EN globe icon
user icon
On This Page
  • Last edited on: 14 January 2019
What can we help you find? Products Coupa Product Documentation Integration Technical Documentation Coupa SAML SSO Setup

Coupa SAML SSO Setup

Learn how to set up SAML SSO for your Coupa instance.

Method

  1. Import initial stage SP metadata (production SP metadata xml) file into stage IdP server.

    • If the IdP does not support Metadata exchange please open the xml file to extract the information.

    • Coupa's preferred setup is SP-Init-SSO. Coupa can also setup IdP-Init-SSO, IdP-Init-SSO requires IdP to send the  RelayState parameter along with SAML request. One way to do this is add a QueryString to AssertionConsumerService in the xml ..../sp/ACS.saml2?RelayState=https://<coupa-instance-domain-name>/sessions/saml_post. You can change the xml before creating connection.

    • Complete the connection setup at IdP.

  2. Send the following information to Coupa:

    • Metadata: The export the metadata xml from IdP

      • If the IdP does not support Metadata exchange, please provide Entity ID (a.k.a Connection ID) and X509 Certificate to verify digital signature in SAML response.

    • Login URL: The IdP login page for the user. Required for IdP Initiated SSO. Read FAQ for more details.

    • Logout URL: The page Coupa will display when user logout from Coupa application and their session are cleared. This can be internal page, home page or any landing page hosted by customer.

    • Test User: Create a test user on IdP to test the connection.

  3. Coupa to import the IdP metadata and complete the connection from SP to IdP and inform customer.

  4. The assigned Coupa Administrator to enable users to use SAML.

    1. Change  user settings to enable SAML authentication 

    2. Set "Single Sign-On ID", this is same as NameID passed in SAML request to Coupa, please check with your system administrator on how the NameID is provisioned.

Enable SSO in Coupa

  1. Go to https://<your_site>.coupahost.com/administration/security.

  2. Select Log in using SAML.
  3. Enter Login Page URL in the following format:
    • For SP-initiated login:
      • For test/staging: https://sso-stg1.coupahost.com/sp/startSSO.ping?PartnerIdpId= <stage_IdP_entityid>&TARGET=https://<your-test_site>.coupahost.com/sessions/saml_post
      • For production: https://sso-prd1.coupahost.com/sp/startSSO.ping?PartnerIdpId= <prod_IdP_entityid>&TARGET=https://<your_site>.coupahost.com/sessions/saml_post
    • For IdP initiated login:
      • Use your IdP login URL
  4. Supply the Logout Page URL if you would like to redirect your users upon logging out of Coupa.
  5. Supply the Timeout URL; it should be the same as your Login page URL.

 

Related Items

Querying Options

21 October 2016

See how you can use queries to quickly identify and pull the data you require.

Learn More

Special Actions and API Notes

21 October 2016

Additional info on how to use the Coupa API.

Learn More

Differences between XML and JSON in Coupa

16 December 2016

Learn More

Arguments

24 April 2017

Learn about the types of arguments that Coupa supports in conjunction with operators.

Learn More