Coupa SAML SSO Setup

Learn how to set up SAML SSO for your Coupa instance.

Method

  1. Import the initial stage SP metadata (production SP metadata XML) file into the stage IdP server.
      • If the IdP does not support metadata exchange, open the XML file and extract the information from it.
      • Coupa's preferred setup is SP-Init-SSO. Coupa can also set up IdP-Init-SSO, which requires the IdP to send the RelayState parameter along with the SAML request. One way to do this is to add a query string to AssertionConsumerService in the XML: ..../sp/ACS.saml2?RelayState=https://<coupa-instance-domain-name>/sessions/saml_post. You can change the XML before creating the connection.
      • Complete the connection setup at the IdP.
  2. Send the following information to Coupa:
      • Metadata: The metadata XML exported from the IdP.
        • If the IdP does not support metadata exchange, please provide the Entity ID (a.k.a. Connection ID) and the X509 certificate used to verify the digital signature in the SAML response.
      • Login URL: The IdP login page for the user. Required for IdP-initiated SSO. Read the FAQ for more details.
      • Logout URL: The page Coupa will display when users log out of the Coupa application and their sessions are cleared. This can be an internal page, home page, or any landing page hosted by the customer.
      • Test User: Create a test user on the IdP to test the connection.
  3. Coupa imports the IdP metadata, completes the connection from SP to IdP, and informs the customer.
  4. The assigned Coupa Administrator enables users to use SAML:
    1. Change user settings to enable SAML authentication.
    2. Set "Single Sign-On ID". This is the same as the NameID passed in the SAML request to Coupa; please check with your system administrator on how the NameID is provisioned.

Enable SSO in Coupa

  1. Go to https://<your_site>.coupahost.com/administration/security.
  2. Select Log in using SAML.
  3. Enter Login Page URL in the following format:
      • For SP-initiated login:
        • For test/staging: https://sso-stg1.coupahost.com/sp/startSSO.ping?PartnerIdpId=<stage_IdP_entityid>&TARGET=https://<your-test_site>.coupahost.com/sessions/saml_post
        • For production: https://sso-prd1.coupahost.com/sp/startSSO.ping?PartnerIdpId=<prod_IdP_entityid>&TARGET=https://<your_site>.coupahost.com/sessions/saml_post
      • For IdP initiated login:
        • Use your IdP login URL
  4. Supply the Logout Page URL if you would like to redirect your users upon logging out of Coupa.
  5. Supply the Timeout URL; it should be the same as your Login page URL.
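
The following is an added example, not Coupa's own code: a pre-flight check for the SP-initiated Login Page URL format in step 3, which builds the URL with the entity ID escaped and verifies that a pasted URL has no stray whitespace, no parameters split off by an unescaped `&`, and a TARGET that stays on `coupahost.com`. The function names and the sample entity ID and site name used with it are assumptions.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Hosts and paths taken from the Login Page URL formats above.
SSO_HOSTS = {"stage": "sso-stg1.coupahost.com", "prod": "sso-prd1.coupahost.com"}
SSO_PATH = "/sp/startSSO.ping"
TARGET_PATH = "/sessions/saml_post"


def build_login_url(env, idp_entity_id, site):
    """Build the SP-initiated Login Page URL for env 'stage' or 'prod'."""
    entity_id = idp_entity_id.strip()
    if not entity_id or not re.fullmatch(r"[A-Za-z0-9-]+", site):
        raise ValueError("entity ID must be non-empty and site a bare host label")
    target = f"https://{site}.coupahost.com{TARGET_PATH}"
    # ':' and '/' are legal in a query value; '&', '=', '?', '#', spaces are escaped.
    return (f"https://{SSO_HOSTS[env]}{SSO_PATH}"
            f"?PartnerIdpId={quote(entity_id, safe=':/')}"
            f"&TARGET={quote(target, safe=':/')}")


def check_login_url(url):
    """Return the problems found in a pasted Login Page URL (empty list = OK)."""
    problems = []
    if any(ch.isspace() for ch in url):
        problems.append("URL contains whitespace")
    parts = urlsplit("".join(url.split()))
    query = parse_qs(parts.query)
    if parts.scheme != "https" or parts.hostname not in SSO_HOSTS.values():
        problems.append("not an https URL on a Coupa SSO host")
    if parts.path != SSO_PATH:
        problems.append("unexpected path")
    extra = sorted(set(query) - {"PartnerIdpId", "TARGET"})
    if extra:  # usually an unescaped '&' inside the entity ID
        problems.append(f"unexpected parameters: {extra}")
    if len(query.get("PartnerIdpId", [])) != 1:
        problems.append("PartnerIdpId must appear exactly once")
    targets = query.get("TARGET", [])
    target = urlsplit(targets[0]) if len(targets) == 1 else None
    if (target is None or target.scheme != "https"
            or not (target.hostname or "").endswith(".coupahost.com")
            or target.path != TARGET_PATH or target.query or target.fragment):
        problems.append("TARGET must be https://<site>.coupahost.com/sessions/saml_post")
    return problems
```

Run `check_login_url` on the value before saving it in the security settings; an empty list means the URL matches the documented format.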