APIs

Clients that use or plan to use SAP Concur callouts (for example, Send Notification, Launch External URL, Fetch List and Fetch Attendee) need to ensure they meet the SAP Concur security standards. To reduce security risk for our clients and SAP Concur, we are giving companies until the end of 2019 to make the required update for callouts. If clients have security protocols below our standard after 31 December, 2019, their callouts will stop working in January 2020.

To use callouts, clients need to ensure that the TLS version 1.1 or greater is used for the encryption protocols of the client’s endpoint. Also, clients using callouts need to ensure their callout host endpoint uses and prioritises one or more ECDHE cipher suites with an equivalent key length greater than or equal to 2,048 bits, such as one of the ciphers listed below.

EXAMPLES OF CIPHERS TO USE

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

Business Purpose / Client Benefit: Reduce security risk for the clients that use callouts and SAP Concur.

Authentication

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur will soon begin the deprecation process of removing Hash-Based Message Authentication Code (HMAC) as an SSO option. The replacement service for HMAC is SAML SSO, a self-service method of setup whereby client admins have access within SAP Concur to complete their SAML connections.

Clients currently using HMAC are encouraged to migrate to the SSO self-service tool as soon as it is released (targeted for Q1 2020). The new SSO self-service tool allows multiple portals (Identity Providers) to be added.

The HMAC deprecation includes two phases:

PHASE I:

• Clients need to have an Identity Provider (IdP) or a custom SAML 2.0 solution.

• Clients begin testing the new SSO self-service tool.

• Clients prepare for onboarding new clients using the new SSO self-service tool, which is targeted for release in Q1 2020.

• Once the SSO tool is available, customers will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded using the new SSO self-service tool.

• Existing clients using HMAC need to be migrated using the new SSO self-service tool.

PHASE II:

• Clients continue migrating existing HMAC clients to the new SSO self-service tool.

• Shut down the HMAC service after everyone has migrated from HMAC to the new SSO self-service tool. Phase II is targeted to end mid-year 2020.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

Budget Insight

Budget Insight is a budget management tool that is being retired on 31 December 2019. Clients who want to use budget functionality are recommended to implement the new Budget product that SAP Concur released last year. The new Budget feature offers greater functionality, an improved UI and additional integrations with SAP Concur products. Most notably is the inclusion of additional spend data from Concur Invoice and Purchase Request, in addition to Concur Expense and Concur Request (previously only data from Concur Expense and Concur Request was available).

Business Purpose / Client Benefit: The retirement of Budget Insight will provide clients with the opportunity to implement the new Budget product, which gives greater value to clients by making budgets visible, actionable and near real-time.

Central Reconciliation

As part of the December release, SAP Concur deprecated the following policy setting:

• Show Central Reconciliation Invoices in Expense

The checkbox has been removed from the Concur Expense policy configuration options and the corresponding feature is no longer supported.

The feature will not be implemented in the NextGen Expense UI.

Business Purpose / Client Benefit: The deprecation of this functionality allows SAP Concur to focus on features that are used by a greater number of clients.

Concur Open

Targeted for 19 December, several changes will be made to Concur Open and Personalised Concur Open.

• Subscription Services: Email and RSS subscriptions for service status notifications will be available only through Personalised Concur Open, which displays the service issues specific to a customer's organisation. Current Concur Open subscriptions for SAP Concur customers will be migrated to Personalised Concur Open.

• Notification Email "From" Address: The notification email address will be updated from openupdates@concur.com to ConcurOpenUpdates@sap.com. Customers should ensure that they have added the @sap.com domain to their Safe Sender List and that users have updated any personal email inbox rules.

• Root Cause Analysis (RCA) Reports: After each incident, a preliminary RCA report will be published, followed by a final RCA report that contains a more complete analysis with corrective actions. Both reports will be published only in Personalised Concur Open.

• Service Availability Status: To better reflect customer impact, the Performance Issue icon and Partial Performance Issue icon will be removed from Concur Open and Personalised Concur Open.

Business Purpose / Client Benefit: These changes provide better information for customers while also removing some of the information that is currently available to non-customers.

Expense Pay – Classic

SAP Concur will contact each client for whom this release note is applicable.

For clients who currently have bank accounts in Mexico that SAP Concur opened per a client request for the sole reason of processing reimbursement of Expense Pay MXN transactions, please note that if no transactions have occurred on the account in the past 12 months, SAP Concur has been notified by our partner bank that such inactive accounts will be closed on 31 December 2019.

Going forward our partner bank will monitor and close inactive accounts on a regular basis.

Business Purpose / Client Benefit: This change allows SAP Concur to remain compliant with local rules and regulations as well as internal guidelines with our bank.

For all clients with a current and unused Mexico Peso account and/or a request to set up a new account, an initial deposit of MXN 10,000 per account is required. This deposit is not required to remain in the account but is required for the activation of the account.

Business Purpose / Client Benefit: This change allows SAP Concur to remain compliant with the requirements of our bank.

Expense Pay – Global

SAP Concur has improved the time it takes to see feedback from payment-processing partners. Concur Expense clients no longer need to rely on batch job schedules to see payment successes and rejects.

Business Purpose / Client Benefit: This change provides faster feedback from payment-processing partners to Concur Expense clients.

File Transfer Updates

This release note is intended for technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange through various secure file transfer protocols, SAP Concur is making changes that provide greater security for those file transfers.

SAP Concur changed the IP address for st-eu.concursolutions.com from 84.14.175.233 to 46.243.56.11 on 23 November 2019.

Clients whose file transfers protocols use the SAP Concur DNS endpoint (st-eu.concursolutions.com) to connect are not impacted by this change.

Clients who connect via IP address need to connect to the SAP Concur DNS endpoint (st-eu.concursolutions.com) or the new IP address.

SAP Concur recommends connecting to DNS endpoint st-eu.concursolutions.com to avoid connection issues if the SAP Concur IP address changes again in the future.

This announcement pertains to the following file transfer DNS endpoint:

• st-eu.concursolutions.com

Business Purpose / Client Benefit: This change provides greater security for file transfers.

Miscellaneous

With this release, Concur Expense will no longer send workflow emails to inactive users.

Business Purpose / Client Benefit: Inactive users cannot access Concur Expense so it is likely that receiving Expense workflow emails is not necessary.

After a user selects a different language from the Change language list and then signs in with their credentials to SAP Concur, a page appears prompting them to confirm which language to use as it applies to the current session (for example, their latest selection or what is specified as default in their profile), or whether they want to use the latest selected language for the current session and also update the default language in their profile to that selection.

Targeted for this December release, this page will no longer appear. Instead, any language that the user selects from the Change language list will be used for the current session. To update their default language, the user can make the change under their Profile settings.

Business Purpose / Client Benefit: Removal of this page removes the recurrence of preferred language issues and simplifies the user experience.

Currently, delegates/proxies/assistants/arrangers who act on behalf of others and who also have any of several administrative roles/permissions can pause their act-as session while they complete admin tasks. This feature is a benefit for the admin who might be testing configuration changes or simply has to multi-task.

Due to internal security changes, we are deprecating this feature.

Business Purpose / Client Benefit: Retiring this feature closes a potential security gap.

Next Generation (NextGen) Expense

Update: In order to respond to and take advantage of feedback from customers, and to align with SAP Concur’s commitment to ensure a smooth and successful transition, we are working on a revised deployment strategy for Next Generation Expense.

SAP Concur is dedicated to the consistent improvement of our products, not only the features they provide, but also the experience of using those features. How users interact with technology changes over time, along with needs and expectations. We are constantly listening to our customers and soliciting feedback on how we can improve the user experience.

NextGen Expense is the continued evolution of the SAP Concur user experience. It was built from extensive user research and data analytics that include 680 1:1 conversations, 58 usability studies, 3,000+ survey responses and 1.3B monthly user actions.

Customers will have the ability to preview and then opt in to NextGen Expense before the mandatory cutover.

Business Purpose / Client Benefit: The result is the next generation of the Expense user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced UI, but also allows SAP Concur to react more quickly to customer requests to meet changing needs as they happen.

Quick Expense

Effective 31 March 2020, the Quick Expense v1 and Quick Expense v3 APIs will be retired and decommissioned. We encourage all current users to migrate to Quick Expense v4 as soon as possible.

Please refer to the deprecation policy for definitions and additional information.

Business Purpose / Client Benefit: This update removes two outdated APIs.