Active Directory Using LDAP
Coupa can integrate with one LDAP directory at a time. Customers with multiple LDAP directories need to create a virtual/proxy layer above them.
Introduction
Coupa supports the use of an external LDAP or Microsoft Active Directory server for authentication. This allows users to sign in to Coupa using the same credentials that give them access to their intranet applications.
Advantages
Integrating your Coupa instance with your Directory Server provides several benefits, including:
- Users do not need to remember a new password for Coupa
- Password changes are reflected in Coupa instantaneously
- Enforce password policies defined in your Directory Server
- Centralize account control through your Directory Server
Implementation details
1. Log in to the Directory Server as the provided unprivileged account.
2. Perform a search for the user who is trying to sign in:
   - Coupa matches sAMAccountName to the login name provided by the user
   - Coupa matches objectClass to organizationalPerson
3. Coupa binds to the Directory Server using the Distinguished Name of the user found in Step 2 and the password provided by the user.
4. Let the user into Coupa if Step 3 was successful.
Required information
Info | Details | Provided by |
---|---|---|
Coupa Server IP addresses | Specific Coupa IPs that the customer will connect to. Use the IP addresses to keep the firewall rules as restrictive as possible. | Coupa |
Host | The server IP and hostname to connect to | Customer |
Port | The port to connect to. Coupa uses LDAPS connections, which commonly use port 636. A TLS certificate is required for LDAPS to function properly. | Customer |
Base | The base DN for searching LDAP | Customer |
Domain | The Active Directory domain | Customer |
Username | The username of the account Coupa logs in with. This account should have no permissions other than bind and search. | Customer |
Password | The password for the above user | Customer |
Limitations
Our experience has uncovered a few limitations that may or may not be a concern to your organization:
- A firewall rule may need to be created to allow the Coupa Server to connect to the Directory Server if the latter resides within a firewall-protected intranet
- An unprivileged account needs to be created for the Coupa Server to bind to the Directory Server in order to perform the authentication
- Credentials are sent outside the intranet (although all network communications with Coupa are protected with high-grade SSL encryption)
From Coupa R23 we enforce certificate validation for the LDAP server connection. This means that you can no longer use an IP address to connect through LDAP; you need to use a valid FQDN (e.g. myldapserver.mydomain.com).
This also means that the certificate presented by the machine we are connecting to must match the name of the server.
Please validate this with your internal IT department and, if you have any questions, open a support ticket before upgrading your production instance to R23.
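As an added illustration (not Coupa's own code), the following Python builds the user lookup filter from the implementation details above, escaping the login name per RFC 4515 so a typed name cannot alter the filter, and applies the R23 rule that the LDAP server must be addressed by an FQDN rather than an IP address. Function names are illustrative, and nothing here contacts a directory.

```python
import ipaddress
from typing import Optional

# RFC 4515 section 3: these characters must be hex-escaped when a
# user-supplied value is embedded in a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """Filter for the lookup in the implementation details: objectClass
    must be organizationalPerson AND sAMAccountName must equal the login
    name the user typed (escaped, so it is matched literally)."""
    return (
        "(&(objectClass=organizationalPerson)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)}))"
    )


def validate_ldaps_host(host: str) -> Optional[str]:
    """Return an error message if the host would fail the R23 rule that the
    server is addressed by FQDN (so the TLS certificate name can be
    verified against it); return None if the host is acceptable."""
    try:
        ipaddress.ip_address(host)  # accepts both IPv4 and IPv6 literals
    except ValueError:
        pass
    else:
        return "bare IP address not allowed; use the server's FQDN"
    if "." not in host.strip("."):
        return "hostname is not fully qualified"
    return None


def ldaps_url(host: str, port: int = 636) -> str:
    """Build the LDAPS connection URL, rejecting hosts that fail validation."""
    err = validate_ldaps_host(host)
    if err:
        raise ValueError(err)
    return f"ldaps://{host}:{port}"
```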
Please also see our Single Sign-On (SSO) FAQ article.