Single Sign-on Experience Concur as an example

Background

Single Sign-on is a great solution but can be difficult to deliver a great experience. If you are an adminstrator like myself, setting up SSO isn’t as standardized as you would hope. Recently I migrated 50+ applications from OneLogin to Microsoft Azure Active Directory. Our company adopted SSO much before we adopted Microsoft’s Office 365 and Azure. Microsoft’s features improved so much over the past year or so we decided to make the switch.

For users, they go to a single portal to find all of the apps you’ve setup for them. In Microsoft’s case, Office 365 customers can go to https://myapps.microsoft.com to access their apps. As your company connects more apps to SSO they will all show up in this same portal. That’s it, pretty simple concept! Administrators who have setup SSO will cringe at that thought, it’s much more pain on their side since each company has their own requirements on it will work for an Identity as a Service provider like Microsoft Azure Active Directory.

Example

Let’s look at Concur in more detail. To start with, they don’t provide Administrator access to the SSO settings in your portal. You will need to open a support case with them to make a change. For a company as large as SAP, you would hope their support would be top class. From my experience they respond once every 24 hours to a ticket, but if you press them they will get on a call with you to help speed things up.

If you are an administrator setting up their application for Azure AD, the steps are documented here. After we set it up though we noticed after logging into the mobile app on iOS or Android the user would get redirected to our SSO portal, not the Concur dashboard. After months of troubleshooting with Concur and 2 identity providers I figured it out. When Concur support asks you for a “mobile friendly URL” for your application follow these steps for the “User access URL”
1. Go to your Enterprise Application you’ve setup
2. Click on Properties in the left pane
3. Copy the User access URL – PROVIDE THIS URL TO CONCUR SUPPORT

Summary

I can’t speak for Concur, but I believe they’re asking for some kind of Relay State to redirect users to your SSO application for Concur. If you provide them with the User access URL everything will work as expected. After you log into the Concur mobile app it redirects you to the Concur dashboard. Again, Single Sign-on is a great solution but can be difficult to deliver a great experience. It’s a simple concept but getting it just right for your users to have a great experience can take quite a bit of work. It will be worth it!