
If you cannot choose the exact name of each of these attributes, Spendesk will try to determine them automatically by identifying the following attributes in the server SAML response returned by your authentication service:
Email: email, Email, user.email, user.email, User.email, User.email, email, emailaddress, emailAddress, EmailAddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email, http://schemas.xmlsoap.org/claims/EmailAddress
FirstName: firstName, first_name, FirstName, user.firstName, user.first_name, user.FirstName, User.firstName, User.first_name, User.FirstName, givenname, given_name, GivenName, user.givenname, user.given_name, user.GivenName, User.givenname, User.given_name, User.GivenName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Name: lastName, last_name, LastName, LastName, user.lastName, user.last_name, user.LastName, User.lastName, User.last_name, User.LastName, surname, sur_name, SurName, user.surname, user.sur_name, user.SurName, User.surname, User.sur_name, User.SurName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
More information:
Each user must be invited to Spendesk beforehand to sign up and connect. However, it is always possible to generate a unique sign-up link to your organization, which you can send to new employees who have joined your company to register.
Each and every employee will have to share a commune email address for Spendesk and your authentication service, otherwise Spendesk will not be able to identify them.
Each user account should have an 'email address', a 'first name', and a 'last name' field filled on your identity provider's website to be able to log in.
Log in Spendesk using SAML SSO authentication
Once the feature activated by your account manager and the setup done by your Account Owner, the connection by SAML SSO will be offered among other login options (Google, Microsoft & other). Spendesk supports authentication via services such as Okta, OneLogin, Microsoft Azure AD, or any other SAML 2.0 compliant services.
On the login page,
Click on SAML SSO on the login page
Enter your personal SSO provider’s email address
Sign in after being redirected to your SSO provider's interface
What is supported in the SAML SSO feature on Spendesk?
What can I do / not do with SAML SSO enabled on Spendesk?
Supported options
Sign-in using a third-party identity provider (from the login page, choose the SAML SSO sign-in option).
Sign-up using a third-party identity provider (from invitation link, you can choose the SAML SSO sign-up option).
Either activate or enforce the SAML SSO sign-in (the latter makes it only possible to authenticate to Spendesk using the third-party SSO system)
Unsupported options
User auto-provisioning and auto-deprovisioning, e.g creating Spendesk accounts automatically when someone is invited on the identity provider — or when someone gets removed from the organisation. Similarly, roles and teams aren't synchronized with the identity providers (often called SCIM capability).
This is facilitated by being able to invite users by link in Spendesk (no need for SAML based auto-provisioning) and still being able to restrict access via the SAML provider ("soft" de-provisioning).
As of today, we only support one SSO system per organisation.
Learn more about auto-provisioning, using our HR tools.