[No QA] Update Set-Up-SAML-Single-Sign-On.md

docs/_data/_routes.yml

@@ -118,6 +118,11 @@ platforms:
         title: Reports & Expenses
         icon: /assets/images/envelope-receipt.svg
         description: Learn more about expense tracking and submission.
+
+      - href: domains
+        title: Domains
+        icon: /assets/images/domains.svg
+        description: Claim and verify your company’s domain to access additional management and security features.
 
       - href: wallet-and-payments
         title: Wallet & Payments

docs/articles/expensify-classic/domains/Set-Up-SAML-SSO.md

@@ -0,0 +1,128 @@
+---
+title: Managing Single Sign-On (SSO) and User Authentication in Expensify
+description: Learn how to set up and manage SAML-based Single Sign-On (SSO) for secure member login in Expensify Classic.
+internalScope: Audience: Domain Admins. Covers setting up SAML and solutions to common configuration issues, Does not cover individual account access troubleshooting. 
+keywords: [Expensify Classic, SAML SSO, domain security, single sign-on, identity provider, verified domain, enable SAML, Okta, Google Workspace, Microsoft Entra, ADFS]
+---
+
+Set up secure and streamlined login across your organization by enabling SAML Single Sign-On (SSO) in Expensify Classic. This allows Workspace members to authenticate using your identity provider (IdP), rather than creating separate credentials.
+
+---
+
+# Where to find SAML Single Sign-On (SSO) settings in Expensify Classic 
+
+To set up SAML Single Sign-On (SSO), verify your domain. 
+[Learn how to claim and verify your domain](https://help.expensify.com/articles/expensify-classic/domains/Claim-And-Verify-A-Domain#step-2-verify-domain-ownership)
+
+Once you are a Domain Admin on a verified domain, you can configure SAML SSO login: 
+
+1. Go to **Settings > Domains > [Domain Name] > SAML**.
+2. Toggle **SAML Login** to **Enabled**.
+
+---
+
+# Who can manage SAML Single Sign-On (SSO)
+
+ Only **Domain Admins** can configure SAML for verified domains. SAML login applies to all Domain members whose email addresses match the verified domain.
+
+---
+
+# How to set up SAML Single Sign-On (SSO) 
+
+1. Go to **Settings > Domains > [Domain Name] > SAML**.
+2. Toggle **SAML Login** to **Enabled**.
+3. Download Expensify’s **Service Provider metadata** to upload to your IdP.
+4. Paste your IdP metadata in the **Identity Provider MetaData** field.
+5. Test logging in to confirm that SAML SSO is configured correctly (recommended).
+6. Enable **Required for login** to ensure  members sign in via SSO only.
+
+Select your Identity (SAML) Provider for detailed steps on configuring SAML Single Sign-On (SSO): 
+
+- [Amazon Web Services (AWS SSO)](https://static.global.sso.amazonaws.com/app-202a715cb67cddd9/instructions/index.htm)
+- [Google Workspace / SAML (Gsuite)](https://support.google.com/a/answer/7371682)
+- [Microsoft Entra ID (formerly Azure AD)](https://learn.microsoft.com/en-us/entra/identity/saas-apps/expensify-tutorial)
+- [Okta](https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Expensify.html)
+- [OneLogin](https://onelogin.service-now.com/support?id=kb_article&sys_id=e44c9e52db187410fe39dde7489619ba)
+- [Oracle Identity Cloud Service](https://docs.oracle.com/en/cloud/paas/identity-cloud/idcsc/expensify.html#Expensify)
+- [SAASPASS](https://saaspass.com/saaspass/expensify-two-factor-authentication-2fa-single-sign-on-sso-saml.html)
+- Microsoft ADFS – see instructions below
+
+**Note:** If your provider isn't listed, contact them directly for guidance with metadata and setup.
+
+---
+
+# How SAML Single Sign-On (SSO) affects login behavior
+
+- Members with email addresses matching your verified domain will be prompted to log in through your configured IdP.
+- Members using a personal or secondary email (e.g., Gmail) must [update their email address](https://help.expensify.com/articles/expensify-classic/settings/Change-or-add-email-address) to match the verified domain for SSO access.
+
+---
+
+# Troubleshooting SAML Single Sign-On (SSO)
+
+## If setup fails or login doesn't work:
+
+- Use [samltool.com](https://samltool.com) to validate your IdP metadata and certificate.
+- Make sure the email domain in your IdP exactly matches your verified domain in Expensify.
+
+## What is Expensify’s Entity ID?
+
+- Standard setup: `https://expensify.com`
+- Multi-domain setup: `https://expensify.com/yourdomain.com`
+
+Managing multiple domains with one Entity ID is supported. Contact Concierge or your Account Manager to enable this feature.
+
+# Advanced configurations for SAML Single Sign-On (SSO)
+
+## Okta SCIM API for account deprovisioning
+
+Once SAML is configured: 
+
+1. In Okta, add Expensify as an app and configure attribute mappings.
+2. Request SCIM API access via **concierge@expensify.com**.
+3. Add the SCIM token in your Okta provisioning settings.
+
+Refer to Okta’s documentation for complete instructions.
+
+## Microsoft ADFS configuration
+
+1. Open the **ADFS Management Console** and create a new trust.
+2. Upload Expensify’s metadata XML file.
+3. Map **LDAP attributes** (email or UPN) to outgoing claims.
+4. Add two claim rules:
+   - Send LDAP Attributes as Claims
+   - Transform Incoming Claim to Name ID
+
+## Microsoft Entra ID certificate update process
+
+To avoid setup errors during certificate renewal:
+
+1. Create the new certificate in Microsoft Entra.
+2. Remove the old certificate before activating the new one.
+3. Replace the existing IdP metadata in Expensify.
+4. Log in via SSO to confirm the new certificate works.
+
+# FAQ
+
+## Can I use SAML Single Sign-On (SSO) for multiple Workspaces?
+
+Yes, as long as all members are part of the same verified domain, SAML access applies across all Workspaces they belong to.
+
+## How can I confirm my SAML Single Sign-On (SSO) setup is working?
+
+Before enabling **Require SAML login**, make sure your SAML connection is working by testing both SP-initiated and IdP-initiated logins. You should also confirm that:
+
+- The correct certificate and endpoints are in your Expensify metadata
+- Members can log in successfully using the SAML flow
+
+## Can I test a new SAML Single Sign-On (SSO) setup without locking members out?
+
+Yes. Disable **Require SAML login** before making changes. This allows members to log in with email and password if SAML setup fails. Once you’ve confirmed that login works, you can re-enable enforcement.
+
+## What do I do if a member can’t log in after SAML Single Sign-On (SSO) is enabled?
+
+First, confirm that the member’s email matches your verified domain and that their account exists in your Identity Provider (IdP) with the correct access permissions. 
+
+## Are custom NameID, ACS, or SLO URLs supported in SAML Single Sign-On (SSO)?
+
+No, the NameID Format, Login URL (ACS URL), and Logout URL (SLO URL) are static and cannot be modified.

docs/articles/expensify-classic/domains/Troubleshoot-SAML-SSO-Login.md

@@ -0,0 +1,121 @@
+---
+title: Troubleshoot SAML SSO login
+description: Learn how to quickly diagnose and resolve issues with SAML SSO login in Expensify Classic, including lockouts, expired certificates, and identity provider errors.
+keywords: [Expensify Classic, SAML SSO, SSO login failed, Require SAML login, domain locked out, expired certificate, identity provider, IdP, metadata, troubleshooting]
+---
+
+If you're having trouble logging in with SAML Single Sign-On (SSO) in Expensify Classic, this guide will help you identify the issue, understand what’s causing it, and get access restored quickly.
+
+---
+
+# Where to find SAML SSO settings in Expensify Classic
+
+To check your domain's SAML SSO configuration, go to **Settings > Domains > [Domain Name] > SAML**.
+
+From this page, Domain Admins can: 
+
+- Enable SAML SSO login for the domain 
+- View and update your Identity Provider (IdP) metadata
+- Disable or enable **Require SAML login**
+
+**Note:** SAML SSO settings are not available on mobile. 
+
+# How to fix domain-wide SAML SSO login issues
+
+## SAML login suddenly fails for all members
+
+A domain-wide issue usually points to a problem with your Identity Provider (IdP). 
+
+**Has your IdP certificate expired or rotated?**
+
+ If yes, copy the updated metadata XML from your IdP and paste it into the **Identity Provider Metadata** field in your Expensify SAML settings.
+
+**Have any IdP settings changed?**
+
+Changes to entity IDs, SSO endpoints, or user attributes can break login.
+ - If your certificate or SSO endpoints have changed, upload updated metadata from your IdP to Expensify.
+ - If user attributes like NameID Format or email mappings have changed, confirm they match the values expected in your domain's SAML settings in Expensify.
+
+**Is “Require SAML login” turned on?**  
+
+ If enabled, no one — including Domain Admins — can log in without a working SAML configuration. If you're still signed in, go to your domain’s SAML settings and temporarily disable **Require SAML login** while troubleshooting. 
+
+## Some members can’t log in, but others can
+
+This is often caused by an email alias not recognized by your identity provider (IdP), or because the member hasn’t been added to the correct SAML rule or group. Confirm that the member’s email matches your verified domain in Expensify, and check your IdP to ensure they’re included in the appropriate SAML group or rule.
+
+## All Domain Admins are locked out
+
+If no Domain Admins can log in, you won’t be able to access SAML settings. Email **concierge@expensify.com** from an address that matches your verified domain for help.
+
+---
+
+# How to resolve common SAML SSO error messages 
+
+## Signature validation failed  
+
+This typically happens when the certificate has expired, is malformed, or doesn't match the one used by your IdP. To fix it, copy the updated metadata XML from your IdP and paste it into the **Identity Provider Metadata** field in your Expensify SAML settings.
+
+---
+
+## SAML Response not found. Only supported HTTP_POST Binding  
+
+Your Identity Provider is not sending the `SAMLResponse` in the POST body as expected. To fix it, update your IdP configuration to use **HTTP POST binding** when sending the SAML Response.
+
+---
+
+## No user with that partnerUserID/partnerUserSecret  
+
+This occurs when your IdP sends an email (NameID) that doesn’t match the one stored in Expensify for that member. To fix it, confirm that the NameID value sent by your IdP exactly matches the member’s email address in Expensify. If needed, update the member's email in your IdP or in Expensify to resolve the mismatch.
+
+---
+
+## Bad XML metadata
+
+Your metadata file may contain formatting issues — often extra line breaks or copy/paste errors in the x.509 certificate.  
+**How to fix it:** Use a certificate formatting tool (like [samltool.com](https://samltool.com)) to clean and validate your metadata before pasting it into Expensify.
+
+**Note:** When copying a certificate, make sure it includes the full `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` block with no formatting errors.
+
+---
+
+## SAML login not available on your domain  
+
+This appears when **Require SAML login** is enabled, but SAML isn’t fully configured. To fix it, follow the steps to [Configure Single Sign On (SSO)](https://help.expensify.com/articles/expensify-classic/domains/Managing-Single-Sign-On-(SSO)-in-Expensify) for your domain. 
+
+---
+
+# How to contact Expensify if you're locked out
+
+If you can't sign in due to a SAML issue, email **concierge@expensify.com** from an address that matches your verified domain.
+
+---
+
+# FAQ
+
+## What should I do before making changes to my domain's SAML SSO setup?
+
+Before making changes to your Identity Provider setup — like rotating certificates or updating endpoints — we recommend **temporarily disabling Require SAML login** in Expensify.
+
+This ensures Domain Admins can still sign in with email and password if the new configuration doesn’t work. Once you’ve uploaded the new metadata and confirmed login is working, you can safely re-enable Require SAML login.
+
+## Can I make SAML login optional for some members?
+
+No. SAML settings apply to the entire domain. If **Require SAML login** is enabled, **all members** must authenticate via SAML — there’s no way to allow some members to log in with email and password while others use SAML.
+
+## Can I test a new SAML setup without locking members out?
+
+Yes. You can disable **Require SAML login** while testing or updating your SAML settings. This allows members to log in with email/password if needed. Once you're confident the new metadata works, re-enable SAML enforcement.
+
+## How can I confirm my SAML setup is correct?
+
+Before enabling **Require SAML login**, make sure your SAML connection is working by testing both SP-initiated and IdP-initiated logins. You should also confirm that:
+
+- The correct certificate and endpoints are in your Expensify metadata
+- Your IdP sends the proper NameID (usually the member's email)
+- Members can log in successfully using the SAML flow
+
+For step-by-step setup and testing instructions, check out the [SAML setup guide](https://help.expensify.com/articles/expensify-classic/domains/Managing-Single-Sign-On-(SSO)-in-Expensify).
+
+
+