navan-deploy-integration

Navan Deploy Integration

Overview

Navan connects to enterprise systems through multiple integration methods: direct REST API with OAuth 2.0, SCIM for user provisioning, SFTP for batch file exchange, SAML/OIDC for SSO, and webhooks for real-time events. There is no SDK — all integrations use Navan's REST endpoints or admin console configuration. This skill provides deployment checklists for the three most common integration categories: ERP expense sync, HRIS user provisioning, and identity provider SSO.

Prerequisites

• Navan Admin account with integration management permissions
• OAuth 2.0 credentials — client_id and client_secret from Admin > API Settings
• Target system admin access — NetSuite/Sage Intacct/Xero admin, Workday/BambooHR admin, or Okta/Azure AD admin
• API base URL: https://api.navan.com/v1

Instructions

Category A — ERP Expense Sync (NetSuite, Sage Intacct, Xero, QuickBooks)

Deployment Checklist:

1. Create OAuth credentials in Navan Admin > API Settings
2. Configure GL code mappings — Map Navan expense categories to your chart of accounts
3. Set cost center mappings — Align Navan departments with ERP cost centers
4. Enable expense export via REST API:

# Fetch approved expenses ready for ERP sync
curl -s -X GET "https://api.navan.com/v1/expenses?status=approved&limit=50" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H "Content-Type: application/json"

# Response includes fields for ERP mapping:
# {
#   "uuid": "exp_abc123",
#   "amount": 245.50,
#   "currency": "USD",
#   "category": "meals_entertainment",
#   "cost_center": "engineering",
#   "gl_code": "6200",
#   "receipt_url": "https://api.navan.com/v1/receipts/exp_abc123",
#   "approved_at": "2026-03-20T14:30:00Z"
# }

5. Set up sync schedule — Navan supports daily or real-time export via webhooks
6. Validate with test expenses — Submit 3-5 test expenses through the full approval flow
7. Enable in production — Switch from sandbox to production OAuth credentials

Category B — HRIS User Provisioning (Workday, BambooHR, ADP)

SCIM Provisioning Setup:

1. Enable SCIM in Navan Admin > Integrations > User Provisioning
2. Configure SCIM endpoint in your HRIS:
   • SCIM Base URL: https://api.navan.com/scim/v2
   • Authentication: OAuth 2.0 Bearer Token
3. Map user attributes:

HRIS Field	Navan SCIM Attribute	Required
Email	userName	Yes
First Name	name.givenName	Yes
Last Name	name.familyName	Yes
Department	urn:navan:department	Recommended
Manager	urn:navan:manager_email	Recommended
Cost Center	urn:navan:cost_center	Optional

4. Test provisioning — Create a test user in HRIS and verify they appear in Navan within 15 minutes
5. Test deprovisioning — Deactivate the test user and confirm Navan access is revoked
6. Verify via API:

# Check provisioned users
curl -s "https://api.navan.com/v1/users?provisioning_source=scim&limit=10" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" | jq '.[] | {email, status, provisioned_at}'

Category C — SSO Deployment (Okta, Azure AD)

SAML Configuration:

1. Create SAML application in your IdP (Okta or Azure AD)
2. Configure Navan SAML settings in Admin > Security > SSO:
   • Entity ID: https://app.navan.com/saml/metadata
   • ACS URL: https://app.navan.com/saml/acs
   • Name ID Format: emailAddress
3. Map SAML attributes:

email       → user.email        (Required)
firstName   → user.firstName    (Required)
lastName    → user.lastName     (Required)
department  → user.department   (Optional — enables policy routing)

4. Upload IdP metadata XML to Navan Admin console
5. Enable JIT provisioning (optional) — Auto-create Navan accounts on first SSO login
6. Test with a pilot group — Assign 5-10 users before org-wide rollout
7. Enforce SSO — After pilot validation, enable "SSO Required" to disable password login

Output

Each integration deployment produces:

• Connection validation confirming data flows between systems
• Field mapping documentation for ongoing maintenance
• Test results from pilot user group
• Rollback instructions if issues arise post-deployment

Error Handling

HTTP Code	Meaning	Resolution
400	Invalid field mapping or malformed request	Review GL code / attribute mappings
401	OAuth token expired or invalid	Rotate credentials in Navan Admin
403	Integration not enabled for your plan	Verify Navan plan includes this integration (Enterprise required for some)
409	Duplicate user in SCIM provisioning	Check for existing user with same email
422	Validation error on expense export	Verify required fields (amount, currency, category) are present
429	Rate limited	Reduce sync frequency or implement exponential backoff

Examples

Automated daily expense export to NetSuite:

#!/usr/bin/env bash
# scripts/navan-netsuite-sync.sh
set -euo pipefail

# Authenticate
TOKEN=$(curl -sf -X POST https://api.navan.com/ta-auth/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=${NAVAN_CLIENT_ID}&client_secret=${NAVAN_CLIENT_SECRET}" \
  | jq -r '.access_token')

# Fetch yesterday's approved expenses
YESTERDAY=$(date -d "yesterday" +%Y-%m-%d)
curl -s "https://api.navan.com/v1/expenses?status=approved&approved_after=${YESTERDAY}T00:00:00Z" \
  -H "Authorization: Bearer $TOKEN" \
  -o /tmp/navan-expenses.json

EXPENSE_COUNT=$(jq length /tmp/navan-expenses.json)
echo "Exporting $EXPENSE_COUNT expenses to NetSuite"

Resources

• Navan Help Center — Integration setup guides
• Navan Integrations Directory — Full list of supported connectors
• SCIM Protocol Spec (RFC 7644) — SCIM provisioning standard
• Navan Pricing — Plan comparison for integration availability

Next Steps

• Add navan-observability to monitor integration health post-deployment
• Add navan-webhooks-events for real-time event-driven sync instead of polling
• See navan-security-basics for credential rotation and access control