PingOne for Enterprise

Adding Coupa to Your PingOne for Enterprise Dock

Add the Coupa application your PingOne for Enterprise dock from the application catalog.

Steps

  1. In the PingOne for Enterprise admin console, go to Applications → Application Catalog.

  2. Optional: In the Search field, search for the application.

  3. Click the Coupa application line to expand it and click Setup.

  4. On the SSO Instructions page, click the Download link to download the PingOne for Enterprise signing certificate.

Next steps

Click Continue to Next Step.

Coupa Connection Configuration

About this task

PingOne automatically populates the values for the ACS URL and Entity ID fields. All other fields are optional.

Steps

  1. Import the metadata for Coupa:

    Choose from:

    • Click Select File to upload the metadata file.

    • Click Or use URL to enter the URL of the metadata.

  2. In the ACS URL field, make sure the value is https://prdsso40.coupahost.com/sp/ACS.saml2.

  3. In the Entity ID field, make sure the value is prdsso40.coupahost.com.

  4. In the Target Resource field, enter a URL to redirect the user to after IdP-initiated single sign-on (SSO).

  5. In the Single Logout Endpoint field, enter a URL for PingOne to send single logout (SLO) requests to.

  6. In the Single Logout Response Endpoint field, enter a URL for PingOne to send SLO responses to.

  7. On the Primary Verification Certificate line, click Browse to locate and upload a local certificate file used to verify SLO requests and responses.

  8. On the Secondary Verification Certificate line, click Browse to locate and upload a local certificate used to verify SLO requests and responses if the primary certificate fails.

  9. Select the Force Re-authentication check box to require your identity bridge to re-authenticate users with an active SSO session.

  10. Select the Encrypt Assertion check box to encrypt outgoing SAML assertions.

  11. On the Signing line:

    Choose from:

    • Click Sign Assertion to have PingOne sign outgoing SAML assertions. This is the default option.

    • Click Sign Response to have PingOne sign responses to incoming SAML assertions.

  12. From the Signing Algorithm list, select an algorithm with which to sign SAML assertions.

  13. Select the Use Custom URL check box to enter a customer URL to launch Coupa from the dock.

  14. Select the Set Up Provisioning check box to configure user provisioning to Coupa.

Next steps

Click Continue to Next Step.

Coupa Provisioning

About this task

If you don’t need to set up user provisioning, proceed to Coupa Attribute Mapping.

If you selected Set Up Provisioning on the Connection Configuration tab:

Steps

  1. On the Provisioning Instructions tab, click Continue to Next Step to proceed to the Application Configuration tab.

  2. In the COUPA_SUBDOMAIN field, enter your Coupa subdomain.

    Your Coupa subdomain is the subdomain in the URL for your Coupa login.

    Example:

    https://<subdomain>.coupacloud.com

  3. In the API_KEY field, enter the API key used to authenticate provisioning requests.

    To obtain your API key:

    1. Sign on to your Coupa account as an administrative user.

    2. Go to Setup → API Keys.

    3. Click Create.

    4. Complete the creation form and click Create.

    5. Copy the API key value and paste into the API_KEY field.

Next steps

Click Continue to Next Step.

Coupa Attribute Mapping

About this task

PingOne will automatically populate required SAML attributes.

For Coupa, the required attribute is SAML_SUBJECT.

If you enabled provisioning, the required provisioning attributes are:

  • login

  • email

  • firstname

  • lastname

Provisioning creates and populates a number of optional attributes. Clear the Identity Bridge Attribute field for any attribute you don’t intend to use.

Steps

  1. To add an additional optional attribute, click Add new attribute.

  2. In the Application Attribute field, enter the attribute name as it appears in the application.

  3. In the Identity Bridge Attribute or Literal Value field, choose one of the following:

    Choose from:

    • To map to the application attribute: Enter or select a directory attribute.

    • To assign to the application attribute: Select As Literal, then enter a literal value.

  4. To create advanced attribute mappings, click Advanced.

    For more information, see Create advanced attribute mappings.

Next steps

Click Continue to Next Step.

Coupa Customization

Steps

  • To change the application icon, click Select image and upload a local image file.

    The image file must be:

    • PNG, GIF, or JPG format

    • 312 x 52 pixels maximum

    • 2 MB maximum file size

      Images are scaled to 64 x 64 pixels for display.

  • To change the name of the application displayed on the dock, in the Name field, enter a new name.

  • To change the description of the application, in the Description field, enter the new description text.

  • To change the category to which the application is assigned on the dock, in the Category list, select a category.

    For information about creating custom application categories, see Creating a custom application category.

Next steps

Click Continue to Next Step.

Coupa Group Access

About this task

The Group Access tab shows every user group that you have created.

For more information about creating user groups, see Add user groups.

Steps

  • To add a group’s access to the application, on the line for that group, click Add.

  • To remove a group’s access, on the line for that group, click Remove.

  • When you’re finished assigning groups, click Continue to Next Step.

Next steps

Click Continue to Next Step.

Coupa SAML Connection

Steps

  1. On the Review Setup tab, on the SAML Metadata line, click Download to download the metadata file.

  2. Click Finish to add Coupa to your PingOne Dock.

  3. Send an email to inform your Coupa representative that you want to enable SSO. Include the following information.

    • The SAML metadata file you downloaded, attached to the email.

    • A login URL. The login URL should be in the following format.

      https://prdsso40.coupahost.com/sp/startSSO.ping?PartnerIdpId=<Issuer>&TARGET=https://<your_site>.coupahost.com/sessions/saml_post

      • Replace <Issuer> with the Issuer value on the Review Setup tab.

      • Replace <your_site> with the complete URL of your site as registered at Coupa.

    • A logout page URL. Consider using the PingOne dashboard URL, which you can find in the Configure Single Sign-on box on your PingOne Dashboard.

    • Test user. Coupa needs a test user name and password to test SSO functionality.

  4. Sign on to Coupa.

  5. Go to Setup → Company Setup → Security Controls.

    1. Check the Log in using SAML check box.

    2. In the Login Page URL field, enter the login URL that you emailed to your Coupa representative.

    3. In the Logout Page URL field, enter the logout page URL that you emailed to your Coupa representative.

    4. In the Timeout URL, enter the same URL as the Logout Page URL.

    5. In the Certificate field, upload the signing certificate that you downloaded in Adding Coupa to Your PingOne for Enterprise Dock.

  6. Save your configuration in Coupa.