Authentication

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

Support for the Director SAML service is being deprecated. Travel Management Companies (TMCs) and SAP Concur personnel will soon begin assisting customers who currently use Director SAML to migrate to SAP Concur SAML v2 SSO (SAML v2).

Clients currently using Director SAML are encouraged to migrate to SAML V2 as soon as possible.

Deprecation of support for the Director SAML service is dependent on the following requirements:

• SAP Concur technicians and TMCs assist existing SAP Concur clients to migrate from the Director SAML service to SAML V2.

• All clients that currently rely on the Director SAML service have migrated from Director SAML to SAML V2.

Migration from Director SAML to SAML V2 requires the following general steps:

• The client identifies an admin to act as the SSO admin and assigns the proper permission/role.

• The SSO admin coordinates with their SAP Concur technician to obtain the SAP Concur SP metadata.

• The SSO admin configures the SSO settings at the IdP based on information from SP metadata.

• The SSO admin retrieves IdP metadata from the IdP and delivers the metadata to the SAP Concur technician.

• The SSO admin adds a few testing users and tests the new SSO connection.

• With successful testing, the company rolls out SSO to their SAP Concur users.

For more detailed information about migrating to SAML v2, refer to the SSO Service: Overview Guide (English Only) and the Shared: SSO Management Setup Guide (English Only).

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur support for Hash-Based Message Authentication Code (HMAC) is being deprecated. Travel Management Companies (TMCs) and SAP Concur personnel are currently assisting customers who use HMAC to migrate to SAP Concur SAML v2 SSO (SAML v2).

With the November release, targeted for 14 November, SAP Concur will provide a Single Sign-On self-service option that enables client admins to set up their SAML v2 connections without involving an SAP Concur support representative.

The HMAC deprecation includes two phases:

PHASE I:

• Clients must have an identity provider (IdP) or a custom SAML 2.0 compliant solution.

• Clients begin testing authentication using SAML v2.

• TMCs prepare to onboard new SAP Concur clients to SAML v2.

• Once the SSO self-service tool is available, customers will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded to SAML v2.

• Existing clients using HMAC must migrate to SAML v2.

PHASE II:

• TMCs have migrated all existing SAP Concur clients from the HMAC service to SAML v2.

• The HMAC service is deprecated. Phase II is targeted to end mid-year in 2021.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

With the November release, SAP Concur is adding a Single Sign-On (SSO) self-service tool to SAP Concur products. This new tool enables clients to set up SSO for their organisation without assistance from SAP Concur support. SSO is currently supported for Concur Expense, Concur Invoice, Concur Request and Concur Travel.

SSO enables users to access multiple applications using one set of login credentials. Currently, SAP Concur has two methods for signing in:

• Username and password

• SSO with Identity Provider (IdP) credentials, such as a user's login credentials for their organisation

The new SSO self-service tool will eventually replace the existing SSO configuration process, enabling clients to implement SSO at their organisation. The existing SSO configuration process and the new SSO self-service tool will both be available until everyone has migrated to the new SSO self-service tool.

The new SSO self-service tool will include the following features:

• A self-service option for setting up SSO at your organisation; this new feature is automatically available to all clients

• The new SAP Concur SAML v2 SSO (SAML v2) service, which complies with SAML 2.0 and is a current industry standard

• Encrypted SAML assertion to address privacy and security concerns

• Enforcement of SSO at the company level (the ability to select SSO as optional is also available)

• The ability to upload multiple Identity Provider (IdP) metadata

• The ability to download SAP Concur Service Provider metadata

Business Purpose / Client Benefit: This feature will provide new SAP Concur clients with a self-service option for setting up SSO. It will also provide an option for existing SSO clients who must eventually migrate to the new SAML v2 service to manage SSO for their users.

Authorised Support Contacts

SAP Concur Support has implemented an online scheduling feature that allows Authorised Support Contacts (ASCs) to schedule a meeting with a Support Engineer.

Business Purpose / Client Benefit: Online scheduling makes it easier for Authorised Support Contacts (ASCs) to schedule a meeting with an SAP Concur Support Engineer.

Expense Assistant

On 16 November, 2020, if claims are auto-created using Expense Assistant, delegates who have the appropriate permissions will be copied into the weekly Claim Summary emails.

Business Purpose / Client Benefit: This update enhances the delegate functionality by allowing delegates to receive the weekly Claim Summary email.

Expense Pay

To accommodate changes to the Egyptian banking system, Concur Expense modified the Bank Account Number field in one way:

• The character limit of the field increased from 20 characters to 29 characters.

Business Purpose / Client Benefit: This change provides end users with the ability to enter an IBAN number into their profile to ensure that payments are not rejected by Egypt's banking system.

File Transfer Updates

This Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.

SAP Concur will begin migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.

Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and the end of 2020. After they are migrated to the more efficient process, clients will see the following improvement:

• With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.

This release note is intended for technical staff responsible for file transmissions with SAP Concur solutions. For our customers and suppliers participating in data exchange through various secure file transfer protocols, we are making changes that provide greater security for those file transfers.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

• st-eu.concursolutions.com

Business Purpose / Client Benefit: These changes provide greater security for file transfers.

NextGen UI

The continued evolution of the Concur Expense solution user interface experience is the result of thoughtful design and research that provides a modern, intuitive and streamlined experience for creating and submitting expense claims.

Concur Expense customers have the ability to preview and then opt in to the NextGen UI before the mandatory move.

Business Purpose / Client Benefit: The result is the next generation of the Concur Expense user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced user interface, but also allows us to react more quickly to customer requests to meet changing needs as they happen.

Receipts

On 9 December, 2020, the ability to capture and upload electronic fapiao into Concur Expense will be available. The Fapiao Receipt Integration feature enables customers to attach an electronic fapiao to an expense according to Chinese regulatory or government authorities.

A fapiao is a legal receipt required for business transactions, employee reimbursement and VAT deduction. A fapiao is issued by the State Taxation Administration of the People's Republic of China, but provided by the merchant.

The feature is available to new and existing customers based in China and deployed to the China data centre. Other data centres are not included at this time.

This feature includes:

• Offering an electronic fapiao solution in compliance with State Taxation Administration of the People's Republic of China and as provided by the merchant

• Providing reimbursement and VAT reporting process efficiency, reducing time to perform these tasks

• Offering capture of non-VAT fapiao and other documents, such as rail tickets, taxi fapiao and official aviation itinerary tickets

• Improving efficiency when capturing and merging multiple documents into one e-receipt transaction

• Displaying fapiao information in custom fields in Concur Expense with assistance from an SAP implementation coach

For more information, refer to the State Taxation Administration of the People's Republic of China website.

Capturing Fapiao

To capture legal copies of original paper receipts, customers must use an SAP Concur mini programme embedded in the WeChat™ mobile app. Customers can also upload fapiao information from the WeChat wallet. The user takes a picture of the paper receipt within the mobile app. Once the picture is taken, the mobile app uploads the image to an approved third-party supplier for validation. A message is returned to the user in the mobile app indicating success or failure.

Once the image capture is verified, a Validated stamp displays on the electronic fapiao in the SAP Concur min app in the WeChat programme, indicating the electronic fapiao is validated.

Concur Expense will post a Standard Accounting Extract (SAE) together with fapiao details to various SAP VAT management systems for monthly VAT processing and reporting to China's e-tax filing system.

The captured electronic fapiao displays for users in Concur Expense in Available Expenses, Available Receipts and in the expense list, like any other receipt.

Business Purpose / Client Benefit: This feature provides a paperless receipt option that adheres to requirements and regulations for China for paper into electronic tax receipt processing and compliance.

Security

Please refer to the following table for a list of potential malicious domains. This list is not exhaustive and is meant as an initial warning of the existence of possible fraudulent sites that use some false derivative of the SAP Concur solutions brand within the domain name.

What Should Customers Do?

Customers should avoid these domains in the context of working with SAP Concur solutions. While some domains may be registered, it is recommended to err on the side of caution.

Business Purpose / Client Benefit: This alert provides ongoing security for our products and services.

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

In early October, the SAP Concur networking team noted that their configuration of the Content Delivery System had been blocking the protocols in the list that follows for some time.

As such, the notice to customers that we would be making a change to our F5 Client SSL profile was superfluous, as those aspects of the existing profile were not actually available. SAP Concur made changes to the F5 Client SSL profile on 7 October as well, in the interest of maintaining a strong security profile.

This means that there was no new effect for customers, as the following protocols had already been blocked previously:

• SSL v2

• SSL v3

• TLS v1.0

• TLS v1.1

• 3DES cipher suite

Business Purpose / Client Benefit: This update provides ongoing security for our products and services.

User Interface

Instances of Country or Countries on the user interface are being updated to Country/Region and Countries/Regions, respectively.

Business Purpose / Client Benefit: This change provides a better global user experience.

API

The Launch External URL v4 callout enables Concur Expense to display a field with an attached button that launches a separate browser window when clicked. The window is controlled by an application connector, created by a third-party developer or the client. The application connector is a web server that presents information in the window.

Business Purpose / Client Benefit: The Launch External URL v4 callout gives clients and third-party developers the ability to extend the functionality of the SAP Concur platform, providing a means to deliver custom user interactions, or access functionality found in an external system.

The Launch External URL v4 callout will be available for Concur Expense within SAP Concur’s mobile app and NextGen UI at the Claim Header, Expense Entry or Allocation levels, which expands the locations of the feature as compared to the previous version. The Launch External URL v4 callout will provide enhanced security benefits, such as leveraging the latest SAP Concur API authentication methods. The Launch External URL v4 will also offer additional parameters and will work in conjunction with SAP Concur’s more advanced v4 APIs.

Attendees

These changes are also part of the NextGen UI experience.

Users searching for employees to add as attendees to an expense will soon have additional filter options that can be used to narrow search results, helping make the identification of employees accurate and efficient.

Currently, searching for employee attendees can prove difficult as there may be no fields available to search by other than first name and last name.

With this update, the default advanced search view for employee attendees will automatically include the addition of email addresses and country filters.

This feature update includes the following benefits:

• Accurate identification of employees, particularly for those with the same first and last name

• Improved efficiency for employee searches by providing filters that help narrow relevant search results

• Simplified employee attendee management, eliminating the need to use an attendee import to update attendee data for the SYSEMP attendee type

• Optional inclusion of inactive employees in attendee searches

Business Purpose / Client Benefit: This update makes searching for employee attendees more efficient and also simplifies the management of employee attendees by eliminating the need to use an attendee import to update the attendee data of the SYSEMP attendee type.