Single Sign-On (SSO) allows users to access Emburse Professional through their organization's Identity Provider (IdP), such as Okta, OneLogin, and others.
Emburse Professional supports IdP-initiated SSO via SAML 2.0, meaning that users do not access Emburse Professional with Emburse Professional credentials. Instead, users follow a link from their IdP portal or intranet, which sends a SAML 2.0 assertion containing the user’s email address to pro.emburse.app/SAML2.aspx. The SAML 2.0 assertion must contain an email address that is active in Emburse Professional for the user to be able to log in via SSO.
Obtaining Emburse Professional's Metadata
Emburse Professional's metadata can be obtained from https://pro.emburse.app/saml2.aspx. Clicking this link will trigger a download that contains Emburse Professional's metadata, including key information such as the Entity ID.
Configuring your SSO Settings in Emburse Professional
1. On your Emburse Professional homepage, click Configuration. Then, click Configure Single Sign On.
2. Choose between Standard authentication (users will log in with an Emburse Professional username and password) or Single Sign On (users will access Emburse Professional through your company’s Identity Provider).
3. If you want to allow users access to Emburse Professional using both your IdP and Emburse Professional credentials, select Allow Standard Login.
4. Enter a Mobile App Login URL, an Email Notification Login URL, and a Logout Redirect URL.
- The Mobile App Login URL is required for SSO through the mobile app and is where the user will be redirected when authenticating into the mobile app. This URL must be public-facing and accessible to your users outside of your company’s intranet. The page should accept the user's IdP credentials and initiate a SAML 2.0 request to https://pro.emburse.app/login.aspx.
- The Email Notification Login URL will replace “pro.emburse.app/login.aspx” in Emburse Professional’s automated email notifications. This ensures that users accessing Emburse Professional through the email notifications are sent to your IdP to authenticate, instead of being sent to the standard Emburse Professional login screen.
- The Logout Redirect URL will determine where a user is redirected when they click “Logout” in the Emburse Professional application. This is typically your IdP’s homepage, but could be any URL you wish to direct users to on logout. If this field is left blank, users will be directed to pro.emburse.app/login.aspx when they log out of the Emburse Professional application.
5. Paste your company’s x509 Certificate in the text box provided.
Emburse Professional will automatically extract the certificate’s thumbprint, which will be used to validate the assertion when users attempt to access Emburse Professional through your IdP. Users attempting to log in with an assertion whose certificate thumbprint is not listed on this page will not be granted access to Emburse Professional.
When your certificate expires, feel free to delete the expired thumbprint by clicking on the trashcan icon. Multiple thumbprints are allowed to be active concurrently.
6. Click Save at the bottom of the screen when complete.
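The thumbprint check from step 5, as an added example that is not Emburse's code: it computes a pasted certificate's thumbprint locally so you can compare it with the thumbprints listed on the configuration page, for instance to identify which one to delete after a rotation. It assumes the thumbprint is the hex digest of the DER-encoded certificate (SHA-1 is the common convention; this page does not name the algorithm, so SHA-256 is computed too); the function names and sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample: a tiny ASN.1 SEQUENCE standing in for a certificate's DER bytes.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\r\n-----END CERTIFICATE-----\r\n")


def pem_to_der(pasted):
    """DER bytes of the first certificate in pasted text (PEM block or bare base64)."""
    match = PEM_BLOCK.search(pasted)
    body = re.sub(r"\s+", "", match.group(1) if match else pasted)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not look like a DER certificate")
    return der


def thumbprints(pasted):
    """Uppercase hex digests of the DER certificate, keyed by hash name."""
    der = pem_to_der(pasted)
    return {"sha1": hashlib.sha1(der).hexdigest().upper(),
            "sha256": hashlib.sha256(der).hexdigest().upper()}


def normalize(thumbprint):
    """Drop colons, spaces and invisible copy-paste characters, then uppercase."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()


def matching_thumbprints(pasted_cert, listed):
    """Return the listed thumbprints that belong to this certificate."""
    own = set(thumbprints(pasted_cert).values())
    return [t for t in listed if normalize(t) in own]


if __name__ == "__main__":
    for name, value in thumbprints(SAMPLE_PEM).items():
        print(name, value)
```

Pass the certificate text exported from your IdP to `matching_thumbprints` together with the thumbprints shown on the configuration page; an empty result means none of the listed thumbprints belongs to that certificate.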
Please refer to our Help Center article Configuring a Custom Welcome Email for more information on creating and maintaining a custom welcome email.