Login - Enable Windows Azure Active Directory Single Sign On
Ability to use Azure Active Directory for MFA.
Purpose: It lets Microsoft users easily log into Xero.
Hi community, we appreciate many businesses have adopted single sign on with providers like Google, Microsoft Azure/Entra, and Okta to easily streamline logins to many applications and manage operational risk. Our team are staying close to votes and feedback of the idea here, and though we can't commit to development at this time, we will be sure to let you know of any progress toward enabling single sign on.
-
Dan Harmer commented
The issue is even greater than that - without SSO we can't enable Conditional Access, which means users (staff, outsourcing companies, anyone) can access Xero on their home computers, library computers, anywhere, and download our client data. In its current form Xero is fundamentally not secure for business.
-
Lauren Child commented
Just to be clear, it's not just about the ease of login. At the moment Xero doesn't provide a method of enforcing MFA or adding security monitoring & control on the login.
That makes it a liability; for example, a user without MFA is potentially a regulatory breach and potential lawsuit, aside from the obvious security and privacy impact. Being divorced from the enterprise means it's not being monitored the same way.
In short, if a user falls victim to phishing and a hacker gets caught and blocked automatically in the enterprise, they still potentially get full access to Xero accounts until somebody pops over and resets the account manually, and who knows what personal & financial data access and damage they could do in the interim.
That's why we need SAML or Azure SSO etc.
Ease of use is a bonus, but really it's all about de-risking the use of Xero in a normal enterprise.
-
Richard Crozier commented
No, we don't want Azure integration, we want generic SAML that works with any ID provider. But you've closed that idea, even though it is the solution to SSO.
-
Nathan Morris commented
Bump! Let's do this Xero.
-
Cameron Ritchie commented
Microsoft Azure AD as the IdP doing user provisioning using SCIM please. Will sort out more than SSO.
-
Jesse Jones commented
My team and I can achieve this for you within two weeks. Please reach out to us and we will sort it. It doesn't need to take years. I promise.
-
John McRoberts commented
"and this will take a few years to achieve..." Seriously???
-
Noel Ashpole commented
In today's digital world, this is a critical security function that should be urgently added to Xero.
-
Ian Lazzari commented
Unbelievable. The relative ease to implement and the criticality of the functionality means, at the very least, there should be a date planned for this. Should really have been in place for years now though. It's nothing new!
-
Aimee white commented
How is this still not on a roadmap?!
-
Luigi Bufalino commented
I would not classify this as important; I would classify this as critical or must have.
This shouldn't be an optional extra or an afterthought.
How far from the roadmap is this functionality?
-
Amedeo Fazi commented
We would like to set up Single Sign-On (SSO) with "our" Microsoft tenant to control any security breaches.
I have looked around your documentation; however, I only find links to setting up SSO for the HUB or MFA, which is not what we are looking for.
-
Dave Philp commented
Hello! I was the second person to vote for this feature back in 2013... and here I am, voting again in 2022.
"A few years"... will it be another 9? I certainly hope not.
If there's a concern around 2FA with the ATO, then there's nothing stopping Xero from enforcing its own 2FA after the login flow via SAML or OAuth has completed.
-
Matthew Stringer commented
I'm actually flabbergasted that this has been an item on Xero's agenda since 2013, and here we are in 2022 and you are telling us it's a few years to achieve, Dana. Quite unbelievable to be honest.
You do not need further input on how this will help us better manage our accounts. I am quite sure your CTO understands very clearly why supporting Azure SSO/SAML integration leads to better client security; he was, after all, CTO of Microsoft New Zealand.
-
Milena Lowe commented
So it has been 9 years, when are you likely to put this critical security feature in place? I would have thought 9 years was a few years. I cannot believe it hasn't been done already. This will make or break our decision in moving to the platform fully.
In our current world of cybersecurity threats, you do not take this seriously enough. Look at Optus, Medibank, Clinical Labs and so on and so on!
-
Ian Lazzari commented
This is the only SaaS product in use by our business that doesn't support SAML authentication. We have even added it to our own offering and I'm quite sure our resources are a lot less than yours!
You don't even have to choose a specific IDP such as Azure. The vast majority would be covered once you support SAML.
-
Tom Sander commented
Unbelievable that this suggestion was made in 2013 and no progress has been made. This is close to essential in providing security through a single point of truth for user account management, not to mention any conditional access rules implemented within the Azure tenancy.
-
Keith Fountain commented
This should be your number one priority and shouldn't take long to implement, especially with a development team of the size we presume you have as a multinational company. It's just an Azure Enterprise application that you should be able to put together in a couple of months at the outside, not years. I will be suggesting to our finance department that they look at different software.
-
Angus Hayes commented
Dana, Azure SSO integration (and integration with all external identity providers for that matter) should be relatively easy to implement with the Security Assertion Markup Language (SAML). We're not asking Xero to reinvent the wheel here; most software as a service companies have had this functionality for several years at least by now. It's a little concerning that a financial software company with a large market share in AU/NZ and beyond considers this matter a long running journey. I suggest that this should be prioritized or Xero will risk losing customers to other providers who prioritize their customers' security.
-
Nathan Morel commented
It should not be 'a few years to achieve', this is a security hole and needs to be prioritized.