EN globe icon
user icon
On This Page
  • Last edited on: 16 January 2019
What can we help you find? Products Coupa Product Documentation Integration Technical Documentation Active Directory Using LDAP

Active Directory Using LDAP

Coupa can integrate with one LDAP at a time. Customers with multiple LDAP needs to create a virtual/proxy layer above multiple LDAP.

Introduction

Coupa supports the use of an external LDAP or Microsoft ActiveDirectory Server for authentication. This allows users to sign in to Coupa using the same credentials that give them access to his intranet applications.

Coupa can integrate with one LDAP at a time. Customers with multiple LDAP needs to create a virtual/proxy layer above multiple LDAP.

Advantages

Integrating your Coupa instance with your Directory Server provides several benefits, including:

  • Users do not need to remember a new password for Coupa
  • Password changes are reflected in Coupa instantaneously
  • Enforce password policies defined in your Directory Server
  • Centralize account control through your Directory Server

Implementation details

  1. Login to Directory Server as the provided unprivileged account.
  2. Perform a search for the user that's trying to sign in:
    1. Coupa matches sAMAccountName to the credentials provided by the user
    2. Coupa matches  objectClass to organizationalPerson
  3. Coupa binds to the directory server using the Distinguished Name of the user we found and the password provided by the user.
  4. Let the user into Coupa if Step 3 was successful.

Required information

Info Details Provided by
Coupa Server IP addresses Specific Coupa IPs that the customer will connect to. Use the IP addresses to keep the firewall rules as restrictive as possible. Coupa
Host The server IP and hostname to connect to Customer
Port The port to connect to. Coupa uses LDAPS connections which is commonly over port 636. A TLS certificate is required for LDAPS to function properly.  Customer
Base The base DN for searching LDAP Customer
Domain The Active Directory domain Customer
Username The username of the user to login with, this user should not have any permission besides to bind and search Customer
Password

The password for the above user

 Customer

Limitations

Our experience has uncovered a few limitations that may or may not be a concern to your organization:

  • A firewall rule may need to be created to allow the Coupa Server to connect to the Directory Server if the latter resides within a firewall-protected intranet
  • An unprivileged account needs to be created for the Coupa Server to bind to the Directory Server in order to perform the authentication
  • Credentials are sent outside the intranet (although all network communications with Coupa are protected with high-grade SSL encryption)
     
Warning

From Coupa R23 we enforce certificate validation for LDAP server connection. This means that you can no longer user an IP Address to connect through LDAP, but you need to use a valid FQDN (i.e. myldapserver.mydomain.com )

This also mean that the certificate present on the machine we are connecting to should match the name of the server.

Please validate this with your Internal IT deparment and if any questions open a support ticket before upgrading your production instance to R23.

Please also our Single Sign-On (SSO) FAQ article.

Related Items

Querying Options

21 October 2016

See how you can use queries to quickly identify and pull the data you require.

Learn More

Special Actions and API Notes

21 October 2016

Additional info on how to use the Coupa API.

Learn More

Differences between XML and JSON in Coupa

16 December 2016

Learn More

Arguments

24 April 2017

Learn about the types of arguments that Coupa supports in conjunction with operators.

Learn More