I have been a Technical Consultant at SAP Concur for some time and have worked with many clients to help them build their interfaces between their systems and SAP Concur. One requirement I regularly see come up is the configuration of SAP Identity Authentication Service.
In this blog we focus on SAP customers who can use the SAP Identity Authentication Service (IAS) as an identity management and single sign-on tool for users connecting to SAP cloud applications. This can be achieved by using IAS either as an IdP or as a proxy for an already existing IdP. This particular use case describes the usage of IAS as IdP, but documentation about using IAS as a proxy can be found in the Documentation section.
SAP Identity Authentication Service (IAS): The Identity Authentication service provides customers with controlled cloud-based access to business processes, applications and data. It simplifies the user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options. IAS offers a common platform for user identity management, pre-configured or semi-automated trust configuration and a central SSO endpoint for all SAP Cloud applications.
IAS can be used by Concur customers:
- To set up SSO for connecting to Concur, either by using IAS as an IdP or as a proxy for a third-party IdP
- As a source system for user identity provisioning into Concur using SAP IPS (Identity Provisioning Service)
Features:
- Central SSO endpoint for all SAP Cloud applications
- Pre-configured or semi-automated trust configuration
- MFA
- Common identity for users
- Unified way for user management
Prerequisites:
- Concur Expense/Request/Travel/Invoice Module
- SAP IAS tenant already provisioned
- Concur SSO Admin Config Access is required
Implementation Considerations:
- Customer’s IAS tenant must be already deployed
- Users must be created in IAS, unless IAS is used as proxy
- Login Name field in user creation
Detailed Walkthrough
A Concur company administrator may or may not have the correct permissions to use this feature. The administrator may have limited permissions, for example, they can affect only certain groups and/or use only certain options (view but not create or edit). If a company administrator needs to use this feature and does not have the proper permissions, they should contact the company's Concur administrator. Also, the administrator should be aware that some of the tasks described in this guide can be completed only by Concur. In this case, the client must initiate a service request with Concur Client Support.
A company administrator may or may not have the correct permissions to use this feature. If a company administrator needs to use this feature and does not have the proper permissions, they should contact the company's Concur administrator or Concur support.
Log in to Concur as the Admin.
In Authentication Admin, click Manage Single Sign-On.
In Manage Single Sign-On, download the Concur metadata.
Click the Applications & Resources tab, then click Create to create the application.
In the window, enter the required Display Name, choose SAP Concur Solution as the Type, and select SAML 2.0 as the authentication method.
After the user is successfully added, go to Applications and ensure the app used for Concur is there. The current name of the app is ‘Test IAS’. You can check the app and how it is configured, but all sandboxes will connect to the same app.
Once the app is created, click SAML 2.0 Configuration.
Upload the metadata downloaded from Concur.
The details are filled in automatically from the metadata. Then click Save.
Once completed, save the SAML 2.0 Configuration, then click Subject Name Identifier.
In the Basic Configuration, select one of the available basic attributes, then click Save.
Now click the Default Name ID Format configuration, choose the Name ID format, and save the configuration.
Now click Applications & Resources, then choose Tenant Settings.
Now choose Single Sign-On and click SAML 2.0 Configuration.
This lets you view and download the metadata file that must be uploaded to Concur.
After reviewing the configuration of the app, proceed to download the metadata.
Log in to Concur as the Admin.
In Authentication Admin, click Manage Single Sign-On.
Add the metadata you downloaded from IAS.
Give the app a name in Concur.
Upload the metadata to Concur by clicking Upload XML File.
You have successfully added the metadata in Concur.
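Both uploads in the walkthrough (Concur metadata into IAS, IAS metadata into Concur) establish the SAML trust, so the file is worth reviewing offline before it is uploaded. The following is an added example, not part of the original post or of any SAP tool; the sample metadata, entity ID, URLs and certificate bytes are constructed placeholders, and the sample deliberately contains a plain-HTTP endpoint so that a finding is reported.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; entity ID, URLs and certificate bytes are placeholders.
FAKE_CERT = base64.b64encode(b"constructed-placeholder-not-a-real-certificate").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Location="http://sp.example.test/acs"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_metadata(xml_text):
    """Summarise a SAML 2.0 metadata file and list findings to resolve before upload."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    idp = root.find("md:IDPSSODescriptor", NS)
    role = sp if sp is not None else idp
    if role is None:
        raise ValueError("no SPSSODescriptor or IDPSSODescriptor found")
    endpoints = [e.get("Location", "") for tag in ("AssertionConsumerService",
                 "SingleSignOnService", "SingleLogoutService")
                 for e in role.findall(f"md:{tag}", NS)]
    # SHA-256 over the DER bytes, to compare with the certificate shown in the source console.
    prints = [hashlib.sha256(base64.b64decode("".join((c.text or "").split()))).hexdigest()
              for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") != "encryption"
              for c in kd.findall(".//ds:X509Certificate", NS)]
    findings = [f"endpoint not HTTPS: {u}" for u in endpoints if not u.startswith("https://")]
    if not prints:
        findings.append("no signing certificate in metadata")
    if sp is not None and sp.get("WantAssertionsSigned") not in ("true", "1"):
        findings.append("SP does not set WantAssertionsSigned=true")
    return {"entity_id": root.get("entityID"), "role": "SP" if sp is not None else "IdP",
            "name_id_formats": [n.text.strip() for n in role.findall("md:NameIDFormat", NS)],
            "endpoints": endpoints, "signing_cert_sha256": prints, "findings": findings}
```

Run `review_metadata(open(path).read())` on each downloaded file and compare the entity ID, Name ID format and certificate fingerprint with what the originating console shows before uploading.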
Conclusion:
Combining SAP Concur’s Authentication and Cloud Identity Services should provide customers with controlled cloud-based access to business processes, applications and data. It simplifies the user experience through authentication mechanisms, single sign-on, on-premise integration, and convenient self-service options.
Documentation:
Single Sign-On Setup Guide
Identity Authentication Service
SAP Identity Authentication (IAS) Security Features
IAS User Management