We use it, and you're right, the way Concur has implemented delegated auth for the mobile app is clunky. The user has to open the app and click on the link labeled something like "sign in using SSO". They are then asked for their company code, which can be found in their Concur profile. After entering the company code, you are redirected to your IDP (Okta). I'm not sure why Concur is using a company code rather than email address domain, but assuming you know the code the process works (for us).
After we enter this information we also get redirected to the Okta login screen the first time. From there on out that doesn't happen again unless the user logs out of their device. Do you experience this as well?
We are planning for Concur SSO integration this week. As per my knowledge, Concur supports two modes for SSO:
1) Mixed mode: Supports both Concur login and company login. If you click on login using company code then users will be redirected to the OKTA embed login link; otherwise users can log in with Concur username/password.
2) Enforced SSO: Supports login only through OKTA. Enter e-mail address -> Click on company sign-in -> Request will be redirected to OKTA for login.
How is the SSO working for Concur mobile? Anything to be taken care of during implementation or post-implementation?
We are observing a session time-out issue with Mobile SSO.
Without SSO: Concur has a local username/password. So even after the session time-out (max. 120 minutes as per Concur), Concur can re-authenticate users as they have the Save Sign In and Automatically Sign In options enabled.
OKTA SSO: With SSO enabled, neither Concur nor OKTA has the password (we have AD delegated authentication). So Concur redirects to OKTA every 120 minutes for re-authentication, so users do not have a mobile-friendly login, as they have to log in very frequently (after every 120 idle minutes) with mobile SSO enabled.
Is there any work-around for this? I am pretty sure many of us would have faced this issue.
Has anyone observed a session time-out issue? As per the Concur team, they have a max. time-out of 120 minutes. So after every 120 idle minutes, the user has to log in to SSO. (Without SSO, Concur has local credentials, so it keeps the user logged in, which is not the case for SSO.)
Has anyone else figured out a way to have a better experience on the iPad and iPhone with Concur and enforce SSO? Our IdP session timeouts are set in excess of 120 minutes for Concur, yet we are still being prompted more frequently. Actually on the iPad it seems to be even more frequently than on the iPhone. Our sales people use Concur 3-4 times a day, and we are trying to find a way for them to only log in once a day.
I was told that if you enforce SSO that 120 minutes is the max timeout that Concur can provide? Has anyone else figured out how to increase the time-out with SSO enforced on mobile devices?