Concur Invoice

Previously, clients with both the AP User and the Processor role could access the Unassigned Invoices page to process invoices. With this release, clients with these roles will be able to access the Unassigned Invoices page, but what they see is based on their supplier group access. This ensures they only see invoices that are relevant for their role.

Business Purpose / Client Benefit: This change enables clients to see only invoices relevant for their user role, streamlining the content they see on the Unassigned Invoices page.

Authentication

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur support for Hash-Based Message Authentication Code (HMAC) is being deprecated. Travel Management Companies (TMCs) and SAP Concur personnel are currently assisting clients who use HMAC to migrate to SAP Concur SAML v2 SSO (SAML v2).

SAP Concur provides a Single Sign-On self-service option that enables client admins to set up their SAML v2 connections without involving an SAP Concur support representative.

For more information about the Single Sign-On self-service option, refer to the Shared: Single Sign-On Overview (English Only) and the Shared: Single Sign-On Setup Guide (English Only).

The HMAC deprecation includes two phases:

PHASE I:

• Clients must have an identity provider (IdP) or a custom SAML 2.0 compliant solution.

• Clients begin testing authentication using SAML v2.

• TMCs prepare to onboard new SAP Concur clients to SAML v2.

• Clients will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded to SAML v2.

• Existing clients using HMAC must migrate to SAML v2.

PHASE II:

• TMCs have migrated all existing SAP Concur clients from the HMAC service to SAML v2.

• The HMAC service is deprecated. Phase II is targeted to end mid-year in 2021.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

On 23 March, the View Previous Changes feature was added to the Administration > Company > Authentication Admin > Manage Single Sign-On page. This feature enables the Authentication Admin to view a table that lists SAP Concur Single Sign-On (SSO) configuration changes, view details of those changes and revert (reinstate) deleted configurations.

The View Previous Changes table can display the last 100 changes. Changes that are listed in the table include:

• Adding a configuration

• Deleting a configuration

• Editing the name in the Custom IdP Name field

• Editing the URL in the Logout URL field

Business Purpose / Client Benefit: This change enables the Authentication Admin to view and track changes made to the SSO configuration over time and to revert (reinstate) configurations that were previously deleted.

File Transfer Updates

This release note is intended for technical staff responsible for file transmissions with SAP Concur products. For SAP Concur customers and suppliers participating in data exchange through various secure file transfer protocols, SAP is making changes that provide greater security for those file transfers.

As of 10 April 2021, non-SFTP (Secure File Transfer Protocol) protocols and SFTP password authentication are not allowed to connect to SAP Concur for file transfers:

• Non-SFTP file transfer accounts must switch to SFTP with SSH Key Authentication.

• SFTP file transfer accounts that use password authentication must switch to SSH key authentication.

• SFTP password reset requests require the client to provide an SSH key for authentication.

On 12 April 2021, SAP started disabling non-compliant file transfer connections. The process of disabling non-compliant accounts will continue throughout 2021. If you have multiple file transfer connections configured, this change applies to all of your file transfer connections.

This announcement pertains to the following file transfer DNS endpoints:

Files transferred to SAP Concur products must be encrypted with the SAP Concur public PGP key, concursolutionsrotate.asc.

concursolutionsrotate.asc

• Key file is available in client’s root folder

• Key ID 40AC5D35

• RSA 4096-bit signing and encryption subkey

• Key expires every 2 years

• Client is responsible for replacing the key before it expires

  • Next expiry date: 4 September 2022

  • SAP Concur plans to replace the current rotating public PGP key in the client’s root folder 90 days before the expiration date

The SAP Concur legacy PGP key (key ID D4D727C0) remains supported for existing clients but will be deprecated in the future.

SAP Concur strongly recommends that clients use the more secure rotating public PGP key for file transfers. To facilitate the use of the more secure rotating public PGP key for file transfers, SAP Concur added the key to existing client’s home folders on Friday 15 January 2021.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

• mft-us.concursolutions.com

• vs.concursolutions.com

• st-eu.concursolutions.com

• mft-eu.concursolutions.com

Business Purpose / Client Benefit: The rotating public PGP key provides greater security for file transfers.

This Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our clients and suppliers participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.

SAP Concur is in the process of migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.

Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and 31 July 2021. After they are migrated to the more efficient process, clients will see the following improvement:

• With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.

There are currently no planned changes.