June 2020 Request Professional Edition Admin Summary
Initial Post
Release Note Summaries
NextGen UI for Concur Request
**Ongoing** Updated User Interface (UI) for Concur Request End UsersThe continued evolution of the Concur Request solution user interface experience is the result of thoughtful design and research that provides a modern, intuitive and streamlined experience for the request process.
Concur Request customers will have the ability to preview and then opt in to the NextGen UI before the mandatory move.
Business Purpose / Client Benefit: The result is the next generation of the Concur Request user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced user interface, but also allows us to react more quickly to customer requests to meet changing needs as they happen.
Authentication
**Ongoing** Deprecation of HMAC Initiates Migration to SSO Self-ServiceThese changes are part of our continued commitment to maintaining secure authentication for SAP Concur solutions.
SAP will soon begin the deprecation process of removing Hash-Based Message Authentication Code (HMAC) as an SSO option for SAP Concur solutions. The replacement service for HMAC is SAML SSO, a self-service method of setup whereby client admins have access within SAP Concur to complete their SAML connections.
Clients currently using HMAC are encouraged to migrate to the SSO self-service tool as soon as it is released (targeted for Q2 2020). The new SSO self-service tool allows multiple portals (Identity Providers) to be added.
The HMAC deprecation includes two phases:
PHASE I:
- Clients must have an Identity Provider (IdP) or a custom SAML 2.0 solution.
- Clients begin testing the new SSO self-service tool.
- Travel Management Companies (TMCs) prepare for onboarding new SAP Concur clients using the new SSO self-service tool, which is targeted for release in Q2 2020.
- Once the SSO tool is available, customers will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded using the new SSO self-service tool.
- Existing clients using HMAC need to be migrated using the new SSO self-service tool.
PHASE II:
- Travel Management Companies (TMCs) continue migrating existing SAP Concur clients from the HMAC service to the new SSO self-service tool.
- Shut down the HMAC service after everyone has migrated from HMAC to the new SSO self-service tool. Phase II is targeted to end mid-year 2020.
Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.
Data Retention
Country Code Now Obfuscated When User Data Is RemovedAs of 2 June 2020, when user data is removed in accordance with a data retention policy, the country code associated with removed users is obfuscated by setting the country code to XX (Inactive).
Previously, the country code for removed users was set to US by default.
Business Purpose / Client Benefit: This improves reporting by consistently setting the country code data for removed users to a code designated for that purpose.
File Transfer Updates
**Ongoing** SAP Concur Legacy File Move MigrationThis Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange, SAP is maintaining our SAP Concur file transfer subsystem to provide greater security for those file transfers.
SAP will begin migrating SAP Concur entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.
Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and the end of 2020. After they are migrated to the more efficient process, clients will see the following improvement:
- With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.
This announcement pertains to the following file transfer DNS endpoints:
- st.concursolutions.com
Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.
Languages
Updated: Support for New Language (Thai)With the May release (16 May), SAP added support for the following language to SAP Concur solutions:
- Thai
Business Purpose / Client Benefit: This change enables users to configure Thai as the default language for the UI text in SAP Concur solutions. Selecting Thai as the default language might also change some regional settings.
Miscellaneous
**Ongoing** New URL for US Data Centre us1.concursolutions.comBeginning in May, users can connect to the US Data Centre through www.concursolutions.com or through a new URL, us1.concursolutions.com. In addition, targeted for Q3, users connecting to the US Data Centre through www.concursolutions.com will be redirected to us1.concursolutions.com.
Business Purpose / Client Benefit: The us1.concursolutions.com URL is consistent with the URL for other data centres. For example, users connecting to the EMEA data centre are redirected to eu1.concursolutions.com.
SAMLv2 SSO Certificate Expiring (25 June)The certificate provided by the SAP Concur SAMLv2 service, which is used to establish a Single-Sign On (SSO) connection with an IdP, will expire on 25 June 2020. Unless the certificate is renewed before the 25 June 2020 expiration date, the certificate expiration might prevent users from being able to successfully sign in to SAP Concur products.
SAP Concur solutions offer SSO to help make the user sign-in process easier and more secure. SSO requires that trust be established between the Identity Provider (IdP) and the Service Provider (SP). This trust is established in part by cryptographic use of certificates provided by the service provider, in this case, SAP Concur solutions.
Business Purpose / Client Benefit: To ensure that the SSO certificate adheres to the latest security standards and processes, the certificate is configured to expire and be renewed annually.
Updated: Some TLSv1.2 Ciphers No Longer Supported (22 June)On 22 June 2020, SAP Concur solutions removed support for connections to *.concursolutions.com and *api.concursolutions.com that use the following TLSv1.2 ciphers:
- AES256-GCM-SHA384
- AES128-GCM-SHA256
In response to the needs of our clients, support for these ciphers was restored on 25 June.
SAP Concur Platform
Deprecation of Existing Concur Request APIs (v1.0, v3.0, v3.1)As of March 2020, the existing Concur Request APIs (v1.0, v3.0 and v3.1) are deprecated. These APIs are replaced by the Concur Request v4 APIs.
Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.
In addition, SAP has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.
**Ongoing** Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1) (1 December)SAP will be retiring the existing Concur Request APIs (v1.0, v3.0 and v3.1) in a future release (targeted to begin 1 December 2020), in accordance with the SAP Concur API Lifecycle & Deprecation Policy. These APIs are replaced by the Concur Request v4 APIs. SAP will no longer support these APIs after retirement.
Decommissioning of the v1.0, v3.0 and v3.1 APIs will start three months after retiring the APIs. The specific dates for decommissioning are dependent on the individual client's API migration.
API Timeline for v1.0, v3.0, v3.1:
- Deprecation – 1 March 2020 - 30 November 2020
- Retirement – 1 December 2020 - 31 May 2021
- Decommission – starts after 3 months of inactivity at the retired state
Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.
In addition, SAP has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.
Planned Change Summaries
The items in this section are summaries of the changes targeted for future releases. SAP reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.
There are no planned changes this month.
Client Notifications
SAP Concur Non-Affiliated Subprocessors
The list of non-affiliated subprocessors is available here: SAP Concur list of Subprocessors (English Only)
Monthly Browser Certifications
Monthly browser certifications, both current and planned, are available with the other SAP Concur monthly release notes, accessible from What's New - Professional Edition