
How-to: Enable deactivating users with Okta

Mark Louis (Expensify Team)
edited April 19 in How-to Docs

Companies with Okta can now deactivate users in Expensify using the Okta SCIM API. This means that when a user is deactivated in Okta, their access to Expensify will expire and they will be logged out of both the web and mobile apps.

Requirements:

  • Verified domain (should match users' email domain)
  • SAML is enabled and required

Included in the integration:

  • Deactivate Users in Expensify
  • Export Users (from Expensify to Okta)
  • Grant "enable access to Expensify" in Okta, which allows a user to create their Expensify account (with the default Domain Group settings) by signing in via Okta

Not in the integration:

  • Provision Users in Expensify
  • Update User Attributes in Expensify
  • Group Push from Okta to Expensify
  • Import Groups from Expensify to Okta
  • Sync Password

To enable deactivating users in Okta, follow these steps:

  1. In Expensify, head to Settings > Domains > [Domain Name] > SAML.
  2. Ensure that the toggle is set to Enabled for both “SAML Login” and “Required for login”.
  3. In Okta, go to Admin > Applications > Add Application.
  4. Search for Expensify and click on Add.
  5. On the next screen, enter your company domain (e.g. yourcompany.com).
  6. In the tab Sign-On Options, click “Next” (leaving default settings).
  7. In the tab Assign to People, click “Next” and then click Done.
  8. Next, in Okta, go to Admin > Applications > Expensify > Sign On > View Setup Instructions and follow the steps listed.
  9. Then, go to Directory > Profile Editor > Okta user > Profile.
  10. Click the information bubble to the right of the "First name" and "Last name" attributes. 
  11. Uncheck "Yes" under "Attribute required" field and press "Save Attribute".
  12. Email [email protected] providing your domain and request that Okta SCIM be enabled. You will receive a response when this has been actioned.
  13. In Expensify, go to Domains > [Domain Name] > SAML > Show Token and copy the Okta SCIM Token you received.
  14. In Okta, go to Admin > Applications > Expensify > Provisioning > API Integration > Configure API Integration.
  15. Select Enable API Integration, paste the Okta SCIM Token in API Token field and then click Save.
  16. Go to To App, click Edit Provisioning Users, select Enable Deactivate Users and then Save. (You may also need to set up the Expensify Attribute Mappings if you have not already done so in steps 9-11.)

Successful activation of this function will be indicated by the green "Push User Deactivation is enabled" icon at the top of the app page.

Note: If importing users from Expensify to Okta, ensure Okta UserName Format is set on the To Okta page.
