October 2021 Concur Expense Professional Edition Admin Summary

Authentication

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur will decommission Concur Expense Service (CES) SSO on October 29, 2021.

SAP Concur now provides a Single Sign-On self-service option that enables client admins to setup their SAML v2 connections without involving an SAP Concur admin.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

Authentication Administration

In late August, a new Company Request Token self-service tool will be available to SAP Concur admins who have been assigned the Company Admin or Web Services Admin role.

Business Purpose / Client Benefit: The Company Request Token self-service tool enables clients to generate Company Request Tokens without contacting SAP Concur support. This tool also enables clients to generate a replacement Company Request Token without assistance from SAP Concur support if their Company Request Token expires or is lost.

Client Web Services

On August 21, the Register Partner Application page was deactivated.

With the October release, a new application management self-service tool will replace the Register Partner Application page.

For more information, refer to the Self-Service Tool for Application Management release note in these release notes.

Prior to the release of the new self-service tool, clients with SAP Concur Client Web Services can contact Client Web Services to register new applications.

Clients who do not have SAP Concur Client Web Services can still contact SAP Concur support to obtain an App ID as needed.

Business Purpose / Client Benefit: The Register Partner Application page was used to create Oauth 1.0 (legacy) applications. Oauth 1.0 was deprecated on February 4, 2017.

For more information about the deprecation of Oauth 1.0 and migration to Oauth 2.0, refer to the SAP Concur Developer Portal.

The new self-service tool for application management will enable clients to create Oauth 2.0 compliant applications.

Beginning with the October release, clients who have SAP Concur Client Web Services can request access to a new application management self-service tool, OAuth 2.0 Application Management. This self-service tool is enabled by the Client Web Services team for SAP Concur Web Services clients who request it.

When enabled, the tool is available from the Authentication Administration page to admin users who have been assigned the Web Services Admin role.

Business Purpose / Client Benefit: The OAuth 2.0 Application Management tool enables clients to generate Client IDs (App IDs) and Client Secrets without contacting SAP Concur support.

Expense Pay – Global

An existing label in the user interface (UI) has been renamed. This change is only cosmetic.

Business Purpose / Client Benefit: This change aligns with continued enhancements to the Expense Pay solution.

Expense Pay – Global now supports the following credit card programs for the Canadian Dollar (CAD $) and the United States Dollar (USD $):

• Citizens Bank – MasterCard – USD

• Fifth Third – MasterCard - USD

• Scotiabank – Visa – CAD

• Scotiabank – Visa – USD

All cards use the same Electronic Data Interchange (EDI) format to different bank accounts.

Business Purpose / Client Benefit: These additional options can expedite the processing of credit card expenses.

For clients using Bambora as their payment partner, a new optional field has been added to the Concur Expense user interface (UI) for some card programs. This field is for future use only.

File Transfer Updates

This release note is intended for technical staff responsible for file transmissions with SAP Concur products. For SAP Concur customers and vendors participating in data exchange through various secure file transfer protocols, SAP is making changes that provide greater security for those file transfers.

As of April 10, 2021, non-SFTP (Secure File Transfer Protocol) protocols and SFTP password authentication are not allowed to connect to SAP Concur for file transfers:

• Non-SFTP file transfer accounts must switch to SFTP with SSH Key Authentication.

• SFTP file transfer accounts that use password authentication must switch to SSH key authentication.

• SFTP password reset requests require the client to provide an SSH key for authentication.

On April 12, 2021, SAP started disabling non-compliant file transfer connections. The process of disabling non-compliant accounts will continue throughout 2021. If you have multiple file transfer connections configured, this change applies to all of your file transfer connections.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

• st-eu.concursolutions.com

• vs.concursolutions.com

• vs.concurcdc.cn

Business Purpose / Client Benefit: These changes provide greater security for file transfers.

This release note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and vendors participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.

SAP Concur is in the process of migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.

Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and January 24, 2022. After they are migrated to the more efficient process, clients will see the following improvement:

• With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.

Files transferred to SAP Concur products must be encrypted with the SAP Concur public PGP key, concursolutionsrotate.asc.

concursolutionsrotate.asc

• Key file is available in client’s root folder

• Key ID 40AC5D35

• RSA 4096-bit signing and encryption subkey

• Key expires every 2 years

• Client is responsible for replacing the key before it expires

  • Next expiry date: September 4, 2022

  • SAP Concur plans to replace the current rotating public PGP key in the client’s root folder 90 days before the expiration date

The SAP Concur legacy PGP key (key ID D4D727C0) remains supported for existing clients but will be deprecated in the future.

SAP Concur strongly recommends that clients use the more secure rotating public PGP key for file transfers. To facilitate the use of the more secure rotating public PGP key for file transfers, SAP Concur added the key to existing client’s home folders on Friday, January 15, 2021.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

• mft-us.concursolutions.com

• vs.concursolutions.com

• st-eu.concursolutions.com

• mft-eu.concursolutions.com

Business Purpose / Client Benefit: The rotating public PGP key provides greater security for file transfers.

Miscellaneous

In Q4, 2021, SAP Concur began redirecting clients to a new homepage. The appearance of the new homepage is identical to the previous SAP Concur homepage. The new homepage has enhanced functionality when services become temporarily unavailable.

The roll out of the new homepage is phased:

• Phase 1: At the beginning of Q4, SAP Concur began redirecting Concur Expense, Concur Invoice, and Concur Request clients in the US Datacenter to the new homepage.

• Phase 2: In November 2021, SAP Concur will begin redirecting Concur Expense, Concur Invoice, and Concur Request clients in the EU Datacenter to the new homepage.

• Phase 3: In Q2 of 2022, SAP Concur will begin redirecting the remaining clients in the US and EU datacenters to the new homepage. The remaining clients include those with Concur Travel standalone or Concur Travel with Expense, Invoice, and/or Request.

Business Purpose / Client Benefit: This change ensures that the SAP Concur homepage is available even when some services are unavailable and improves the consistency of the sign in experience.

On October 25, servers that support SAP Concur callouts in the EMEA datacenter will be upgraded. This maintenance includes migration of some services to new servers. When the migration occurs, the IP addresses associated with these services will change.

These servers support the following functionality:

• Fetch Attendee Data Callout

• Fetch List Item Callout

• Event Notification Callout

• Launch External URL Callout

• Concur Salesforce Connector

Business Purpose / Client Benefit: The migration improves the stability and reliability of connections that pass these servers.

On September 20, a new permission, SAP Fiori Theme Preview, was added to the list of permissions in Concur Travel Professional edition. When the SAP Fiori Theme Preview permission is assigned to a user, the user sees a new switch in the header of their SAP Concur site. They will also see a New Theme info bubble.

The switch enables the user to switch from the SAP Concur standard theme, to the SAP Fiori Theme. The info bubble displays a brief message about the switch.

The new theme includes changes to visual elements such as fonts, colors, and icons. In addition, some top-level tabs and menu items are relocated to the SAP Concur Home menu. These changes are site-wide and apply to all of the user’s SAP Concur products.

Business Purpose / Client Benefit: The SAP Fiori theme harmonizes the look and feel of the SAP Concur UI with the look and feel of other SAP products, providing a more consistent user experience. The permission enables a client admin to allow designated users to preview and test the SAP Fiori theme.

NextGen UI

The continued evolution of the Concur Expense solution user interface experience is the result of thoughtful design and research that provides a modern, intuitive, and streamlined experience for creating and submitting expense reports.

Concur Expense customers are now strongly encouraged to preview and then move to the NextGen UI well before the automatic transition date of October 1, 2022.

Business Purpose / Client Benefit: The result is the next generation of the Concur Expense user interface designed to provide a modern, consistent, and streamlined user experience. This technology not only provides an enhanced user interface, but also allows us to react more quickly to customer requests to meet changing needs as they happen.

SAP Concur App Center

With the October 2021 release, administrators will be able to control which Enterprise Applications are visible and/or active in their company’s SAP Concur App Center. Prior to this release, administrators could disable and hide User Applications within the SAP Concur App Center. This update expands that functionality to Enterprise Applications.

Business Purpose / Client Benefit: This update provides greater control to administrators over the apps that appear in their company’s SAP Concur App Center.

Web Services Administration

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

To meet new security requirements, the length of the username and password associated with an application connector on the Application Connectors page must be at least 10 characters long and not more than 50 characters long.

Some clients currently have usernames and passwords configured that do not meet these parameters.

In an upcoming release, the 10-character minimum and 50-character maximum will be enforced. If the usernames and passwords are not updated prior to this change, some aspects of SAP Concur solutions might stop working. For example, workflow steps will not complete if using notifications, LEU windows will not open, and there will be no results in fields using fetch lists.

To avoid disruption of callouts through application connections and subsequent disruption of some end-user tasks, SAP recommends updating your application connector username(s) and password(s) as soon as possible.

Application connection usernames and passwords can be updated by an administrator with the Company Administrator or Web Services Administrator role.

Business Purpose / Client Benefit: Enforcing password and username length restrictions improves the security standards for callouts made through the application connector.

Expense Pay Classic

SAP Concur has been pursuing a multi-year effort to transition our portfolio of payment solutions to payment provider-enabled solutions. This is evidenced by our existing Expense Pay Global solution with Bambora and planned Expense Pay Flex solution with Western Union Business Solutions.

Currently, SAP Concur is planning to decommission the legacy Expense Pay classic solution effective January 1, 2022. As we move into the next phase of our pay strategy via payment provider solutions, this decommission will require customers using Expense Pay classic to enable alternative solutions. Payments for Expense Pay classic for all currencies will discontinue to employees and credit card providers as of December 15, 2021. Customers using Expense Pay classic have been communicated to directly regarding this change.

Business Purpose / Client Benefit: This change is part of a transition to payment provider-enabled solutions to support future product enhancements and richer integration.

Workflow

Using the setting, Automatically assign authorized approvers, ensures that all Authorized Approval steps in the workflow are pre-populated with an assigned Authorized Approver. If there are multiple possible Authorized Approvers that could be assigned to a specific Authorized Approver workflow step, the system will order the choices alphabetically by last name, followed by first name (if there is more than one person with the same last name) and then select the first choice from the alphabetized list.

Prior to this enhancement, the names were ordered by first name.

Business Purpose / Client Benefit: This change provides a consistent user experience.