Skip to main content

Retrieve your organization’s SAML settings

Go to Settings > Security and locate the SAML section. Copy and save the SAML entity ID and SAML reply URL. You will enter these values in your IdP’s SSO configuration screen. SAML settings screen

Retrieve SAML metadata from your Identity Provider

You first need to create an SSO app. The steps vary depending on your Identity Provider (IdP).

Microsoft Entra ID (Azure AD)

  1. Select Enterprise Applications. Select Enterprise Application
  2. Click New Application. New Application
  3. Enter a name for your application (for example: service name). Set app name
  4. Click Create and wait a moment. When the app screen appears, select Single sign-on > SAML. Select SAML
  5. Enter the following values.
    FieldValue
    Identifier (Entity ID)The SAML entity ID shown on our SSO settings screen
    Reply URLThe SAML reply URL shown on our SSO settings screen
    Unique User IDChange from user.principalname to user.mail
    Enter settings
  6. After saving, copy the App Federation Metadata URL. Paste the copied URL into the SAML metadata URL field and save. Azure AD SAML configuration is now complete. Next, enable SAML.

Google Workspace

  1. Sign in to the GWS Admin Console and go to Apps > Web and mobile apps. Select Add Custom SAML App from the Add app menu. Add Custom SAML App
  2. Enter an application name and click CONTINUE. Set app name
  3. Click DOWNLOAD METADATA and save the metadata file. Download metadata
  4. Enter the values you copied into ACS URL and Entity ID, then click Continue. Enter ACS URL and Entity ID
  5. On the next screen, click FINISH without entering anything. Your SAML application is now created. Complete

Okta

Okta Integration Network (OIN) is now supported, making setup much easier. Follow the steps at the link below: SAML/SCIM setup with Okta Integration Network
  1. Go to the Okta Admin Console and click the button to add an application. Add application
  2. Click the button to create a new application. Create new application
  3. Set Platform to Web, select SAML 2.0 as the Sign on method, and click Create. Select SAML 2.0
  4. Enter an application name (for example: service name) and proceed to the next screen. Enter app name
  5. Enter the SAML settings and proceed to the next screen. Single sign on URL: enter the SAML reply URL shown earlier. Audience URI: enter the SAML entity ID shown earlier. Name ID format: select EmailAddress. Enter SAML settings
  6. On the next screen, click the Identity Provider metadata link. Identity Provider metadata
  7. The XML file opens in a new tab. Copy that URL and enter it into the SAML metadata URL field. Enter SAML metadata URL
  8. Okta SAML configuration is now complete. Next, enable SAML.

OneLogin

  1. In the OneLogin Admin Console, click the button to add an app. Add app
  2. Search for SCIM and select SCIM Provisioner with SAML (SCIM v2 Core). Select SCIM Provisioner
  3. Enter an application name and save (for example: company name). Save app name
  4. Open the Configuration tab, enter the following values, and save. SAML Audience URL: enter the SAML entity ID value. SAML Consumer URL: enter the SAML reply URL value. SCIM Base URL: enter a placeholder URL for now — you will configure this later on the SCIM settings page. Configuration settings
  5. Select the SSO tab and copy the Issuer URL. Paste it into the SAML metadata URL field and save. SSO settings
  6. OneLogin SAML configuration is now complete. Next, enable SAML.

HENNGE One

For SAML integration with HENNGE One, contact the HENNGE support center. After completing the setup, follow the steps below to enable SAML.

Enable SAML

Set the SAML metadata URL you obtained in the previous step.
  1. For Google Workspace, select a file and upload the metadata file. The screenshots below show how to configure using a URL. Set SAML metadata URL Set SAML metadata URL 2
  2. Turn on the SAML enable switch. Enable SAML Enable SAML 2
  3. SAML-based SSO setup is now complete. Assign users in each SaaS application and verify that single sign-on works. Next, configure SCIM for user provisioning. How to Configure SCIM

Update SAML settings

Go to Settings > Security and locate the SAML section. Before your SAML certificate expires, issue a new certificate in your IdP and update the SAML metadata URL.
  1. Click Edit next to SAML metadata. Edit SAML
  2. Before changing the SAML metadata URL, note down the current URL as a backup. Enter the new SAML metadata URL and click Save. Change SAML metadata URL

For Admin users

Users with the Admin role follow a slightly different login flow. This prevents Admin users from being locked out if the SAML configuration fails. We also recommend requiring multi-factor authentication (MFA) at sign-in. For users with the Admin role:
  1. When signing in from the login screen, the user logs in directly using their MoneyForward ID. The IdP does not receive a redirect.
  2. When signing in from the IdP login UI, the IdP Initiated Flow (sign in via SSO) is used.
Admin login flow

FAQ

Q. I am an Admin, but I cannot sign in with my MoneyForward ID on the login screen.

What should I check if the password reset email does not arrive? A. If you do not have a MoneyForward ID, you need to create one. See If you do not have a MoneyForward ID for details. If the email does not arrive, see If you cannot receive emails.

Q. After configuring SAML, how do I sign in with the Admin role?

A. The login method depends on where you initiate the sign-in. To prevent lockout if the SAML configuration fails, the following behavior applies. Signing in from the login screen: You log in directly using your MoneyForward ID. Signing in from the IdP login UI: The IdP Initiated Flow (sign in via SSO) is used.
Last modified on July 14, 2026