November 2020 Request Professional Edition Admin Summary
Initial Post
Release Note Summaries
NextGen UI for Concur Request
**Ongoing** Updated User Interface (UI) for Concur Request End UsersThe continued evolution of the Concur Request solution user interface experience is the result of thoughtful design and research that provides a modern, intuitive and streamlined experience for the request process.
Concur Request customers will have the ability to preview and then opt in to the NextGen UI before the mandatory move.
Business Purpose / Client Benefit: The result is the next generation of the Concur Request user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced user interface, but also allows us to react more quickly to customer requests to meet changing needs as they happen.
Administration
Auto-Create Claim Setting Now Available for All Request PoliciesThe Auto-Create Claim setting is now available on the New Request Policy and Modify Request Policy pages (Administration > Request > Request Policies) for all Concur Request policies. When the Auto-Create Claim setting is enabled, expense claims are automatically created from requests on a request's start date if the request has been approved, and no other expense claims are associated with the request.
The following options are available for the Auto-Create Claim setting:
- On Request Start Date – Enables the Auto-Create Claim setting.
- None – None is selected by default. When None is selected, the Auto-Create Claim setting is disabled.
When expense claims are created automatically from requests, the expense claims are created with the same information as expense claims created manually from requests.
In the existing UI, when an expense claim is created from a request, only the request header information is copied to the expense claim.
In the NextGen UI, when an expense claim is created from a request, only the request header, travel allowance and mileage information are copied to the expense claim.
Currently, if the Auto-Create Claim setting is enabled, users will not be able to create expense claims from requests manually.
Business Purpose / Client Benefit: This update simplifies the expense claim creation process for users.
Authentication
**Ongoing** Deprecation of Director SAML Service and Migration to SAML v2These changes are part of the SAP Concur continued commitment to maintaining secure authentication.
Support for the Director SAML service is being deprecated. Travel Management Companies (TMCs) and SAP Concur personnel will soon begin assisting customers who currently use Director SAML to migrate to SAP Concur SAML v2 SSO (SAML v2).
Clients currently using Director SAML are encouraged to migrate to SAML V2 as soon as possible.
Deprecation of support for the Director SAML service is dependent on the following requirements:
- SAP Concur technicians and TMCs assist existing SAP Concur clients to migrate from the Director SAML service to SAML V2.
- All clients that currently rely on the Director SAML service have migrated from Director SAML to SAML V2.
Migration from Director SAML to SAML V2 requires the following general steps:
- The client identifies an admin to act as the SSO admin and assigns the proper permission/role.
- The SSO admin coordinates with their SAP Concur technician to obtain the SAP Concur SP metadata.
- The SSO admin configures the SSO settings at the IdP based on information from SP metadata.
- The SSO admin retrieves IdP metadata from the IdP and delivers the metadata to the SAP Concur technician.
- The SSO admin adds a few testing users and tests the new SSO connection.
- With successful testing, the company rolls out SSO to their SAP Concur users.
For more detailed information about migrating to SAML v2, refer to the SSO Service: Overview Guide (English Only) and the Shared: SSO Management Setup Guide (English Only).
Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.
**Ongoing** Deprecation of HMAC and Migration to SAML v2 and the SSO Self-Service ToolThese changes are part of the SAP Concur continued commitment to maintaining secure authentication.
SAP Concur support for Hash-Based Message Authentication Code (HMAC) is being deprecated. Travel Management Companies (TMCs) and SAP Concur personnel are currently assisting customers who use HMAC to migrate to SAP Concur SAML v2 SSO (SAML v2).
With the November release, targeted for 14 November, SAP Concur will provide a Single Sign-On self-service option that enables client admins to set up their SAML v2 connections without involving an SAP Concur support representative.
The HMAC deprecation includes two phases:
PHASE I:
- Clients must have an identity provider (IdP) or a custom SAML 2.0 compliant solution.
- Clients begin testing authentication using SAML v2.
- TMCs prepare to onboard new SAP Concur clients to SAML v2.
- Once the Single Sign-On self-service option is available, customers will be notified of the official deprecation date of HMAC via release notes. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded to SAML v2.
- Existing clients using HMAC must migrate to SAML v2.
PHASE II:
- TMCs have migrated all existing SAP Concur clients from the HMAC service to SAML v2.
- The HMAC service is deprecated. Phase II is targeted to end mid-year in 2021.
Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.
Single Sign-On (SSO) Self-Service OptionThese changes are part of the SAP Concur continued commitment to maintaining secure authentication.
With the November release, SAP Concur is adding a Single Sign-On (SSO) self-service tool to SAP Concur products. This new tool enables clients to set up SSO for their organisation without assistance from SAP Concur support. SSO is currently supported for Concur Expense, Concur Invoice, Concur Request and Concur Travel.
SSO enables users to access multiple applications using one set of login credentials. Currently, SAP Concur has two methods for signing in:
- Username and password
- SSO with Identity Provider (IdP) credentials, such as a user's login credentials for their organisation
The new SSO self-service tool will eventually replace the existing SSO configuration process, enabling clients to implement SSO at their organisation. The existing SSO configuration process and the new SSO self-service tool will both be available until everyone has migrated to the new SSO self-service tool.
The new SSO self-service tool will include the following features:
- A self-service option for setting up SSO at your organisation; this new feature is automatically available to all clients
- The new SAP Concur SAML v2 SSO (SAML v2) service, which complies with SAML 2.0 and is a current industry standard
- Encrypted SAML assertion to address privacy and security concerns
- Enforcement of SSO at the company level (the ability to select SSO as optional is also available)
- The ability to upload multiple Identity Provider (IdP) metadata
- The ability to download SAP Concur Service Provider metadata
Business Purpose / Client Benefit: This feature will provide new SAP Concur clients with a self-service option for setting up SSO. It will also provide an option for existing SSO clients who must eventually migrate to the new SAML v2 service to manage SSO for their users.
Authorised Support Contacts
Online Scheduling for SAP Concur SupportSAP Concur Support has implemented an online scheduling feature that allows Authorised Support Contacts (ASCs) to schedule a meeting with a Support Engineer.
Business Purpose / Client Benefit: Online scheduling makes it easier for Authorised Support Contacts (ASCs) to schedule a meeting with an SAP Concur Support Engineer.
File Transfer Updates
**Ongoing** SAP Concur Legacy File Move MigrationThis Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange, SAP is maintaining our SAP Concur file transfer subsystem to provide greater security for those file transfers.
SAP will begin migrating SAP Concur entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.
Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and the end of 2020. After they are migrated to the more efficient process, clients will see the following improvement:
- With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.
This announcement pertains to the following file transfer DNS endpoints:
- st.concursolutions.com
Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.
Support for Two SSH Transfer Ciphers Removed from File Transfer for Customers and Suppliers (13 October)This release note is intended for technical staff responsible for file transmissions with SAP Concur solutions. For our customers and suppliers participating in data exchange through various secure file transfer protocols, we are making changes that provide greater security for those file transfers.
On 13 October, 2020, support for the following SSH transfer ciphers was removed for file transfers:
- 3des-cbc
- blowfish-cbc
This announcement pertains to the following file transfer DNS endpoints:
- st.concursolutions.com
- st-eu.concursolutions.com
Business Purpose / Client Benefit: These changes provide greater security for file transfers.
SAP Concur Platform
**Ongoing** Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1) (1 June, 2021)SAP will be retiring the existing Concur Request APIs (v1.0, v3.0 and v3.1) in a future release (targeted to begin 01 June 2021), in accordance with the SAP Concur API Lifecycle & Deprecation Policy. These APIs are replaced by the Concur Request v4 APIs. SAP will no longer support these APIs after retirement.
Decommissioning of the v1.0, v3.0 and v3.1 APIs will start three months after retiring the APIs. The specific dates for decommissioning are dependent on the individual client's API migration.
API Timeline for v1.0, v3.0, v3.1:
- Deprecation – 1 March, 2020 – 31 May, 2021
- Retirement – 1 June, 2021 – 30 November, 2021
- Decommission – starts after 3 months of inactivity at the retired state
Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.
In addition, SAP has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.
Security
Malicious Domains AlertPlease refer to the following table for a list of potential malicious domains. This list is not exhaustive and is meant as an initial warning of the existence of possible fraudulent sites that use some false derivative of the SAP Concur solutions brand within the domain name.
Malicious Domains | |||
---|---|---|---|
concursupport.com | conchur.com | congur.com | concus.com |
concurhr.com | conbur.com | conur.com | concur.red |
concurlogin.com | soncur.com | concur.one | cconcur.com |
concur.vip | concue.com | confur.com | concur.social |
conchr.com | concut.com | boncur.com | concur.nz |
concurr.com | concur.ae | concor.com | oncur.com |
concure.com | conciur.com | concur.me | concuur.com |
concura.com | concur.is | concur.digital | cioncur.com |
cooncur.com | concur.consulting | concar.com | concur.solutions |
concurl.com | concur.tech | concur.pro | concurf.com |
concurb.com | concur.biz | concur.gr | cponcur.com |
concurn.com | concur.design | concir.com | concup.com |
concuri.com | cuncur.com | cancur.com | concru.com |
concurs.com | concur.cm | voncur.com | cpncur.com |
concurz.com | concur.cc | concwr.com | connectconcur.com |
concuir.com | concr.com | comncur.com | concur.jp |
doncur.com | concur.sk | concur.ch | colcur.com |
conccur.com | condur.com | concur.so | concer.com |
concur.store | concur.bz | concur.be | conaur.com |
concur.az | concur.by | cencur.com | coincur.com |
cocur.com | consur.com | corcur.com | cocnur.com |
WHAT SHOULD CUSTOMERS DO?
Customers should avoid these domains in the context of working with SAP Concur solutions. While some domains may be registered, it is recommended to err on the side of caution.
Business Purpose / Client Benefit: This alert provides ongoing security for our products and services.
Updated: End of Support for Insecure Protocols and Ciphers in F5 Client SSL Profiles for VIPs (7 October)These changes are part of the SAP Concur continued commitment to maintaining secure authentication.
In early October, the SAP Concur networking team noted that their configuration of the Content Delivery System had been blocking the protocols in the list that follows for some time.
As such, the notice to customers that we would be making a change to our F5 Client SSL profile was superfluous, as those aspects of the existing profile were not actually available. SAP Concur made changes to the F5 Client SSL profile on 7 October as well, in the interest of maintaining a strong security profile
This means that there was no new effect for customers, as the following protocols had already been blocked previously:
- SSL v2
- SSL v3
- TLS v1.0
- TLS v1.1
- 3DES cipher suite
Business Purpose / Client Benefit: This update provides ongoing security for our products and services.
Site Settings
Enable Mobile Request Creation Setting RemovedThe Enable Mobile Request Creation setting has been removed from the Site Settings page (Administration > Request > Site Settings). Now that Concur Request is automatically enabled in the SAP Concur mobile app, the Enable Mobile Request Creation setting is no longer needed in Site Settings.
Business Purpose / Client Benefit: This update supports the simplification of the Concur Request enablement process for the SAP Concur mobile app.
User Interface
Updating Country and Countries LabelsInstances of Country or Countries on the user interface are being updated to Country/Region and Countries/Regions, respectively.
Business Purpose / Client Benefit: This change provides a better global user experience.
Planned Change Summaries
The items in this section are summaries of the changes targeted for future releases. SAP reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.
There are no planned changes this month.
Client Notifications
SAP Concur Non-Affiliated Subprocessors
The list of non-affiliated subprocessors is available here: SAP Concur list of Subprocessors (English Only)
Monthly Browser Certifications
Monthly browser certifications, both current and planned, are available with the other SAP Concur monthly release notes, accessible from What's New - Professional Edition