How-to: Enable deactivating users with Okta
Companies with Okta can now deactivate users in Expensify using the Okta SCIM API. This means that when a user is deactivated in Okta their access to Expensify will expire and they will be logged out of both the web and mobile apps.
- Verified domain (should match users' email domain)
- SAML is enabled and required
Included in the integration:
- Deactivate Users in Expensify
- Export Users (from Expensify to Okta)
- Grant "enable access to Expensify" in Okta which will allow a user to create their Expensify account (with the default Domain Group settings) by signing in (via Okta)
Not in the integration:
- Provision Users in Expensify
- Update User Attributes in Expensify
- Group Push from Okta to Expensify
- Import Groups from Expensify to Okta
- Sync Password
To enable deactivating users in Okta, follow these steps:
- In Expensify, head to Settings > Domains > [Domain Name] > SAML.
- Ensure that the toggle is set to Enabled for “SAML Login” and “Required for login”
- In Okta, go to Admin > Applications > Add Application.
- Search for Expensify and click on Add.
- On the next screen, enter your company domain (e.g. yourcompany.com).
- In the tab Sign-On Options, click “Next” (leaving default settings).
- In the tab Assign to People, click “Next” and then click Done.
- Next, in Okta, go to Admin > Applications > Expensify > Sign On > View Setup Instructions and follow the steps listed.
- Then, go to Directory > Profile Editor > Okta user > Profile.
- Click the information bubble to the right of the "First name" and "Last name" attributes.
- Uncheck "Yes" under "Attribute required" field and press "Save Attribute".
- Email [email protected] providing your domain and request that Okta SCIM be enabled. You will receive a response when this has been actioned.
- In Expensify, go to Domains > [Domain Name] > SAML > Show Token and copy the Okta SCIM Token you received.
- In Okta, go to Admin > Applications > Expensify > Provisioning > API Integration > Configure API Integration.
- Select Enable API Integration, paste the Okta SCIM Token in API Token field and then click Save.
- Go to To App, click Edit Provisioning Users, select Enable Deactivate Users and then Save. (You may also need to set up the Expensify Attribute Mappings if you have not previously in steps 9-11).
Successful activation of this function will be indicated by the green Push User Deactivation is enabled icon at the top of the app page:
Note: If importing users from Expensify to Okta, ensure Okta UserName Format is set on the To Okta page.