The SAML-SSO feature is a paid option that is not activated by default in your account. To learn more about its price and the conditions of activation, please reach out to your dedicated Account Manager or the support team.
SAML-SSO is included on Premium plans.
You’ve set up SAML SSO with Spendesk but wish to stop using it?
Simply ask your account manager to deactivate the feature for you!
What is SAML-based SSO?
The SAML-based protocol for Single Sign-On (SSO) authentication allows companies to streamline employee access to third-party applications such as Spendesk.
Customers on SAML SSO can connect their third-party authentication service (e.g. Okta, OneLogin or Microsoft Azure AD) to Spendesk and streamline user account management.
Activating access via SAML SSO
Business terms and conditions
If interested, Spendesk Account Owners can directly reach out to their Spendesk account manager or to the support team.
There are two options available:
- Set this feature as the only way for your employees to connect to Spendesk, or
- Let them choose how they wish to connect (e.g. via email and password).
Once you have reached out to your Spendesk account manager, an initial data exchange is necessary in order to set up the connection with your SSO authentication service.
This process will be done in 4 steps:
- You will need to create a new application in your authentication service’s admin interface for Spendesk.
- Spendesk will give you the technical connection information in the form of an XML file, which you will have to input in the same interface.
- You will then need to retrieve the connection information for this new application from the administration interface of your authentication service, often also in XML format, and send it to your account manager.
- Your Spendesk account manager will finalize the setup and activate the feature on your account. Your employees will then be able to connect to Spendesk via your authentication service (see part 3 of this article).
When creating the Spendesk application on your authentication service, please fill in the following user attributes required by Spendesk:
- NameID: choose the email address as the NameID format.
- email: the email address as well.
- first_name: the first name.
- last_name: the last name.
If you cannot use these exact attribute names, Spendesk will try to determine them automatically by looking for the following attribute names in the SAML response returned by your authentication service:
- Email: email, Email, user.email, User.email, emailaddress, emailAddress, EmailAddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email, http://schemas.xmlsoap.org/claims/EmailAddress
- FirstName: firstName, first_name, FirstName, user.firstName, user.first_name, user.FirstName, User.firstName, User.first_name, User.FirstName, givenname, given_name, GivenName, user.givenname, user.given_name, user.GivenName, User.givenname, User.given_name, User.GivenName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- LastName: lastName, last_name, LastName, user.lastName, user.last_name, user.LastName, User.lastName, User.last_name, User.LastName, surname, sur_name, SurName, user.surname, user.sur_name, user.SurName, User.surname, User.sur_name, User.SurName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Each user must be invited to Spendesk beforehand in order to sign up and connect. It is always possible to generate a unique sign-up link for your organization, which you can send to new employees who have joined your company so they can register.
- Each employee must use the same email address in Spendesk and in your authentication service. If the two addresses differ, Spendesk will not be able to identify them.
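As an added example (not Spendesk's own code), the following Python script parses a SAML Response and resolves the email, first name and last name the way the fallback lists above describe, trying each accepted attribute name in turn, so you can check an assertion exported from your identity provider before the feature is activated. The response shown is a constructed Azure AD-style sample and the accepted-name lists are shortened from the article's; the script does not validate the signature, so it is an inspection aid only.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Accepted attribute names, shortened from the article's fallback lists.
ACCEPTED = {
    "email": ["email", "Email", "user.email", "emailaddress", "EmailAddress",
              CLAIMS + "emailaddress", CLAIMS + "email"],
    "first_name": ["firstName", "first_name", "FirstName", "givenname",
                   "GivenName", CLAIMS + "givenname"],
    "last_name": ["lastName", "last_name", "LastName", "surname", "SurName",
                  CLAIMS + "surname"],
}

def parse_attributes(xml_text):
    """Return (NameID, {attribute name: first value}) from a SAML Response.
    No signature check here: use it only to inspect the attribute mapping."""
    root = ET.fromstring(xml_text)
    nameid = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = values[0] if values else None
    return nameid, attrs

def resolve_user(xml_text):
    """Map the assertion onto the fields Spendesk needs, trying each
    accepted name in turn; a field no accepted name provides is None."""
    nameid, attrs = parse_attributes(xml_text)
    user = {"name_id": nameid}
    for field, names in ACCEPTED.items():
        user[field] = next((attrs[n] for n in names if attrs.get(n)), None)
    return user

# Constructed sample: an Azure AD-style response using the claim URIs.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
 <saml:Assertion><saml:Subject>
  <saml:NameID>jane@example.com</saml:NameID>
 </saml:Subject><saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(resolve_user(SAMPLE))
```

A field that comes back as None means none of the accepted attribute names is present in the assertion, which is exactly the case where Spendesk cannot identify the user.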
Connecting to Spendesk with SAML SSO authentication
Once the feature has been activated by your account manager and configured by your Account Owner, SAML SSO will be offered among the other login options (Google, Microsoft and others). Spendesk supports authentication via services such as Okta, OneLogin, Microsoft Azure AD, or any other SAML 2.0 compliant service.
- Click on SAML SSO.
- Enter the email address you use with your SSO provider.
- Sign in after being redirected to your SSO provider's interface.
- That's it, you have signed in to Spendesk!
What is supported in this feature?
Supported in the SAML-SSO login feature
- Sign-in using a third-party identity provider (from the login page, choose the SAML SSO sign-in option).
- Sign-up using a third-party identity provider (from invitation link, you can choose the SAML SSO sign-up option).
- Either activate or enforce SAML SSO sign-in. Enforcing it makes the third-party SSO system the only way to authenticate to Spendesk.
Not supported in the SAML-SSO login feature
- User auto-provisioning and auto-deprovisioning, e.g. creating Spendesk accounts automatically when someone is invited on the identity provider, or removing them when someone gets removed from the organisation. Similarly, roles and teams aren't synchronized with the identity provider (the capability often called SCIM).
This is mitigated by being able to invite users by link in Spendesk (no need for SAML-based auto-provisioning) while still being able to restrict access via the SAML provider ("soft" de-provisioning).
In any case, auto-deprovisioning would not really help with Spendesk since, for example, subscription cards need to be reassigned to another person, which cannot be automated.
- As of today, we only support one SSO system per organisation.