Coupa Success Portal

Active Directory Using LDAP

Introduction

Coupa supports the use of an external LDAP or Microsoft Active Directory server for authentication. This allows users to sign in to Coupa using the same credentials that give them access to their intranet applications.

Coupa can integrate with one LDAP directory at a time. Customers with multiple LDAP directories need to create a virtual/proxy layer above them.

Advantages

Integrating your Coupa instance with your Directory Server provides several benefits, including:

  • Users do not need to remember a new password for Coupa
  • Password changes are reflected in Coupa instantaneously
  • Enforce password policies defined in your Directory Server
  • Centralize account control through your Directory Server

Implementation details

  1. Log in to the Directory Server as the provided unprivileged account.
  2. Perform a search for the user that's trying to sign in:
    1. Coupa matches sAMAccountName to the credentials provided by the user
    2. Coupa matches objectClass to organizationalPerson
  3. Coupa binds to the directory server using the Distinguished Name of the user we found and the password provided by the user.
  4. Let the user into Coupa if Step 3 was successful.
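
The search-then-bind flow in steps 2 to 4, as an added example that is not Coupa's code, run against a constructed in-memory directory. It goes beyond the steps as written by escaping the user-supplied name per RFC 4515 and refusing empty passwords; `build_user_filter`, `authenticate`, `FakeDirectory` and the sample DN are assumptions made for the example.

```python
import re

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_FILTER = "(&(sAMAccountName=%s)(objectClass=organizationalPerson))"

def build_user_filter(username):
    """Step 2: the search filter, with user input escaped so it stays a value."""
    return _FILTER % "".join(_ESCAPES.get(ch, ch) for ch in username)

def authenticate(directory, base_dn, username, password):
    """Steps 2-4. `directory` is any object with search() and bind() (assumed API)."""
    # A bind with a DN and an empty password is an "unauthenticated bind"
    # (RFC 4513), which a server may accept, so refuse it before step 3.
    if not username or not password:
        return False
    dns = directory.search(base_dn, build_user_filter(username))
    if len(dns) != 1:  # no match, or an ambiguous one: do not guess
        return False
    return directory.bind(dns[0], password)

class FakeDirectory:
    """Constructed in-memory stand-in for the LDAPS server, for offline runs."""
    _SHAPE = re.compile(r"([^()]*)".join(re.escape(p) for p in _FILTER.split("%s")))

    def __init__(self, users):
        self.users = users  # sAMAccountName -> (DN, password), constructed data

    def search(self, base_dn, ldap_filter):
        m = self._SHAPE.fullmatch(ldap_filter)
        if not m:
            raise ValueError("filter structure changed: " + ldap_filter)
        parts = []  # a bare '*' is a wildcard; '\xx' is a literal character
        for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", m.group(1)):
            lit = chr(int(tok[1:], 16)) if len(tok) == 3 else tok
            parts.append(".*" if tok == "*" else re.escape(lit))
        rx = re.compile("".join(parts), re.I)
        return [dn for name, (dn, _) in self.users.items()
                if dn.endswith(base_dn) and rx.fullmatch(name)]

    def bind(self, dn, password):
        return any(dn == d and password == p for d, p in self.users.values())
```

With the escaping in place, a submitted name of `*` is searched as a literal asterisk and matches no account, whereas the same character sent unescaped would match every user under the base DN.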

Required information

| Info | Details | Provided by |
|---|---|---|
| Coupa Server IP addresses | Specific Coupa IPs that the customer will connect to. Use the IP addresses to keep the firewall rules as restrictive as possible. | Coupa |
| Host | The server IP and hostname to connect to | Customer |
| Port | The port to connect to. Coupa uses LDAPS connections, commonly over port 636. A TLS certificate is required for LDAPS to function properly. | Customer |
| Base | The base DN for searching LDAP | Customer |
| Domain | The Active Directory domain | Customer |
| Username | The username of the account to log in with. This account should not have any permissions beyond bind and search. | Customer |
| Password | The password for the above user | Customer |

Limitations

Our experience has uncovered a few limitations that may or may not be a concern to your organization:

  • A firewall rule may need to be created to allow the Coupa Server to connect to the Directory Server if the latter resides within a firewall-protected intranet
  • An unprivileged account needs to be created for the Coupa Server to bind to the Directory Server in order to perform the authentication
  • Credentials are sent outside the intranet (although all network communications with Coupa are protected with high-grade SSL encryption)
     

 

 
