How-to: Enable deactivating users with Okta

Mark Louis

Companies with Okta can deactivate users in Expensify using the Okta SCIM API. This means that when a user is deactivated in Okta their access to Expensify will expire and they will be logged out of both the web and mobile apps.

Note: Deactivating a user through Okta will not close their account in Expensify, if you are offboarding this employee, you will still want to close the account in the domain following the steps in this support article.

Requirements:

• Verified domain (should match users' email domain)
• SAML is enabled and required

Included in the integration:

• Deactivate Users in Expensify
• Export Users (from Expensify to Okta)

Not in the integration:

• Provision Users in Expensify
• Update User Attributes in Expensify
• Group Push from Okta to Expensify
• Import Groups from Expensify to Okta
• Sync Password

To enable deactivating users in Okta, follow these steps:

1. In Expensify, head to Settings > Domains > [Domain Name] > SAML.
2. Ensure that the toggle is set to Enabled for “SAML Login” and “Required for login”
3. In Okta, go to Admin > Applications > Add Application.
4. Search for Expensify and click on Add.
5. On the next screen, enter your company domain (e.g. yourcompany.com).
6. In the tab Sign-On Options, click “Next” (leaving default settings).
7. In the tab Assign to People, click “Next” and then click Done.
8. Next, in Okta, go to Admin > Applications > Expensify > Sign On > View Setup Instructions and follow the steps listed.
9. Then, go to Directory > Profile Editor > Okta user > Profile.
10. Click the information bubble to the right of the "First name" and "Last name" attributes. 
11. Uncheck "Yes" under "Attribute required" field and press "Save Attribute".
12. Email concierge@expensify.com providing your domain and request that Okta SCIM be enabled. You will receive a response when this has been actioned.
13. In Expensify, go to Domains > [Domain Name] > SAML > Show Token and copy the Okta SCIM Token you received.
14. In Okta, go to Admin > Applications > Expensify > Provisioning > API Integration >  Configure API Integration.
15. Select Enable API Integration, paste the Okta SCIM Token in API Token field and then click Save.
16. Go to To App, click Edit Provisioning Users, select Enable Deactivate Users and then Save. (You may also need to set up the Expensify Attribute Mappings if you have not previously in steps 9-11).

Successful activation of this function will be indicated by the green Push User Deactivation is enabled icon at the top of the app page:

Note: If importing users from Expensify to Okta, ensure Okta UserName Format is set on the To Okta page.

Related articles:

• How-to: Enable SSO
• FAQ: Okta shows Expensify listed, but I can't log in!