Are you receiving SNAP/EBT benefits? The Expensify.org/SNAP-VAX campaign is live and accepting new members. Learn more about receiving $50 for submitting a SNAP receipt and $50 for getting your COVID-19 vaccine here and join today!
Enforce SSO to use SAML only, prevent use of secondary accounts for domains
One reason we leverage SSO is pass off authentication and MFA to our IDP, Google. By doing so, users logging into Expensify will be subject to the Google password and account policies.
If we don't have an ability to restrict the ability for user accounts within our company's domain to create a secondary account, this creates a large security gap. Would love to see the ability to restrict the based on domains/groups.
Comments
-
While it's not possible to restrict users from creating secondary logins, you can fully lock down their ability to use them for login purposes. The true benefit of a secondary login comes from the ability to forward receipts from that email and have them import into their Expensify account. This simply makes it easier for employees to stay on top of their expenses by giving them multiple options for upload.
If you use a combination of enforcing SAML login and restricting primary login selection, you can allow employees the benefit of receipt upload and force them to use their SAML login credentials to access Expensify.
Domain Settings to enforce SAML login:
Don't forget to vote for your own idea in your original post above!
-
Thanks for the tip! In our case, all receipts would need to come from a corporate email account, not a secondary personal email account. In this case, a secondary login wouldn't be necessary, right?
-
@beer correct, they'd be unnecessary in that case. You could make this topic a part of your employee onboarding instructions. Education driven compliance is always a great way to keep everyone on the same page.
-
Awesome. How do I submit a feature request for this to get the attention of the product managers?
-
@beer, you can submit a request in the Community by posting in the Ideas category. This post will give other customers a chance to vote for the feature. Since this thread is already in the Ideas category and waiting for votes, you're all set.
If you scroll to the top of this thread, you'll see the option to vote for your own idea, which I highly encourage you to do.
-
Thank you! Just voted.
