Concur Mobile App and Okta SSO Skip to main content
https://support.okta.com/help/answers?id=906f0000000qtfeiak&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Angela CragheadAngela Craghead 

Concur Mobile App and Okta SSO

I was wondering if anyone has launched the Concur Mobile App using Okta SSO? We are experiencing some odd behavior with the sign on and was curious about others experiences.
BHFSmor BHFSmorBHFSmor BHFSmor
We use it, and you're right, the way Concur has implemented delegated auth for the mobile app is clunky. The user has to open the app and click on the link labeled something like "sign in using SSO". They are then asked for their company code, which can be found in their Concur profile. After entering the company code, you are redirected to your IDP (Okta). I'm not sure why Concur is using a company code rather than email address domain, but assuming you know the code the process works (for us). 
Angela CragheadAngela Craghead
Thanks for the response Mark!

After we enter this information we also get redirected to the Okta log in screen the first time. From there on out that doesn't happen again unless the user logs out of their device. Do you experience this as well?
Parth SwadasParth Swadas
Hello,

We are planning for Concur SSO integration this week. As per my knowledge, Concur supports two modes for SSO :

1) Mixed mode : Supports both concur login and company login
If you click on login using company code then users will be redirected to OKTA embed login link otherwise users can login with concur username/password.
2) Enforced SSO : Supports login only through OKTA
Enter e-mail address -> Click on company sign-in -> Request will be redirected to OKTA for login.

How is the SSO working for Concur mobile? Anything to be taken care duering implementation or post-implementation? 
Angela CragheadAngela Craghead
Hello Parth, We are doing enforced SSO. However the login seems clunky in general. There is no passing of credentials, just a redirect to a different site.
Parth SwadasParth Swadas
Hi,

We are observing session time-out issue with Mobile SSO.

Without SSO : Concur has local username/password. So even after the session tiome-out (max. 120 minutes as per concur), concur can re-authenticates users as they Save Sign In and Automatically Sign in options enabled.

OKTA SSO : With SSO enabled, neither Concur/OKTA has the password (We are having AD delegated authentication). So concur re-directs to OKTA every 120 minutes for re-authentication. so users are not having a mobile friendly login as they have to login very frequenlty(after every 120 idle minutes) with mobile SSO enabled.

Is there any work-around for this? I am pretty sure many of us would have faced this issue.
Parth SwadasParth Swadas
Hi,

Has anyone observed session time-out issue? As per concur team, they have max. time-out of 120 minutes. So after every 120 idle minutes, user has to login to SSO. (Without SSO, concur has local credentials so it keeps user logged-in which is not the case for SSO).
David SDavid S
Has anyone else figured out a way to have a better experience on the iPad and iPhone with Concur and enforce SSO? Our IdP session timeouts are set in excess of 120 minutes for Concur, yet we are still be prompted more frequently. Actually on the iPad it seems to be even more frequently than on the iPhone. Our sales people use concur 3-4 times a day, and we are trying to find a way for them to only login once a day.

I was told that if you enfore SSO that 120 minutes is the max timeout that Concur can provide? Has anyone else figured how to increase the time-out with SSO enforced on mobile devices?