• Last edited on: 14 January 2019

Coupa SAML SSO Setup

Learn how to set up SAML SSO for your Coupa instance.


  1. Import initial stage SP metadata (production SP metadata xml) file into stage IdP server.

    • If the IdP does not support Metadata exchange please open the xml file to extract the information.

    • Coupa's preferred setup is SP-Init-SSO. Coupa can also setup IdP-Init-SSO, IdP-Init-SSO requires IdP to send the  RelayState parameter along with SAML request. One way to do this is add a QueryString to AssertionConsumerService in the xml ..../sp/ACS.saml2?RelayState=https://<coupa-instance-domain-name>/sessions/saml_post. You can change the xml before creating connection.

    • Complete the connection setup at IdP.

  2. Send the following information to Coupa:

    • Metadata: The export the metadata xml from IdP

      • If the IdP does not support Metadata exchange, please provide Entity ID (a.k.a Connection ID) and X509 Certificate to verify digital signature in SAML response.

    • Login URL: The IdP login page for the user. Required for IdP Initiated SSO. Read FAQ for more details.

    • Logout URL: The page Coupa will display when user logout from Coupa application and their session are cleared. This can be internal page, home page or any landing page hosted by customer.

    • Test User: Create a test user on IdP to test the connection.

  3. Coupa to import the IdP metadata and complete the connection from SP to IdP and inform customer.

  4. The assigned Coupa Administrator to enable users to use SAML.

    1. Change  user settings to enable SAML authentication 

    2. Set "Single Sign-On ID", this is same as NameID passed in SAML request to Coupa, please check with your system administrator on how the NameID is provisioned.

Enable SSO in Coupa

  1. Go to https://<your_site>.coupahost.com/administration/security.

  2. Select the "Log in using SAML" checkbox.
  3. Supply the "Login Page URL" in the following format:
    • For SP-initiated login:
      • For test/staging: https://sso-stg1.coupahost.com/sp/startSSO.ping?PartnerIdpId= <stage_IdP_entityid>&TARGET=https://<your-test_site>.coupahost.com/sessions/saml_post
      • For production: https://sso-prd1.coupahost.com/sp/startSSO.ping?PartnerIdpId= <prod_IdP_entityid>&TARGET=https://<your_site>.coupahost.com/sessions/saml_post
    • For IdP initiated login:
      • Use your IdP login URL
  4. Supply the Logout Page URL if you would like to redirect your users upon logging out of Coupa.
  5. Supply the Timeout URL; it should be the same as your Login page URL.
  6. The certificate is a legacy feature. It offers no extra functionality and will be removed in a future release. However, it is still required. Please use this dummy cert server.crt. Select DER as the cert type from the dropdown. The application will raise a parse error but will actually upload the cert. The cert is then accessible in the dropdown.


Related Items

Querying Options

21 October 2016

See how you can use queries to quickly identify and pull the data you require.

Special Actions and API Notes

21 October 2016

Additional info on how to use the Coupa API.

Differences between XML and JSON in Coupa

16 December 2016


24 April 2017

Learn about the types of arguments that Coupa supports in conjunction with operators.