Configuring Single Sign-On

Single Sign-On (SSO) allows users to access Emburse Professional through a centralized Identity Provider (IdP). 

Emburse Professional supports IdP-initiated SSO via SAML 2.0, meaning that users will not access Emburse Professional with Emburse Professional credentials. Instead, users will follow a link from their IdP portal or intranet, which will send a SAML 2.0 assertion to expense.certify.com/SAML2.aspx containing the user’s email address. The SAML 2.0 assertion must contain an email address that is active in Emburse Professional for the user to be able to log in via SSO.

Any provider that can send a SAML 2.0 assertion is supported, though the amount of technical help Emburse Professional can provide will be limited.

Obtaining Emburse Professional's Metadata

To access Emburse Professional's metadata, click https://expense.certify.com/saml2.aspx. Clicking this link will trigger a download that contains Emburse Professional's metadata, including key information such as the Entity ID.

Configuring your SSO Settings in Emburse Professional

1. On your Emburse Professional homepage, click Configuration. Then, click Configure Single Sign On.


2. Choose between Standard authentication (users will log in with an Emburse Professional username and password) or Single Sign On (users will access Emburse Professional through your company’s Identity Provider).


3. If you want to allow users access to Emburse Professional using both your IdP and Emburse Professional credentials, select Allow Standard Login.


4. Enter the following URLs and create an Emburse Professional Mobile company code, if applicable. The Emburse Professional Mobile Login URL and Emburse Professional Mobile Company Code are required if you intend to use SSO through the Emburse Professional Mobile app. The Logout Redirect URL and Email Login URL are optional, but will improve the user experience.


  • The Emburse Professional Mobile Login URL is required for SSO through the mobile app and is where the user is directed after entering your company’s Emburse Professional Mobile Company Code. This URL must be public facing and accessible to your users outside of your company’s intranet. The page should accept the user's IdP credentials and initiate a SAML 2.0 request to https://expense.certify.com/saml2.aspx.
  • Create an Emburse Professional Mobile Company Code if you intend to use SSO through the mobile app. Users will be required to enter this code during initial login on the mobile app. The company code must be between 3 and 14 alphanumeric characters and should be easy for your users to remember. Emburse Professional recommends a shortened version of your company name or a company acronym.
    The Emburse Professional Mobile Company Code is not case sensitive.
  • The Email Login URL will replace “expense.certify.com/login.aspx” at the bottom of Emburse Professional’s automated email notifications. This ensures that users accessing Emburse Professional through the email notifications are sent to your IdP to authenticate, instead of being sent to the standard Emburse Professional login screen.
  • The Logout Redirect URL will dictate where a user is redirected when they click “Logout” in the Emburse Professional application. This is typically your IdP’s homepage, but could be any URL you wish to direct users to on logout. If this field is left blank, users will be directed to expense.certify.com/login.aspx when they log out of the Emburse Professional application.

5. Paste your company’s x509 Certificate in the text box provided.


Emburse Professional will automatically extract the certificate’s thumbprint, which will be used to validate the assertion when users attempt to access Emburse Professional through your IdP. Users attempting to log in with a thumbprint not listed on this page will not be granted access to Emburse Professional.

When your certificate expires, feel free to delete the expired thumbprint by clicking on the trashcan icon. It is acceptable to have multiple thumbprints active concurrently.

6. Click Save at the bottom of the screen to save all changes made to the page.
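The thumbprint matching described in step 5 can be checked on the IdP side before rollout or certificate rotation. The following is an added example, not Emburse code: it reads a SAML Response your IdP produced, computes the thumbprint of the embedded signing certificate, and reports whether it is among the thumbprints you registered. It assumes the thumbprint is a hash of the DER-encoded certificate (the page does not state which digest is shown, so SHA-1 and SHA-256 are both computed) and that the Response's Destination should name the endpoint above; all function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ACS_URL = "https://expense.certify.com/saml2.aspx"  # endpoint named on this page

def normalize(thumbprint):
    """Drop separators and case so 'ab:cd', 'AB CD' and 'abcd' compare equal."""
    return "".join(c for c in thumbprint if c.isalnum()).upper()

def thumbprints(cert_text):
    """Hash the DER bytes of a base64 certificate body (PEM armor optional)."""
    body = "".join(l for l in cert_text.splitlines() if "-----" not in l)
    der = base64.b64decode("".join(body.split()))
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}

def preflight(response_xml, registered):
    """List problems in an IdP-generated SAML Response. This is a configuration
    check only; it does not verify the XML signature."""
    problems = []
    root = ET.fromstring(response_xml)
    dest = root.get("Destination", "")
    if dest.lower() != ACS_URL.lower():  # assumption: Destination names the endpoint
        problems.append(f"Destination is {dest!r}, expected {ACS_URL}")
    cert = root.find(f".//{DS}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        return problems + ["no ds:X509Certificate in the response"]
    allowed = {normalize(t) for t in registered}
    if not allowed & set(thumbprints(cert.text).values()):
        problems.append("signing certificate thumbprint is not registered")
    return problems

# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{ACS_URL}">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    current = thumbprints(SAMPLE_CERT_B64)["sha1"]
    print(preflight(SAMPLE_RESPONSE, [current]))    # thumbprint registered
    print(preflight(SAMPLE_RESPONSE, ["00" * 20]))  # thumbprint never added or deleted
```

During a certificate rotation, pass both the outgoing and incoming thumbprints as `registered`; an empty result means the response's certificate matches one of them.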


Please refer to our Help Center article Configuring a Custom Welcome Email for more information on creating and maintaining a custom welcome email.