Configuring the Single Sign-On Service

Objectives

After completing this lesson, you will be able to:
  • Access SSO.
  • Configure SSO.

Path to Access SSO

To access the Manage Single Sign-On page, navigate to Home, then select Administration → Company → Authentication Admin.

A dropdown menu in SAP Concur. At the top left, the SAP Concur logo is displayed. Next to the logo, the Home menu is selected, indicated by a dropdown arrow. The dropdown menu is divided into two sections: APPLICATIONS and ADMINISTRATION. Under APPLICATIONS, there are three options: Expense, Approvals, and App Center. Under ADMINISTRATION, there are six options: Expense Settings, Company, Tools, Web Services, Change Log, and Authentication Admin. The Company and Authentication Admin options are highlighted in yellow.

From the Authentication Administration page, select the Manage Single Sign-On link.

The Manage Single Sign-On page appears, where you can manage Single Sign-On for SAP Concur products.

The Authentication Administration page in SAP Concur. At the top left, the SAP Concur logo is visible. To the right, the Administration menu is selected. Below that, there are navigation links with Expense Settings and Company tabs, with the Company tab currently highlighted. Beneath the navigation, there is a breadcrumb trail showing Expense Settings / Authentication Admin. The main heading on the page is Authentication Administration. Below the heading, there are three options: Manage Single Sign-On, which is highlighted with an orange border and has a subtext Manage Single Sign-On for SAP Concur products, Sign-In Settings, with a subtext Manage Sign-In Settings for SAP Concur, and Company Request Token, with a subtext Generate a request token to obtain a Company JWT.

Configure the SSO Service - Introduction

SAP Concur’s self-activated SSO is a self-service configuration that allows customers to fast-track the SSO onboarding process and provides:

  • Easy and secure, long-term SSO management. As the designated SSO admin for your company, you can manage your own SSO configuration by using the Manage Single Sign-On page.
  • Full SAML 2.0 (Security Assertion Markup Language) compliance. SAML SSO involves two parties: an IdP and an SP. SAP Concur is the SP.

Caution

The SAP Concur SSO service supports various IdPs such as: SAP IAS, Microsoft Azure AD, Okta, Ping Identity, OneLogin, JumpCloud, Idaptive, Google G Suite, ADFS, Shibboleth, VMWare Workspace One, Siteminder, and more. For a list of the supported IdPs, refer to the SSO Management Setup Guide.

How Does the SSO Service Work?

Configuring SSO is a two-part process that includes the following tasks:

  • Uploading SAP Concur SP metadata to your company's IdP, a service that stores and manages digital identities.
  • Uploading IdP metadata to SAP Concur.

Note

The SSO self-service tool is used ONLY for the second part of the process - uploading your IdP metadata to SAP Concur.

This part of the process is accomplished in the following high-level steps:

  1. As your company's SSO admin, access the Manage Single Sign-On page and then retrieve the SAP Concur SP metadata.
  2. Configure the SSO settings at the IdP based on information from the SP metadata.
  3. Retrieve IdP metadata from the IdP and upload it to the Manage Single Sign-On page.
  4. Add a few test users, test the new SSO connection, and then roll out SSO to your company's SAP Concur users.
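
Before step 3, the file exported from the IdP can be checked for the mistakes that most often break a new connection. The following Python check is an added example, not SAP Concur or IdP vendor code; the function name `check_idp_metadata`, the set of checks, and the `idp.example.test` sample values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"}

def check_idp_metadata(xml_text, now=None):
    """Return a list of problems in an IdP metadata file (empty list = looks sane)."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD
        return ["DOCTYPE present; refusing to parse"]
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID"):
        problems.append("missing entityID")
    until = root.get("validUntil")
    if until:
        # SAML timestamps are UTC; drop the trailing "Z" and attach UTC explicitly.
        expiry = datetime.fromisoformat(until.rstrip("Z")).replace(tzinfo=timezone.utc)
        if expiry <= (now or datetime.now(timezone.utc)):
            problems.append(f"metadata expired at {until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor (SP metadata uploaded by mistake?)"]
    # A KeyDescriptor without a "use" attribute is valid for signing as well.
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")
             and (k.findtext(".//ds:X509Certificate", "", NS) or "").strip()]
    if not certs:
        problems.append("no signing certificate")
    sso = idp.findall("md:SingleSignOnService", NS)
    if not any(s.get("Binding") in BINDINGS for s in sso):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    problems += [f"non-HTTPS endpoint: {s.get('Location')}" for s in sso
                 if not (s.get("Location") or "").startswith("https://")]
    return problems

# Constructed sample: expired IdP export with a plain-HTTP endpoint and no signing key.
SAMPLE_BAD = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://idp.example.test/saml" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Location="http://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE_BAD))
```

An empty list means the file passed these checks only; the connection still has to be tested with the test users from step 4.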

How to Obtain the Required Permissions?

To gain the required permission, you must call SAP Concur Support. Accessing the Manage Single Sign-On page requires permission from the Company Administration (Travel).

How to Configure the SSO Service

Follow these steps to configure the SSO service. We'll walk you through each part of the process, complete with detailed instructions and screenshots to help you along the way.

Once you complete these steps, a demo video is available at the end to reinforce what you've learned and provide a quick recap.

Steps

  1. On the Manage Single Sign-On page, from the SSO Setting list, select SSO Optional.

    A screenshot of the Manage Single Sign-On settings page for SAP Concur. At the top, there is a blue banner with a message stating, Please complete testing before changing the SSO Setting to SSO Required. Below this, the main section is titled Manage Single Sign-On for (blurred text) - with the option to visit the SAP Help Portal for more information about Single Sign-On with SAP Concur. The Enable SSO section features a dropdown menu labeled SSO Settings currently set to SSO Optional. The Get SAP Concur Metadata section provides a URL to copy or download the SAP Concur metadata and add it to the Identity Provider (IdP). The URL is displayed in a text box with a Copy URL button next to it. There is also a Download link to obtain the SAP Concur metadata. At the bottom of the page, there is a table titled SSO Configurations with columns for Entity ID, Name, Hidden, Active From, Expiration Date, and Logout URL. The table includes buttons for adding, editing, deleting, and viewing metadata configurations.

    Caution

    If you change the SSO Setting to SSO Required, all users must sign in to concursolutions.com through an IdP using SSO. Users, including TMCs, admins, web services, and test user accounts, will be blocked from signing in to concursolutions.com with their username and password.
    A screenshot from an SAP Concur interface titled Manage Single Sign-On for Standard Configuration Training. The main content focuses on enabling Single Sign-On (SSO). There is a dropdown menu labeled SSO Setting with two options: SSO Optional (highlighted in blue, indicating users may sign in with a password or with SSO) and SSO Required (highlighted in yellow, indicating users must sign in using SSO). Below is a section titled Get SAP Concur Metadata, which allows users to copy or download metadata for their identity provider. A link for downloading SAP Concur metadata is also provided. Towards the bottom of the image, there is a section labeled SSO Configurations, which contains a table with columns for Entity ID, Name, Hidden, Active From, Expiration Date, and Logout URL. Options to add, edit, delete, and view metadata are available as buttons to the right of the table.
  2. Under the SSO Configuration section, select Add.

    A screenshot from an SAP Concur interface titled Manage Single Sign-On for Standard Configuration Training. At the top, there is a message in a blue box advising to complete testing before changing the SSO setting to SSO Required. Below this, the main content explains enabling Single Sign-On (SSO). There is a dropdown menu labeled SSO Setting with the option SSO Optional selected, indicating users may sign in with a password or with SSO. Next is a section titled Get SAP Concur Metadata, which provides an option to copy or download metadata for an identity provider (IdP). A URL is displayed with a Copy URL button next to it, and there is also a link to download the SAP Concur metadata. At the bottom of the image, there is a section labeled SSO Configurations containing a table with columns for Entity ID, Name, Hidden, Active From, Expiration Date, and Logout URL. To the right of the table, there are buttons labeled Add (highlighted in yellow), Edit, Delete, and View Metadata.
  3. The Add IdP Metadata page appears.

    A pop-up window from an SAP Concur interface titled Add IdP Metadata. Within the window, there are three main input sections. The first section, labeled Custom IdP Name, has a text field with an asterisk indicating it is a required field. A note below the field explains that the entered IdP Name is what users will see. The second section, labeled Logout URL, also contains a text field. A note below it indicates that users will be redirected to the Logout URL when they sign out. The third section is for uploading the IdP's metadata, featuring a button labeled Upload XML File. Below this, there is a checkbox option to hide the SSO option from users signing in to SAP Concur on web or mobile. At the bottom of the window, there are two buttons: one labeled Cancel and the other labeled Add Metadata, which is highlighted in blue.

    The table below outlines and explains the fields that are numbered in the preceding screenshot.

    Index # | Field Name | Description
    1 | Custom IdP Name | Name the connection as you want it to be displayed on the www.concursolutions.com page: Sign in with <value that you create here>.
    2 | Logout URL | The Logout URL is where your users land when they sign out of the service. This field is optional and can remain blank. Users will be redirected to concursolutions.com after they sign out.
    3 | Upload XML File | Select Upload XML File to load your IdP's metadata file.

    Select Add Metadata to save these changes. SSO is enabled for your SAP Concur site.

    Note

    Next, you need to assign user permissions so employees can use the connection within your IdP. You are now ready to test.

Result

How to Test Your SSO Service

Steps

  1. Go to www.concursolutions.com.

  2. Enter the Concur Login ID, Verified e-mail Address, or SSO Code (rare), and then select Next. The Concur system retrieves the user and presents the sign-in options.

  3. Select the SSO Configuration button.

Result

The Concur system contacts the IdP, the IdP authenticates the user, and the Concur interface launches.

Support of Multiple IdPs

You can upload an unlimited number of IdP metadata files to SAP Concur through the SSO self-service tool. That means your company can connect an unlimited number of IdP apps or connectors to a single SAP Concur entity as illustrated in the following graphic.

Note

For a list of the supported IdPs, refer to the SSO Management Setup Guide.

Encrypted SAML

SAP Concur supports encrypted SAML assertions. The encryption key is available in the SAP Concur SP metadata.
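
To confirm that the IdP encrypts to the key published in the SP metadata, and to pull out the values the IdP-side configuration needs, the metadata can be read programmatically. This Python example is added here and is not SAP Concur code; `sp_settings` is a hypothetical helper, and the `sp.example.test` metadata is a constructed placeholder, not SAP Concur's real entity ID, endpoints or certificate.

```python
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUE = ("true", "1")  # both spellings of xs:boolean true

def sp_settings(xml_text):
    """Return the values an IdP admin copies out of SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    # Default endpoint first, then lowest index.
    acs.sort(key=lambda e: (e.get("isDefault") not in TRUE, int(e.get("index", "0"))))
    prints = {"signing": [], "encryption": []}
    for kd in sp.findall("md:KeyDescriptor", NS):
        # The base64 is usually line-wrapped; strip whitespace before decoding.
        b64 = "".join((kd.findtext(".//ds:X509Certificate", "", NS) or "").split())
        if not b64:
            continue
        fp = hashlib.sha256(base64.b64decode(b64, validate=True)).hexdigest()
        # A KeyDescriptor with no "use" attribute serves both purposes.
        for use in ([kd.get("use")] if kd.get("use") else list(prints)):
            prints.setdefault(use, []).append(fp)
    return {"entity_id": root.get("entityID"),
            "acs_url": acs[0].get("Location") if acs else None,
            "wants_signed_assertions": sp.get("WantAssertionsSigned") in TRUE,
            "encryption_cert_sha256": prints["encryption"]}

# Constructed sample: placeholder SP metadata, not SAP Concur's real values.
CONSTRUCTED_DER = b"constructed bytes, not a real certificate"
B64 = base64.b64encode(CONSTRUCTED_DER).decode()
SAMPLE_SP = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/metadata">
 <md:SPSSODescriptor WantAssertionsSigned="true">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {B64[:28]}
   {B64[28:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="1" Location="https://sp.example.test/acs-alt"/>
  <md:AssertionConsumerService index="0" isDefault="true"
      Location="https://sp.example.test/acs"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(sp_settings(SAMPLE_SP))
```

Compare the returned SHA-256 fingerprint with the one your IdP displays for the encryption certificate it was given.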

Note

IdP-Initiated SSO and SP-Initiated SSO are supported.

Example of IdP login page

The user signs in to the IdP and then typically selects a link or tile on the IdP page to access SAP Concur.

You can also optionally initiate the sign-in using the SSO HTTP-Redirect URL (provided by the IdP).

Screenshot of the JumpCloud dashboard interface. The left sidebar contains three options: Applications, Profile, and Security. The Applications option is currently selected. The main section of the screen displays an Applications header, followed by a card for SSO Demo - p12...with a blue circle containing an S icon. The card also includes details that read: SSO Demo - p12031056mb5 and a link to hide the card. The JumpCloud logo is visible at the top left corner of the screen.

Example of SP login page

The user navigates to concursolutions.com, enters their username, verified e-mail address, or company SSO code, and then selects the appropriate SSO option.

The SP-Initiated SSO flow is used by the SAP Concur mobile app to sign in to that platform by using SSO.

A sign-in screen for SAP Concur. At the top, there is a Sign In heading. Below it, there is a field labeled Username, verified email address, or SSO code where a user entered expenseadmin@cvi.training.com. Below the input field, there is a blue Next button. Additionally, there is an option to toggle Remember me on or off, which is currently in the on position (indicated by a blue switch). Below these options are links for Forgot username and Need help signing in. At the bottom of the image, there is a link labeled Learn about SAP Concur for your business.

References

  • SAP Concur Solutions - Single Sign-On Management

Summary

Thank you for completing this unit!

Throughout the lessons, you have gained a solid understanding of how to configure self-activated Single Sign-On (SSO) in Concur Expense. This unit provided a detailed overview of the basics, along with step-by-step guidance on how to configure the single sign-on service for seamless user authentication.

Before you move on from this unit, there is a knowledge check to help reinforce and assess what you've learned.
