June 2021 Request Professional Edition Admin Summary
Initial Post
Release Note Summaries
Administration
Auto-Create Claim Setting for All Request PoliciesThese changes are part of the NextGen UI experience.
The Auto-Create Claim setting is now available on the New Request Policy and Modify Request Policy pages (Administration > Request > Request Policies) for all Concur Request policies. When the Auto-Create Claim setting is enabled, expense claims are automatically created from requests on a request's start date if the request has been approved, and no other expense claims are associated with the request.
The following options are available for the Auto-Create Claim setting:
On Request Start Date – Enables the Auto-Create Claim setting.
None – None is selected by default. When None is selected, the Auto-Create Claim setting is disabled.
When expense claims are created automatically from requests, the expense claims are created with the same information as expense claims created manually from requests.
When an expense claim is created from a request, the request header information is copied to the expense claim, and the Create Claim from Request with Expected Expenses setting in Request Policies determines whether the expected expenses, travel allowance itineraries and mileage information for the request are copied to the expense claim.
When the Auto-Create Claim setting is enabled, users can still manually create expense claims from requests.
These changes are part of the NextGen UI experience.
The Create Claim from Request with Expected Expenses setting is now available on the New Request Policy and Modify Request Policy pages (Administration > Request > Request Policies) for all Concur Request policies.
This setting applies to all expense claims created from a request, regardless of whether the expense claim was created automatically or manually by clicking the Create Expense Claim button on the request header.
The Create Claim from Request with Expected Expenses setting determines what data is copied from a request to an expense claim. You can choose to copy all expected expenses from a request, or you can choose to only copy travel allowance and mileage information from the request to the expense claim.
If you choose to copy expected expenses, when expense claims are created from a request, the system will create expense entries based on the expected expenses in the request.
There are three options available for the setting:
Travel Allowance and Mileage Only
Travel Allowance and Mileage Only is selected by default. When an expense claim is created from a request, the expense claim is automatically populated with the request header information, the travel allowance itinerary, the system-generated expenses associated with the travel allowance itinerary and the field information for the mileage journey, excluding custom fields.
All Expected Expenses
When an expense claim is created from a request, the expense claim is automatically populated with the request header, travel allowance itinerary, field information for the mileage journey and the expected expenses from the request, but none of the custom field values for any custom fields in the expected expenses are copied from the request to the expense claim.
All Expected Expenses (includes 1:1 custom fields)
When an expense claim is created from a request, the expense claim is automatically populated with the request header, travel allowance itinerary, field information for the mileage journey and the expected expenses from the request. When this option is selected, custom field values for any custom fields at the expected expense level are also copied from the request to the expense claim.
Business Purpose / Client Benefit: This update simplifies the expense claim creation process for users.
Authentication
**Ongoing** Deprecation of HMAC and Migration to SAML v2 and the SSO Self-Service ToolThese changes are part of the SAP Concur continued commitment to maintaining secure authentication.
SAP Concur support for Hash-Based Message Authentication Code (HMAC) is being deprecated. Travel Management Companies (TMCs) and SAP Concur personnel are currently assisting customers who use HMAC to migrate to SAP Concur SAML v2 SSO (SAML v2).
SAP Concur provides a Single Sign-On self-service option that enables client admins to setup their SAML v2 connections without involving an SAP Concur support representative.
For more information about the Single Sign-On self-service option, refer to the Shared: Single Sign-On Overview (English Only) and the Shared: Single Sign-On Setup Guide (English Only).
The HMAC deprecation includes two phases:
PHASE I:
Clients must have an identity provider (IdP) or a custom SAML 2.0 compliant solution.
Clients begin testing authentication using SAML v2.
TMCs prepare to onboard new SAP Concur clients to SAML v2.
Customers will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded to SAML v2.
Existing clients using HMAC must migrate to SAML v2.
PHASE II:
TMCs have migrated all existing SAP Concur clients from the HMAC service to SAML v2.
The HMAC service is deprecated. Phase II is targeted to end mid-year in 2021.
Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.
File Transfer Updates
**Ongoing** Mandatory SFTP with SSH Key AuthenticationThis release note is intended for technical staff responsible for file transmissions with SAP Concur products. For SAP Concur customers and suppliers participating in data exchange through various secure file transfer protocols, SAP is making changes that provide greater security for those file transfers.
As of 10 April 2021, non-SFTP (Secure File Transfer Protocol) protocols and SFTP password authentication are not allowed to connect to SAP Concur for file transfers:
Non-SFTP file transfer accounts must switch to SFTP with SSH Key Authentication.
SFTP file transfer accounts that use password authentication must switch to SSH key authentication.
SFTP password reset requests require the client to provide an SSH key for authentication.
On 12 April 2021, SAP started disabling non-compliant file transfer connections. The process of disabling non-compliant accounts will continue throughout 2021. If you have multiple file transfer connections configured, this change applies to all of your file transfer connections.
This announcement pertains to the following file transfer DNS endpoints:
st.concursolutions.com
st-eu.concursolutions.com
vs.concursolutions.com
vs.concurcdc.cn
Business Purpose / Client Benefit: These changes provide greater security for file transfers.
**Ongoing** SAP Concur Legacy File Move MigrationThis Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.
SAP Concur is in the process of migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.
Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and 31 July 2021. After they are migrated to the more efficient process, clients will see the following improvement:
With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.
This announcement pertains to the following file transfer DNS endpoints:
st.concursolutions.com
Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.
Rotating PGP Key Available for File TransfersFiles transferred to SAP Concur products must be encrypted with the SAP Concur public PGP key, concursolutionsrotate.asc.
concursolutionsrotate.asc
Key file is available in client’s root folder
Key ID 40AC5D35
RSA 4096-bit signing and encryption subkey
Key expires every 2 years
Client is responsible for replacing the key before it expires
Next expiry date: 4 September 2022
SAP Concur plans to replace the current rotating public PGP key in the client’s root folder 90 days before the expiration date
The SAP Concur legacy PGP key (key ID D4D727C0) remains supported for existing clients but will be deprecated in the future.
SAP Concur strongly recommends that clients use the more secure rotating public PGP key for file transfers. To facilitate the use of the more secure rotating public PGP key for file transfers, SAP Concur added the key to existing client’s home folders on Friday 15 January 2021.
This announcement pertains to the following file transfer DNS endpoints:
st.concursolutions.com
mft-us.concursolutions.com
vs.concursolutions.com
st-eu.concursolutions.com
mft-eu.concursolutions.com
Business Purpose / Client Benefit: The rotating public PGP key provides greater security for file transfers.
Localisation
Translations for Cash Advance TermWith the June release, SAP Concur is changing the following terms in the Brazilian Portuguese version of the SAP Concur user interface to bring consistency in translation of the term “Cash Advance”:
English Term | Current BR Portuguese Term | Updated BR Portuguese Term |
---|---|---|
Cash Advances | Adiantamentos de viagem | Adiantamentos |
Cash Advance | Adiantamento em espécie | Adiantamento |
Business Purpose / Client Benefit: These revisions provide a more accurate translation and improved user experience in Brazilian Portuguese.
Miscellaneous
Updated Naming Convention for Sub-URLsAs part of our overall cloud platform strategy, SAP is implementing a more consistent naming convention for the URLs used to connect to SAP Concur solutions, based on data centre. Users will continue to be able to access www.concursolutions.com and will be routed automatically to the correct URL or single sign-on (SSO) as part of their sign-in process.
For more information about our overall cloud platform strategy, refer to the SAP Concur Cloud Platform Strategy FAQ (English only).
No customer data is planned to leave the North America or EMEA regional data centre to which it is assigned at any time before, during or after this change.
TARGETED FOR MID-JUNE 2021
SAP will deploy us.concursolutions.com. It is functionally identical to the existing www.concursolutions.com.
SAP will deploy eu.concursolutions.com. It is functionally identical to the existing eu1.concursolutions.com.
TARGETED FOR MID-JUNE 2021
SAP will deploy us2.concursolutions.com and eu2.concursolutions.com, and plans to use these URLs for future customer migration to the AWS cloud platform.
For more information, refer to the SAP Concur Cloud Platform Strategy FAQ (English only).
SAP will update www.concursolutions.com to automatically redirect users to the appropriate URL or SSO. Users will be directed to their established home data centre (for example, eu.concursolutions.com, eu2.concursolutions.com, us.concursolutions.com or us2.concursolutions.com). No customer data is planned to leave the North America or EMEA regional data centre to which it is assigned at any time before, during or after this change.
RESTRICTED ACCESS / ALLOW LISTS
In rare cases, clients who restrict or filter access from their corporate network to specific URLs might need to update their configuration to enable users to connect to the new URLs. For example, clients who have an allow list configured, might need to add the new URLs to their list. The information in this release note should be made available to your technical resource so that they can take appropriate action to allow access to these new URLs.
Business Purpose / Client Benefit: This change supports future URL consistency across all global regions, and a central URL that redirects users to the appropriate data centre.
NextGen UI for Concur Request
**Ongoing** Updated User Interface (UI) for Concur Request End UsersThe continued evolution of the Concur Request solution user interface experience is the result of thoughtful design and research that provides a modern, intuitive and streamlined experience for the request process.
Concur Request customers will have the ability to preview and then opt in to the NextGen UI before the mandatory move.
Business Purpose / Client Benefit: The result is the next generation of the Concur Request user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced user interface, but also allows us to react more quickly to customer requests to meet changing needs as they happen.
SAP Concur Platform
**Ongoing** Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1) (1 June, 2021)As of 31 May 2021, the existing Concur Request APIs (v1.0, v3.0 and v3.1) are deprecated. On 1 June 2021, SAP began retiring these APIs in accordance with the SAP Concur API Lifecycle & Deprecation Policy. These APIs are replaced by the Concur Request v4 APIs. SAP will no longer support these APIs after retirement.
Decommissioning of the v1.0, v3.0 and v3.1 APIs will start three months after retiring the APIs. The specific dates for decommissioning are dependent on the individual client's API migration.
API Timeline for v1.0, v3.0, v3.1:
Deprecation – 1 March, 2020 – 31 May, 2021
Retirement – 1 June, 2021 – 30 November, 2021
Decommission – starts after 3 months of inactivity at the retired state
Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.
In addition, SAP has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.
Security
**Ongoing** Changes to Some Email SubdomainsSAP is adopting the Domain-based Message Authentication (DMARC) email security protocol for all email sent from SAP. As a result, the email addresses for some email sent from SAP Concur organisations will no longer be sent from the @sap.com root domain, but will instead be sent from a subdomain of sap.com, such as @example.sap.com where “example” is the subdomain.
If your organisation maintains an allow list for email addresses, you can update your allow list to include email from the following domains to ensure that you receive emails sent from the sap.com root domain and subdomains of the sap.com root domain:
@info.sap.com
@mail.sap.com
@*sap.com
If your internal configuration allows it, adding @*sap.com can minimise the need for future updates by allowing all emails from the sap.com domain and from subdomains of the sap.com domain. For example, if your allow list includes @*sap.com, you do not need to add @info.sap.com or @mail.sap.com because @*sap.com encompasses those subdomains.
The following types of email communications from SAP Concur solutions are not impacted by this change:
1:1 email communication that you have with your SAP Concur account team or other SAP representatives. These emails will continue to come from @sap.com.
System emails (for example, expense claim approvals and travel bookings) that come from concursolutions.com, tripit.com or other SAP Concur products and solutions
SAP Concur support updates (such as case notifications)
Business Purpose / Client Benefit: DMARC compliance provides better security for emails sent from SAP to its customers.
Web Services Administration
**Ongoing** Application Connector Username and Password Length Requirements UpdatedStarting 31 August 2021, the length of the username and password associated with an application connector must be at least 10 characters long and not more than 50 characters long. To avoid disruption of callouts through application connections, usernames and passwords that do not meet these requirements must be updated before 31 August 2021.
Application connection usernames and passwords can be updated by an administrator with the Company Admin or Web Services Admin role.
Business Purpose / Client Benefit: Enforcing password and username length restrictions improves the security standards for callouts made through the application connector.
Planned Change Summaries
The items in this section are summaries of the changes targeted for future releases. SAP reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.
There are no planned changes this month.
Client Notifications
Accessibility Updates
SAP implements changes to better meet current Web Content Accessibility Guidelines (WCAG). Information about accessibility-related changes made to SAP Concur solutions is published on a quarterly basis. You can review the quarterly updates on the Accessibility Updates (English only) page.
SAP Concur Non-Affiliated Subprocessors
The list of non-affiliated subprocessors is available here: SAP Concur list of Subprocessors (English Only)
Monthly Browser Certifications
Monthly browser certifications, both current and planned, are available with the other SAP Concur monthly release notes, accessible from What's New - Professional Edition