Concur Invoice Professional Edition Administration Help

September 2019 Request Professional Edition Admin Summary

Initial Post

Release Note Summaries

The items in this section are summaries of the release notes for this month. The Professional Edition release notes are accessible from What's New - Professional Edition.

Request

Authentication: New SAP Concur Sign In Page (End of October)

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

In October 2019, the SAP Concur Sign In page will be updated, providing a new login experience for both direct SAP Concur username/password users and Single Sign-On (SSO) users. SSO users will start the SP-initiated SSO login process at www.concursolutions.com.

The new SAP Concur Sign In page features a two-step login process that provides enhanced security, meets current industry standards and provides a better login success rate. This feature is targeted for late October 2019.

Business Purpose / Client Benefit: This feature provides better security and a faster, convenient experience for users logging in to SAP Concur products and services.

Authentication: Single Sign-On (SSO) Self-Service Option (End of October)

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

Single Sign-On allows users to access multiple applications using one set of login credentials. Currently, SAP Concur has two methods for signing in: with a user name and password or using SSO with Identity Provider (IdP) credentials, such as a user's login credentials for their organisation.

Targeted for the end of October 2019 (not the scheduled monthly release date), SAP Concur is planning to add a Manage Single Sign-On (SSO) feature to SAP Concur products, which provides clients with a self-service option for setting up SSO for their organisation. SSO is currently supported for Concur Expense, Invoice, Request and Travel.

The new Manage Single Sign-On (SSO) feature is a replacement tool for clients using existing SSO configuration and a new tool for clients that now want to implement SSO at their organisation. Existing SSO configuration and the new SSO Self-Service tool will both be available until everyone has migrated to the new SSO Self-Service tool.

The new Manage SSO feature includes the following:

  • A free, self-service option for setting up SSO at your organisation; this new feature is automatically available to all clients
  • The new SAML2 service, which complies with SAML 2.0 and is a current industry standard
  • Encrypted SAML assertion to address privacy and security concerns
  • Enforcement of SSO at the company level (the ability to select SSO as optional is also available)
  • The ability to upload multiple Identity Provider (IdP) metadata
  • The ability to download SAP Concur Service Provider metadata

Business Purpose / Client Benefit: This feature provides SAP Concur clients with a self-service option for setting up SSO. It also gives existing SSO clients, who must eventually migrate to the new SSO service, a way to manage SSO for their users.

Authentication: Change in IP Restrictions

When a user signs in to SAP Concur, one of the validation processes includes checking for and adhering to any IP Restrictions (IPRs). IPRs are specific IPs or IP ranges that are defined by a company to restrict the IPs from which their users can sign in to SAP Concur. An IPR can be a string that contains a list of acceptable IP addresses and/or IP address patterns, for example: "170.242.6.43;170.243.70.42;170.243.70.43;171.159.*.*".

Currently, IPRs are set for each of a company's travel configurations, which creates maintenance issues for companies with many travel configurations and provides opportunities for errors. In addition, new travel configurations are not automatically included and can easily be forgotten.

With this release, SAP Concur will change this setting from a configuration-level setting to a company-level setting. With the change, one set of IPRs will apply to the entire company.

Be aware that there are very few customers who will be affected by this change. In addition, all of the affected customers will be contacted individually – in advance – by SAP Concur to make any required settings changes.

Business Purpose / Client Benefit: Customers who use IPRs can be assured that the IPRs apply to the entire company.
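
An added example (not SAP Concur code): a parser and matcher for the IPR string format shown above, plus a comparison of per-configuration IPRs that lists entries one travel configuration lacks before a single company-level set replaces them. It assumes `*` matches any value of one octet; the configuration names and the second IPR string are constructed.

```python
import ipaddress

def parse_ipr(ipr):
    """Split a semicolon-separated IPR string into validated, normalised entries."""
    entries = set()
    for raw in ipr.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        octets = entry.split(".")
        if len(octets) != 4:
            raise ValueError(f"not a dotted quad: {entry!r}")
        for o in octets:
            if o != "*" and not (o.isdigit() and int(o) <= 255):
                raise ValueError(f"bad octet in {entry!r}")
        # Normalise "043" to "43" so equal addresses compare equal.
        entries.add(".".join(o if o == "*" else str(int(o)) for o in octets))
    return entries

def ip_allowed(ip, entries):
    """True if ip matches an entry; '*' matches any single octet (assumed semantics)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return any(
        all(p == "*" or p == o for p, o in zip(e.split("."), octets))
        for e in entries
    )

def consolidation_report(per_config):
    """Return (union of all entries, {config: entries it lacks})."""
    parsed = {name: parse_ipr(s) for name, s in per_config.items()}
    union = set().union(*parsed.values())
    gaps = {n: sorted(union - e) for n, e in parsed.items() if union - e}
    return union, gaps

# Constructed sample: two travel configurations whose IPRs have drifted apart.
CONFIGS = {
    "travel-config-a": "170.242.6.43;170.243.70.42;170.243.70.43;171.159.*.*",
    "travel-config-b": "170.242.6.43;170.243.70.42;171.159.*.*",
}

if __name__ == "__main__":
    union, gaps = consolidation_report(CONFIGS)
    for name, missing in gaps.items():
        print(f"{name} lacks: {', '.join(missing)}")
    print("company-level candidate:", ";".join(sorted(union)))
```

A non-empty gap report means a user who signs in under one configuration is currently held to a different allow list than under another, which is the drift the company-level setting removes.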

File Transfer Updates: Source IP Checking (EMEA)

This release note is intended for technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange through various secure file transfer protocols, SAP Concur is making changes that provide greater security for those file transfers.

SAP Concur will implement source Internet Protocol (IP) checking for all Europe, the Middle East and Africa (EMEA) file transfer accounts on 21st October, 2019.

This announcement pertains to the following file transfer DNS endpoint:

  • st-eu.concursolutions.com

IP addresses from recent successful logins will be added by SAP Concur to the SAP Concur access control list (ACL). Please contact SAP Concur support to have any additional, required IP addresses added to the ACL.

Business Purpose / Client Benefit: These changes provide greater security for file transfers.

File Transfer Updates: Support Ending for Unsecure SSH Protocol Algorithms/Ciphers (14 Oct, 2019)

This release note is intended for technical staff responsible for file transmissions with SAP Concur. For our clients and suppliers participating in data exchange through various secure file transfer protocols, SAP Concur is making changes that provide greater security for those file transfers.

As of 8 AM PDT, 14 October, 2019, SAP Concur will no longer support the following unsecure SSH protocol algorithms/ciphers:

  • (key exchange) diffie-hellman-group-exchange-sha1
  • (encryption) aes128-cbc
  • (encryption) aes192-cbc
  • (encryption) aes256-cbc
  • (message authentication code) hmac-md5
  • (message authentication code) hmac-sha1-96
  • (message authentication code) hmac-md5-96

This announcement pertains to the following file transfer DNS endpoints:

  • st.concursolutions.com
  • st-eu.concursolutions.com
  • st-cge.concursolutions.com
  • st-cge-dr.concursolutions.com
  • vs.concurcdc.cn

If assistance is required, please contact SAP Concur support.

For more information, refer to the Shared: File Transfer for Customers and Vendors User Guide (English Only). This guide is located with the other Expense, Invoice and/or Request setup and user guides.

Business Purpose / Client Benefit: These changes provide greater security for file transfers.
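
An added example (not SAP Concur code): a check of an OpenSSH client's effective configuration, as printed by `ssh -G <host>`, against the algorithms listed above. It flags any class (key exchange, cipher, MAC) in which the client offers only removed algorithms; the sample output is constructed.

```python
# Algorithms the release note lists as unsupported from 14 October 2019.
DEPRECATED = {
    "kexalgorithms": {"diffie-hellman-group-exchange-sha1"},
    "ciphers": {"aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "macs": {"hmac-md5", "hmac-sha1-96", "hmac-md5-96"},
}

def audit_client_config(ssh_g_output):
    """Map each algorithm class to (removed algorithms offered, other algorithms offered)."""
    result = {}
    for line in ssh_g_output.splitlines():
        key, _, value = line.strip().partition(" ")
        key = key.lower()
        if key in DEPRECATED:
            offered = [a for a in value.split(",") if a]
            removed = [a for a in offered if a in DEPRECATED[key]]
            # "other" only means "not on the removed list"; the server
            # must still support at least one of them.
            other = [a for a in offered if a not in DEPRECATED[key]]
            result[key] = (removed, other)
    return result

def will_break(audit):
    """Classes where every offered algorithm is on the removed list."""
    return sorted(k for k, (removed, other) in audit.items() if removed and not other)

# Constructed sample of `ssh -G` output from a client pinned to CBC ciphers.
SAMPLE = """\
hostname st.concursolutions.com
kexalgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256
ciphers aes128-cbc,aes256-cbc
macs hmac-sha1-96,hmac-sha2-256
"""

if __name__ == "__main__":
    audit = audit_client_config(SAMPLE)
    for cls, (removed, other) in audit.items():
        print(f"{cls}: remove {removed or 'nothing'}; still offered {other or 'NONE'}")
    print("negotiation will fail for:", will_break(audit) or "none")
```

A class reported by `will_break` needs a replacement algorithm configured on the client before the cutoff; classes that merely list a removed algorithm alongside others keep working but should be cleaned up.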

**Ongoing** Authentication: Deprecation of HMAC Initiates Migration to SSO Self-Service

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur will soon begin the deprecation process of removing Hash-Based Message Authentication Code (HMAC) as an SSO option. The replacement service for HMAC is SAML SSO, which will be a self-service method of setup whereby Company Admins will have access within SAP Concur to complete their SAML connections.

Clients currently using HMAC are encouraged to migrate to the SSO self-service tool as soon as it is released. The new SSO self-service tool will be offered as a free feature to all clients. The new SSO self-service tool allows multiple portals (Identity Providers) to be added.

The HMAC deprecation includes two phases:

PHASE I:

  • Clients need to have an Identity Provider (IdP) or a custom SAML 2.0 solution.
  • Clients begin testing the new SSO self-service tool. Testing can begin as soon as July 2019 if preparation steps have been met.
  • Clients prepare for onboarding new clients using the new SSO self-service tool, which is targeted to release in September 2019.
  • As of 1 November 2019, no new clients will be onboarded using HMAC. New clients will be onboarded using the new SSO self-service tool.
  • Existing clients using HMAC need to be migrated using the new SSO self-service tool.

PHASE II:

  • Clients continue migrating existing HMAC clients to the new SSO self-service tool.
  • Shut down the HMAC service after everyone has migrated from HMAC to the new SSO self-service tool. Phase II is targeted to end mid-year 2020.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

Screen Share for Customers with the User Support Desk Service

Recently, SAP Concur support introduced the Co-browse feature for all Authorised Support Contacts (ASCs). With this release, SAP Concur End User Support will provide the same screen-share service for companies that use the User Support Desk (USD) service. USD is an SAP Concur service that provides direct Help Desk services for the company's end users. These end users will now be able to use the co-browse feature.

Business Purpose / Client Benefit: Screen sharing often makes a problem easier to describe, easier to understand and quicker to resolve – saving time for end users and SAP Concur support.

Miscellaneous: Expanding the SAP Concur Quick Help Tool for Administrators

For clients who use the SAP Concur Quick Help, be aware that it will be expanded with this release. Quick Help helps manage diverse client expectations with a wide variety of support resources in the form of multi-step tutorials, help videos and documents that are easily available when they log into their SAP Concur resources.

In addition to self-service content, the Quick Help tool makes it easier for the client's SAP Concur admin to contact SAP Concur for assistance via chat and phone.

Quick Help has been available on limited admin pages to the client's SAP Concur admin and – with the September release – we are expanding it to all pages. That is, if a user has an admin role/permission, then that user will see the Quick Help on all pages.

This tool is free of charge to all clients who have Expense, Invoice, Request or Travel.

For more information about this tool, refer to this video: SAP Concur Professional Edition Quick Help (English Only)

Business Purpose / Client Benefit: SAP Concur Quick Help tool is used to accelerate client onboarding and to create a quick and efficient way for clients to find easy-to-access help on their own while they’re logged into their SAP Concur site.

Planned Change Summaries

The items in this section are summaries of the changes targeted for future releases. SAP Concur reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.

SAP Concur Platform

**Planned Changes** Concur Request APIs v4

SAP Concur will soon be releasing Concur Request v4 APIs for clients and partners. We are targeting to release v4 in December 2019.

With v4, Concur has made great enhancements to the existing Request endpoints, and now provides the ability for a client and/or a partner to interact with Concur Request to do the following:

  • Get the list of existing requests
  • Get detailed information of an existing request
  • Create, read, update or delete an existing request
  • Move an existing request through the approval flow with one of the following available actions: Submit, Approve, Recall, Cancel, Close or Reopen
  • Get the list of expected expenses (including trip segments) attached to a request
  • Create, Read, Update or Delete an expected expense for a request
  • Get information of a travel agency office
  • Get the list of active Request policies for a given user

BACKGROUND

SAP is continuing to invest heavily in APIs and tools to simplify end-to-end integration.

At SAP Concur, we strongly believe that an open ecosystem expands your view. An open ecosystem dynamically connects your internal systems, spend and partner data to reveal powerful insights that empower you to run your business better.

Explore the capabilities listed in the Overview section and consider how the APIs could help you simplify some of your existing processes, such as:

  • Automatically creating a Concur Travel Request for any off-site training approved through your Human Resources system
  • Exposing authorisation requests pending approvals onto your internal corporate portal “Manager” widget

PERMISSIONS

In addition to the existing user-level permissions, the Concur Request v4 APIs are based on the most recent secured Authentication service and SAP Concur’s new OAuth2 framework, which manages the authorisation for company-level permissions. Clients and/or partners can now use a single token/permission to interact with Request on behalf of all company users.

Business Purpose / Client Benefit: These enhancements will provide more options and abilities for developers using SAP Concur's platform with Request.

**Planned Changes** Deprecation of Existing Concur Request APIs (v1.0, v3.0, v3.1)

SAP Concur will be deprecating the existing Concur Request APIs (v1.0, v3.0 and v3.1) in a future release. Those APIs will be replaced by the Concur Request v4 APIs.

Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the OAuth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as for managing custom simple and connected list fields. These issues are resolved with the new Concur Request v4 APIs.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.

Client Notifications

The items in this section provide reference material for all clients.

SAP Concur Non-Affiliated Subprocessors

The list of non-affiliated subprocessors is available here: SAP Concur list of Subprocessors (English Only)

Monthly Browser Certifications

Monthly browser certifications, both current and planned, are available with the other SAP Concur monthly release notes, accessible from What's New - Professional Edition