August 2021 Request Professional Edition Admin Summary
Release Note Summaries
API
Changes to API Deprecation Policy
Our API deprecation policy has changed to further align with SAP. For more information, please see the SAP Concur Developer Centre release notes.
Authentication
Support for HMAC Now Deprecated
These changes are part of the SAP Concur continued commitment to maintaining secure authentication.
SAP Concur support for Hash-Based Message Authentication Code (HMAC) has been deprecated.
SAP Concur provides a Single Sign-On self-service option that enables client admins to set up their SAML v2 connections without involving an SAP Concur support representative.
For more information about the Single Sign-On self-service option, refer to the Shared: Single Sign-On Overview (English Only) and the Shared: Single Sign-On Setup Guide (English Only).
Business Purpose/Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.
Authentication Administration
New Company Request Token Self-Service Tool
In late August, a new Company Request Token self-service tool will be available to SAP Concur admins who have been assigned the Company Admin or Web Services Admin role.
The Company Request Token self-service tool enables clients to generate the Company Request Token that is required to request a JSON web token (JWT) when connecting to APIs on the SAP Concur platform.
Business Purpose/Client Benefit: The Company Request Token self-service tool enables clients to generate Company Request Tokens without contacting SAP Concur support. This tool also enables clients to generate a replacement Company Request Token without assistance from SAP Concur support if their Company Request Token expires or is lost.
Client Web Services
Register Partner Application Page No Longer Active
On 21 August, the Register Partner Application page will no longer be active and all new authentication applications must use the new application management self-service tool.
The new application management self-service tool replaces the Register Partner Application page.
For more information, refer to the Self-Service Tool for Application Management (English only) release note in this document.
Business Purpose/Client Benefit: The new application management tool enables clients who have SAP Concur Client Web Services to generate Client IDs (App IDs) and Client Secrets without contacting SAP Concur support.
The new self-service tool for application management also enables clients to create OAuth 2.0 compliant applications.
OAuth 1.0 was deprecated on 4 February 2017. Refer to the SAP Concur Developer Portal for more information.
Self-Service Tool for Application Management
Beginning in late August, clients who have SAP Concur Client Web Services can request access to a new application management self-service tool. The application management self-service tool can be enabled by the Client Web Services team for SAP Concur Web Services clients who request it.
When enabled, the tool will be available in the SAP Concur web UI to admin users who have been assigned the Web Services Admin role.
Business Purpose/Client Benefit: The application management tool enables clients to generate Client IDs (App IDs) and Client Secrets without contacting SAP Concur support.
File Transfer Updates
**Ongoing** Mandatory SFTP with SSH Key Authentication
This release note is intended for technical staff responsible for file transmissions with SAP Concur products. For SAP Concur customers and suppliers participating in data exchange through various secure file transfer protocols, SAP is making changes that provide greater security for those file transfers.
As of 10 April, 2021, non-SFTP (Secure File Transfer Protocol) protocols and SFTP password authentication are not allowed to connect to SAP Concur for file transfers:
Non-SFTP file transfer accounts must switch to SFTP with SSH Key Authentication.
SFTP file transfer accounts that use password authentication must switch to SSH key authentication.
SFTP password reset requests require the client to provide an SSH key for authentication.
On 12 April 2021, SAP started disabling non-compliant file transfer connections. The process of disabling non-compliant accounts will continue throughout 2021. If you have multiple file transfer connections configured, this change applies to all of your file transfer connections.
This announcement pertains to the following file transfer DNS endpoints:
st.concursolutions.com
st-eu.concursolutions.com
vs.concursolutions.com
vs.concurcdc.cn
Business Purpose / Client Benefit: These changes provide greater security for file transfers.
**Ongoing** SAP Concur Legacy File Move Migration
This Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.
SAP Concur is in the process of migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.
Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and 24 January 2022. After they are migrated to the more efficient process, clients will see the following improvement:
With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.
This announcement pertains to the following file transfer DNS endpoints:
st.concursolutions.com
Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.
Rotating PGP Key Available for File Transfers
Files transferred to SAP Concur products must be encrypted with the SAP Concur public PGP key, concursolutionsrotate.asc.
concursolutionsrotate.asc
Key file is available in client’s root folder
Key ID 40AC5D35
RSA 4096-bit signing and encryption subkey
Key expires every 2 years
Client is responsible for replacing the key before it expires
Next expiry date: 4 September 2022
SAP Concur plans to replace the current rotating public PGP key in the client’s root folder 90 days before the expiration date
The SAP Concur legacy PGP key (key ID D4D727C0) remains supported for existing clients but will be deprecated in the future.
SAP Concur strongly recommends that clients use the more secure rotating public PGP key for file transfers. To facilitate the use of the more secure rotating public PGP key for file transfers, SAP Concur added the key to existing clients’ home folders on Friday 15 January 2021.
This announcement pertains to the following file transfer DNS endpoints:
st.concursolutions.com
mft-us.concursolutions.com
vs.concursolutions.com
st-eu.concursolutions.com
mft-eu.concursolutions.com
Business Purpose / Client Benefit: The rotating public PGP key provides greater security for file transfers.
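Because the client is responsible for replacing the rotating key before it expires, a scheduled expiry check is worth having. The following is an added example, not SAP Concur code: it reads GnuPG's machine-readable key listing and reports whether the key is inside the 90-day replacement window. It assumes GnuPG 2.x colon-format output; the sample listing is constructed, and only the key ID and expiry date in it come from this release note.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of
#   gpg --show-keys --with-colons concursolutionsrotate.asc   (GnuPG 2.x)
# Only the short key ID 40AC5D35 and the 4 September 2022 expiry come from the
# page; the ID prefix, creation date and subkey line are placeholders.
SAMPLE_LISTING = """\
pub:-:4096:1:0000000040AC5D35:1599177600:1662249600::-:::scESC:
uid:-::::1599177600::::Constructed placeholder user ID:
sub:-:4096:1:00000000000000AA:1599177600:1662249600:::::se:
"""

ROTATE_WINDOW_DAYS = 90  # the page: replacement key is published 90 days before expiry


def key_status(listing, short_id, now):
    """Return (state, days_left) for the pub/sub record whose key ID ends in short_id.

    The page gives only the 8-hex short ID, so that is what is matched here;
    short IDs can collide, so confirm the full fingerprint out of band.
    """
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 7:
            continue
        if not fields[4].upper().endswith(short_id.upper()):
            continue
        if not fields[6]:                      # empty field 7: key never expires
            return ("no-expiry", None)
        # Field 7 is the expiry as seconds since the epoch in GnuPG 2.x output.
        expires = datetime.fromtimestamp(int(fields[6]), tz=timezone.utc)
        days_left = (expires - now).days
        if expires <= now:
            return ("expired", days_left)
        if days_left <= ROTATE_WINDOW_DAYS:
            return ("rotate-now", days_left)
        return ("ok", days_left)
    return ("not-found", None)


if __name__ == "__main__":
    for day in ("2022-01-01", "2022-07-01", "2022-09-05"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, key_status(SAMPLE_LISTING, "40AC5D35", now))
```

In a scheduled job, pass the real listing and the current UTC time, and alert on any state other than "ok".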
Miscellaneous
Customer Privacy Statement Link Available
Beginning with the August release, clients can configure a link to their company’s privacy statement. The link will appear in the footer of their SAP Concur site with the text “Customer Privacy Statement”.
Business Purpose/Client Benefit: This change enables clients to meet GDPR and other legal requirements to provide their privacy statement to their customers.
NextGen UI for Concur Request
**Ongoing** Updated User Interface (UI) for Concur Request End Users
The continued evolution of the Concur Request solution user interface experience is the result of thoughtful design and research that provides a modern, intuitive and streamlined experience for the request process.
Concur Request customers will have the ability to preview and then opt in to the NextGen UI before the mandatory move.
Business Purpose / Client Benefit: The result is the next generation of the Concur Request user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced user interface, but also allows us to react more quickly to customer requests to meet changing needs as they happen.
Profile
Mobile Number Validation on UI and in Employee Import File
SAP Concur has updated the Mobile Phone field in the Profile > Personal Information user interface to contain only digits, dashes, spaces and brackets (released July 2021). Previously, brackets were not allowed and resulted in an error. No other phone number fields, such as Work Phone and Home Phone, have been modified in this manner.
The same modification has been made in the Cell Phone field in the 350 Travel Addendum import file. Specifically, when saving information to the database, SAP Concur will strip out any unallowed characters (i.e. anything that is not a digit, space, dash or bracket).
Clients do NOT need to make any changes to their import files. Everything that is currently in the import file itself will continue to be allowed. However, the information saved on import in the SAP Concur database, which is returned in subsequent API calls and displayed to the user, will only include allowed characters in the Cell Phone field.
Business Purpose/Client Benefit: SAP Concur is taking steps to standardise customer data to help reduce errors.
SAP Concur Platform
**Ongoing** Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1) (1 June, 2021)
As of 31 May 2021, the existing Concur Request APIs (v1.0, v3.0 and v3.1) are deprecated. On 1 June 2021, SAP began retiring these APIs in accordance with the SAP Concur API Lifecycle & Deprecation Policy. These APIs are replaced by the Concur Request v4 APIs. SAP will no longer support these APIs after retirement.
Decommissioning of the v1.0, v3.0 and v3.1 APIs will start three months after retiring the APIs. The specific dates for decommissioning are dependent on the individual client's API migration.
API Timeline for v1.0, v3.0, v3.1:
Deprecation – 1 March, 2020 – 31 May, 2021
Retirement – 1 June, 2021 – 30 November, 2021
Decommission – starts after 3 months of inactivity at the retired state
Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the OAuth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.
In addition, SAP has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.
SAP Concur User Assistance
Online Help Now Available on SAP Help Portal
SAP is now publishing the SAP Concur solutions’ online help information on SAP Help Portal (http://help.sap.com). SAP Help Portal has a new look and feel for the help, and additional functionality. The content remains the same.
New functionality:
Search with advanced options
Provide feedback on each page
Change the font size
Create a custom PDF by selecting a subset of pages in the help
Share a page via link, email or social media
Mark pages as favourites, and limit search to only those pages (if logged in to SAP Help Portal, available for free)
Customers can view SAP Concur online help and links to all documentation by accessing the product pages for the relevant product.
Concur Expense:
https://help.sap.com/viewer/product/CONCUR_EXPENSE/LATEST/en-US
Concur Invoice:
https://help.sap.com/viewer/product/CONCUR_INVOICE/LATEST/en-US
Concur Request:
https://help.sap.com/viewer/product/CONCUR_REQUEST/LATEST/en-US
Concur Travel:
https://help.sap.com/viewer/product/CONCUR_TRAVEL/LATEST/en-US
Business Purpose/Client Benefit: This update increases the functionality available in the online help, and consolidates the SAP Concur solutions documentation with other SAP products on the central SAP Help Portal.
Supported Configurations
Supported Browsers
Because web browsers are frequently updated, for ease of maintenance and to ensure that our documented supported browser information does not become out of date, we no longer publish the specific version data for supported browsers in the Concur Travel & Expense Supported Configurations Guide (English only). In addition, the Monthly Browser Certifications (English only) document is now retired and will no longer be updated with supported browser version information each month.
For the most responsive, reliable and secure user experience with our products, SAP Concur recommends that users implement the most recent technology that is compliant with manufacturer's distribution and your company’s support and security policies.
For more supported browser information, refer to the Concur Travel & Expense Supported Configurations Guide (English only).
Business Purpose/Client Benefit: This change helps to ensure that the supported browser information in the Concur Travel & Expense Supported Configurations Guide (English only) remains up to date.
Providing up-to-date supported browser information to users ensures that they have a better user experience while accessing the web version of SAP Concur.
Test Entities
UI Frame Change
When end users, approvers, processors and admins logged in to an SAP Concur test entity, they noticed the global banner across the top of the page changed and that the UI web frame had a unique, identifying colour.
Prior to implementing this change, logged-in users saw only a blue global banner across the top of the page. Users might have had issues distinguishing between the test environment and production environment.
Business Purpose/Client Benefit: As of 20 July, all SAP Concur users saw a more distinct difference between a test entity and production entity. These changes helped users to clearly distinguish between test and production entities. These changes might also reduce the likelihood of logging in to the wrong entity and performing critical tasks such as configuration updates and data changes.
Web Services Administration
**Ongoing** Application Connector Username and Password Length Requirements Updated
Starting 04 October 2021, the length of the username and password associated with an application connector must be at least 10 characters long and not more than 50 characters long. To avoid disruption of callouts through application connections, usernames and passwords that do not meet these requirements must be updated before 04 October 2021.
Application connection usernames and passwords can be updated by an administrator with the Company Admin or Web Services Admin role.
Business Purpose / Client Benefit: Enforcing password and username length restrictions improves the security standards for callouts made through the application connector.
Planned Change Summaries
The items in this section are summaries of the changes targeted for future releases. SAP reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.
Workflow
**Planned Changes** External Validations and Workflow Event Notifications
For the October 2021 release, Concur Request will introduce the ability for SAP Concur administrators to configure event notifications at the workflow step level. When a request reaches a specific step in a workflow that is configured for external notifications, a third-party application will be prompted to complete the required action on the corresponding request.
Business Purpose/Client Benefit: SAP Concur administrators will have more flexibility, as they will be able to create notifications for multiple steps across the workflow for third-party applications.
Customers have use cases and business processes that need to occur in parallel as requests move through the workflow in Concur Request. These event notifications will be an efficient way to start those processes so that requests are approved on time.
Client Notifications
Accessibility Updates
SAP implements changes to better meet current Web Content Accessibility Guidelines (WCAG). Information about accessibility-related changes made to SAP Concur solutions is published on a quarterly basis. You can review the quarterly updates on the Accessibility Updates (English only) page.
SAP Concur Non-Affiliated Subprocessors
The list of non-affiliated subprocessors is available here: SAP Concur list of Subprocessors (English Only)
Supported Browsers
Supported browsers are available with the other SAP Concur monthly release notes, accessible from What's New - Professional Edition