SAP Concur will send the user-name and password in both the HTTP header and the SOAP header. If the username and password generates an authentication error, then SAP Concur expects an HTTP 403 response.

HTTP Headers

SAP Concur will send the following HTTP headers in every request. The contents of the Authentication header will be repeated in the SOAP payload. Please note that some libraries used to handle the requests may be case sensitive.

Name Type Description
Authorization string A Base64 encoded string in the form of Basic <username:password>.
Soapaction string The message type. The action will always be sent in lowercase. Example: search
Content-Type string All communication with the HS2 API is by way of a application/xml content type.
Accept string SAP Concur will always set the Accept header to application/xml.
Accept-Charset string SAP Concur will always set the Accept-Charset header to utf-8.

Supported Soapactions:

Soapaction Functionality
search Used to perform Search
availability Used to perform Availability
detail Used to perform Hotel Description
book Used to perform Reservation
read Used to perform Read Itinerary
cancel Used to perform Cancel

Example HTTP Header from network capture:

Header: (http.Header) (len=4) {
  (string) (len=13) "Authorization": ([]string) (len=1 cap=1) {
  (string) (len=38) "*************************
	},
  (string) (len=12) "Content-Type": ([]string) (len=1 cap=1) {
  (string) (len=32) "application/xml; charset=\"utf-8\""
	},
  (string) (len=10) "Soapaction": ([]string) (len=1 cap=1) {
  (string) (len=6) "search"
	},
  (string) (len=6) "Accept": ([]string) (len=1 cap=1) {
  (string) (len=15) "application/xml"
	},
  (string) (len=14) "Accept-Charset": ([]string) (len=1 cap=1) {
  (string) (len=5) "utf-8"
	}
}

Soap Header

The Soap header nested in the Envelope will contain an authentication element.

authentication

Name Type Description
userid string Required Contains the authentication details.
password string Required Contains the authentication details.

Sample:

    <Header xmlns="http://schemas.xmlsoap.org/soap/envelope/">
        <authentication xmlns="http://www.concur.com/webservice/auth">
            <userid>testLogin123</userid>
            <password>xxxxxxxxxxxx</password>
        </authentication>
    </Header>

Login and password are provided by the Hotel supplier for SAP Concur as API consumer, not per customer.

OTA Message Headers

Every message must contain the following required attributes and elements. On top of these each message may specify extra attributes and elements. Refer to a specific messages’ page for details.

Request Message Headers

Name Type Description
EchoToken stringLength1to128 Required A reference for additional message identification, assigned by the requesting host system.
Version double Required The OpenTravel message version indicated by a decimal value.
PrimaryLangID string Required The primary language preference for the message encoded as ISO 639-1.
AltLangID string Required The alternate language for a customer or message encoded as ISO 639-1.
POS complex Required Point of Sale (POS) identifies the party or connection channel making the request.

POS

Name Type Description
Sources complex Required This holds the details about the requestor. Max Occurrence: 10

Source

SAP Concur will always send the ISO Currency.

Name Type Description
ISOCurrency alphaLength3 Required Currency code.
RequestorID complex An identifier of the entity making the request Examples: ATA/IATA/ID number, Electronic Reservation Service Provider (ERSP), Association of British Travel Agents (ABTA)

RequestorID

Name Type Description
Type stringLength1to32 Required Supported value: 1
ID stringLength1to32 Required The requestor ID.

Response Message Headers

The supplier is required to respond with the following attributes and elements in the root of any message. Each message may specify extra attributes and elements. Refer to a specific messages’ page for details.

Name Type Description
EchoToken stringLength1to128 Required A reference for additional message identification, assigned by the requesting host system. When a request message includes an echo token the corresponding response message MUST include an echo token with an identical value.
Timestamp datetime Required Timestamp of the response operation.
Version double Required The OpenTravel message version indicated by a decimal value.
PrimaryLangID string Required The primary language preference for the message encoded as ISO 639-1.
AltLangID string Required The alternate language for a customer or message encoded as ISO 639-1.
Success / Error complex Required Indicates Success Or Error. Refer to the Error Handling page for more details.