Okta

How to Configure SAML 2.0 for Concur Travel and Expense


The Concur Travel and Expense app is currently in Early Access stage. For more information contact your Concur representative.


Supported Features

The Okta/Concur Travel and Expense SAML integration currently supports the following features:

For more information on the listed features, visit the Okta Glossary.


Configuration Steps

  1. Log in to the SSO management page for the region your Concur entity is hosted in:

    Note: If you can’t access the URL, contact Concur Support.

  2. Scroll down to the IdP Metadata section and click Add:

  3. Follow the steps below:

    • Custom IdP Name: Enter a name for your IdP.

    • Provide link to your IdP's metadata: Copy and paste the following:

      Sign in to the Okta Admin app to have this variable generated for you

    • Click Add Metadata:

  4. Done!


Notes

This application does not support the encryption option. To use assertion encryption, you need to create your own private application through our SAML App Wizard. Instructions are provided below.

SP-initiated SSO

  1. Go to the URL below based on the region your Concur entity is hosted in, then click Try our new sign in experience once it’s available:

  2. Enter your Username, then click Next:


How to create your own SAML application with encryption option enabled

  1. Based on your location, save, then open one of the following SP metadata files in any text editor:

  2. Locate and save the values for the following parameters (we used the US SP metadata in our examples):

    • entityID:

    • encryption certificate:

      • Paste the copied certificate into a text file, between two BEGIN/END CERTIFICATE rows as shown below:

        -----BEGIN CERTIFICATE-----
        << your copied certificate >>
        -----END CERTIFICATE-----
      • Save as Encryption.crt.

    • Location:

  3. In Okta, select Applications > Add Application > Create New App:

  4. Select SAML 2.0 as the Sign on method, then click Create:

  5. Enter your preferred App name, optionally add a logo, then click Next:

  6. Follow the steps below:

    • Single sign on URL: Enter the Location value you saved in step 2.

    • Select Use this for Recipient URL and Destination URL.

    • Audience URI (SP Entity ID): Enter the entityID value you saved in step 2.

    • Name ID format: select EmailAddress.

    • Click Show Advanced Settings:

    • Assertion Encryption: Select Encrypted.

    • Encryption Certificate: Click Browse to locate and upload the Encryption.crt file you saved in step 2.

    • Click Next:

  7. Follow the steps below:

    • Are you a customer or partner?: Select I'm an Okta customer adding an internal app.

    • App type: Select This is an internal app that we have created.

    • Click Finish:

  8. Done!
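
Step 2 can be scripted instead of copied by hand. The following is an added example, not part of Okta's or SAP Concur's documentation: it reads SP metadata and returns the entityID, the Location and the encryption certificate already wrapped in BEGIN/END CERTIFICATE rows, taking only the key marked for encryption. The sample metadata, the host sp.example.test and the certificate bodies are constructed placeholders, and the code assumes the Location from step 2 is the HTTP-POST AssertionConsumerService endpoint of a standard EntityDescriptor.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders: 100 base64-looking characters each, not real certificates.
SIG_B64 = "U0lH" * 25
ENC_B64 = "RU5D" * 25
# Constructed SP metadata (hypothetical host), shaped like the file saved in step 1.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIG_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {ENC_B64[:76]}
        {ENC_B64[76:]}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="{POST}" Location="https://sp.example.test/sso/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_sp_values(metadata_xml):
    """Return (entityID, ACS Location, PEM encryption certificate) from SP metadata."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor element: not SP metadata")
    # Only the key marked use="encryption" belongs in Okta's Encryption Certificate field.
    cert = sp.find("md:KeyDescriptor[@use='encryption']//ds:X509Certificate", NS)
    acs = sp.find(f"md:AssertionConsumerService[@Binding='{POST}']", NS)
    if cert is None or not (cert.text or "").strip() or acs is None:
        raise ValueError("missing encryption certificate or HTTP-POST ACS endpoint")
    b64 = "".join(cert.text.split())  # strip the line breaks and indentation of the XML
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return root.get("entityID"), acs.get("Location"), pem


if __name__ == "__main__":
    entity_id, location, pem = extract_sp_values(SAMPLE)
    print(entity_id, location, sep="\n")
    with open("Encryption.crt", "w") as fh:  # file name from step 2
        fh.write(pem)
```

Metadata that carries only a signing key raises ValueError rather than producing a certificate file Okta would encrypt to by mistake.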


Concur Mobile SSO Configuration Steps

Using the processes described above does not automatically activate mobile SSO. To enable SSO for the SAP Concur mobile app, follow the steps below:

  1. Find the HTTP-Redirect URL from your IdP metadata:

    1. Locate the IdP metadata you previously uploaded to SAP Concur. Look for the HTTP-Redirect URL in the IdP metadata.

      For example:

      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://acme.okta.com/app/concur_travel_expense/123456/sso/saml"/>

      contains the URL https://acme.okta.com/app/concur_travel_expense/123456/sso/saml.

    2. Test the HTTP-Redirect URL in a web browser and verify that you can sign in to SAP Concur with this URL.

    3. Provide the HTTP-Redirect URL to SAP Concur support. They will ensure that this URL is added properly as the Mobile SSO URL on the Concur side.

  2. Work with Concur Support to learn how to use SSO to log in to Concur mobile.