API Release Notes, November 2021
New This Month
Self-Service Tool for Application Management
Clients who have SAP Concur Client Web Services can request access to a new application management self-service tool, OAuth 2.0 Application Management. This self-service tool is enabled by the Client Web Services team for SAP Concur Web Services clients who request it.
The OAuth 2.0 Application Management self-service tool can be used to create OAuth 2.0 compliant applications. Legacy authentication was deprecated in 2017 and is not supported by this tool.
When enabled, the tool is available from the Authentication Administration page to admin users who have been assigned the Web Services Admin role.
New Company Request Token Self-Service Tool
A new Company Request Token self-service tool is now available to SAP Concur admins who have been assigned the Company Admin or Web Services Admin role.
The Company Request Token self-service tool enables clients to generate the Company Request Token that is required to request a JSON web token (JWT) when connecting to APIs in the SAP Concur platform.
The Company Request Token self-service tool enables clients to generate Company Request Tokens without contacting SAP Concur support. This tool also enables clients to generate a replacement Company Request Token without assistance from SAP Concur support if their Company Request Token expires or is lost.
Travel Profile v2 API Returns User Profile by UUID
With this update, Travel Profile v2 will accept the UUID as a Request parameter to retrieve a user’s profile.
GET {InstanceURI}/api/travelprofile/v2.0/summary? profile?userid_type=uuid&userid_value= aa11xxx-aa-xx-xxxx-xxxxxxxxxxx
Authorization: OAuth 2.0 {access token}
This will allow callers to use UUID, which is the preferred and more secure identifier for users.
Planned Change: Travel Profile v2 API Will No Longer Return Latitude and Longitude of the Work Address in User Profiles
Beginning on December 15, 2021, the Travel Profile v2 API will no longer return the Work Address Latitude and Longitude fields in User profiles. With the retirement of Concur Locate in September of this year, these values are no longer being populated or updated.
Planned Change: Travel Profile v2 API Will No Longer Provide MobileName, MobileDevice, and PrimaryMobile Attribute in User Profiles
Beginning on December 15,2021, Travel Profile v2 API will no longer return MobileName, MobileDevice, and PrimaryMobile attribute in User profiles. With the retirement of Concur Locate in September of this year, mobile device information is no longer visible to users and is therefore, not being updated.
Planned Change: Some TLSv1.2 Ciphers No Longer Supported
Beginning on February 1, 2022, SAP Concur solutions will no longer support connections to *.concursolutions.com and * api.concursolutions.com that use the following TLSv1.2 ciphers:
- AES256-GCM-SHA384
- AES128-GCM-SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
To ensure that connections to *.concursolutions.com and * api.concursolutions.com are not disrupted, clients and partners who connect to *.concursolutions.com and * api.concursolutions.com through an application that uses an unsupported cipher must update the application to a supported cipher before February 1, 2022.
The following ciphers are supported:
- ak-akamai-2020q1
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256
- TLS-AES-128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-CHACHA20-POLY1305
To ensure that connections to *.concursolutions.com and * api.concursolutions.com are not disrupted, any applications that use an unsupported cipher must be updated to use a supported cipher before February 1, 2022.
Ongoing
OAuth 2.0 Migration
We will be converting from the legacy authentication (deprecated 2017) method to the new OAuth 2.0 authentication method. This effort will be taking place starting in the third quarter of 2021 and will conclude by the end of the second quarter of 2022.
Any existing partners, Client Web Service (CWS) clients, and clients with a Hosted Customer Connector using the legacy authentication (deprecated 2017) will need to be converted to the new OAuth 2.0 authentication. If you are a partner or a client using the legacy authentication (deprecated 2017) method, we will be reaching out and will provide communication on how to convert to the new OAuth 2.0 authentication. Clients with a Hosted Custom Connector will be handled by the SAP Concur Development team.
For more information, please refer to Authentication.
With the ongoing effort of the authentication conversion project, we will be placing the Register Partner Application UI into a read-only state. Existing customers who still access or use this UI would now only be able to view their legacy authentication applications. Clients will be unable to create net-new or modify their existing legacy authentication applications.
With the launch of the Company Request Token Self-Service Tool and the Self-Service Tool for Application Management in July 2021, Clients should begin utilizing these tools and UI to create Oauth 2.0 applications. If you feel that your company has a proper business case to create a net-new legacy authentication application, please submit an SAP Concur Support case. The support case will be reviewed and either approved or denied. We will only allowing exceptions for the creation of net new legacy authentication applications until September 20th, 2021.
Application Connector Username and Password Length Requirements Updated
Changes are being made to the length of usernames and passwords associated with application connectors. For more information please see the Expense release notes.
Updated Naming Convention for Sub-URLs
Changes are being made to the naming conventions of sub-urls. For more information please see the Expense release notes.
Deprecations
APIs are being deprecated in accordance with the SAP Concur API Lifecycle & Deprecation Policy.
| Date | API | Details |
|---|---|---|
| 09/2021 | Deprecation of User v1 | User v1 service will be deprecated. User v1 service can be replaced with either the upcoming User Provisioning service and/or the Identity v4 service. Both of these services enable callers to CRUD user’s core/identity profile information like UUID, name, address, email, etc. |
| 09/2021 | Decommission of Hotel Service v1 | Following the deprecation of Hotel Service v1 APIs in March 2019, we will be decommissioning the Hotel Service v1 APIs on December 31, 2021. Any configuration that uses hotel content connectors that rely on HSv1 will be affected. Please reference the Hotel Service Travel Service Guide for a list of connectors. If you are a client of one of these connectors, please work with your TMC or administrator to switch to an HSv2 connection and/or GDS for your hotel content needs. |
| 07/2021 | User v3 API | We will be deprecating the User v3 API in a future release due to less secure authentication methods. |
| 04/2021 | Bulk User v3.1 API | We have deprecated the Bulk User v3.1 API for the US and EMEA data centers. This API is replaced by Identity v4. Decommission will follow. Bulk User v3.1 will remain available for China data centers. |
| 01/2021 | List v3 API | Effective April 16, 2021, we have deprecated the List v3 API. This API is replaced by the List v4 API. List v3 is planned to be retired in a future release. |
| 01/2021 | List Item v3 API | Effective April 16, 2021, we have deprecated the List Item v3 API. This API is replaced by the List Item v4 API. List Item v3 is planned to be retired in a future release. Please migrate to the List Item v4 API as soon as possible. |
| 06/2020 | Travel Profile Notification v1 API | We are deprecating the Travel Profile Notification v1 APIs due to low usage. |
| 04/2020 | Existing Concur Request APIs (v1.0, v3.0, v3.1) | Effective July 1, 2020, these APIs are replaced by the Concur Request v4 API. We have run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 API (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 API. |
| 01/2020 | List v1 API | We will be retiring the List v1 API in a future release. This API is replaced by the List v4 API. |
Planned Changes
| Date | API | Planned Change |
|---|---|---|
| 10/2021 | Report Details v2 API Vulnerability Patch | We will be adding additional security to the Report Details v2 API. Current callers may receive a 401 - Unauthorized response if using an unauthorized admin OAuth token to access reports. |
| 09/2021 | Request v4 - Link to List Item Endpoint | In October 2021, we will be introducing a new link toward the List Item endpoint for Request custom fields related to a List. The List Item API will enable Request consumers to have a better interaction with custom fields related to a List (create/update custom fields related to a List). To enable a better interaction between Concur APIs, a new link will be provided within the Request customField schema to redirect to the corresponding List Item endpoint of the List API. |
| 09/2021 | Request v4 - Deprecation of the Request Cash Advance Endpoint | Effective October, 1st 2021, Concur Request will deprecate the Request Cash Advance detail endpoint. Effective beginning of November 2021, the Request Cash Advance List endpoint will redirect consumers to the Retrieve a Cash Advance endpoint, part of the Cash Advance v4 API. |
| 09/2021 | Request v4 - Agency Proposal Endpoint | In Q4 2021, we will release an additional Request v4 API endpoint that will offer the ability for travel agencies to interact with Concur Request to submit travel itineraries directly into a request, via the agency proposal feature with Request v4 API. |
| 04/2021 | Invoice Pay v4 GET Call Parameter | GET calls will have the option to use the new invoiceId parameter to retrieve payment information and the ERP Document ID associated to the invoice. The feature will be automatically available; there will be no additional configuration or activation steps. |
| 04/2021 | Invoice Pay v4 PATCH Endpoint | With the new PATCH, the invoice will be updated with the erpDocumentNumber value in the body whenever an invoiceId is passed as part of the API URL. The feature will be automatically available; there will be no additional configuration or activation steps. |