Setting Up Single Sign-On (SSO) In TextExpander
Single Sign-On (SSO) allows you to sign in to multiple services using one set of login credentials managed by an identity provider such as Okta or OneLogin.
Companies with a large number of permanent and temporary users choose SSO because it enables them to easily give and revoke access to systems and services. See Does TextExpander Support SSO? for more information.
Identity Providers (IdP) supported:
SAML-based Single Sign-On (SSO) provides access to TextExpander through an identity provider (IdP). TextExpander offers configurations for the most popular IdPs, including:
- Microsoft Azure
- Generic SAML
Things to note:
- TextExpander uses Just in Time (JIT) provisioning. SCIM provisioning is currently available with Okta, in addition to Okta w/SAML.
- TextExpander uses the SAML protocol to support SSO. If you are using a non-standard SAML-based Identity Provider, contact us with the details to ensure it works with our system.
Steps to turn on SSO:
Note: you must be an Admin of your TextExpander Organization to follow these steps.
Step 1. Notify support
Drop a note to Support with the following information:
- IdP you will use
- Domain(s) you will add
- A technical point of contact
Note: For SSO to work, your TextExpander organization type should be Closed. If your TextExpander organization was created after June 13, 2019, then it is Closed.
For more information on Closed organizations, see the article What’s the Difference Between “Closed” And “Open” Organizations. Our TextExpander Support team can identify your organization type and, if necessary, help you transition.
Step 2. Enable a company email domain
Your company needs to enable an email domain to prevent users with email addresses that match that domain from creating new accounts outside of your IdP. To enable your domain, follow these steps:
1. Sign in to TextExpander.com.
2. From the menu on the left side of the page, choose the name of your TextExpander Organization and scroll down to choose Members.
3. Click Enable Domain.
4. We’ll review your domain and send you an email once the process is complete.
Step 3. Configure your IdP
TextExpander Support will contact you with instructions to configure your IdP. When you’re done, you will send them the XML metadata file.
Note: Your file should be plain-text – not RTF or anything with formatting.
Step 4. Test the configuration
You’ll want to test that SSO is working before deploying it across your organization.
We’ll provide the following for testing:
- IdP initiated sign-in
- IdP initiated account creation
- Client initiated sign-in
During the test phase, users will be able to access TextExpander by both signing in with their username and password and via Single Sign-On (SSO).
Step 5 – Complete SSO configuration
Once your testing is complete, notify TextExpander Support of any issues. They will complete your SSO configuration once those issues have been solved.
What to expect:
- All accounts with your domain will be swept into your organization.
- Inactive accounts will not appear in your members’ list but will be eligible for reactivation if you add the user to your IdP.
You have two choices for rolling up SSO:
- SSO Forced (Default)
- SSO Fallback – SSO and TextExpander username/password*
*For accounts that were not created with your IdP. Accounts created with your IdP will not have TextExpander username/password credentials.
Let TextExpander Support know which of these 2 options you prefer.
Since this change to SSO can confuse some end users, we’ve found that it’s best to send an email blast informing employees of the change, and instructing them to sign in via SSO moving forward.
Ensure your team is using an SSO compatible version of TextExpander:
- TextExpander 6.2.8 or higher for Mac
- TextExpander 1.6.19 or higher for Windows
- TextExpander for Chrome (all versions)