How to Configure SAML/SSO for Emburse Spend

If your company uses an Identity Provider like OneLogin, Okta, or JumpCloud, you may want to configure Single Sign On (SSO) via SAML for Emburse Spend. Configuring your Emburse Spend account to use SSO for authentication means that every member of your team will need to log in via your chosen Identity Provider to access Emburse Spend. 

Emburse Spend currently supports Identity Provider (IdP)-initiated SSO only. Service Provider (SP)-initiated login is not supported.

Users must launch Spend from their SSO provider's portal (e.g., Microsoft Entra, Okta, or OneLogin). Attempting to log in from spend.emburse.com or the mobile app without an IdP-initiated session will result in an error.

Emburse Spend's own two-factor authentication (2FA) cannot be combined with SSO. Disable 2FA at both the organization and user level before you enable SSO; once SSO is active, the Emburse Spend 2FA setting is turned off automatically and no longer applies.

Any second factor must instead be enforced by your Identity Provider. Because the Identity Provider becomes the only gate on Emburse Spend access, make sure it requires MFA for the Emburse Spend application before you cut over.

Configure Your Identity Provider

  1. Log in as an Administrator.
  2. Click on Company Settings > Authentication.
  3. Enter your Sign-in page URL. This is the SSO (login) URL from your Identity Provider. Emburse Spend uses it for IdP-initiated login only; entering it does not enable SP-initiated login from the Emburse Spend login page.
  4. Enter your Identity Provider Issuer, the unique identifier (usually a URL or URN) that your Identity Provider publishes in its metadata. It must match the Issuer your Identity Provider places in its SAML assertions exactly, including scheme and any trailing slash.
  5. Enter your X.509 Certificate. This is your Identity Provider's public signing certificate (PEM/base64 encoded); Emburse Spend uses it to verify the signature on incoming SAML assertions. If you rotate the signing certificate at your Identity Provider, update it here as well, or logins will fail.


Your Identity Provider will have further details on how to get set up on their end. Here are some resources:

  • Okta
  • OneLogin
  • JumpCloud
  • Microsoft Entra (formerly Azure AD): Entra's default enterprise-application sign-in links use an SP-initiated flow, which Emburse Spend does not support. Users must launch Emburse Spend from the Entra dashboard (My Apps portal) or another IdP-initiated link, not from the Emburse Spend login page.

If your Identity Provider asks for an ACS URL, an Entity ID and an Audience (sometimes labelled Audience URI or Audience Key), use the following values. The Audience is the same value as the Entity ID:

  • ACS URL: https://users.api.emburse.services/v1/saml/assertion?connection=spend-prod-[insert Company ID here*]

  • Entity ID (and Audience): urn:auth0:emburse-prod:spend-prod-[insert Company ID here*]

*The Company ID is the value at the end of the URL when you open the Company Settings screen.

Once SSO is enabled, this will be the exclusive way you and your team will be able to log in to your Emburse Spend accounts. Any attempts to use a username and password to log in to this Emburse Spend account will return an error.

Invite Your Team

Before adding a team member in Emburse Spend, first make sure you have added the employee to your Identity Provider. Then, you can invite the appropriate people using the Invite button on your Emburse Spend People screen.

Your employees will be directed through your Identity Provider; once they log in there, they will be redirected to your Emburse Spend account.

How SSO Works for the Mobile App

In order to access Emburse Spend using SSO on the mobile app, users must first download the Emburse Spend mobile app from the App Store on iOS devices or the Google Play Store on Android devices.

Once they have downloaded the app, they must log in through your Identity Provider (for example OneLogin, Microsoft Entra, or Google) the first time. To do so, they sign in to the Identity Provider through its mobile app or its website on the phone, then open Emburse Spend from the Identity Provider's app list.

Use SAML-Based SSO Within a Multi-Subsidiary Organization

If you use the Connected Orgs feature of Emburse Spend, SSO works as well: team members will see their different organizations in their account and will be prompted to authenticate through the Identity Provider for the appropriate ones.

Deactivate Users When Using SSO

When offboarding a team member, deactivate them in Emburse Spend and disable them in your Identity Provider. Disabling the Identity Provider account alone blocks new SSO logins but does not deactivate the Emburse Spend user; deactivating in Emburse Spend ensures their existing access from the mobile apps, as well as the web, is removed. Do both, starting with the Identity Provider so that no new session can be started in between.

Common Errors and Troubleshooting Tips

 "Error AADSTS750054 - SAMLRequest or SAMLResponse must be present…" 
This is a Microsoft Entra error raised when a user reaches the Entra SAML sign-in endpoint without a SAML message, which is what happens on an unsupported SP-initiated attempt (for example, a bookmark to spend.emburse.com). Have users launch Emburse Spend from the SSO portal rather than the Emburse Spend login page, and do not test with direct login at spend.emburse.com unless instructed to by Support.
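As an added illustration (not Emburse's or Auth0's code), the Python script below shows what the values entered under Company Settings > Authentication and at the Identity Provider actually govern when an IdP-initiated SAML Response is posted to the ACS URL: Destination must be the ACS URL, Issuer must match the Identity Provider Issuer, Audience must equal the Entity ID, the assertion must be inside its validity window, and the signing certificate must be the configured X.509 Certificate. It also flags an InResponseTo attribute, which marks the SP-initiated flow behind the AADSTS750054 error. The Company ID, Issuer and certificate are hypothetical placeholders, and the response is constructed, unsigned sample data; the script compares field values only and does not verify the XML signature.

```python
# Added example (not Emburse code): the checks an SP makes on an IdP-initiated
# SAML Response against the values configured under Company Settings > Authentication.
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical values for the demo: Company ID, IdP Issuer and a placeholder certificate.
COMPANY_ID = "12345"
IDP_ISSUER = "https://idp.example.com/saml/metadata"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBconstructedPlaceholderNotARealCert==\n-----END CERTIFICATE-----"
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def sp_settings(company_id):
    """Service-provider values the article tells you to enter at the IdP."""
    conn = f"spend-prod-{company_id}"
    return {
        "acs_url": f"https://users.api.emburse.services/v1/saml/assertion?connection={conn}",
        "entity_id": f"urn:auth0:emburse-prod:{conn}",  # also the Audience
    }


def normalize_cert(cert):
    """Drop PEM armour and whitespace so certificates compare by content."""
    return "".join(re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert).split())


def _ts(value):
    """Parse a SAML xs:dateTime such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(response_b64, company_id, idp_issuer, idp_cert, now):
    """Return the list of mismatches (empty = every configured value lines up).
    Does NOT verify the XML signature; a real SP must do that with the configured
    certificate (e.g. python3-saml/xmlsec). This only shows which field each setting governs."""
    sp = sp_settings(company_id)
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a samlp:Response"]
    # An IdP-initiated response is unsolicited; InResponseTo means the IdP answered an
    # AuthnRequest, i.e. an SP-initiated flow, which Emburse Spend does not support.
    if root.get("InResponseTo"):
        problems.append("InResponseTo present: SP-initiated flow, not supported")
    if root.get("Destination") != sp["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_issuer:
        problems.append(f"Issuer {issuer!r} != configured Identity Provider Issuer")
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS).strip()
    if audience != sp["entity_id"]:
        problems.append(f"Audience {audience!r} != Entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    embedded = assertion.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if normalize_cert(embedded) != normalize_cert(idp_cert):
        problems.append("signing certificate in response != configured X.509 Certificate")
    return problems


def build_sample_response(company_id, issuer, cert, now, in_response_to=None, audience=None):
    """Constructed, UNSIGNED sample Response (base64, as posted to the ACS URL); not a real capture."""
    sp = sp_settings(company_id)
    audience = audience or sp["entity_id"]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    nb, noa = (now - timedelta(minutes=1)).strftime(fmt), (now + timedelta(minutes=5)).strftime(fmt)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" Destination="{sp['acs_url']}"{irt}>
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{normalize_cert(cert)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def demo():
    """A good response, an SP-initiated one, one for another company's Entity ID, and an expired one."""
    args = (COMPANY_ID, IDP_ISSUER, SAMPLE_CERT)
    good = build_sample_response(*args, NOW)
    sp_initiated = build_sample_response(*args, NOW, in_response_to="_req1")
    other_company = build_sample_response(*args, NOW, audience=sp_settings("99999")["entity_id"])

    def check(response, now=NOW):
        return check_saml_response(response, COMPANY_ID, IDP_ISSUER, SAMPLE_CERT, now)

    return check(good), check(sp_initiated), check(other_company), check(good, NOW + timedelta(minutes=10))


if __name__ == "__main__":
    for label, result in zip(("good", "sp-initiated", "wrong audience", "expired"), demo()):
        print(f"{label}: {result or 'OK'}")
```

To troubleshoot a real login, copy the base64 SAMLResponse form field from the browser's network tab on the POST to the ACS URL and pass it to check_saml_response with your Company ID, Issuer and certificate; a non-empty result tells you which configured value disagrees with what the Identity Provider is actually sending.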

 
