Integrate Coupa with Okta

Learn how to configure SSO and provisioning for Coupa in your Okta org.

Configure SSO

Follow these steps to integrate Coupa with your Okta org.

  1. Sign in to Coupa as a user with Coupa administrative rights.
  2. Click Setup in the top menu bar.
  3. Click Security Controls in the Company Setup section.
  4. In the Sign in using SAML section, select Sign in using SAML.
  5. In the Admin Console, go to Applications > Applications.
  6. Find your Coupa app integration in the apps list and click it.
  7. Click the Sign On tab.
  8. In the Sign on methods section, open the Metadata URL in a web browser.
  9. Copy the XML metadata and save it to a file named metadata.xml. The metadata looks similar to the following:

       <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk9...">
         <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
           ...
       </md:EntityDescriptor>

  10. Return to Coupa. Click Choose File beside Upload IdP metadata. Locate and upload metadata.xml.
  11. Click Edit in the Settings section of the Sign On tab for your Coupa app integration in Okta.
  12. Set the Default Relay State to <your-coupa-login-url>/sessions/saml_post (for example, if you sign in to https://acme.coupacloud.com, enter https://acme.coupacloud.com/sessions/saml_post).
  13. Enter one of the following URLs for Your Coupa SAML URL:
    • For staging environments, enter: https://sso-stg1.coupahost.com/sp/ACS.saml2
    • For production environments, enter: https://sso-prd1.coupahost.com/sp/ACS.saml2
  14. Enter one of the following values for the Audience URI:
    • For staging environments, enter: sso-stg1.coupahost.com
    • For production environments, enter: sso-prd1.coupahost.com
  15. Click Save.
  16. In Coupa, select Users from the All Setup Items menu bar under Setup.
  17. Find the user for whom you want to set SAML as their authentication method. Click the Edit icon (a pencil) in the Actions column for that user.
  18. Copy the email address from the Login field to the Single Sign-On ID field. The values of these fields must be the same.
  19. Scroll down and click Save.
  20. Optional. Set the Single Sign-On ID for more users, if desired.

Configure provisioning

  1. In the Admin Console, go to Applications > Applications.
  2. Open your Coupa app instance.
  3. Go to the Provisioning tab and click Configure API Integration.
  4. Select the Enable API integration checkbox.
  5. Click Authenticate with Coupa. A window opens.
  6. Enter your Coupa credentials.
  7. In Coupa, go to the Setup tab. Select the OAuth filter, and then click OAuth2/OpenID Connect Clients.
  8. Click Create.
  9. Enter the following values:
    • Grant Type: Set to Authorization Code.
    • Name: Enter a name.
    • Redirect URL: Enter an Okta redirect URL.
    • Shared Secret: Set to Enabled.
    • Enable Scopes: Select core.common.read, core.user.read, core.user.write, offline_access, and openid.
  10. Click Save.
  11. In Okta, enter the following values:
    • API Endpoint: Set to https://your-instance-name.coupahost.com/api.
    • OAuth Client Identifier: Enter the value from the OIDC client that you created earlier.
    • OAuth Client Secret: Enter the value from the OIDC client that you created earlier.
    • Import Groups: Optional. Select the checkbox to import groups from Coupa to Okta.
  12. Click Save.