Configuring SAML for Coupa Cloud

REQUIRED ACCOUNT/PERMISSION LEVEL

Bitium: All account levels; must be an Admin to set up

Coupa Cloud: Must be an Admin to set up

In Bitium:

  1. Go to “Manage Apps.”

  2. Select “Coupa Cloud” from the list of installed apps.

  3. Select the “Single Sign-On” tab.

  4. From the dropdown, select “SAML Authentication.”

  5. Download the metadata XML.

    SAML Configuration

Leave your Bitium window open and continue in a new tab.

In Coupa Cloud:

  1. Log in to https://{your subdomain}.coupacloud.com/.

  2. Select “Setup” and then “Security Controls” in the Company Setup section.

    Security Controls in Coupa Cloud

  3. Upload the Bitium metadata under the Upload IdP metadata field. If you are unable to upload the metadata, send it to your contact at Coupa Cloud, and let them know you would like SAML enabled for your account. There are two SAML instances they can set you up on: devsso35 and prodsso40. Confirm which one they’re using for your account.

    Upload Bitium’s metadata in Coupa Cloud

  4. After you have uploaded your metadata or after Coupa completes the connection with your metadata, check the “Advanced Options” box.

  5. Confirm that the “Login page URL” and the “Timeout URL” are set to: https://{Your Instance - either devsso35 or prodsso40}.coupahost.com/sp/startSSO.ping?PartnerIdpId={The Entity ID, provided by Bitium}&TARGET=https://{Your Coupa Subdomain}.coupacloud.com/sessions/saml_post

  6. Confirm that the Logout page URL field is set to the value of your Logout URL, as found in Bitium.

    Verify Login/Logout/Timeout URLs

  7. Click “Save” in Coupa Cloud.
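
A check for the Login page URL and Timeout URL from step 5, as an added example (not Bitium's or Coupa's code): it reads the entity ID from the downloaded metadata, builds the expected URL for the chosen instance, and reports which parts of a configured value differ. The function names and the sample metadata, including its placeholder entity ID, are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
INSTANCES = ("devsso35", "prodsso40")  # the two instances this page names

# Constructed sample metadata; the entityID is a placeholder, not a real Bitium value.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/constructed-entity-id">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def idp_entity_id(metadata_xml):
    """Return the entityID from the metadata file you downloaded from your IdP."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor" or root.find(MD + "IDPSSODescriptor") is None:
        raise ValueError("not a single-entity SAML IdP metadata document")
    if not root.get("entityID"):
        raise ValueError("metadata has no entityID")
    return root.get("entityID")

def expected_parts(instance, entity_id, subdomain):
    if instance not in INSTANCES:
        raise ValueError(f"unknown instance: {instance!r}")
    target = f"https://{subdomain}.coupacloud.com/sessions/saml_post"
    return f"{instance}.coupahost.com", {"PartnerIdpId": entity_id, "TARGET": target}

def expected_login_url(instance, entity_id, subdomain):
    """Build the Login page / Timeout URL with both parameters percent-encoded."""
    host, params = expected_parts(instance, entity_id, subdomain)
    return f"https://{host}/sp/startSSO.ping?{urlencode(params)}"

def check_configured_url(configured, instance, entity_id, subdomain):
    """Return the names of the URL components that differ from the expected value."""
    host, params = expected_parts(instance, entity_id, subdomain)
    parts, problems = urlsplit(configured), []
    query = parse_qs(parts.query)
    if parts.scheme != "https":
        problems.append("scheme")
    if parts.hostname != host:
        problems.append("host")
    if parts.path != "/sp/startSSO.ping":
        problems.append("path")
    # A missing '&' folds TARGET into PartnerIdpId, so both comparisons fail.
    problems += [k for k, v in params.items() if query.get(k) != [v]]
    return problems
```

The check accepts the parameters either percent-encoded or written out literally, since both decode to the same values.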

In Bitium:

  1. Fill in the blank Instance field with either devsso35 or prodsso40, depending on which instance is being used for your connection.

  2. Fill in the SP Entity ID field with devsso35.coupahost.com or prodsso40.coupahost.com, depending on which instance is being used for your connection.

    SP Entity ID & Instance

  3. Click “Save Changes” in Bitium.

In Coupa Cloud:

  1. Navigate to your Users list, and edit a user you wish to have SSO access.
  2. On the /edit_user page, fill in the Single Sign-On ID field with their email address in Bitium.
  3. Click “Save changes.”

Note: Every user who will authenticate via SAML must exist in the system and have a Single Sign-On ID assigned to them in Coupa Cloud. JIT provisioning is not supported.

Testing:

SP Initiated Login

  1. Assign yourself or an appropriate user to the Coupa Cloud app in Bitium.
  2. In a fresh window or browser not logged into Coupa Cloud or Bitium, navigate to https://{your subdomain}.coupacloud.com.
  3. You should be redirected to a Bitium login page. Sign in there.
  4. After signing in, you should be authenticated into your Coupa Cloud organization.

IDP Initiated Login

  1. Log out of Coupa Cloud.
  2. From the Bitium Dashboard, click on the Coupa Cloud app.
  3. You should be authenticated into the app.

“SAML Enabled” will be illuminated in green once setup is completed.