Configuring Single Sign-on via SAML with Emburse Spend
Important: Emburse Spend currently only supports SAML-based single-sign-on providers.
Configuring your Identity Provider
If your company uses an Identity Provider like OneLogin, Okta, JumpCloud, or others, you may want to configure SAML on Emburse Spend.
Configuring your Emburse Spend account to use SSO for authentication means that every member of your team will need to log in via your chosen Identity Provider to access Emburse Spend. In order to configure SSO in your Emburse Spend account:
- Log in as an Administrator
- Head to the Authentication tab in Settings
- Enter your Sign-in page URL, provided by your identity provider
- Enter your Identity Provider Issuer, a unique name (usually a URL) that your identity provider typically provides
- Enter your X.509 Certificate
Your Identity Provider will have further details on how to get set up on their end. Here are some resources:
If your Identity Provider asks for an ACS URL or an Entity ID in the platform, you will need the following information:
- ACS URL: https://www.spend.emburse.com/login/saml/assertion
- Entity ID: https://www.spend.emburse.com/home?company_id=company ID*
*Reach out to your implementation manager for your company ID number
Congrats! Now your company is configured for SSO.
Note: Once SSO is enabled, this will be the exclusive way you and your team will be able to log in to your Emburse Spend accounts. Any attempts to use a username and password to log in to this Emburse Spend account will return an error.
Invite Your Team
- Before adding a team member in Emburse Spend, first make sure you have added the employee to your Identity Provider
- Next, invite the appropriate people via the Invite button on your Emburse Spend People Page
Your employees will be directed through your Identity Provider, and then once they log in there, they will be redirected to your Emburse Spend account.
Using SAML-based SSO within a Multi-Subsidiary Organization
Do you use the ‘Connected Orgs’ feature of Emburse Spend? If so, no problem! Your team will have different organizations in their account, and they will be prompted to authenticate the appropriate ones.
Logging in on your iPhone or Android
Logging in works the same way on iPhone or Android as it does on the web. We recommend that you use the mobile app for the Identity Provider you use. If you or your team belongs to multiple subsidiaries, they will have to select the appropriate organization from their phone:
When deactivating a user, you will need to deactivate them in Emburse Spend, in addition to disabling them in your Identity Provider. This ensures that their access to the mobile apps, as well as the web, will be deactivated.