Single Sign-On (SSO) allows users to access Certify through a centralized Identity Provider (IdP).
Certify supports IdP initiated SSO via SAML 2.0, meaning that users will not access Certify with Certify credentials. Instead, users will follow a link from their IdP portal or intranet, which will send a SAML 2.0 assertion to expense.certify.com/SAML2.aspx containing the user’s email address. The SAML 2.0 Assertion must contain an email address that is active in Certify for the user to be able to log in via SSO.
Please Note: Any provider that can send a SAML 2.0 assertion is supported, though the amount of technical help Certify can provide will be limited.
October 2022 Changes to Single Sign-On Requirements
In early October 2022, Certify’s application URL will change from https://www.certify.com to https://expense.certify.com. Prior to this switchover, any customer that is using Single Sign-On (SSO) must update their internal SSO configuration to ensure there is no disruption in service.
To update your internal SSO configuration, please download Certify’s updated metadata at https://expense.certify.com/saml2.aspx and ensure that your Single Sign-On is configured for expense.certify.com.
These changes must be made by October, but we recommend making this adjustment as soon as possible to avoid a disruption in service.
Please Note: No action or training will be required for end users with this change. The only noticeable difference will be that the Certify application URL will start with expense.certify.com.
Obtaining Certify's Metadata
To access Certify's metadata, click https://expense.certify.com/saml2.aspx. Clicking this link will trigger a download that contains Certify's metadata, including key information such as the Entity ID.
Configuring your SSO Settings in Certify
Step 1: On your Certify homepage, click Configuration. Then, click Configure Single Sign On.
Step 2: Choose between Standard authentication (users will log in with a Certify username and password) or Single Sign On (users will access Certify through your company’s Identity Provider).
Step 3: If you want to allow users access to Certify using both your IdP and using Certify credentials, select Allow Standard Login.
Step 4: Enter the following URLs and create a Certify Mobile company code, if applicable. The Certify Mobile Login URL and Certify Mobile Company Code are required if you intend to use SSO through the Certify Mobile app. The Logout Redirect URL and Email Login URL are optional, but will improve the user experience.
The Certify Mobile Login URL is required for SSO through the mobile app and is where the user is directed after entering your company’s Certify Mobile Company Code. This URL must be public facing and accessible to your users outside of your company’s intranet. The page should accept the user's IdP credentials and initiate a SAML 2.0 request to https://expense.certify.com/saml2.aspx
Create a Certify Mobile Company Code if you intend to utilize SSO through the mobile app. Users will be required to enter this code during initial log in on the mobile app. The company code must be between 3 and 14 alphanumeric characters and should be easy for your users to remember. Certify recommends a shortened version of your company name or a company acronym.
Please Note: The Certify Mobile Company Code is not case sensitive.
The Email Login URL will replace “expense.certify.com/login.aspx” at the bottom of Certify’s automated email notifications. This ensures that users accessing Certify through the email notifications are sent to your IdP to authenticate, instead of being sent to the standard Certify login screen.
The Logout Redirect URL will dictate where a user is redirected when they click “Logout” in the Certify application. This is typically your IdP’s homepage, but could be any URL you wish to direct users to on logout. If this field is left blank, users will be directed to expense.certify.com/login.aspx when they log out of the Certify application.
Step 5: Paste your company’s x509 Certificate in the text box provided.
Certify will automatically extract the certificate’s thumbprint, and will be used to validate the assertion when users attempt to access Certify through your IdP. Users attempting to log in with a thumbprint not listed on this page will not be granted access to Certify.
When your certificate expires, feel free to delete the expired thumbprint by clicking on the trashcan icon. It is acceptable to have multiple thumbprints active concurrently.
Step 6: Click Save at the bottom of the screen to save all changes made to the page.
Please refer to our Help Center article Configuring a Custom Welcome Email for more information on creating and maintaining a custom welcome email.