SAP Concur SSO Integration with Microsoft Entra ID via Proxy

Step 1: Download the IdP Certificate from Microsoft Entra ID

1. Log in to the Azure portal as an admin and go to Microsoft Entra ID > Enterprise Applications.
2. Search for SAP Concur and add it. If it is not listed under Enterprise Applications, click + New application > search for SAP Concur > click Create.
3. Click the SAP Concur app and select the Single Sign-On option to configure SSO.
4. Click SAML.
5. Under Set up Single Sign-On with SAML > Basic SAML Configuration section, click Edit.
   
   
    
6. Under Basic SAML Configuration, configure the URIs based on the Users Concur instance and region. The instance name of the URI varies depending on the region. An example is shown below for URL format:
   • Identifier (Entity ID). Enter the URL in the following format : https://<instance-name>concursolutions.com/saml2. For example: https://us-impl.api.concursolutions.com/saml2
   • Reply URL (Assertion Consumer Service URL). Enter the URL in the following format: https://instance-name.concursolution...m/saml2/V1/acs. For example, https://www-us-impl.api.concursoluti.../saml2/V1/acs/
   • Sign-on URL. Enter the URL in the following format: https://<instance-name>concursolutions.com/saml2. For example, https://us-impl.api.concursolutions.com/saml2

6. Click Save.
7. Under SAML Signing Certificate, click the Certificate (Base64) Download link to download the IdP (Azure) certificate, then save it to your local folder. This is your IdP Certificate used to configure the SAML proxy in Skyhigh CASB.
   
   

Step 2: Download the SP Certificate from SAP Concur

1. Log in to the SAP Concur portal as an admin with SSO permissions.
2. Go to Administration > Company > Authentication Admin and click Manage Single Sign-On.
3. Under the IdP Metadata section, select the existing IdP and view the metadata. Then export and save the metadata file to your local folder. This is your SP Certificate used to configure the SAML proxy in Skyhigh CASB. 

Step 3: Configure SAML Proxy in Skyhigh CASB

1. Log in to Skyhigh CASB.
2. Go to Settings > Service Management.
3. Select your SAP Concur instance from the Services list. (If no services are listed, contact Skyhigh Security Support for help.)
4. Click the Setup tab, and under Proxy, click Get Started.
   
   

5. Under Configure SAML, click Configure.
   
   
    
6. Under Upload Identity Provider Certificate, upload the IdP Certificate downloaded earlier from Step 1 and click Next.
7. Under Upload Service Provider Certificate, upload the SP Certificate downloaded earlier from Step 2 and click Next.
8. Under Download SAML Certificate, download the Proxy Certificate and save it in your local folder. This certificate is used in Step 5.
9. Once the SAP Concur SAML proxy configuration is successful, go to Actions > Edit Properties and add the following Company ID property.
   • Name: rewrite.additional.domain.names
   • Value: False
     
     

Step 4: Configure SSO in Microsoft Entra ID

1. Log in to the Azure admin portal.
2. Go to Enterprise application > SAP Concur > Single Sign-on > SAML-based Sign-on.
3. Click the pencil icon to edit Basic SAML Configuration. For Reply URL and Sign on URL, replace the Original URL (Concur domain) with the Proxy URL. For example,
   • Reply URL (Assertion Consumer Service URL). Replace the original URL with the Proxy URL.
     • Original URL: https://us-impl.api.concursolutions.com/saml2 
     • Modified Proxy URL: https://us-impl.api.concursolutions....yshn.net/saml2.
   • Sign on URL. Replace the original URL with the Proxy URL.
     • Original URL: https://www-us-impl.api.concursoluti.../saml2/V1/acs/
     • Modified Proxy URL: https://us-impl.api.concursolutions..../saml2/V1/acs/

Step 5: Add IdP Metadata in SAP Concur

SAP Concur allows only IdP configuration through metadata files. Before adding IdP metadata in Concur, make sure to modify the IdP metadata with the Skyhigh CASB Certificate and URLs.