Login - Enable Microsoft Entra ID Single Sign On
Ability to use Azure Active Directory for MFA.
Purpose: It makes Microsoft users easily log into Xero.
Hi everyone, we appreciate all the feedback and votes on this idea. We know using Microsoft Entra ID SSO is now common practice for some businesses and being able to access Xero via a native integration with Entra ID would streamline how your teams log in and get set up in Xero, as well as help in managing access for larger teams and keeping things secure.
Our product team have been working with a small limited group of Partners to develop SSO capabilities. Though we can't give any definite timelines yet, we’ll keep this thread updated with news. Thanks
-
Andrew Anderson
commented
I think we all want to see SAML SSO available as soon as is reasonable, but "adopting a professional identity provider" is the exact opposite of what is needed. Instead of calling for Xero to dictate that companies use a specific Identity Provider (IdP) platform (365/Entra), the goal should be to support SAML SSO authentication from _ANY_ SAML authentication provider (Microsoft Entra/ADFS, Google, Okta, Auth0, OneLogin, etc). I will be severely disappointed if this feature is launched and only works for Entra.
Also, the SSO standards already exist (https://www.oasis-open.org/standard/saml/), so what is actually needed here is time for the development team to incorporate robust external authentication feature support into the product.
As for MFA, Xero already supports TOTP-based MFA, and I use it every time I log in, so allow me to point you to the MFA setup instructions for Xero that are available today: https://central.xero.com/s/article/Set-up-multi-factor-authentication
For everyone who is berating Xero as "I can't believe in 202x that...", remember that Stripe only rolled out SAML support a year or so ago themselves, so Xero really is not that far behind other SMB financial service providers in supporting 3rd party authentication services. Keep in mind, Intuit does not support native SAML SSO for QBO today, nor does Sage 50 support SAML SSO. You might be thinking about Sage Intacct, but I see that platform occupying a different part of the marketplace at a different price point, and not directly comparable.
The only "support" for QBO is HTML forms stuffing (aka "Forms-based auth" or "SWA" depending on the IdP terminology), so the main competitor in the small business accounting space (Intuit) does not support SAML SSO either. To the best of my knowledge Intuit has not announced plans to support SAML for QBO, so Xero is already ahead of the curve here among its peers.
What I am hoping to see is that Xero is taking the time to do this implementation correctly and that they are following Stripe's example where they allow users and roles to be completely defined in the IdP system and communicated to Stripe (as the Service Provider [SP]) upon every login (https://docs.stripe.com/get-started/account/sso). Under Stripe's design, user permissions are managed centrally at the IdP and access rights are assigned to the user account in the IdP. This is not a trivial change, and is going to take time to implement all of the necessary hooks for this to work correctly.
Xero has already stated that they are working on this barely over 6 months ago. I would rather they take their time and get this implementation right than to rush the implementation to end users and launch a half-baked product. Stripe worked on SSO for 2-3 years before they made it generally available, so give Xero time to get this right and please don't pressure them into delivering a shallow implementation that exists only to check a checkbox to shut up auditors and winds up disappointing those of us who want to see a robust feature set with JIT provisioning and full role assignments that permits for more granular access support than exists today with the "Invoice Only", "Standard", "Advisor", and "Read Only". In my ideal implementation, there will be permission hooks surrounding all major features and functions, with the ability to provision user accounts in the IdP to give very granular access to every feature that is addressable in all of the menus (Sales, Purchases, Reporting, Accounting, Tax, Contacts), as well as file management, and administration functions. This level of work is non-trivial, and not something that one just "turns on".
As someone who works with authentication technology every day, this is not just a matter of spreading magic pixie dust over the code base for it to work. The first step is that Xero needs to define what they want to achieve with the new feature support (hopefully this has been completed by now). Second, they need to define a permission set that will map to SAML attributes to support the functional definition, and validate that the permission set meets all of the design goals. Third, they need to instrument all of the functions to add the permission set checks that work in parallel with the existing user permissions so that non-SAML sites are not impacted by deploying the new feature. And finally, they need to test the new code extensively to make sure that it is working as designed with no corner cases that would allow for unauthorized access via unprotected paths.
For everyone who is trying to pressure Xero into launching a half-baked SSO implementation "because it limits adoption", take a step back and ask yourself what a botched launch of a major authentication feature would do to Xero's reputation, and how that might "limit adoption" far longer than the "we do not currently support SSO, but that feature is in development" answer currently may.
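An added illustration of the second and third steps described in the comment above (not part of the comment, and not Xero's or Stripe's code): IdP-asserted roles are mapped to a permission set and checked in parallel with existing local roles, failing closed on the corner cases. The role names are the four listed in the thread; the `xero_role` attribute name, the permission strings and the `Org` class are hypothetical, and the attributes are assumed to come from an assertion a SAML library has already validated.

```python
from dataclasses import dataclass, field

# Role names come from the thread; the permission strings are hypothetical.
ROLE_PERMISSIONS = {
    "Read Only": {"reports.view"},
    "Invoice Only": {"invoices.view", "invoices.create"},
    "Standard": {"reports.view", "invoices.view", "invoices.create",
                 "contacts.edit"},
    "Advisor": {"reports.view", "invoices.view", "invoices.create",
                "contacts.edit", "users.manage"},
}
ROLE_ATTRIBUTE = "xero_role"  # hypothetical SAML attribute name


@dataclass
class Org:
    name: str
    sso_enforced: bool = False
    local_roles: dict = field(default_factory=dict)  # email -> role name


def roles_from_assertion(attributes):
    """Keep only recognised roles; unknown values grant nothing."""
    values = attributes.get(ROLE_ATTRIBUTE, [])
    if isinstance(values, str):
        values = [values]
    return [v for v in values if v in ROLE_PERMISSIONS]


def effective_permissions(org, email, assertion_attrs=None):
    """Resolve permissions from the IdP for SSO orgs, locally otherwise."""
    if org.sso_enforced:
        if assertion_attrs is None:
            # No IdP login: a stale local role must not become a bypass path.
            return set()
        roles = roles_from_assertion(assertion_attrs)
    else:
        # Non-SAML organisations keep the existing behaviour unchanged.
        role = org.local_roles.get(email)
        roles = [role] if role in ROLE_PERMISSIONS else []
    permissions = set()
    for role in roles:
        permissions |= ROLE_PERMISSIONS[role]
    return permissions


def is_allowed(org, email, permission, assertion_attrs=None):
    """Single check that every instrumented function would call."""
    return permission in effective_permissions(org, email, assertion_attrs)
```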
-
Michael Romano
commented
As a shareholder it’s maddening to see this idea being ignored for so long. All these requests for SSO and MFA could be addressed at once by adopting a professional identity provider and standards. Most Xero customers would already have M365/Entra ID and the fact that this isn’t acknowledged by management is concerning because it’s clearly limiting Xero’s adoption.
-
Lachlan Bunter
commented
Struggling to believe in 2026 an app this big does not have basic SSO functionalities. Completely against Australian Cyber Standards so was immediately Vetoed as an idea. Shame.
-
Peter Bisset
commented
Like everyone else, this is crucial to enable me to ensure application access for core business products is centrally managed.
-
David Benady
commented
Ability to manage users and their access directly from EntraID with a SCIM as well as SSO using corporate Microsoft account (same for Google or other providers)
-
Jonathan Allard
commented
This is really important to us, as others have said both for Compliance, things like CE/CE+ and general security.
-
Roger Marks
commented
This is massively important for us and is preventing our businesses from using Xero more widely (ISO27001, Cyber Essentials Plus, etc.) - our information security team insist on data only being accessed on managed devices so need SSO via Entra with adaptive conditional access. Please!
-
Anna Kopczynska
commented
I would be interested in this solution, also testing.
-
Karen Field
commented
For any users in the UK who undertake the Cyber Essentials Plus accreditation, SSO is a big deal for cloud services, especially under the new iteration of CE+ Cloud Services will be covered heavily and it is kind of expected now that most cloud services will be covered by SSO in tandem with MFA.
-
Kyle Joynt
commented
Upvote!! This would be super valuable for security and compliance in our business.
-
Dan Newton
commented
I ended up here while looking for SSO and have added my vote. I was fairly surprised to find that, despite this thread going back to 2022, it still isn’t a native capability!
-
MyTaxDoc Accountants
commented
Hi Greg,
I truly wish I could share a more positive update. As I mentioned, I have been a strong advocate for this initiative and have taken the opportunity to discuss it with senior leadership. Unfortunately, the information I received was not encouraging.
Given the circumstances, I would recommend requesting a call to obtain a detailed update directly. That may provide greater clarity and allow you to hear the position firsthand.
It is certainly disappointing, and I share your frustration.
-
Greg Thomson
commented
A note to everyone on this thread, the status of this idea is still "In Development". If Xero has abandoned this idea, as has been mentioned, then I would expect the status to change to "Not in pipeline".
As of today, there are 11 ideas marked as "In Development". Of those this idea is the highest voted by 178 votes. (651 votes to 473 for the second-place idea).
That said development effort for many SAS companies seems to be on the new shiny AI stuff. I hope Xero hasn't diverted dev time away from this 13+ year old idea that many SAS companies have had for years.
-
Jesse Gildesgame
commented
Huge upvote. This would be super valuable for security and other reasons.
-
Geoff Trask
commented
Can you get this done? Crazy it's taking you so long.
-
MyTaxDoc Accountants
commented
As I say, guys, I think literally the only way for this to work is to tell companies like FreeAgent, QuickBooks to name and shame Xero at Accountex in their Q&A. Maybe they will realise when their competitors know they lack basic features like this, the devs might actually go ahead and make a move... Xero will fall if they continue with this behaviour.
-
Jamie Wheeldon
commented
This is incredibly frustrating.
This idea is one of the top rated requests on this site, with consistent demand from users for updates and growing frustration at why it has so far taken 13 years to get this prioritised.
We need at least an immediate update on this idea - ideally some confirmation of when this will be delivered.
-
Stuart Gilbertson
commented
I'd strongly suggest you put a rocket up your developers to get this basic, important feature live as soon as possible.
-
MyTaxDoc Accountants
commented
Total smack in the face. Just spoke with a higher-up from Xero, James. He has advised SSO is paused, the dev team doesn't think it's important and they are no longer going to go ahead with the idea.
"James
Support specialist
16 Feb 2:35 PM
Hi
Thanks for your time on the phone this afternoon.
As discussed our Product Team understand the importance of single sign on and this feature to you. While they can't currently commit to development, we’re gauging a sense of interest in this through the community on Xero Product Ideas.
I've shared a link to the product idea where you can view and support the idea surrounding this topic. Xero Product Ideas is where our customers can share and support ideas for change. Any change or progress of this feature will be shared with everyone through the idea.
Xero Product Ideas: MFA - Enable Windows Azure Active Directory Single Sign On
Kind regards
James"
I have a phone call conversation discussing his text. Nothing will apparently change the dev team decision as it's final. Guys, I think we should make a petition or go to the CEO and address these concerns... maybe name and shame the lack of this feature; we may only then get it...
-
Andy Quiambao
commented
Please add a seamless provision/hooking with Okta too