cpj24 (cpj24) asked a question.
This (https://support.okta.com/help/s/question/0D50Z00008G7Uvj/concur-mobile-app-and-okta-sso?language=en_US) thread had some data regarding how the Concur mobile application was to be configured and behaved. We are looking at attaching the Concur mobile app to Okta in our environment, but are concerned about what impact doing so will have, and how to do so.
First, in that thread "Former Okta Community Member (Customer)" said that "They are then asked for their company code, which can be found in their Concur profile." However, I have looked through my concur profile and have not been able to locate something that is obviously identifiable as the company code. Where specifically in the profile is the company code found?
Caveat 1: We do not have SSO enabled for Concur mobile at this time. If enabling it is required for revealing the company code, that may be our issue.
Caveat 2: That quote was put in 5 years ago, and whether or not the company code is available to users of concur may have changed. This (https://bus.lmu.edu/media/bus/controllersoffice/systems/concur/communication/webinformationportal/formsandreferencematerials/Getting_Started_with_Concur_Mobile_with_SSO_Android.pdf) PDF from Loyola Marymount University provides the company code directly. Concur documentation is relatively silent on the issue, or not published in a manner that Google is aware of it.
Second, in that thread it is also mentioned that the Concur mobile app closes the session after two hours. That was verified as recently as 9 months ago. However, even 9 months is a long time in technology. Can anyone confirm whether a Concur session times out in 2 hours when not utilizing a stored username and password? Can a user maintain an SSO produced session for longer than that period?
I ran into the Concur company code issue in a previous job. I'm pretty sure that to get it you sign in to the normal Concur web page, look under your Profile Settings, and there will be a section for mobile registration. The company code you need for Concur mobile should be found there.
On the session timeout: I think that depends on what your company has configured for its Concur mobile app session length, and a SSO session can last longer if you configure Concur to do so. That's what this thread implies.
Tim,
Thank you. I do not see the company code in the Concur Mobile Registration section. However, we currently do not have SSO enabled in Concur and that could account for why it is missing. Once we have it turned on, I'll update here.
On session time out: I don't see anything about changing the session timeout (on the Concur side) in that thread. They mention that turning on the PIN is an alternative to SSO. However, the timeout change referenced was related to ADFS (Active Directory Federated Services) which is apparently their SSO provider. Changing the ADFS timeout to three hours had no impact on the Concur behavior. It appears the two hour timeout is a Concur-side function and the Concur support personnel (KevinD) did not mention anything about extending that timeout, only testing the "Auto-Sign In" function.
You're right, I read too quickly and saw the comment about turning on the feature and mistakenly assumed that was a timeout config but in fact it was for Auto Sign-In, which might not be desirable. I have not played with integrating Concur's mobile app, but I don't see anything in the Okta config settings that makes changing this possible, so I'd guess it's still the same.
To provide an update on this:
The Company Code is hidden until you enable SSO in the Concur Mobile App. After that within the Concur web interface you can go to Profile - Profile Settings - Concur Mobile Registration and just above the Pin fields will be a new Company Code field. It is not editable so will look like just more text if you're not looking for it.
We did testing on the login and timeout durations with the Concur mobile app.
If you log out of the app (through the apps Sign Out menu option) you will be prompted for your company code the next time you try to login.
If you reboot the phone, force quit the app through the phone's app manager, or otherwise cause the app to stop running, you will be prompted to log back in, but you will not be asked for the company code again.
The session timeout still occurs at two hours.