API Release Notes, January 2023

New This Month

Planned Change: New SSL Certificate for *.concursolutions.com and *.api.concursolutions.com

As part of our weak cipher removal project, we have issued new *.concursolutions.com and *.api.concursolutions.com certificates. We will change the certificate by Feb 16, 2023 5PM PST. Know that most customers do not pin the certificate, and we are reaching out proactively only as a precaution.

Any customer who has pinned the current certificate will need to update to the new certificate prior to Feb 16, 2023 5PM PST. If you have pinned the certificate and it is not updated, your organization and users would experience disruption to SAP Concur solutions.

Clients who have not pinned the certificate do not need to take any action as the new certificate will automatically be updated when it becomes available.

Clients who pin their security certificates can obtain the new certificates from the following locations:

New Intermediate certificate and Root certificate for both (*.concursolutions.com and *.api.concursolutions.com) are

NOTE: Certificate pinning is not recommended. However, if there is a need to pin the certificate, please pin the Root certificate instead of End certificate as End certificate expires every year.

If you need the whole chain (End, Intermediate, Root) you can access it at:.

Note: If you are pinning the End certificate you need to pin both ECDSA and RSA certificates.

For more information please see Release notes - Addition of ECDSA Encryption and Cipher Retirement.

Vendor v3.1 API Available

Vendor 3.1 has the same functionality as the previous Vendors v3 API, with the exception of now aligning with Export Control and Sanctions Compliance regulations. The API was changed to ensure the following 3 fields are mandatory: Currency Code, Country Code, State/Province please review the schema documentation for further clarification. Vendor v3 is being deprecated and decommissioned, users will have until November 30, 2023 to migrate to the latest version of the API.

Move from the Travel Request External Validation Callout v1 to the Event Subscription Service (ESS)

With the decommission of the Concur Request v1 API on May 31st, 2023, calling the Travel Request External Validation Callout v1 will no longer be possible. Please use the Event Subscription Services (ESS) to subscribe to the Request events.

Planned Change: New Client SSL Certificate for ESS webhook.api.concursolutions.com

In an effort to ensure the ongoing security of our products and services, ESS will be issuing a new webhook.api.concursolutions.com SSL certificate.

Any customer who has pinned this expiring certificate will need to update to the new certificate prior to the expiration date. If the pinned certificate is not updated prior, your organization and users will experience disruption to SAP Concur products and services. Customers who have not pinned the certificate do not need to take any action as the new certificate is updated automatically. Most customers do not pin the certificate.

NOTE: As an enhancement to our Security and Compliance program, this certificate will be updated on an annual basis.

Itemizations v4 API Moved

Information regarding the Itemizations v4 API has been moved into the Expenses v4 API to align the material for ease of use.

Migration of Test Entities & Production Sandbox Environment Completed

Some SAP Concur users use Production Sandbox Environment (PSE) entities to set up, test, and train on new configurations prior to deploying them to their live production entity. We have migrated PSEs as part of our move to Amazon Web Services (AWS). For more information, please see the Test Entities: Production Sandbox Environment release note in the August Shared Release Notes.

Deprecations

APIs are being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.

Date API Details
12/2022 Deprecation of Request APIs (v1.0, v3.0 and v3.1) Effective March 1st, 2020, the Request APIs (v1.0, v3.0 and v3.1) have been deprecated. They have been replaced by Request v4. Decommission will follow on May 31st, 2023.
12/2022 Deprecation and Decommission of Vendor v3 Once Vendors v3.1 is released, users will have until November 30, 2023 to migrate to the latest version of the API.
11/2022 Deprecation of User v1 Effective November 10th, 2022, the User v1 API has been deprecated. This has been replaced by User Provisioning Service v4. Decommission will follow on November 10th, 2023.
11/2022 Deprecation of User v3 Effective November 10th, 2022, the User v1 API has been deprecated. This has been replaced by User Provisioning Service v4. Decommission will follow on November 10th, 2023.
10/2022 Deprecation of Cash Advance v4 Effective October 1st, 2022, the Cash Advance v4 API is deprecated. This has been replaced by the release of Cash Advance v4.1. Decommission will follow on October 2, 2023.
10/2022 Deprecation of Hotel Service v2 Effective October 14th, 2022, the Hotel Service v2 API is deprecated. This has been replaced by the release of Hotel Service v4. Decommission will follow on October 16, 2023.
04/2021 Bulk User v3.1 API We have deprecated the Bulk User v3.1 API for the US and EMEA data centers. This API is replaced by Identity v4. Decommission will follow. Bulk User v3.1 will remain available for China data centers.
01/2021 List v3 API Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release.
01/2021 List Item v3 API Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible.
06/2020 Travel Profile Notification v1 API We are deprecating the Travel Profile Notification v1 APIs due to low usage.
01/2020 List v1 API We will be retiring the List v1 API in a future release. This API is replaced by the List v4 API.

Planned Changes

Date API Planned Change
10/2022 Addition of ECDSA Encryption and Cipher Retirement To provide ongoing security for our products, we plan to remove support for select ciphers on February 16, 2023, at 5 PM PST. For more information, please see the Planned Changes: Addition of ECDSA Encryption and Cipher Retirement in the October release notes.
05/2022 Filters for Identity v4 API We will be releasing SCIM formatted search filters for the Identity v4 API based on user attributes to help refine search results. This functionality will allow users to use attributes, logical operators, and grouping operators to improve search results to their specific requirements.
10/2021 Report Details v2 API Vulnerability Patch We will be adding additional security to the Report Details v2 API. Current callers may receive a 401 - Unauthorized response if using an unauthorized admin OAuth token to access reports.
09/2021 Request v4 - Deprecation of the Request Cash Advance Endpoint Initially planned for October 2021, Concur Request will soon deprecate the Request Cash Advance detail endpoint. Date will be communicated in future communications.

On this page