How to Migrate TextExpander from One Identity Provider (IdP) to Another
If you plan to move from one IdP (Identity Provider) to another — whether switching from Okta to Microsoft Entra, OneLogin to Google Workspace, or any other combination — this guide will help you transition your TextExpander integration without disrupting user access.
✅ Critical Requirements for a Successful Migration
To avoid users being locked out or accidentally provisioning new accounts, it’s essential to preserve the following identifiers:
1. Email Address
The email address used in the old IdP must remain the same in the new IdP configuration.
2. NameID
Ensure that the NameID value in the SAML assertion stays the same. This is how we match your users across IdPs.
3. User Provisioning
Before switching over, provision the same set of users (or groups) in the new IdP and assign them to the TextExpander tenant.
Warning: If any of the values above change, users may be unable to sign in or may inadvertently create duplicate accounts — causing confusion and support tickets.
We recommend testing this with at least one user and validating which attributes are being sent with a SAML tracer.
🧱 Pre-Migration Setup
You can start the migration preparation before disabling the old IdP.
Here’s what you can do:
1. Add TextExpander to your new IdP dashboard.
Follow your new IdP’s app setup instructions and integrate TextExpander using the SAML-based SSO configuration. You can find instructions here.
2. Mirror user assignments
Make sure the same users (or equivalent groups) from the old IdP are added to the TextExpander app in your new IdP.
3. Verify attributes
Confirm that email and NameID match the values from the old IdP to avoid re-provisioning.
MIgration Time
Once your pre-migration prep is complete and your users are provisioned in the new IdP, it’s time to officially switch over the metadata in your TextExpander SSO settings.
1. Log in to the TextExpander Admin Portal
Navigate to your TextExpander SSO portal using your admin credentials.
2. Select the new IdP name from the dropdown.
Use the dropdown menu to choose your new IdP name (e.g., Azure AD, Okta, OneLogin, etc.).
3. Backup Your Current Metadata
• Copy the existing SAML metadata shown in the portal.
• Paste it into a plain text file (e.g., old-IdP-metadata.txt) and save it in a secure location for backup.
4. Paste New IdP Metadata
• Open your new IdP’s SAML metadata XML.
• Copy and paste the full content into the IdP Metadata field in the TextExpander portal.
• Click the ✅ checkmark to save and apply the new configuration.
5. Test Sign-In from the New IdP
• Use a test user account that has been provisioned in the new IdP and assigned to the TextExpander app.
• Sign in via https://app.textexpander.com/sign-in using the “Sign in with SSO” option.
• Confirm successful access and that the user is not re-provisioned or treated as a new user.
6. Test Provisioning a new User
Add a new user to your IdP and test account creation via Just-in-time (JIT) provisioning.
Pro Tip: After a successful test, monitor sign-ins over the next 24–48 hours and keep your backup metadata handy just in case a rollback is needed to your prior IdP.
📣 Communicate to Admins and Users
For Admins:
Share the new onboarding steps and verify they can access TextExpander through the new IdP dashboard.
If you take the time to mirror identifiers, provision users correctly, and communicate proactively, the migration should be smooth and transparent for users.
Have questions or need help with the setup? Is your setup more complex? Feel free to contact our support team.