Coupa
Last reviewed: 4 months ago
This guide covers how to configure Coupa ↗ as a SAML application in Cloudflare Zero Trust.
Prerequisites
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a Coupa Stage or Production account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust ↗, go to Access > Applications.
- Select Add an application > SaaS > Select.
- For Application, enter
Coupa
and select the corresponding textbox that appears. - For the authentication protocol, select SAML.
- Select Add application.
- Fill in the following fields:
- Entity ID:
sso-stg1.coupahost.com
for a stage account orsso-prd1.coupahost.com
for a production account - Assertion Consumer Service URL:
https://sso-stg1.coupahost.com/sp/ACS.saml2
for a stage account orhttps://sso-prd1.coupahost.com/sp/ACS.saml2
for a production account - Name ID format: Email
- Entity ID:
- Copy the Access Entity ID or Issuer and SAML Metadata Endpoint.
- In Default relay state, enter
https://<your-subdomain>.coupahost.com/sessions/saml_post
. - Select Save configuration.
- Configure Access policies for the application.
- Select Done.
2. Download the metadata file
- Paste the SAML metadata endpoint from application configuration in Cloudflare Zero Trust in a web browser.
- Follow your browser-specific steps to download the URL’s contents as an
.xml
file.
3. Add a SAML SSO provider in Coupa
- In Coupa, go to Setup > Company Setup > Security Controls.
- Under Sign in using SAML, turn on Sign in using SAML.
- In Upload IdP metadata, select Choose File, and upload the
.xml
file you downloaded in step 2. Download the metadata file. - Turn on Advanced Options.
- For Sign in page URL and Timeout URL, enter
https://sso-stg1.coupahost.com/sp/startSSO.ping?PartnerIdpId=<access-entity-id-or-issuer>&TARGET=https://<your-subdomain>.coupahost.com/sessions/saml_post
using the Access Entity ID or Issuer from application configuration in Cloudflare Zero Trust. - Select Save.
3. Create a test user and test the integration
- In Coupa, go to Setup > Company Setup > Users.
- Select Create, then enter the user details for your test user. For Login and Single Sign-On ID, enter the user’s email address.
- Select Save.
- Open an incognito browser window and go to your Coupa URL. You will be redirected to the Cloudflare Access login screen and prompted to sign in with your identity provider.
- Once the login is successful, you can configure other users for SSO by adding their email to the Single Sign-On ID field in Setup > Company Setup > Users > user’s name.