Configuring the SSO Service

Objective

After completing this lesson, you will be able to configure Self-Activated Single Sign On.

Accessing the Manage Single Sign-On Page

You use the Manage Single-Sign-On page to:

Enforce SSO-only sign-in policy for the entire company.
Obtain SAP Concur SP metadata.
Upload IdP metadata to SAP Concur.
Specify the name of each SSO sign-in option.
Specify the URL where users land when they sign out of SAP Concur.

To access the Manage Single Sign-On page, select Authentication Admin from the Home menu.

Screenshot showing the selection of the Authentication Admin option.

Then, select Manage Single Sign-On.

Screenshot showing the selection of the Manage Single Sign-On tools.

High-level Steps to Set Up the SSO Service

You can manage the SSO sign-in policy on the Manage Single Sign-On page by selecting SSO Setting dropdown as depicted in the screenshot below in step 2. You can choose to make SSO optional or required. SAP Concur recommends making SSO optional during the testing phase. Once testing is complete, you can decide which option is best for your company going forward.
Note
If you make SSO required, the only way users can access your site is through SSO. If you have any users who need to access your site with a SAP Concur login ID and password, such as TMC agents or test user accounts, it is recommended to set SSO as optional.
Under SSO Configurations, select the Add button.

The SSO Setting option and the Add button are highlighted.

Selecting the Add button opens the Add IdP Metadata dialog, allowing you to enter the details of this SSO configuration.

The various fields to add Metadata are displayed.

Review the table below to learn how to complete the dialog.

Field Name	Description
Custom IdP Name	Name the connection as you want it to be displayed on the www.concursolutions.com page as "Sign in with ﹤value that you create here﹥."
Logout URL	The Logout URL is where your users will land when they sign out of SAP Concur, such as your intranet or internal travel page. The Logout URL field is optional and can remain blank and users will be redirected to concursolutions.com after they sign out.
Upload XML File	You select Upload XML File to load your IDP’s metadata file.

Demonstration of How to Set Up the Self-Activating SSO Service

Select the Play button to watch a demonstration of how to set up the Self-Activating SSO Service.

Note

Self-Activated Single Sign-On is available to all SAP Concur services and platforms. Some of the screens in this video may be slightly different from those on your site.

After you complete these steps, SSO is enabled for your SAP Concur site.
The next step is to assign the correct user permissions so that employees can use the connection within your IdP.
Then, you are ready to test.

Summary

The SAP Concur Self-Activated SSO Service is a self-service tool for easy and secure configuration and management of Single Sign-On (SSO), supporting SAML 2.0 and popular Identity Providers like Azure AD, Okta, and Google G Suite.
SSO setup requires exchanging metadata between SAP Concur and your Identity Provider using the Manage Single Sign-On page, with access controlled by user roles in SAP Concur.
Administrators can choose to make SSO optional or required; it is recommended to keep SSO optional during testing to allow for password-based logins if needed.
Adding a new SSO configuration involves providing a custom IdP name, an optional logout URL, and uploading the IdP metadata XML file.

Continue to quiz