Active Directory Using LDAP

Coupa can integrate with one LDAP at a time. Customers with multiple LDAP needs to create a virtual/proxy layer above multiple LDAP.


Coupa supports the use of an external LDAP or Microsoft ActiveDirectory Server for authentication. This allows users to sign in to Coupa using the same credentials that give them access to his intranet applications.

Coupa can integrate with one LDAP at a time. Customers with multiple LDAP needs to create a virtual/proxy layer above multiple LDAP.


Integrating your Coupa instance with your Directory Server provides several benefits, including:

  • Users do not need to remember a new password for Coupa
  • Password changes are reflected in Coupa instantaneously
  • Enforce password policies defined in your Directory Server
  • Centralize account control through your Directory Server

Implementation details

  1. Login to Directory Server as the provided unprivileged account.
  2. Perform a search for the user that's trying to sign in:
    1. Coupa matches sAMAccountName to the credentials provided by the user
    2. Coupa matches objectClass to organizationalPerson
  3. Coupa binds to the directory server using the Distinguished Name of the user we found and the password provided by the user.
  4. Let the user into Coupa if Step 3 was successful.

Required information

Info Details Provided by
Coupa Server IP addresses Specific Coupa IPs that the customer will connect to. Use the IP addresses to keep the firewall rules as restrictive as possible. Coupa
Host The server IP and hostname to connect to Customer
Port The port to connect to. Coupa uses LDAPS connections which is commonly over port 636. A TLS certificate is required for LDAPS to function properly. Customer
Base The base DN for searching LDAP Customer
Domain The Active Directory domain Customer
Username The username of the user to login with, this user should not have any permission besides to bind and search Customer
Password The password for the above user Customer


Our experience has uncovered a few limitations that may or may not be a concern to your organization:

  • A firewall rule may need to be created to allow the Coupa Server to connect to the Directory Server if the latter resides within a firewall-protected intranet
  • An unprivileged account needs to be created for the Coupa Server to bind to the Directory Server in order to perform the authentication
  • Credentials are sent outside the intranet (although all network communications with Coupa are protected with high-grade SSL encryption)


From Coupa R23 we enforce certificate validation for LDAP server connection. This means that you can no longer user an IP Address to connect through LDAP, but you need to use a valid FQDN (i.e. )

This also mean that the certificate present on the machine we are connecting to should match the name of the server.

Please validate this with your Internal IT deparment and if any questions open a support ticket before upgrading your production instance to R23.

Please also our Single Sign-On (SSO) FAQ article.