SAML/SSO + New Domain = Huge Headache
Hello, I want to preface this with the statement that I am not an Expensify guru. If you can help me out here, I would be very appreciative!
Here is the situation: the company I support has gotten a new domain name, and has had me change over a handful of users to use this domain as their primary SMTP address. They have numerous SSO authentication applications, and for the vast majority, I just signed into those platforms, changed their username to match the new UPN, and everything worked as expected.
Then we have Expensify. I know the issue. https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/expensify-tutorial In the Reply URL, you force us to specify the domain. That's the reason this entire problem exists. Secondly, because of how you manage and allow users to be invited. These two things together make adding another domain for SSO very complex, unnecessarily. Anyway, rant over.
What's the process for doing this? After working with Concierge for a couple hours, this is my understanding of how to proceed:
- Unverify my 'new' domain, a.k.a. reset it, which I have already done.
- This removes my users, and anything else per the pop-up. Now to add my 'new' users, I need to invite them to the main company policy.
- They accept the invite, and log in to a 'blank' account. From here, since this 'new' domain is still unverified, they can 'merge' their account with their old primary login.
- Once I have all users added, and once they have all 'merged', I can then proceed to verify my domain, and set up all my stuff like SSO etc.
Is this correct? If someone has an easier way to accomplish this, please help me lol.