Here's how to set up login via SAML SSO for your company using Okta or OneLogin. 💪
Set up Spendesk <> Okta SAML SSO
Spendesk is listed as an official partner connector in Okta’s marketplace of applications. This guide will help you get set up.
Prerequisites
SAML SSO is available automatically with certain billing plans, or as a paid add-on. Please ask your account/billing manager at Spendesk to activate SAML SSO for your organisation, and to provide you with your Organisation ID. This will be your Customer ID in your Okta application.
SAML is activated on a per-organisation basis, not a per-company basis, meaning your entire organisation will share the same integration, even if you have multiple companies.
Supported features
IdP-initiated SSO - connecting to Spendesk from your Okta homepage
SP-initiated SSO - connecting via Okta from the Spendesk login page
Big bang - when enabling SAML SSO, you have the option to enforce it, meaning that users in your organisation can only login via SAML, and not any other method, such as username/password
For more information on the listed features, visit the Okta Glossary.
⚠️ The Spendesk Okta integration does not support user provisioning (creating and deleting users on demand, Just-In-Time provisioning, or SCIM), so users will need to be invited to your organisation on Spendesk before they’ll be able to connect or sign-up via Okta.
Configuration steps
Step 1
Connect to your Okta admin account, go to Applications, then click on Browse App Catalog.
Search for Spendesk.
Click on Add Integration.
Give your application a name, and click Done.
Step 2
Go to the Sign On tab and click on the Edit button.
Scroll down to the Advanced Sign-on Settings section and, in the Customer ID input, fill in the Organisation ID that you received from your Spendesk account/billing manager.
Save your changes.
Step 3
Still on the Sign On tab, copy the Metadata URL and give it to your account/billing manager.
Your account/billing manager will finish activating SAML SSO for your organisation.
You can choose to enforce SAML for your organisation (Big bang). This means that users in your organisation can only login via SAML, and not any other method, such as username/password.
⚠️ Note that if you choose to enforce SAML login, Spendesk does not provide a backup sign-in URL where users can sign in with their regular username and password. If necessary, contact support (using our Chat) to disable this feature or turn off SAML.
Step 4
Your SAML configuration for Spendesk is complete. You can start assigning people to your application from the Assignments tab.
Spendesk requires the following 3 attributes for each user:
email(Username)firstNamelastName
SP-initiated SSO, or connecting via Spendesk
From your browser, navigate to the Spendesk login page. Click on the SAML SSO button.
Enter your email address.
You’ll be redirected to Okta, where you can sign in.
If your credentials are valid, you’ll be redirected to the Spendesk dashboard.
Set up Spendesk <> OneLogin SSO
Spendesk is listed as an official partner connector in OneLogin's marketplace of applications. You'll need an 'Organization ID' from your account/billing manager at Spendesk to complete this task.
Contact your account manager to ask for SAML SSO activation and for your Organization ID.
Connect as an Admin on OneLogin, go to 'Applications' and add Spendesk.
After creating the application using the Spendesk connector template, specify your Spendesk Organisation ID in the 'Spendesk Customer ID' field and hit 'Save'.
Ask your account manager to complete the SAML SSO setup process by communicating the XML metadata file to them. After they complete it, you can then proceed to test SAML SSO login using this link. If it's right for you, you can choose to enforce it for all users.