Transaction import from Wells Fargo paused. Please visit our status page for more details and to subscribe to updates.

How-to: Enable deactivating users with Okta

Mark LouisMark Louis Expensify Team Posts: 117 Expensify Team
edited August 18 in How-to Docs

Companies with Okta can now deactivate users in Expensify using the Okta SCIM API.  This means that when a user is deactivated in Okta their access to Expensify will expire and they will be logged out of both the web and mobile apps.

Requirements:

  • Verified domain
  • SAML is enabled and required

Included in the integration:

  • Deactivate Users in Expensify
  • Export Users (from Expensify to Okta)

Not in the integration:

  • Create/Provision Users in Expensify
  • Update User Attributes in Expensify
  • Group Push from Okta to Expensify
  • Import Groups from Expensify to Okta
  • Sync Password

To enable deactivating users in Okta, follow these steps:

  1. In Expensify, head to Settings > Domains > [Domain Name] > SAML.
  2. Ensure that the toggle is set to Enabled for “SAML Login” and “Required for login”
  3. In Okta, go to Admin > Applications > Add Application.
  4. Search for Expensify and click on Add.
  5. On the next screen, enter your company domain (e.g. yourcompany.com).
  6. In the tab Sign-On Options, click “Next” (leaving default settings).
  7. In the tab Assign to People, click “Next” and then click Done.
  8. Next, in Okta, go to Admin > Applications > Expensify > Sign On > View Setup Instructions and follow the steps listed.
  9. Then, go to Directory > Profile Editor > Okta user > Profile.
  10. Click the information bubble to the right of the "First name" and "Last name" attributes. 
  11. Uncheck "Yes" under "Attribute required" field and press "Save Attribute".
  12. Email [email protected] providing your domain and request that Okta SCIM be enabled. You will receive a response when this has been actioned.
  13. In Expensify, go to Domains > [Domain Name] > SAML > Show Token and copy the Okta SCIM Token you received.
  14. In Okta, go to Admin > Applications > Expensify > Provisioning > API IntegrationConfigure API Integration.
  15. Select Enable API Integration, paste the Okta SCIM Token in API Token field and then click Save.
  16. Go to To App, click Edit Provisioning Users, select Enable Deactivate Users and then Save. (You may also need to set up the Expensify Attribute Mappings if you have not previously in steps 9-11).

Successful activation of this function will be indicated by the green Push User Deactivation is enabled icon at the top of the app page:

Note: If importing users from Expensify to Okta, ensure Okta UserName Format is set on the To Okta page.

Related articles:

Tagged:
Sign In or Register to comment.