Contents

Ongoing: Retirement and Decommission of Existing Concur Request APIs (v1.0, v3.0, v3.1)

Effective July 1, 2020, SAP Concur has retired the Concur Request APIs (v1.0, v3.0, and v3.1). These APIs are replaced by the Concur Request v4 API.

Business Purpose / Client Benefit

The Concur Request APIs v1.0, v3.0, and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 API.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 API (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 API.

Planned Changes: Travel Profile Notification v1 API Deprecation

SAP Concur is deprecating the Travel Profile Notification v1 APIs due to low usage.

Business Purpose / Client Benefit

The Travel Profile Notification v1 APIs support older, less secure authentication methods.

Configuration / Feature Activation

The Travel Profile v1 APIs is being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

Planned Changes: Launch External URL v4 Callout

The Launch External URL v4 callout enables Concur Expense to display a field with an attached button that launches a separate browser window when clicked. The window is controlled by an application connector, created by a third-party developer or the client. The application connector is a web server that presents information in the window.

NOTE: The Launch External URL v4 will be replacing the current Launch External URL v1 callout in a future release.

Business Purpose / Client Benefit

The Launch External URL v4 callout gives clients and third-party developers the ability to extend the functionality of the SAP Concur platform, providing a means to deliver custom user interactions, or access functionality found in an external system.

The Launch External URL v4 callout will be available for Concur Expense within SAP Concur’s mobile app and NextGen UI at the Report Header, Expense Entry, or Allocation levels, which expands the locations of the feature as compared to the previous version. The Launch External URL v4 callout will provide enhanced security benefits, such as leveraging the latest SAP Concur API authentication methods. The Launch External URL v4 will also offer additional parameters and will work in conjunction with SAP Concur’s more advanced v4 APIs.

Configuration / Feature Activation

The Launch External URL callout is activated through the Application Connector Registration process through Web Services.

Planned Changes: List v4 API

A new version of the List API will be coming soon. The Lists v4 API allows you to view your configured lists and create new lists within SAP Concur products.

Business Purpose / Client Benefit

The List v4 API uses more secure and modern, fine-grained methods. This API uses Universal Unique Identifiers (UUIDs) and uses JSON instead of XML. Also, authentication to the List v4 API may be performed with a User or Company access token, providing the opportunity to apply the principle of least privilege.

Configuration / Feature Activation

Once released, users must be an Expense, Invoice, Shared, or Request Configuration Administrator to configure this API.

Planned Changes: List Item v4 API

A new version of the List Item API will be coming soon. The List Item v4 API provides solutions to retrieve and manage list items.

Business Purpose / Client Benefit

The List Item v4 API uses more secure and modern, fine-grained methods. This API use Universal Unique Identifiers (UUIDs) and uses JSON instead of XML. Also, authentication to the List Item v4 API may be performed with a User or Company access token, providing the opportunity to apply the principle of least privilege.

Configuration / Feature Activation

Once released, users must be an Expense, Invoice, Shared, or Request Configuration Administrator to configure this API.

End of Support for Insecure Protocols and Ciphers in F5 Client SSL Profiles for VIPs

On November 12 (US) and November 13 (France), the F5 internal and external client SSL profiles for VIPs will be updated to remove support for the following protocols and ciphers:

  • SSL v2
  • SSL v3
  • TLS v1.0
  • TLS v1.1
  • 3DES cipher suite

Clients, TMCs, and internal SAP Concur employees who use or develop applications that rely on an F5 SSL client profile must test the ability of their applications to connect to SAP Concur entities using the new, more secure profile.

Business Purpose / Client Benefit

This update provides ongoing security for our products and services.

Configuration / Feature Activation

When this change is initially implemented, SAP Concur will make the following profiles available:

  • star_concursolutions.com_secure: A secure client profile that does not support SSL v2, SSL v3, TLS v1.0, TLS v1.1, or the 3DES cipher suite. This profile supports TLS v1.2 only.
  • star_concursolutions.com_weak: A copy of the current (legacy) client profile that supports legacy SSL ciphers and protocols.

Clients, TMCs, and internal SAP Concur employees will be able to temporarily revert to the less secure profile to address any issues they encounter with the more secure profile before the less secure profile is permanently removed.