Expensify.org is accepting proposals for new campaigns. Submit yours here by April 30th to receive up to $100,000 in funding for campaigns dismantling injustice related to: Climate, Homes, Hunger, Reentry, or Youth.
Have the ability to disable the ability for users to create their own accounts under a domain
brianmandeville
Expensify Customer Posts: 6
in Ideas
It would be optimal for domain managers/admins to have the ability to disable users from being able to create their own accounts under that managed domain.
Comments
@brianmandeville - you can easily enable SAML and link a SAML provider to manage who has and doesn't have access to create an account in Expensify with an email on your domain.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up Awesomeyes, but the problem is users can still create their own accounts under that managed domain.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomeWelcome to the Community @brianmandeville! Great news - that is an option!
Domain Groups can be accessed if you have claimed and verified your domain. Groups are used to set rules or permissions for groups of users.
You can read more about the group settings in the attached Community post.
Deep Dive: Domain Groups and permissions — what are they all about?
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up Awesomenot what I am referring to, i am talking about user creation. I know with Groups I can restrict them from switching away.
The expensify login page still allows users to create their accounts under domains being managed and required with SAML.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomeAh, good point of clarification @brianmandeville you're right. Of course, they can't login to use that account at all though if you have SAML required.
What extra control does preventing this step of creating the account give you that having SAML enabled doesn't? Is it just that you don't like to see them in the list?
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomeWhen they create the account, they are logged in for that first time. And they can create Expense reports. Since we use Advanced Routing, setup routing for each individual user. Users think their report is pending, but in reality their account is not setup properly
Also, they will never be able to login again for a second time once logged out. Hence giving the ability to create accounts on SAML required domain is pretty pointless :)
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomeWhen they create the account, they are logged in for that first time
Hmm, this isn't quite correct if you have SAML enabled. When they click the validation link they're shown this:
After going "back" they then choose to login, when they're then redirected to their SAML provider. At that point, as long as they've not been allowed access to this app within the SAML provider, they will error upon login.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomeThat's not what I have been seeing on my instance. Users are getting in and creating expense reports.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomeIf that's the case, I think we'll need to dig in and figure out why! Could you message Concierge and reference this thread? It's likely we'll need you to test out a new user and show us this happening. FWIW, I just tested with our test accounts and there's no way I can get in when SAML is required.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up AwesomePossible there is a mobile app loophole?
- Spam
- Abuse
- Report
1 · Accept Answer Off Topic 1Insightful Vote Up Awesome@brianmandeville that's a good question! I'll try to test that too shortly.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up Awesome@brianmandeville - you were right! Great spot - we're working on this now.
- Spam
- Abuse
- Report
0 · Accept Answer Off Topic Insightful Vote Up Awesome