Guide - Ping Identity
Coupa Connector
Version 1.0
Quick Connection Guide
© 2015 Ping Identity® Corporation. All rights reserved.
PingFederate Coupa Connector Quick Connection Guide
Version 1.0
March, 2015
Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202
U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America)
Fax: 303.468.2909
Web Site: www.pingidentity.com
Trademarks
Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered
trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the
property of their respective owners.
Disclaimer
The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims
all warranties, either express or implied, including the warranties of merchantability and fitness for a particular
purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers
have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation may not apply.
Document Lifetime
Ping Identity may occasionally update online documentation between releases of the related software.
Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please
refer to documentation.pingidentity.com for the most current information.
From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in
this date: March 18, 2015.
Contents
Introduction
    Supported Features
    System Requirements
    ZIP Manifest
Installation and Setup
    Getting Started
    Installing the Connector
    Configuring Server Settings
    Configuring a Connection
    Complete Setup of SAML SSO to Coupa
    Attribute Index
Introduction
This document assumes you have read the Introduction section of the SaaS Connector User Guide.
(http://documentation.pingidentity.com/display/SaaSQCG/Introduction)
Supported Features
• Outbound User Provisioning
• Browser-based SAML SSO
System Requirements
The Coupa Connector requires installation of PingFederate 7.2.1 or higher and the Common
Provisioning Layer (CPL) 2.0.1 or higher (prov-cpl-2.0.1.jar).
ZIP Manifest
The distribution ZIP file for the Connector contains the following:
• ReadMeFirst.pdf – contains links to this online documentation.
• idp-metadata.xml – the metadata used for Browser SSO.
• /legal:
    – Legal.pdf – copyright and license information.
• /dist – contains libraries needed for the Connector:
    – pf-coupa-quickconnection-1.0.jar – PingFederate Coupa Connector
    – prov-cpl-2.0.1.jar – PingFederate Common Provisioning Layer
Installation and Setup
The following sections explain how to obtain the necessary information required for installing and
configuring this SaaS Connector. Please follow these sections completely and in order.
Getting Started
Before you can configure this Connector, you will need to complete the following steps.
Tip: Some of the following steps result in information to be used at a later time in this User
Guide. It is recommended that you copy this information to a secure location to reference in
later steps.
Obtain Your Coupa Subdomain
This Connector requires your Coupa subdomain to access your Coupa account for SSO and Outbound
Provisioning. Your Coupa subdomain is the subdomain portion of the URL you visit to access your
Coupa account.
Example: YourSubDomain.Coupa.com
Obtain Your Coupa API Key
The Coupa Connector's Outbound Provisioning functionality is built using Coupa’s REST API, which
requires an API Key for authentication. This key can be created and obtained using the steps outlined
below:
To Obtain Your API Key:
1. Log into your Coupa account as an administrative user.
2. Click the Setup tab.
3. Select API Keys under the Company Setup category.
4. Click the Create button.
5. Complete the form and click the Create button.
Obtain your Coupa (SP) SAML 2.0 Metadata XML
This Connector's quick-connection template uses a metadata XML file to assist in configuring many
settings in the SP Connection. Before configuring your SP Connection, you must first download the
metadata.xml from Coupa.
Note: To enable Single Sign-on (SSO), you will need to follow the steps outlined in the
Complete Setup of SAML SSO to Coupa section of this guide once you have completed the
Configuring a Connection section.
To obtain the metadata.xml from Coupa:
1. Log into Coupa as an administrative user.
2. Click the Setup tab.
3. Select Security controls under the Company Setup category.
4. Click the Coupa SP metadata link labeled Download and import SP metadata.
Synchronizing Existing Coupa Users
Important: If your Coupa account already has Users you wish to provision with the Coupa
connector, this is possible by following the steps below.
To provision existing User accounts on Coupa:
Ensure that the value mapped to the email attribute (when configuring the connector) matches the
existing Coupa User's email address exactly as it appears in Coupa.
For example, on the Attribute Mapping screen, the User email attribute on Coupa is mapped to the
User mail attribute in your LDAP. This will synchronize a User that already exists on Coupa with an
email address in Coupa of john.smith@mydomain.com. In this case, the User's mail attribute in
LDAP would also have to be john.smith@mydomain.com.
When the Coupa connector provisions for the first time, this address will be used to synchronize the
User in your LDAP data store with the User in Coupa.
Installing the Connector
To install the Coupa Connector, please follow the instructions in the Installing the Connector section of
the SaaS Connector User Guide.
(http://documentation.pingidentity.com/display/SaaSQCG/Installation+and+Setup#InstallationandSetup-pID0E0SC0HA)
Configuring Server Settings
To configure Server Settings in preparation of configuring the Coupa Connector, please follow the
instructions in the Configuring Server Settings section of the SaaS Connector Guide.
(http://documentation.pingidentity.com/display/SaaSQCG/Configuring+Server+Settings#ConfiguringServerSettings-pID0E0FC0HA)
Configuring a Connection
Important: This section directs you to the SaaS Connector User Guide for most of the steps
to configure this Connector but contains additional steps that need to be followed to
successfully configure this Connector. Ensure you follow the additional steps below as
directed.
To Configure a Connection using the Coupa Connector, please follow the instructions in the
Configuring a Connection section of the SaaS Connector User Guide, making the adjustments listed in
the following section.
(http://documentation.pingidentity.com/display/SaaSQCG/Configuring+a+Connection#ConfiguringaConnection-pID0E0VB0HA)
Additional Steps
• On the Connection Template screen, select Coupa as the Connection Template to use for this SP
  Connection. You will be asked to provide the Metadata File you edited earlier in the Getting Started
  section of this User Guide.
• On the General Info screen, the default values are taken from the metadata file you selected in an
  earlier step. We recommend using these default values.
• On the Target screen when configuring provisioning, enter the API Key and subdomain you
  obtained in the Getting Started section of this User Guide and click Done.
Complete Setup of SAML SSO to Coupa
The following steps outline how to complete the configuration of your Coupa account and/or SP
Connection to enable IdP or SP initiated SAML SSO.
Important: Coupa supports either SP-initiated or IdP-initiated SAML SSO on a given Coupa
account (not both).
Tip: For additional information on configuring SAML SSO for Coupa, please see Coupa’s
online documentation here. (http://www.coupa.com/success/coupa-sso-setup)
To complete the configuration you will have to:
1. Obtain the EntityId and Base Url of PingFederate.
2. Obtain the EntityDescriptor’s Id from your SP Connection’s metadata.
3. Update the idp-metadata.xml that comes packaged with the Coupa connector with the EntityId,
Base url and EntityDescriptor’s Id you obtained in steps 1 and 2 above.
4. (IdP-initiated SSO only) Update the Assertion Consumer Service url in your SP Connection to
include a RelayState.
5. Configure Coupa for SAML SSO.
To obtain the EntityId and Base url of your PingFederate:
1. From the main screen of your PingFederate admin console, click Server Settings under System
Settings.
2. Click the Federation Info tab.
3. Make note of the Base URL and SAML 2.0 Entity Id to use in a later step.
To obtain the Id of your Entity Descriptor from your SP Connection:
You will first need to export your SP Connection’s metadata.xml:
1. From the main screen of your PingFederate admin console click Manage All SP under the SP
Connection section.
2. Click Export Metadata for your Coupa SP Connection.
3. Select the Signing Certificate you used in that SP Connection and click Next.
4. Click the Export button to download the metadata file.
5. Click Done and then Save.
Once you have the metadata from your SP Connection, view the metadata file you exported and make
note of the ID value of the EntityDescriptor tag at the top of the file.
In the following image, I have highlighted the value of the ID within the EntityDescriptor of a sample
SP Connection:
To prepare the idp-metadata.xml:
1. Edit the idp-metadata.xml file that is packaged with the Coupa connector with a text editor of your
choice.
2. Replace the placeholder <YOUR_ENTITY_DESCRIPTOR_ID> with the Id you obtained above.
3. Replace the <YOUR_PF_ENTITY_ID> with the PingFederate EntityId you obtained above.
4. Replace the <YOUR_PF_BASE_URL> with the PingFederate Base url you obtained above.
5. Save your changes.
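The placeholder substitution above can be scripted so that a missed placeholder or a value that breaks the XML is caught before the file is sent to Coupa. The following Python sketch is an added example, not part of the Connector distribution: the function name prepare_idp_metadata, the HTTPS check and the sample template are assumptions (the packaged file's real contents are not shown in this guide); only the three placeholder names come from the steps above.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Constructed stand-in for the packaged idp-metadata.xml; only the three
# placeholder names are taken from this guide.
SAMPLE_TEMPLATE = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="<YOUR_ENTITY_DESCRIPTOR_ID>" entityID="<YOUR_PF_ENTITY_ID>">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="<YOUR_PF_BASE_URL>/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

ANY_PLACEHOLDER = re.compile(r"<YOUR_[A-Z_]+>")


def prepare_idp_metadata(template, descriptor_id, entity_id, base_url):
    """Fill the three placeholders and return well-formed metadata XML."""
    url = urlparse(base_url)
    # Added check (assumption): the PingFederate Base URL should be HTTPS.
    if url.scheme != "https" or not url.netloc:
        raise ValueError("Base URL must be an absolute https:// URL")
    values = {
        "<YOUR_ENTITY_DESCRIPTOR_ID>": descriptor_id,
        "<YOUR_PF_ENTITY_ID>": entity_id,
        "<YOUR_PF_BASE_URL>": base_url,
    }
    # The template is not parseable XML until the placeholders are gone
    # ("<" is illegal inside an attribute value), so substitute as text.
    filled = template
    for placeholder, value in values.items():
        if placeholder not in filled:
            raise ValueError(f"template is missing {placeholder}")
        # Escape so a value containing &, < or " cannot break the XML.
        filled = filled.replace(placeholder, escape(value, {'"': "&quot;"}))
    leftover = ANY_PLACEHOLDER.findall(filled)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    ET.fromstring(filled)  # raises ParseError if the result is not well formed
    return filled
```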
To Configure your SP Connection for IdP-initiated SSO:
Note: This step is only required if you wish to enable IdP-initiated SSO.
To successfully configure your SP Connection for IdP-initiated SSO, you will need to add a RelayState
parameter to your SP Connection’s Assertion Consumer Service (ACS) url.
1. From the main screen of your PingFederate admin panel, click your Coupa SP Connection to edit it.
2. Click the Assertion Consumer Service URL link under Protocol Settings.
3. Click Edit for the Endpoint URL you are using in your SP Connection.
4. Enter the following Endpoint URL, which contains the RelayState parameter:
/sp/ACS.saml2?RelayState=https://YourSubDomain.coupacloud.com/sessions/saml_post
Where:
YourSubDomain equals your Coupa Subdomain, which you obtained in the Getting Started section.
5. Click Update.
6. Click Done, Done and Save.
To Configure Coupa for SAML SSO:
Tip: Coupa recommends you send your prepared idp-metadata.xml to them along with Login
page URL, Logout page URL, Timeout URL and a test user that exists in your IdP to their
support team or your Coupa Implementation Administrator to assist you in configuring Coupa
for SAML SSO.
1. Log into your Coupa account as an administrative user.
2. Click the Setup tab.
3. Select Security controls under Company Setup.
4. Import the idp-metadata.xml you prepared above into the Upload IdP metadata field.
Note: During development and testing of the Coupa connector, we were unable to upload the
idp-metadata.xml into Coupa without receiving errors so we did contact Coupa to assist with
this configuration.
5. Enable the Advanced Options checkbox.
6. Enter the Login page, Logout page and Timeout URLs.
Where:
Login page URL:
(For SP-initiated SSO):
https://prdsso40.cloudcoupa.com/sp/startSSO.ping?PartnerIdpId=<YOUR_PF_ENTITY_ID>&TARGET=https://<YOUR_COUPA_SUBDOMAIN>.cloudcoupa.com/sessions/saml_post
(For IdP-initiated SSO): Points to the login page of your IdP.
Logout page URL: Is set to where your users should be directed when they log out of Coupa.
Timeout URL: Is set to where your users should be directed if their session times out before
they log in.
7. Click Save.
Attribute Index
The following table consists of the attributes that can be mapped on a User during provisioning.
Attribute
    Description
login
    Login name for the user.
    This value must be unique.
email
    User’s email address.
    This value must be unique.
firstName
    User's first name.
lastName
    User's last name.
employee-number
    User's Employee Number.
    This value must be unique.
authentication-method
    The method of authentication for the user. Acceptable values include
    ‘coupa-credentials’, ‘saml’ and ‘ldap’. If no value is specified, the
    user will be created with ‘coupa-credentials’.
    Please note: when setting a user’s authentication-method to ‘saml’ or
    ‘ldap’, you will first need to configure the security settings of your Coupa
    account.
role
    The names of roles the user is a member of. If you do not set a role, users
    will be assigned to the “User” role by default.
    Please note: The roles must already exist in Coupa before you can add a
    user to them.
    Important: Users’ roles cannot directly be cleared by the Coupa
    Connector. However, you can set the role to “User”, the default user
    role.
password
    The User’s Coupa password.
    Please note: This value is ignored when generate-password-and-notify is set to ‘true’.
generate-password-and-notify
    When creating or updating users with this field set to ‘true’, an email
    will be sent to the email set for the user allowing the user to reset their
    own password. Acceptable values include ‘true’ and ‘false’.
    Please note: If you wish to set the password for a user using the
    password attribute, generate-password-and-notify must be set to
    ‘false’.
SSO-identifier
    User's Single Sign-on ID (SSO ID).
    This value must be unique.
phone-mobile
    User's Mobile Phone Number.
    For example:
    1 222-333-4444 ext. 12345
    Please note: Coupa only accepts certain formats for phone numbers. If
    you have difficulty correctly formatting numbers, Coupa’s support can be
    reached online at https://support.coupa.com, by email at
    support@coupa.com or through your Coupa Implementation
    Administrator.
phone-work
    User's Work Phone Number.
    For example:
    1 222-333-4444 ext. 12345
    Please note: Coupa only accepts certain formats for phone numbers. If
    you have difficulty correctly formatting numbers, Coupa’s support can be
    reached online at https://support.coupa.com, by email at
    support@coupa.com or through your Coupa Implementation
    Administrator.
manager
    The login attribute value of the user’s manager.
    Please note: The manager must already exist on the Coupa account
    before it can be added as a manager of another user.
Requisition Approval Limit Amount
    User's Approval Limit. For example:
    1000.00
Requisition Approval Limit Currency
    User's Approval Limit Currency Code. For example: ‘CAD’.
    Please note: the list of valid currency codes available for your use can be
    found on your Coupa account's currencies list:
    https://YourSubDomain.coupacloud.com/currencies
Invoice Approval Limit Amount
    User's Approval Limit. For example:
    1000.00
Invoice Approval Limit Currency
    User's Approval Limit Currency Code. For example: ‘CAD’.
    Please note: the list of valid currency codes available for your use can be
    found on your Coupa account's currencies list:
    https://YourSubDomain.coupacloud.com/currencies
Content-Groups
    The names of content groups the user is a member of.
    Please note: The content groups must already exist in Coupa before you
    can add a user to them.
    Important: Content groups cannot directly be cleared by the Coupa
    Connector. However, you can remove a user from all content groups
    through the Coupa admin console.
Requisition Self-Approval Limit Amount
    User's Self-Approval Limit. For example:
    1000.00
Requisition Self-Approval Limit Currency Code
    User's Self-Approval Limit Currency Code. For example: ‘CAD’.
    Please note: the list of valid currency codes available for your use can be
    found on your Coupa account's currencies list:
    https://YourSubDomain.coupacloud.com/currencies
Approval Groups
    The names of approval groups the user is a member of.
    Please note: The approval groups must already exist in Coupa before you
    can add a user to them.
    Important: Approval groups cannot directly be cleared by the Coupa
    Connector. However, you can remove a user from all approval groups
    through the Coupa admin console.
Default Currency
    User's Default Currency Code. For example: ‘CAD’.
    Please note: the list of valid currency codes available for your use can be
    found on your Coupa account's currencies list:
    https://YourSubDomain.coupacloud.com/currencies
Departments
    The names of departments the user is a member of.
    Please note: The departments must already exist in Coupa before you
    can add a user to them.
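Several rules in the Attribute Index only show up at provisioning time, notably that a user with no authentication-method mapped is created with ‘coupa-credentials’ rather than SSO. The following Python pre-flight check is an added example, not part of the Connector: lint_users, its parameters and the sample records are hypothetical, records are assumed to be dictionaries keyed by the attribute names above, and the case-sensitive comparison of authentication-method values is an assumption.

```python
from collections import Counter

# Attributes the Attribute Index says must be unique.
UNIQUE_ATTRS = ("login", "email", "employee-number", "SSO-identifier")
AUTH_METHODS = {"coupa-credentials", "saml", "ldap"}


def lint_users(users, existing_logins, existing_roles):
    """Return (login, finding) pairs for a batch of mapped user records."""
    findings = []
    for attr in UNIQUE_ATTRS:
        seen = Counter(u[attr] for u in users if u.get(attr))
        findings += [(u.get("login"), f"duplicate {attr}")
                     for u in users if seen[u.get(attr)] > 1]
    for u in users:
        login = u.get("login")
        method = u.get("authentication-method")
        if method is None:
            # Not mapped: Coupa creates the user with local credentials.
            findings.append((login, "defaults to coupa-credentials"))
        elif method not in AUTH_METHODS:  # assumption: values are case-sensitive
            findings.append((login, "invalid authentication-method"))
        notify = u.get("generate-password-and-notify")
        if notify not in (None, "true", "false"):
            findings.append((login, "invalid generate-password-and-notify"))
        if notify == "true" and "password" in u:
            findings.append((login, "password is ignored"))
        for role in u.get("role", ()):
            if role not in existing_roles:
                findings.append((login, f"unknown role {role}"))
        manager = u.get("manager")
        # The manager must already exist in Coupa, not merely in this batch.
        if manager and manager not in existing_logins:
            findings.append((login, f"unknown manager {manager}"))
    return findings


# Constructed sample batch (not real accounts or credentials).
SAMPLE_USERS = [
    {"login": "jsmith", "email": "john.smith@mydomain.com",
     "employee-number": "1001", "authentication-method": "saml",
     "SSO-identifier": "jsmith", "manager": "akhan"},
    {"login": "jdoe", "email": "john.smith@mydomain.com",
     "employee-number": "1002", "password": "example-only",
     "generate-password-and-notify": "true"},
    {"login": "mlee", "email": "m.lee@mydomain.com",
     "employee-number": "1003", "authentication-method": "SAML",
     "role": ["Buyer"], "manager": "jsmith"},
]
```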