Contents

Ongoing: Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1)

Effective December 1, 2020, SAP Concur will be retiring the existing Concur Request APIs (v1.0, v3.0, and v3.1). These APIs are replaced by the Concur Request v4 APIs.

Business Purpose / Client Benefit

The Concur Request APIs v1.0, v3.0, and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.

Planned Changes: Travel Profile Notification v1 API Deprecation

SAP Concur is deprecating the Travel Profile Notification v1 APIs due to low usage.

Business Purpose / Client Benefit

The Travel Profile Notification v1 APIs support older, less secure authentication methods.

Configuration / Feature Activation

The Travel Profile v1 APIs will be deprecated automatically in a future release, in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

Planned Changes: Some TLSv1.2 Ciphers No Longer Supported (Jun 22)

To ensure the ongoing security of our products and services, beginning on June 22, 2020, SAP Concur solutions will no longer support connections to * .concursolutions.com and * api.concursolutions.com that use the following TLSv1.2 ciphers:

  • AES256-GCM-SHA384
  • AES128-GCM-SHA256

Business Purpose / Client Benefit

This update provides ongoing security for our products and services.

Configuration / Feature Activation

In order to ensure that connections to * .concursolutions.com and * api.concursolutions.com are not disrupted, clients and partners who currently connect to * .concursolutions.com or * api.concursolutions.com through an application that uses an unsupported cipher must upgrade the application to a supported cipher before June 22, 2020.

The following ciphers are supported:

  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-128-CCM-8-SHA256
  • TLS-AES-128-CCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA

Users Connecting to the US Data Center Are Redirected to us1.concursolutions.com

Beginning in May, users who connect to the US Data Center through www.concursolutions.com will be redirected to us1.concursolutions.com.

Note: This change does not impact the Base URI (Instance URL) used in API calls to the SAP Concur solutions US Data Center.

Business Purpose / Client Benefit

This change makes the format of the URL for SAP Concur data centers consistent from one data center to another. For example, users connecting to the EMEA data center are redirected to eu1.concursolutions.com.

Configuration / Feature Activation

Users are automatically redirected. There are no configuration or activation steps.