May 2020 Request Professional Edition Admin Summary

Request

As of January 31, 2020 – in order to meet security requirements – SAP Concur no longer supports the Riskline/DFAT option for the Risk Referential setting in Risk Management. The Riskline/DFAT option has been deprecated.

DFAT stands for the Australian government's Department of Foreign Affairs and Trade.

Customers who have been using the Riskline/DFAT option may continue to use the data, but that data might be outdated. It is strongly recommended that customers switch to using the Riskline option.

To update your company's Risk Referential setting from Riskline/DFAT to Riskline, contact SAP Concur support.

Business Purpose / Client Benefit: This change provides greater security for SAP Concur customers.

Authentication

On October 31, 2019, SAP Concur introduced a new experience for users signing into SAP Concur.

Since introducing the new sign in experience, users have been able to choose between signing in through the new Sign In page and reverting to the old sign in experience. Beginning with the May release, the old sign in experience is no longer available.

Business Purpose / Client Benefit: The new sign in experience provides better security and is faster and more convenient for users logging in to SAP Concur products and services. This change makes the sign in experience uniform for all users.

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur will soon begin the deprecation process of removing Hash-Based Message Authentication Code (HMAC) as an SSO option. The replacement service for HMAC is SAML SSO is a self-service method of setup whereby client admins have access within SAP Concur to complete their SAML connections.

Clients currently using HMAC are encouraged to migrate to the SSO self-service tool as soon as it is released (targeted for Q2 2020). The new SSO self-service tool allows multiple portals (Identity Providers) to be added.

The HMAC deprecation includes two phases:

PHASE I:

• Clients must have an Identity Provider (IdP) or a custom SAML 2.0 solution.
• Clients begin testing the new SSO self-service tool.
• Travel Management Companies (TMCs) prepare for onboarding new SAP Concur clients using the new SSO self-service tool, which is targeted for release in Q2 2020.
• Once the SSO tool is available, customers will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded using the new SSO self-service tool.
• Existing clients using HMAC need to be migrated using the new SSO self-service tool.

PHASE II:

• Travel Management Companies (TMCs) continue migrating existing SAP Concur clients from the HMAC service to the new SSO self-service tool.
• Shut down the HMAC service after everyone has migrated from HMAC to the new SSO self-service tool. Phase II is targeted to end mid-year 2020.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

Data Retention

The description of the Manage Holds & Purge Users data retention feature that appears on the Administration > Company > Data Retention page has been updated.

Business Purpose / Client Benefit: This update provides more accurate information about where a user with the Data Retention Administrator role can find the Hold User, Remove Hold, and Purge User buttons.

File Transfer Updates

This release note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and vendors participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.

SAP Concur will begin migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.

Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and the end of 2020. After they are migrated to the more efficient process, clients will see the following improvement:

• With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.

Languages

With this release, SAP Concur solutions now supports the following language:

• Thai

Business Purpose / Client Benefit: This change enables users to configure the SAP Concur solutions UI text to display in Thai.

Miscellaneous

When a user signs into SAP Concur, if some products or services are unavailable while other products and services are up and running, a modified version of the user’s Home page appears, providing access to the products and services that are up and running.

Prior to implementing this improvement, if a user attempted to sign in to SAP Concur when one or more products or services was not available, a 503 (service unavailable) message appeared, the user’s Home page could not be accessed, and the user had to wait until all services and products were available before signing in to SAP Concur.

Business Purpose / Client Benefit: This enhancement enables users to complete tasks that rely on the products and services that are up and running even when other products and services might be unavailable.

Beginning in May, users who connect to the US Data Center through www.concursolutions.com will be redirected to us1.concursolutions.com.

Business Purpose / Client Benefit: This change makes the format of the URL for SAP Concur data centers consistent from one data center to another. For example, users connecting to the EMEA data center are redirected to eu1.concursolutions.com.

Security Enhancements

In an effort to ensure the ongoing security of our products and services, SAP Concur has issued a new concursolutions.com SSL certificate. The current certificate expired on April 14, 2020.

Any customer who pinned the expired certificate needed to update to the new certificate prior to April 14, 2020. If the pinned certificate was not updated prior to April 14, 2020, your organization and users will experience disruption to SAP Concur products and services.

Customers who have not pinned the certificate do not need to take any action as the new certificate was updated automatically. Most customers do not pin the certificate.

Please be aware: As an enhancement to our Security and Compliance program, this certificate will be updated on an annual basis.

Business Purpose / Client Benefit: This update provides ongoing security for our products and services.

Next Generation (NextGen) Request

SAP Concur is dedicated to the consistent improvement of our products, not only the features they provide, but also the experience of using those features. How users interact with technology changes over time, along with needs and expectations. We are constantly listening to our customers and soliciting feedback on how we can improve the user experience.

NextGen Request is the continued evolution of the SAP Concur user experience. It was built and will continue to be informed by what we learn from both user research and behavioral data.

Customers will have the ability to preview and then opt in to NextGen Request before the mandatory cutover.

Business Purpose / Client Benefit: The result is the next generation of the Concur Request user interface designed to provide a modern, consistent, and streamlined user experience. This technology not only provides an enhanced UI, but also allows SAP Concur to react more quickly to customer requests to meet changing needs as they happen.

SAP Concur Platform

SAP Concur will be deprecating the existing Concur Request APIs (v1.0, v3.0 and v3.1) in a future release (targeted for December 1, 2020). Those APIs will be replaced by the Concur Request v4 APIs.

Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.