Concur Connector
Version 1.0
© 2015 Ping Identity® Corporation. All rights reserved.
PingFederate Concur Connector Quick Connection Guide Version 1.0
May, 2015
Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202
U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909
Web Site: www.pingidentity.com
Trademarks
Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners.
Disclaimer
The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Document Lifetime
Ping Identity may occasionally update online documentation between releases of the related software.
Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to documentation.pingidentity.com for the most current information.
From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: May 15, 2015.
Contents
Introduction
Supported Features
System Requirements
ZIP Manifest
Installation and Setup
Getting Started
Installing the Connector
Configuring Server Settings
Configuring a Connection
Complete Setup of SAML SSO to Concur
Attribute Index
Introduction
This document assumes you have read the Introduction section of the SaaS Connector User Guide. (http://documentation.pingidentity.com/display/SaaSQCG/Introduction)
Supported Features
• Outbound User Provisioning
• Browser-based IDP-initiated SSO
System Requirements
The Concur Connector requires installation of PingFederate 7.2.1 or higher and the Common Provisioning Layer (CPL) 2.0.2 or higher (prov-cpl-2.0.2.jar).
ZIP Manifest
The distribution ZIP file for the Connector contains the following:
• ReadMeFirst.pdf – contains links to this online documentation.
• saml-metadata.xml – the metadata used for Browser SSO.
• /legal:
  – Legal.pdf – copyright and license information.
• /dist – contains libraries needed for the Connector:
  – pf-concur-quickconnection-1.0.jar – PingFederate Concur Connector
  – prov-cpl-2.0.2.jar – PingFederate Common Provisioning Layer
Installation and Setup
The following sections explain how to obtain the necessary information required for installing and configuring this SaaS Connector. Please follow these sections completely and in order.
Getting Started
Before you can configure this Connector, you will need to complete the following steps.
Tip: Some of the following steps result in information to be used at a later time in this User Guide. It is recommended that you copy this information to a secure location to reference in later steps.
Obtain Your OAuth 2.0 Access Token
The Concur Connector's Outbound Provisioning functionality is built using Concur’s REST API, which requires an OAuth 2.0 access token for authentication. To obtain the access token, you will need to first obtain your Consumer Key and Secret from Concur.
To Obtain Your Consumer Key & Secret from Concur:
Note: Concur provides Web Services such as provisioning as an optional extra to its customers. Check with Concur that you have Web Services available as part of your setup. Concur will provide you with the OAuth key and secret you require.
1. Log into Concur as an administrative user.
2. Go to the WebServices Admin panel.
3. Select the Register Partner Application
4. Create a new or modify an existing application and ensure it is configured as follows:
   • Enter any descriptive name into the Name field.
   • Enter any description or “PingFederate Concur Connector Outbound Provisioning” into the Description field.
   • Ensure the Active status is set to Active.
   • Ensure the Users - Add or Update User Accounts option is enabled in the APIs list.
   • Copy the Application Authorization’s Key and Secret value to use in the next section.
1. Visit Ping Identity’s OAuth Configuration Service (OCS) (https://oauth.pingone.com/ocs/ppm/rest/v1/oauth/oasrequestform).
2. Select the Concur Web Connector option from the select menu.
3. Enter your Concur Consumer Key in the ClientID text box.
4. Enter your Concur Consumer Secret in the Client Secret text box.
5. Click the Connect button.
6. Log into Concur with an administrative account.
   Note: If you are already signed in to Concur, you will not be asked to log in again. Please be sure that the account you are signed in under is an administrative account.
7. You will be informed that your Application is requesting access to Add or update Concur user accounts. Click the Allow button to continue.
8. You should have been redirected back to the OCS and presented with an Access Token. Make note of the Access Token to use in a later step when configuring your connection.
Obtain the Concur SAML 2.0 Metadata XML
This Connector's quick-connection template uses a metadata XML file to assist in configuring many settings in the SP Connection. When asked during the Connection configuration steps, import the saml-metadata.xml packaged with this connector.
Synchronizing Existing Concur Users
Important: If your Concur account already has Users you wish to provision with the Concur connector, this is possible by following the steps below.
To provision existing User accounts on Concur:
Ensure that the value mapped to the empId attribute (when configuring the connector) matches the existing Concur User's EmployeeId exactly as it appears in Concur.
For example, suppose that on the Attribute Mapping screen the User empId attribute is mapped to the User employeeID attribute in your LDAP. This will synchronize a User that already exists in Concur with an EmployeeId of 123abc to the User in your LDAP who has an employeeID attribute value of 123abc.
When the Concur connector provisions for the first time, this empId value will be used to synchronize the User in your LDAP data store with the User in Concur.
Installing the Connector
To install the Concur Connector, please follow the instructions in the Installing the Connector section of the SaaS Connector User Guide.
(http://documentation.pingidentity.com/display/SaaSQCG/Installation+and+Setup#InstallationandSetup-pID0E0SC0HA)
Configuring Server Settings
To configure Server Settings in preparation of configuring the Concur Connector, please follow the instructions in the Configuring Server Settings section of the SaaS Connector Guide.
(http://documentation.pingidentity.com/display/SaaSQCG/Configuring+Server+Settings#ConfiguringServerSettings-pID0E0FC0HA)
Configuring a Connection
Important: This section directs you to the SaaS Connector User Guide for most of the steps to configure this Connector but contains additional steps that need to be followed to successfully configure this Connector. Ensure you follow the additional steps below as directed.
To configure a Connection using the Concur Connector, please follow the instructions in the Configuring a Connection section of the SaaS Connector User Guide, making the adjustments listed in the following section.
(http://documentation.pingidentity.com/display/SaaSQCG/Configuring+a+Connection#ConfiguringaConnection-pID0E0VB0HA)
Additional Steps
• On the Connection Template screen, select Concur as the Connection Template to use for this SP Connection. You will be asked to provide the saml-metadata.xml file you obtained earlier in the Getting Started section of this User Guide.
• On the General Info screen, the default values are taken from the metadata file you selected in an earlier step. We recommend using these default values.
• On the Target screen when configuring provisioning, enter the Access Token value you obtained in the Obtain Your OAuth 2.0 Access Token section of this User Guide into the OAUTH_ACCESS_TOKEN field and click Done.
Complete Setup of SAML SSO to Concur
The following section describes the steps for configuring IDP-initiated SSO to Concur.
1. Obtain the base-64 x509 certificate that will be used for SSO in your SP Connection.
2. Contact your Concur account representative to obtain a work order which will enable the Concur technical team to assist you in setting up SSO for your organization. Be sure to include your base-64 x509 certificate in your request.
Important: The SAML_SUBJECT configured in the Attribute Contract Fulfillment section of this SP Connection must match the user’s loginId in Concur.
Attribute Index
The following table consists of the attributes that can be mapped on a User during provisioning.
Important: Many fields are required based on your Concur account’s configuration. Please ensure that you are sending data for all user fields that are required based on your configuration.
Attribute                  Description
loginId                    The user's logon ID. This value must be unique.
empId                      The unique identifier for the user. This value must be unique.
emailAddress               The user's email address.
Password                   The user's password. This element can be used to enter the password for a new user, but cannot be used to update the password for an existing user.
firstName                  The user's first name.
mI                         The user's middle initial.
lastName                   The user's last name.
crnKey                     The 3-letter ISO 4217 currency code for the user's reimbursement currency. (http://en.wikipedia.org/wiki/ISO_4217)
                           Example: The crnKey for the United States Dollar is USD.
ctryCode                   The ISO 3166-1 alpha-2 country code. (http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2)
                           Example: The ctryCode for the United States is US.
ctrySubCode                The user's two-character country code and two-character state or
                           Example: Washington State, United States is US-WA.
ledgerKey                  The user's assigned account code ledger.
                           Example: DEFAULT
localeName                 The user's language locale code. List of the Supported Locales: https://developer.concur.com/node/640
                           Example: United States English is en_US. The supported languages vary by company but always include en_US.
tripUser                   Whether the user has access to Travel. Valid values include: Y/N.
expenseUser                Whether the user has access to Expense. Valid values include: Y/N.
expenseUserApprover        Whether the user is an Expense approver. Valid values include: Y/N.
invoiceUser                Whether the user has access to Invoice. Valid values include: Y/N.
invoiceUserApprover        Whether the user is an Invoice approver. Valid values include: Y/N.
isTestEmp                  Whether the user is a Test Employee. Valid values include: Y/N.
custom1 through custom21   The custom fields on the Employee form. Varies depending on configuration. There are two types of custom lists: simple lists and connected (multi-level) lists. We do not support connected lists.
orgUnit1 through orgUnit6  The custom organizational unit fields on the Employee form. Varies depending on configuration.
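The following pre-provisioning check is an added example, not part of the Connector or of Ping Identity's documentation. It applies the format and uniqueness rules from the Attribute Index to a batch of user records and flags an empId that is only a case or whitespace near-match for an existing Concur EmployeeId, since the guide requires an exact match. The dict-per-user layout, the validate_users function and the sample records are assumptions made for illustration.

```python
import re
from collections import Counter

# Format rules from the Attribute Index; the dict-per-user layout is an assumption.
FORMATS = {
    "crnKey": r"[A-Z]{3}",                # ISO 4217, e.g. USD
    "ctryCode": r"[A-Z]{2}",              # ISO 3166-1 alpha-2, e.g. US
    "ctrySubCode": r"[A-Z]{2}-[A-Z]{2}",  # as in the guide's example, US-WA
    "localeName": r"[a-z]{2}_[A-Z]{2}",   # e.g. en_US
}
YN_FLAGS = ("tripUser", "expenseUser", "expenseUserApprover",
            "invoiceUser", "invoiceUserApprover", "isTestEmp")


def validate_users(users, concur_emp_ids=()):
    """Return sorted (loginId, problem) pairs; concur_emp_ids = IDs already in Concur."""
    problems = []
    # Normalised -> exact form, so a case/whitespace near-miss can be reported.
    existing = {e.strip().lower(): e for e in concur_emp_ids}
    for attr in ("loginId", "empId"):  # the guide requires both to be unique
        counts = Counter(u.get(attr) for u in users)
        for u in users:
            if not u.get(attr):
                problems.append((u.get("loginId"), f"{attr} missing"))
            elif counts[u[attr]] > 1:
                problems.append((u.get("loginId"), f"{attr} not unique"))
    for u in users:
        who = u.get("loginId")
        for attr, pattern in FORMATS.items():
            if attr in u and not re.fullmatch(pattern, u[attr]):
                problems.append((who, f"{attr} bad format"))
        for flag in YN_FLAGS:
            if flag in u and u[flag] not in ("Y", "N"):
                problems.append((who, f"{flag} must be Y or N"))
        near = existing.get(str(u.get("empId") or "").strip().lower())
        if near is not None and near != u.get("empId"):
            problems.append((who, f"empId is not an exact match for {near!r}"))
    return sorted(problems, key=lambda p: (str(p[0]), p[1]))


# Constructed sample batch (not real accounts).
SAMPLE = [
    {"loginId": "a.lee@example.com", "empId": "123abc", "crnKey": "USD",
     "ctryCode": "US", "ctrySubCode": "US-WA", "localeName": "en_US", "tripUser": "Y"},
    {"loginId": "b.kim@example.com", "empId": "123ABC", "crnKey": "usd",
     "expenseUser": "yes"},
]
```

Calling validate_users(SAMPLE, ["123abc"]) reports three problems for the second record and none for the first.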