Single Sign On
Single Sign On (SSO): Allows you to use one set of login credentials to access a number of different applications.
The Emburse Expense Enterprise system supports two methods of SSO: Web-based Emburse Expense Enterprise SSO and a fully compliant Security Assertion Markup Language (SAML) implementation—the choice of which depends on your company’s preference and infrastructure capabilities. Regardless of the underlying technology or method used, the user experience is the same: Once logged in to the company intranet, the user simply clicks a link to launch the Emburse Expense Enterprise application without entering a separate user ID or password.
Emburse Expense Enterprise SSO Server:
This is a simple Web-based method that consults the company’s SSO server. With this method, a user clicks on a link on the organization’s internal intranet after logging in with his or her corporate network credentials. The intranet calls Emburse Expense Enterprise (with an HTTPS POST) and passes the user's login credentials. The Emburse Expense Enterprise system then makes a call to the organization's SSO server. The role of this server is to verify that the user ID and password are valid. The SSO server responds to Emburse Expense Enterprise with a simple valid/invalid message. Once the credentials are validated, the application is started. This method is based on similar and standard procedures offered by other Software as a Service (SaaS) providers.
Resources Available:
If your organization would like to host and control the SSO servers in this fashion but does not have the internal resources, ALP Consulting & Development offers services compatible with the Emburse Expense Enterprise system.
SAML SSO Server:
The Emburse Expense Enterprise system also supports SSO by means of SAML, a standards-based method that facilitates the exchange of authentication messages contained in XML documents among the Identity Provider (IdP), Service Provider (SP) and user. Authentication gives the user access to multiple software portals outside of an organization’s intranet access point without requiring repeated logins. Currently, Emburse Expense Enterprise is able to provide IdP- and SP-initiated SAML service for SAML versions 1.1 and 2.0. For further information on SAML 2.0 in general, consult the Wikipedia article SAML 2.0. Using a SAML approach, the organization maintains an IdP whose role is to deliver the authentication credentials to the Emburse Expense Enterprise system.
Resources Available:
There are a number of IdP options available. Your organization may use on-premises server options like Ping Identity or open-source alternatives like Shibboleth, which is used widely by the academic community. You may also outsource IdP service to such SaaS-hosted solutions as OneLogin, which offers integrated login capabilities for Emburse Expense Enterprise and many others.
Below are the SSO servlet URLs:
- PRODUCTION - https://www.chromeriver.com/cr-sso/SingleSignOnServlet
- UAT (if subscribed) - https://qa.chromeriver.com/cr-sso/SingleSignOnServlet
Your organization should provide Emburse Expense Enterprise with the following information for each environment (UAT, if subscribed, and Production):
- IP address(es) or URL(s) to use for the POST to your SSO server.
- User name and password that enable Emburse Expense Enterprise to log in using your SSO Server for implementation and testing purposes. These credentials only need to provide basic access to the Emburse Expense Enterprise application.
UAT ENVIRONMENTS:
Emburse Expense Enterprise will create a support ticket with the above information and coordinate with Emburse Expense Enterprise's development team and your organization to set up SSO reception.
- Point your organization’s SSO server to the UAT (if subscribed) server for testing
- Point your organization’s SSO server to the PRODUCTION server for use
Emburse Expense Enterprise IP ADDRESSES:
The following are IP addresses from which Emburse Expense Enterprise messages will originate. Be sure that your organization’s firewall allows them access.
- UAT (if subscribed) - qa.chromeriver.com: 173.203.191.213
- PRODUCTION - www.chromeriver.com: 173.203.191.202
- STAGING - staging.chromeriver.com: 173.203.191.195
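The following is an added example, not Emburse's code and not part of the original page: a sketch of the decision an organization-hosted SSO server makes in the Web-based method, accepting validation calls only from the originating addresses listed above and answering with a simple valid/invalid. The page does not specify the wire format, so `validate`, its parameters, the sample directory and the PBKDF2 settings are assumptions.

```python
import hashlib
import hmac
import ipaddress

# Originating addresses the page lists for each Emburse environment.
EMBURSE_SOURCES = {
    "UAT": {ipaddress.ip_address("173.203.191.213")},
    "PRODUCTION": {ipaddress.ip_address("173.203.191.202")},
    "STAGING": {ipaddress.ip_address("173.203.191.195")},
}
PBKDF2_ROUNDS = 600_000  # assumption: follow your own password-storage policy


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample directory: user ID -> (salt, hash). Not real accounts.
_SALT = b"constructed-salt"
DIRECTORY = {"jdoe": (_SALT, hash_password("correct horse battery staple", _SALT))}
# Used for unknown user IDs so both failure paths do the same amount of work.
_DUMMY = (_SALT, hash_password("no-such-user", _SALT))


def source_allowed(environment: str, source_ip: str) -> bool:
    """True only if source_ip is the address listed for that environment.

    source_ip must be the socket peer address, never a value taken from a
    client-supplied header such as X-Forwarded-For.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return addr in EMBURSE_SOURCES.get(environment, set())


def validate(environment: str, source_ip: str, user_id: str, password: str) -> str:
    """Return the simple valid/invalid answer described for the SSO server."""
    if not source_allowed(environment, source_ip):
        return "invalid"  # e.g. the UAT address calling the production server
    salt, stored = DIRECTORY.get(user_id, _DUMMY)
    match = hmac.compare_digest(hash_password(password, salt), stored)
    return "valid" if match and user_id in DIRECTORY else "invalid"
```

The response is the same for a wrong source address, an unknown user ID and a wrong password, so the caller learns nothing beyond valid/invalid.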