What is a SAML-based SSO?
The SAML-based protocol for Single Sign-On authentication allows companies to streamline employee access to third-party applications such as Spendesk.
Customers on the Premium Plan can now connect their third-party authentication services (e.g. Okta, OneLogin or Microsoft Azure AD) to Spendesk and streamline user account management.
Activating access via SAML SSO
Business terms and conditions
As mentioned above, this feature is only available for companies on the Premium Plan.
If interested, Spendesk Account Owners can directly reach out to their Spendesk account manager or to the support team.
There are two options available, either:
- Choose to set this feature as the only way for your employees to connect to Spendesk;
- Let them choose how they wish to connect (via another method, such as email and password)
Once you have reached out to your account manager on Spendesk, an initial data exchange will be necessary in order to set up the connection with your SSO authentication service.
This process will be done in 4 steps:
- You will need to create a new application in your authentication service’s admin interface for Spendesk.
- Spendesk will give you the technical connection information in the format of an XML file, which you will have to input in the same interface.
- You will then need to retrieve the connection information for this new application in the administration interface of your authentication service - often also in XML format - and send it to your account manager.
- Your Spendesk account manager will finalize the setup and activate the feature on your account. Your employees will then be able to connect to Spendesk via your authentication service (see part 3 of this article).
When creating the Spendesk application on your authentication service, please fill in the following user attributes required by Spendesk:
- NameID: choose the email address for the NameID format.
- email: choose the email address as well
- first_name: choose the first name
- last_name: choose the last name
If you cannot choose the exact name of each of these attributes, Spendesk will try to determine them automatically by identifying the following attributes in the server SAML response returned by your authentication service:
- Email: email, Email, user.email, user.email, User.email, User.email, email, emailaddress, emailAddress, EmailAddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email, http://schemas.xmlsoap.org/claims/EmailAddress
- FirstName: firstName, first_name, FirstName, user.firstName, user.first_name, user.FirstName, User.firstName, User.first_name, User.FirstName, givenname, given_name, GivenName, user.givenname, user.given_name, user.GivenName, User.givenname, User.given_name, User.GivenName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Name: lastName, last_name, LastName, LastName, user.lastName, user.last_name, user.LastName, User.lastName, User.last_name, User.LastName, surname, sur_name, SurName, user.surname, user.sur_name, user.SurName, User.surname, User.sur_name, User.SurName, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Each user must be invited to Spendesk beforehand to sign up and connect. However, it is always possible to generate a unique sign-up link to your organization, which you can send to new employees who have joined your company to register.
- Each employee must have the same email address in Spendesk as in your authentication service. If the addresses differ, Spendesk will not be able to identify them.
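The following pre-flight check is an added example, not Spendesk's own code: it reads a test assertion exported from your authentication service and reports whether the NameID and the email, first_name and last_name attributes can be resolved from the fallback names listed above. The function name, the lookup order, the NameID/email comparison and the sample assertion are assumptions, and signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Subset of the fallback names listed above; the lookup order is an assumption.
FALLBACKS = {
    "email": ["email", "Email", "user.email", "emailaddress", CLAIMS + "emailaddress"],
    "first_name": ["first_name", "firstName", "givenname", CLAIMS + "givenname"],
    "last_name": ["last_name", "lastName", "surname", CLAIMS + "surname"],
}
# Constructed sample: email-format NameID, claim-URI attribute names, no surname.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ada@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="{c}emailaddress"><saml:AttributeValue>Ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{c}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>""".replace("{c}", CLAIMS)

def check_assertion(xml_text):
    """Return (resolved, problems) for an already signature-verified assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    resolved, problems = {}, []
    for field, names in FALLBACKS.items():
        hit = next((n for n in names if n in attrs), None)
        if hit is None:
            problems.append(f"missing {field}")
        else:
            resolved[field] = attrs[hit]
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not name_id.text:
        problems.append("missing NameID")
    else:
        if not name_id.get("Format", "").endswith(":emailAddress"):
            problems.append("NameID format is not emailAddress")
        # Assumption: NameID and the email attribute should carry the same address.
        if resolved.get("email", "").lower() != name_id.text.strip().lower():
            problems.append("NameID and email attribute differ")
    return resolved, problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE))
```

An empty problems list means the test assertion carries everything named above; any entry points at a mapping to correct in the authentication service before sending its connection information to your account manager.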
3. Connecting to Spendesk with SAML SSO authentication
Once the feature has been activated by your account manager and the configuration completed by your Account Owner, SAML SSO will be offered among the other login options (Google, Microsoft and others). Spendesk supports authentication via services such as Okta, OneLogin, Microsoft Azure AD, or any other SAML 2.0 compliant service.
- Click on SAML SSO
- Enter the email address you use with your SSO provider
- Sign in after being redirected to your SSO provider’s interface
- That’s it, you have signed in to Spendesk!
You’ve set up SAML SSO with Spendesk but wish to stop using it?
Simply ask your account manager to deactivate the feature for you!