Our Single Sign-On (SSO) utility gives Enterprise users the ability to log in to DivvyHQ through their company's SSO portal. Once SSO has been enabled on an account, and users have been authenticated, they can bypass DivvyHQ's login page altogether.

TABLE OF CONTENTS

• The Divvy Details
  • Enabling SSO
  • Step 2a: Giving an Existing Team Member SSO Authentication Permissions
  • Step 2b: Giving a New Team Member SSO Authentication Permissions
  • Utilizing SSO Via ADFS
    • Step 1: Add A Additional Rule - Send Claims Using a Custom Rule
    • Step 1b: Code Results of Custom Rule
    • Step 2: Add Additional Rules - Transform an Incoming Claim
    • Step 2b: Edit Rule Details
    • Step 3: Click Ok

The Divvy Details

Below is a step-by-step walkthrough on how to enable SSO on an account and give team members SSO authentication permissions. For those using ADFS, please note the additional steps under the section below, entitled Utilizing SSO Via ADFS.

If you are using Okta for your SSO needs, please refer to this article.

If you are using Azure for SSO, please refer to this article.

Enabling SSO

1. As a Global Admin, click your name in the upper right hand of the platform and select the Account Admin option from the dropdown.

2. From the Account Admin, click the Integrations tab, then the Single Sign On tab.

3. Click the checkbox Enable Single Sign On.

4. After clicking the checkbox you will be presented with a few required fields that need to be filled in to start the authentication process.

5. Input your XML metadata URL or upload your metadata file into the provided field. This URL or file would come from your SSO provider.

6. Input your X.509 Certificate into the provided field. This value would come from your SSO provider.

7. OPTIONAL: Input your IdP login URL

8. Provide our DivvyHQ Metadata URL and DivvyHQ Assertion Consumption Service URL, as well as the following attribute mappings, to your IT department.

Note: The name format for these attribute mappings should be unspecified.

Attribute name             Value

mail            Email address of the user

givenName       Users first name

sn              Users last name

DivvyHQ Metadata URL

https://app.divvyhq.com/saml2/metadata/

DivvyHQ Assertion Consumption Service URL

https://app.divvyhq.com/saml2/acs/

9. After you've filled in all required fields, click Save Settings in the upper righthand.

Step 2a: Giving an Existing Team Member SSO Authentication Permissions

After you've enabled SSO via the Integration Admin, you need to specify which existing users will be utilizing SSO to log in to DivvyHQ.

1. Venture back to the Account Admin interface and select the Team Members tab.

2. Hover over the team member's name that needs to Authenticate through SSO, then click the blue View/Edit User link.

3. This will bring up the Edit Team Member overlay. Check the Authenticate through SSO box and then click the green Apply Changes button.

Step 2b: Giving a New Team Member SSO Authentication Permissions

When adding new team members, you can give them the ability to authenticate through SSO. Follow the steps below:

1. Click the + ADD NEW option in the upper righthand of the platform, then click TEAM MEMBER within the dropdown.

2. This will bring up the Add Team Member overlay. Fill out the required fields (First name, Last Name, Email address) and check the Authenticate through SSO box.

Important Note 1: When you add a new team member with SSO authenticated, the team member will not receive a DivvyHQ invitation email. You might want to alert them that they have been added to your DivvyHQ account and show them how to get to DivvyHQ via your SSO portal.

Important Note 2: Once you give a user Authenticate through SSO permissions, they will no longer be able to login via the DivvyHQ Login Page. If you ever disable SSO via the Integration Admin or by downgrading your plan level to Pro or Starter, read this FAQ to learn how to gain access via the traditional login method.

Important Note 3: If you are the original Global Admin on an account you will not be able to give yourself SSO authentication permissions. This provides an account with a login fail-safe for the original Global Admin, in case there is ever an issue with SSO authentication.

Utilizing SSO Via ADFS

If you are implementing SSO via ADFS there are a few more steps involved to get the NameID to send appropriately.

As mentioned above, please make sure you're sending over the outgoing claim types as mail, givenName and sn.

Step 1: Add A Additional Rule - Send Claims Using a Custom Rule

Step 1b: Code Results of Custom Rule

Custom Rule Code

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]

 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant"]

 => add(store = "_OpaqueIdStore", types = ("http://mycompany/internal/sessionid"), query = "{0};{1};{2};{3};{4}", param = "useEntropy", param = c1.Value, param = c1.OriginalIssuer, param = "", param = c2.Value);

Step 2: Add Additional Rules - Transform an Incoming Claim

Step 2b: Edit Rule Details

Step 3: Click Ok

After clicking ok, your settings should be configured correctly. You can now make requests on behalf of users and log them into Divvy seamlessly!