Configuring the Single Sign-On Service

Objective

After completing this lesson, you will be able to configure Single Sign-On service for Concur Standard Edition.

Path to Access SSO

To access the Manage Single Sign-On page, navigate to Home, then select Administration > Company > Authentication Admin.

A dropdown menu in SAP Concur. At the top left, the SAP Concur logo is displayed. Next to the logo, the Home menu is selected, indicated by a dropdown arrow. The dropdown menu is divided into two sections: APPLICATIONS and ADMINISTRATION. Under APPLICATIONS, there are three options: Expense, Approvals, and App Center. Under ADMINISTRATION, there are six options: Expense Settings, Company, Tools, Web Services, Change Log, and Authentication Admin. The Company and Authentication Admin options are highlighted in yellow.

From the Authentication Administration page, select the Manage Single Sign-On link.

The Manage Single Sign-On page appears, where you can manage Single Sign-On for SAP Concur products.

The Authentication Administration page in SAP Concur. At the top left, the SAP Concur logo is visible. To the right, the Administration menu is selected. Below that, there are navigation links with Expense Settings and Company tabs, with the Company tab currently highlighted. Beneath the navigation, there is a breadcrumb trail showing Expense Settings / Authentication Admin. The main heading on the page is Authentication Administration. Below the heading, there are three options: Manage Single Sign-On, which is highlighted with an orange border and has a subtext Manage Single Sign-On for SAP Concur products, Sign-In Settings, with a subtext Manage Sign-In Settings for SAP Concur, and Company Request Token, with a subtext Generate a request token to obtain a Company JWT.

Configure the SSO Service - Introduction

SAP Concur’s self-activated SSO is a self-service configuration that allows customers to fast-track the SSO onboarding process and provides:

  • Easy and secure, long-term SSO management. As the designated SSO admin for your company, you can manage your own SSO configuration by using the Manage Single Sign-On page.
  • Full SAML 2.0 (Security Assertion Markup Language) compliance. SAML SSO involves two parties: an IdP and an SP. SAP Concur is the SP.

Caution

The SAP Concur SSO service supports various IdPs, such as SAP IAS, Microsoft Azure AD, Okta, Ping Identity, OneLogin, JumpCloud, Idaptive, Google G Suite, ADFS, Shibboleth, VMWare Workspace One, Siteminder, and more. For a list of the supported IdPs, refer to the SSO Management Setup Guide.

How Does the SSO service Work?

Configuring SSO is a two-part process that includes the following tasks:

  • Uploading SAP Concur SP metadata to your company's IdP, a service that stores and manages digital identities.
  • Uploading IdP metadata to SAP Concur.

Note

The SSO self-service tool is used ONLY for the second part of the process - uploading your IdP metadata to SAP Concur.

This part of the process is accomplished in the following high-level steps:

  1. As your company's SSO admin, access the Manage Single Sign-On page and then retrieve the SAP Concur SP metadata.
  2. Configure the SSO settings at the IdP based on information from the SP metadata.
  3. Retrieve IdP metadata from the IdP and upload it to the Manage Single Sign-On page.
  4. Add a few test users, test the new SSO connection, and then your company rolls out SSO to their SAP Concur users.

How to Obtain the Required Permissions?

To gain the required permission, you must call SAP Concur Support. Accessing the Manage Single Sign-On page requires permission from the Company Administration (Travel).

How to Configure the SSO Service

Follow these steps to configure the SSO service. We'll walk you through each part of the process, complete with detailed instructions and screenshots to help you along the way.

Once you complete these steps, a demo video is available at the end to reinforce what you've learned and provide a quick recap.

Steps

  1. On the Manage Single Sign-On page, from the SSO Setting dropdown, select SSO Optional.

    The image shows the Manage Single Sign On Settings page for SAP Concur. Highlighted on the page is the Enable SSO section, which features a dropdown menu labeled SSO Setting, which is currently set to SSO Optional.

    Caution

    If you change the SSO Setting to SSO Required, all users are required to sign in to concursolutions.com through an IdP using SSO. Users, including TMCs, admins, web services, and test user accounts, will be blocked from signing in to concursolutions.com with their username and password.
    A portion of the Authentication Admin page is displayed. Three options are shown below the header: Manage Single Sign-On (which is highlighted), Sign-In Settings, and Company Request Token.
  2. Under the SSO Configuration section, select Add.

    The image shows the Manage Single Sign On Settings page for SAP Concur. On the bottom of the page is a section labeled SSO Configurations containing tables for Entity ID, Name, Hidden, Active From, Expiration Date, and Logout URL. To the right of the table, there are buttons labeled Add (highlighted), Edit, Delete, and View Metadata.
  3. The Add IdP Metadata page appears.

    A pop-up window from an SAP Concur interface titled Add IdP Metadata. Within the window, there are three main input sections. The first section, labeled Custom IdP Name, has a text field with an asterisk indicating it is a required field. The second section, labeled Logout URL, also contains a text field. The third section is for uploading the IdP’s metadata, featuring a button labeled Upload XML File. At the bottom of the window, there are two buttons: one labeled Cancel and the other labeled Add Metadata, which is highlighted in blue.

    The table below outlines and explains the fields that are numbered in the preceding screenshot.

    Index # | Field Name | Description
    1 | Custom IdP Name | Name the connection as you want it to be displayed on the www.concursolutions.com page, as Sign in with <value that you create here>.
    2 | Logout URL | The Logout URL is where your users land when they sign out of the service. This field is optional, and can remain blank. Users will be redirected to concursolutions.com after they sign out.
    3 | Upload XML File | You select Upload XML File to load your IdP's metadata file.

    Select Add Metadata to save these changes. SSO is enabled for your SAP Concur site.

    Note

    Next, you need to assign user permissions so employees can use the connection within your IdP. You are now ready to test.

Result

How to Test Your SSO Service

Steps

  1. Go to www.concursolutions.com.

  2. Enter the Concur Login ID, Verified e-mail Address, or SSO Code (rare), and then select Next. The Concur system retrieves the user and presents the sign-in options.

  3. Select the SSO Configuration button.

Result

The Concur system contacts the IdP, the IdP authenticates the user, and the Concur interface launches.

Support of Multiple IdPs

You can upload an unlimited number of IdP metadata to SAP Concur through the SSO self-service tool. That means your company can connect an unlimited number of IdP apps or connectors to a single SAP Concur entity as illustrated in the following graphic.

Note

For a list of the supported IdPs, refer to the SSO Management Setup Guide.

Encrypted SAML

SAP Concur supports encrypted SAML assertions. The encryption key is available in the SAP Concur SP metadata.
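
A check for the metadata files exchanged during setup, as an added example that is not SAP Concur code: it parses a SAML 2.0 metadata file, counts certificates by use (in SP metadata, the encryption count corresponds to the key mentioned above), and lists problems worth fixing in IdP metadata before it is uploaded. The sample XML, the example.test URLs, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: expired, plain-HTTP endpoint, key with no "use" attribute.
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="http://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_metadata(xml_text):
    """Entity ID, role, expiry, certificates by use and SSO endpoints."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD declarations do not belong in SAML metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    role = idp if idp is not None else root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor found")
    keys = {"signing": 0, "encryption": 0}
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.find(".//ds:X509Certificate", NS) is not None:
            # A KeyDescriptor without "use" serves both signing and encryption.
            for use in [kd.get("use")] if kd.get("use") else ["signing", "encryption"]:
                keys[use] = keys.get(use, 0) + 1
    return {"entity_id": root.get("entityID"), "keys": keys,
            "role": "idp" if idp is not None else "sp",
            "valid_until": root.get("validUntil") or role.get("validUntil"),
            "sso": [e.get("Location", "") for e in role.findall("md:SingleSignOnService", NS)]}

def preupload_findings(s, now=None):
    """Problems to fix before uploading IdP metadata to the service provider."""
    out = [msg for bad, msg in [
        (s["role"] != "idp", "not IdP metadata"),
        (s["keys"]["signing"] == 0, "no signing certificate"),
        (not s["sso"], "no SingleSignOnService endpoint")] if bad]
    out += ["non-HTTPS endpoint: " + u for u in s["sso"] if not u.startswith("https://")]
    if s["valid_until"]:
        exp = datetime.fromisoformat(s["valid_until"].replace("Z", "+00:00"))
        if exp.replace(tzinfo=exp.tzinfo or timezone.utc) <= (now or datetime.now(timezone.utc)):
            out.append("metadata expired: " + s["valid_until"])
    return out
```

Calling `preupload_findings(summarize_metadata(SAMPLE_IDP))` reports the plain-HTTP endpoint and the expired `validUntil`; an empty list means none of these checks failed.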

Note

IdP-Initiated SSO and SP-Initiated SSO are supported.

Example of IdP login page

The user signs in to the IdP and then typically selects a link or tile on the IdP page to access SAP Concur.

You can also optionally initiate the sign-in using the SSO HTTP-Redirect URL (provided by the IdP).

Screenshot of the JumpCloud dashboard interface. The left sidebar contains three options: Applications, Profile, and Security. The Applications option is currently selected. The main section of the screen displays an Applications header, followed by a card for SSO Demo with a blue circle containing an S icon. The card also includes details that read: SSO Demo and a link to hide the card.

Example of SP login page

The user navigates to concursolutions.com, enters their username, verified e-mail address, or company SSO code, and then selects the appropriate SSO option.

The SP-Initiated SSO flow is used by the SAP Concur mobile app to sign in to that platform by using SSO.

A sign-in screen for SAP Concur. At the top, there is a Sign In heading. Below it, there is a field labeled Username, verified email address, or SSO code where a user entered admin@cprasadinv.com. Below the input field, there is a blue Next button. Additionally, there is an option to toggle Remember me on or off, which is currently in the on position (indicated by a blue switch). Below these options are links for Forgot username and Need help signing in. At the bottom of the image, there is a link labeled Learn about SAP Concur for your business.

References

  • SAP Concur Solutions - Single Sign-On Management

Summary

  • Access and manage Single Sign-On (SSO) using the Manage Single Sign-On page in SAP Concur Administration.
  • Configure SSO by exchanging metadata between SAP Concur and your company’s Identity Provider (IdP).
  • Test the SSO connection with selected users before rolling out to all SAP Concur users.
  • SAP Concur supports multiple IdPs and encrypted SAML assertions for secure authentication.
