Exploring the SSO Service

Objective

After completing this lesson, you will be able to explain the key features of the Self-Activated SSO Service.

Overview of the Self-Activated SSO Service

The SAP Concur self-activated SSO service is a self-service configuration that allows customers to fast-track the SSO onboarding process and provides:

  • Easy and secure, long-term SSO management. As the designated SSO administrator for your company, you can manage your own SSO configuration by using the Manage Single Sign-On page.
  • Full SAML 2.0 (Security Assertion Markup Language) compliance. SAML SSO involves two parties: an IdP and an SP. SAP Concur is the SP.

Note

The SAP Concur SSO service supports various IdPs such as: SAP IAS, Microsoft Azure AD, Okta, Ping Identity, OneLogin, JumpCloud, Idaptive, Google G Suite, ADFS, Shibboleth, VMWare Workspace One, Siteminder, and more. For a list of the supported IdPs, refer to the SSO Management Setup guide.

How Does the Self-Activate SSO Service Work?

Configuring SSO is a two-part process that includes the following tasks:

  • Uploading SAP Concur SP metadata to your company’s IdP, a service that stores and manages digital identities.
  • Uploading IdP metadata to SAP Concur.

The Single Sign-On self-service tool is used only for the second part of the process – uploading your IdP metadata to SAP Concur. This part of the process is accomplished in the following four high-level steps:

  1. As your company’s SSO administrator, access the Manage Single Sign-On page and then retrieve the SAP Concur SP metadata.
  2. Configure the SSO settings at the IdP based on information from the SP metadata.
  3. Next, you retrieve IdP metadata from the IdP and upload it to the Manage Single Sign-On page.
  4. Finally, you add a few test users, test the new SSO connection, and then your company rolls out SSO to their SAP Concur users.

How to Obtain the Required Permissions?

How you gain the permission to access the Manage Single Sign-On page varies depending on the SAP Concur services that your company purchased.

Professional Edition

The Authentication Admin menu automatically appears for all users who have the SSO Manager permission.

All Standard Edition

The Authentication Admin menu automatically appears for all users who have the Can Administer checkbox selected on their profile.

Additional Resource

For more information about how the self-activated SSO works, refer to the Single Sign-On Overview document.

Summary

  • The SAP Concur Self-Activated SSO Service is a self-service configuration tool that streamlines the onboarding and management of Single Sign-On (SSO) for customers, offering secure and long-term SSO administration.
  • It is fully SAML 2.0 compliant and supports a wide range of Identity Providers (IdPs) such as Azure AD, Okta, Google G Suite, and more.
  • The SSO setup process involves uploading SAP Concur’s Service Provider (SP) metadata to your IdP, then uploading IdP metadata to SAP Concur via the Manage Single Sign-On page.
  • Permissions to access the Manage Single Sign-On page are granted based on role assignments in either the Professional or Standard edition of SAP Concur.

Learning

SAP FacebookSAP YoutubeSAP LinkedIn