Spend Management Blog Posts by SAP
Todor-Todorov

I have been a Technical Consultant at SAP Concur for many years and I understand how important security is in our digital world today. Security has always been a crucial element throughout the entire product lifecycle of all SAP products, including product development, planning, and quality assurance.

In this post, I will explain the three authentication methods that can be used by end users to log in to concursolutions.com.


Introduction


Security aspects that require business decisions are left to SAP Concur customers to manage; user and authorization management is a typical example.

SAP Concur users can authenticate in three different ways. This post summarizes each of them:

  1. Sign in with SAP Concur password
  2. Sign in with Email link (Passwordless Sign-in)
  3. Sign in with Single Sign-on


Detailed Walkthrough


Sign in with SAP Concur password

With this method the user logs in on concursolutions.com with a username and password that are stored in SAP Concur. Password authentication is still one of the most commonly used login methods, so it is important to educate users about the risks of weak passwords.
Users of SAP Concur can sign in to their personal profiles with the password stored in SAP Concur. There are a few points that I strongly recommend:

  • Do not share your password with anyone. SAP Concur Support will never ask you to disclose your profile password.
  • Use a unique, complex password for every account, so that one compromised password does not give access to the others.
  • Be vigilant about phishing emails that ask you to click links or provide sensitive information. For more information, refer to the Phishing topic.

The user with the company administrator role for your SAP Concur system can define the password policy on the Sign-In Settings page.


Accessing Sign-In Settings

To access the Sign-In Settings page, the company administrator clicks the Home button -> Authentication Admin and then, on the Authentication Administration page, clicks Sign-In Settings.


This page allows administrators to configure the following requirements and parameters:

  • Password strength - Here you define the minimum length of the passwords users must choose. Today, passwords of 12 to 14 characters or more that mix uppercase and lowercase letters, digits, and special characters such as #, % and @ are considered a reasonable baseline.


  • Password change - Here you set how long a user may keep the same password (expiration) and how often a user may change it. SAP Concur recommends a 90-day password expiration, so the expiration setting should be enforced accordingly.


  • Account Lockout - This setting specifies how many failed password attempts within a given timeframe lock the user out. The lockout lasts for a configured period or, if 'permanent lockout' is selected, until the password is reset by the user or an administrator. This is the primary defense against brute-force attacks, which rely on guessing the correct password through repeated attempts.


  • Session Timeout - This setting defines how long a session may stay idle before the user is automatically signed out of SAP Concur. For example, if you sign in to concursolutions.com, perform an action and then leave for lunch with the tab still open, the session becomes idle; with a 30-minute timeout you are signed out after 30 minutes of inactivity, while you are still at lunch.


  • Other Settings - Additional policy settings live here. You can prevent a forgotten username from being sent to the user's email address, and you can require users to change their initial password at first login.

The third option concerns two-factor authentication and requires the user to receive an activation email link. Enabling it is strongly recommended, as it adds a second factor to every password-based account in your SAP Concur system.

The fourth option enables the passwordless sign-in feature, which is covered below under 'Sign in with Email link (Passwordless Sign-in)'.


The Sign in with SAP Concur password method requires two-factor authentication (2FA) to be set up and used.

When an SAP Concur user signs in with their username and password for the first time, they are prompted to set up 2FA. During setup, the user receives an email from SAP Concur with instructions on how to configure it.

The user then uses a third-party authenticator mobile application to scan a QR code, or manually enters a key, to complete the 2FA enrollment.

Once 2FA is set up, every sign-in to SAP Concur with a username and password must include the second factor.

This means users are prompted for a one-time 6-digit code generated by the authenticator application each time they sign in to SAP Concur. For more information on the 2FA feature, see https://dam.sap.com/mac/app/p/pdf/asset/preview/FrhUmfQ?ltr=a&rc=10


Sign in with Email link (Passwordless Sign-in)

This feature is available only in the web version of SAP Concur. It is not available for mobile-based login or in the SAP Concur mobile application.

With it, the user receives an email containing a one-time sign-in link; the user must have a valid email address configured in their profile. This method offers a smoother sign-in experience without weakening security.

The one-time link expires after 1 hour and is sent only to the user's own address.

The security of this method rests on the user's email account, which must itself be well maintained and protected against compromise. Passwordless sign-in is enabled by default for customers whose Single Sign-On policy is set to optional. Company administrators can enable or disable the feature in the Sign-In Settings.

More about this feature can be found here: https://dam.sap.com/mac/app/p/pdf/asset/preview/z7oNDZn?ltr=a&rc=10&doi=SAP1114633
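The two properties the post names for the email link, one-time use and a one-hour expiry, are what any sign-in-link service has to enforce server-side. The Python below is an added sketch of how such a service does that; it is written for this post and is not SAP Concur's implementation. The sign-in URL is a placeholder, the one-hour value is taken from the post, and the choice to revoke an older unused link when a newer one is issued is this example's own design decision, not something the post states.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 60 * 60  # the post states a one-hour expiry
SIGNIN_URL = "https://signin.example.invalid/email-link"  # placeholder, not a real SAP Concur URL


@dataclass
class PendingLink:
    user_id: str
    expires_at: int
    used: bool = False


class EmailLinkIssuer:
    """Issue and redeem single-use sign-in links.

    Only the SHA-256 hash of each token is kept server-side, so a leaked
    table of pending links gives an attacker nothing usable; the clear-text
    token exists only inside the email sent to the user.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, PendingLink] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, now: int) -> str:
        """Create a fresh link for `user_id`. Any earlier unused link for the
        same user is revoked so exactly one link is live at a time (example
        policy, not taken from the post)."""
        for entry in self._pending.values():
            if entry.user_id == user_id and not entry.used:
                entry.used = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._fingerprint(token)] = PendingLink(user_id, now + LINK_TTL_SECONDS)
        return f"{SIGNIN_URL}?token={token}"

    def redeem(self, url: str, now: int) -> Optional[str]:
        """Return the user_id if the link is valid, otherwise None.
        A link is valid only if it is known, unexpired and never used before."""
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        if not token:
            return None
        entry = self._pending.get(self._fingerprint(token))
        if entry is None or entry.used or now >= entry.expires_at:
            return None
        entry.used = True  # burn the link before anything else happens
        return entry.user_id
```

Redeeming marks the link used before the session is created, so a second click, or a mail scanner that pre-fetches links, cannot obtain a second session; note that such scanners are also why a real deployment must confirm the click with a user action rather than signing in on a bare GET.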


Sign in with Single Sign-on

The third option SAP Concur supports for user authentication is Single Sign-On (SSO) based on the SAML 2.0 standard.

SAML SSO involves two parties: an Identity Provider (IdP) and a Service Provider (SP). Here, SAP Concur is the service provider.

SAP Concur supports any identity providers that comply with the SAML 2.0 standard. SAP Concur supports both IdP-Initiated and SP-Initiated SSO.

In IdP-initiated SSO, users sign in at the identity provider and then click a link or tile on the IdP's portal to reach SAP Concur.

In SP-initiated SSO, the user navigates to concursolutions.com, enters their username and selects the appropriate SSO option. After the user authenticates successfully with the identity provider, an active SAP Concur session is opened. The SAP Concur mobile application uses the SP-initiated flow.

An SAP Concur user holding the 'SSO admin' permission has access to the Single Sign-On Self Service tool, where customers manage their own SSO configuration.

From the SSO self-service tool, SSO administrators obtain the SAP Concur SP metadata, which must be uploaded to the customer's identity provider. The IdP metadata file is then generated on the customer's identity provider and uploaded to SAP Concur.
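The IdP metadata file exchanged in that last step is an XML EntityDescriptor carrying the IdP's entity ID, its SingleSignOnService endpoints per binding, and the certificate(s) it will sign assertions with. The Python below, added for this post and not part of SAP Concur's tooling, parses such a file with the standard library and runs a few sanity checks an administrator might want before uploading it. The metadata document is constructed for the example: hostnames and entity ID are placeholders, the certificate text is a stand-in rather than a real X.509 blob, and the review checks are the example's own, not SAP Concur's validation rules.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata for the example. Entity ID and hostnames are
# placeholders and the certificate text is a stand-in, not a real X.509 blob.
# The HTTP-POST endpoint deliberately uses plain http:// to trigger a finding.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIC...PLACEHOLDER-CERTIFICATE...
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.invalid/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.invalid/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class IdpConfig:
    entity_id: str
    sso_endpoints: Dict[str, str]      # SAML binding URN -> endpoint URL
    signing_certs: List[str]           # base64 DER with whitespace stripped
    wants_signed_requests: bool
    findings: List[str] = field(default_factory=list)


def parse_idp_metadata(xml_text: str) -> IdpConfig:
    """Extract what an SP needs from IdP metadata: who the IdP is, where to
    send the user, and which certificate(s) will sign its assertions."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    endpoints = {svc.attrib["Binding"]: svc.attrib["Location"]
                 for svc in idp.findall(f"{{{MD}}}SingleSignOnService")}

    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))

    wants_signed = idp.attrib.get("WantAuthnRequestsSigned", "false").lower() == "true"
    cfg = IdpConfig(root.attrib["entityID"], endpoints, certs, wants_signed)
    cfg.findings = review_idp_config(cfg)
    return cfg


def review_idp_config(cfg: IdpConfig) -> List[str]:
    """Sanity checks before uploading the file to the SP (this example's own
    checks, not SAP Concur's validation rules)."""
    findings = []
    if not cfg.signing_certs:
        findings.append("no signing certificate: the SP cannot verify assertion signatures")
    if not (HTTP_REDIRECT in cfg.sso_endpoints or HTTP_POST in cfg.sso_endpoints):
        findings.append("no SingleSignOnService for HTTP-Redirect or HTTP-POST; SP-initiated SSO has nowhere to go")
    for binding, location in cfg.sso_endpoints.items():
        if urlparse(location).scheme != "https":
            findings.append(f"{binding.rsplit(':', 1)[-1]} endpoint is not HTTPS: {location}")
    return findings


if __name__ == "__main__":
    parsed = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", parsed.entity_id)
    for binding, url in parsed.sso_endpoints.items():
        print(" ", binding.rsplit(":", 1)[-1], "->", url)
    for finding in parsed.findings:
        print("  FINDING:", finding)
```

Two practical notes: metadata obtained from anything other than the IdP administrator's own export should be parsed with defusedxml rather than the stdlib parser, and the signing certificate extracted here is the one to compare against what the IdP actually uses when the first real assertion arrives, since a mismatch there is the usual cause of a failed first SSO test.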

To access the SSO self-service tool, the company administrator clicks the Home button -> Authentication Admin and then, on the Authentication Administration page, clicks Manage Single Sign-on.

The company's SSO admin sets the SSO sign-in policy on the Manage Single Sign-on page.


By default, the SSO sign-in policy is set to "SSO Optional." This setting ensures that all three different methods of authentication in SAP Concur are enabled: "Sign in with SAP Concur password," "Sign in with email link (passwordless sign-in)," and "Sign in with single sign-on." 

If the SSO sign-in policy is changed to 'SSO Required,' all users must sign in to SAP Concur through an identity provider using SSO.

Be cautious when enabling the SSO Required policy: every account in your SAP Concur system, including TMCs, administrators, web services and test user accounts, will be blocked from signing in to concursolutions.com with a username and password stored in SAP Concur, so verify beforehand that each of them can authenticate through the identity provider.

Currently, the SSO sign-in policy can only be applied at the company level.

On the 'Manage Single Sign-On' page, customers can upload an unlimited number of IdP metadata files, which allows an unlimited number of IdP applications to be connected to a single SAP Concur entity. SSO administrators can give each configured IdP its own name, such as 'Okta (Company A)', which helps users pick the right one during SP-initiated SSO sign-in.


While configuring an IdP in Manage Single Sign-On, SSO administrators can choose to hide that SSO option from the SAP Concur login page. This is useful while an IdP configuration is still being tested, since regular users will not see, and cannot select, the untested option.


The SSO admin can also specify a logout URL to which users are redirected after signing out of SAP Concur.

Here, you will find more resources about the SSO setup in SAP Concur - https://help.sap.com/docs/SAP_CONCUR_SECURITY/b92b8c7fc75a4c8faf62a6584077b022/8bfaad63987d455183bf7...


Conclusion


After reading this post, you will know more about the three authentication methods for accessing concursolutions.com and be able to choose the right combination for your needs.


Share and Connect


What do you think? Do you have anything to add? Leave a comment below.
Did you find it useful? Give us a like and share on social media.
Want to know more about SAP Concur? Please follow here.
Want to ask questions about SAP Concur and its offerings? Ask here
Follow my profile for similar content.

Thank you!