Login - Enable Windows Azure Active Directory Single Sign On
Ability to use Azure Active Directory for MFA.
Purpose: It lets Microsoft users log into Xero easily.
Hi community, we appreciate many businesses have adopted single sign on with providers like Google, Microsoft Azure/Entra, and Okta to easily streamline logins to many applications and manage operational risk. Our team are staying close to votes and feedback of the idea here, and though we can't commit to development at this time, we will be sure to let you know of any progress toward enabling single sign on.
-
Adam Jones commented
Please do this, my IT department is pushing us to leave Xero for the lack of support.
-
Aaron Angel commented
See also https://productideas.xero.com/forums/939198-for-small-businesses/suggestions/44960674-sso-add-saml-authentication-support. These ideas should be combined. Separating similar ideas spreads out the votes leading to poor visibility of user demands for product managers.
Like other SSO solutions, Microsoft Entra (formerly Azure AD) supports SAML for external applications, so these ideas are essentially the same. In 2023, people have grown tired of too many passwords and the disparity of security requirements between vendors.
SSO is no longer an esoteric enterprise requirement. It's a minimum requirement for modern SaaS products.
We are considering more expensive products and considering budgets and the potential for migrations because of basic requirements like this.
-
Peter Laycock commented
Guys, I don't understand why this will take such a long time? I know devs that can punch this out in a few weeks, let alone years? I'm a security engineer in Azure that works with a lot of apps and I know this is incorrect.
?????
-
Matthew Smith commented
This is a must have in so many industries. Luckily my company is small right now, in a year from now, we will likely need to move to a provider that uses SSO.
-
Luigi Bufalino commented
This isn't a several-year process to implement..... If you spent half as much on development as you did on your parties and events, Xero may find that this would be a really short journey.
-
Martin Burns commented
As a SaaS company born in the cloud, it amazes me that you haven't yet implemented Azure AD SSO...
-
Ryan Byrne commented
This is urgently required.
-
Josh Hunter commented
The application in our environment that needs the most security is one of our least protected. Strongly requesting this feature from Xero. Thanks.
-
Daniel Suttle commented
Xero - please accelerate this. It was so long ago that this was originally requested. I voted for a post previously that now seems to have been deleted, and doesn't show in your closed history. What's going on? Come clean and tell people why it hasn't been done yet, and when it will be done by. You have got to realise that your position on this just doesn't make any sense!
-
Tom Burton commented
With Azure (as well as Google suite) offering industry standard OAuth and OIDC interfaces it really shouldn't be a several year journey. If this was important you could implement it within little more than a month. Big vote from me.
-
Alex Parkinson commented
Will likely have to leave Xero in the next 12 months if this isn't addressed. Basic requirement these days, disappointing from an otherwise great product.
-
Jason Hensley commented
In 2023 this is now a basic requirement for org security. SAML 2.0 to integrate with major Identity Providers, including Azure. Xero, step it up and get this done!
-
Keith Fountain commented
Apologies for my passive aggressive comments in the past, they are borne from the frustration of not getting any real commitment, response or timeline for this request.
The reason we want SSO is so that when we disable a user's account, they are locked out of everywhere from that moment. If we have multiple applications with multiple user accounts and we have to send requests to different department administrators to get these accounts disabled, it invariably means delay. In the current climate, the damage that can be done by an employee on a GDPR level can be immense if one account is overlooked, or the person that manages that application is off on that day. When all logins are controlled by a single account disabled=blocked, which you would think a company of Xero's size and reach would understand.
Please give us some kind of indication about the current roadmap and a projected date for implementation so we can remove Xero from our risk register.
-
Ben Nichols commented
As everyone says, this is absolutely critical. Being able to restrict access to Xero via Azure AD Conditional Access is critical.
Xero! Why would you NOT want to absolve yourself of the responsibility of handling authentication - hand that off to Azure AD, and that's one less thing to worry about (and be compromised!) - it makes it the customer's (and Microsoft's) responsibility then.
-
Ben Humphreys commented
We are likely to have to move away from Xero due to Qld Law Society Cyber Security requirements. Even as a small law firm, we are now required to have in place Conditional Access for all practice accounts, systems and data. If Xero cannot provide Azure SSO we will not have a choice but to move to a provider who can!
-
Alex Steer commented
Unfortunately, the lights are on but it doesn't appear that in many many years of customers begging for SSO through a 3rd party IdP via the open standard SAML2.0 protocol that they're listening, or maybe just do not understand what is being asked.
-
Patrick Burgess commented
Just SSO. Pllleeeeaaaassseeee. You are now the only SaaS platform we use outside our SSO. Don't be that company who has to get breached before they start implementing basic security requirements.
-
Dan Harmer commented
The issue is even greater than that - without SSO we can't enable Conditional Access, which means users (staff, outsourcing companies, anyone) can access Xero on their home computers, library computers, anywhere, and download our client data. In its current form Xero is fundamentally not secure for business.
-
Lauren Child commented
Just to be clear, it's not just about the ease of login. At the moment Xero doesn't provide a method of enforcing MFA or adding security monitoring & control on the login.
That makes it a liability, for example a user without MFA is potentially a regulatory breach and potential lawsuit, aside from the obvious security and privacy impact. Being divorced from the enterprise means it's not being monitored the same way.
In short, if a user falls victim to phishing and a hacker gets caught and blocked automatically in the enterprise, they still potentially get full access to Xero accounts until somebody pops over and resets the account manually, and who knows what personal & financial data access and damage they could do in the interim.
That's why we need SAML or Azure SSO etc.
Ease of use is a bonus, but really it's all about de-risking the use of Xero in a normal enterprise.
-
Richard Crozier commented
No, we don't want Azure integration, we want generic SAML that works with any ID provider. But you've closed that idea, even though it is the solution to SSO.