Request

As of 31 January, 2020 – in order to meet security requirements – SAP Concur no longer supports the Riskline/DFAT option for the Risk Referential setting in Risk Management. The Riskline/DFAT option has been deprecated.

DFAT stands for the Australian government's Department of Foreign Affairs and Trade.

Customers who have been using the Riskline/DFAT option may continue to use the data, but that data might be outdated. It is strongly recommended that customers switch to using the Riskline option.

To update your company's Risk Referential setting from Riskline/DFAT to Riskline, contact SAP Concur support.

Business Purpose / Client Benefit: This change provides greater security for SAP Concur customers.

Authentication

On 31 October, 2019, SAP Concur introduced a new experience for users signing into SAP Concur.

Since introducing the new sign in experience, users have been able to choose between signing in through the new Sign In page and reverting to the old sign-in experience. Beginning with the May release, the old sign-in experience is no longer available.

Business Purpose / Client Benefit: The new sign-in experience provides better security and is faster and more convenient for users logging in to SAP Concur products and services. This change makes the sign-in experience uniform for all users.

These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

SAP Concur will soon begin the deprecation process of removing Hash-Based Message Authentication Code (HMAC) as an SSO option. The replacement service for HMAC is SAML SSO, a self-service method of setup whereby client admins have access within SAP Concur to complete their SAML connections.

Clients currently using HMAC are encouraged to migrate to the SSO self-service tool as soon as it is released (targeted for Q2 2020). The new SSO self-service tool allows multiple portals (Identity Providers) to be added.

The HMAC deprecation includes two phases:

PHASE I:

• Clients must have an Identity Provider (IdP) or a custom SAML 2.0 solution.
• Clients begin testing the new SSO self-service tool.
• Travel Management Companies (TMCs) prepare for onboarding new SAP Concur clients using the new SSO self-service tool, which is targeted for release in Q2 2020.
• Once the SSO tool is available, customers will be notified via release notes about the official deprecation date of HMAC. As of the official deprecation date, no new clients can be onboarded using HMAC; new clients must be onboarded using the new SSO self-service tool.
• Existing clients using HMAC need to be migrated using the new SSO self-service tool.

PHASE II:

• Travel Management Companies (TMCs) continue migrating existing SAP Concur clients from the HMAC service to the new SSO self-service tool.
• Shut down the HMAC service after everyone has migrated from HMAC to the new SSO self-service tool. Phase II is targeted to end mid-year 2020.

Business Purpose / Client Benefit: This change provides better security and improved support for users logging in to SAP Concur products and services.

Data Retention

The description of the Manage Holds & Purge Users data retention feature that appears on the Administration > Company > Data Retention page has been updated.

Business Purpose / Client Benefit: This update provides more accurate information about where a user with the Data Retention Administrator role can find the Hold User, Remove Hold and Purge User buttons.

File Transfer Updates

This Release Note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and suppliers participating in data exchange, SAP Concur is maintaining our file transfer subsystem to provide greater security for those file transfers.

SAP Concur will begin migrating entities that currently use a legacy process for moving files to a more efficient and secure file routing process that relies on APIs.

Clients whose entities are currently configured to use the legacy process will be migrated to the more efficient process sometime between now and the end of 2020. After they are migrated to the more efficient process, clients will see the following improvement:

• With the legacy process, clients had to wait for the file move schedule to run at a specified time. With the more efficient and secure API-based process, extracts and other outbound files from SAP Concur will be available within the existing overnight processing period shortly after the files are created.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

Business Purpose / Client Benefit: These changes provide greater security and efficiency for file transfers.

Languages

With this release, SAP Concur solutions now supports the following language:

• Thai

Business Purpose / Client Benefit: This change enables users to configure the SAP Concur solutions UI text to display in Thai.

Miscellaneous

When a user signs into SAP Concur, if some products or services are unavailable while other products and services are up and running, a modified version of the user’s Home page appears, providing access to the products and services that are up and running.

Prior to implementing this improvement, if a user attempted to sign in to SAP Concur when one or more products or services was not available, a 503 (service unavailable) message appeared, the user’s Home page could not be accessed, and the user had to wait until all services and products were available before signing in to SAP Concur.

Business Purpose / Client Benefit: This enhancement enables users to complete tasks that rely on the products and services that are up and running even when other products and services might be unavailable.

Beginning in May, users who connect to the US Data Centre through www.concursolutions.com will be redirected to us1.concursolutions.com.

Business Purpose / Client Benefit: This change makes the format of the URL for SAP Concur data centres consistent from one data centre to another. For example, users connecting to the EMEA data centre are redirected to eu1.concursolutions.com.

Security Enhancements

In an effort to ensure the ongoing security of our products and services, SAP Concur has issued a new concursolutions.com SSL certificate. The current certificate expired on 14 April, 2020.

Any customer who pinned the expired certificate needed to update to the new certificate prior to 14 April, 2020. If the pinned certificate was not updated prior to 14 April 2020, your organisation and users will experience disruption to SAP Concur products and services.

Customers who have not pinned the certificate do not need to take any action as the new certificate was updated automatically. Most customers do not pin the certificate.

Please be aware: As an enhancement to our Security and Compliance programme, this certificate will be updated on an annual basis.

Business Purpose / Client Benefit: This update provides ongoing security for our products and services.

Next Generation (NextGen) Request

SAP Concur is dedicated to the consistent improvement of our products, not only the features they provide, but also the experience of using those features. How users interact with technology changes over time, along with needs and expectations. We are constantly listening to our customers and soliciting feedback on how we can improve the user experience.

NextGen Request is the continued evolution of the SAP Concur user experience. It was built and will continue to be informed by what we learn from both user research and behavioural data.

Customers will have the ability to preview and then opt in to NextGen Request before the mandatory cutover.

Business Purpose / Client Benefit: The result is the next generation of the Concur Request user interface designed to provide a modern, consistent and streamlined user experience. This technology not only provides an enhanced UI, but also allows SAP Concur to react more quickly to customer requests to meet changing needs as they happen.

SAP Concur Platform

SAP Concur will be deprecating the existing Concur Request APIs (v1.0, v3.0 and v3.1) in a future release (targeted for 1 December, 2020). Those APIs will be replaced by the Concur Request v4 APIs.

Business Purpose / Client Benefit: The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not ISO-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.