API Release Notes, January 2020

Contents

Planned Changes: Budget v4 API Soon Available

SAP Concur will release the Budget v4 API for partner and client use in a future release. Budget v4 provides the following features:

  • Fiscal Calendar: This API can GET, POST, and DELETE fiscal years and periods similar to the Fiscal Calendar UI in Budget Configuration.
  • Budget Category: This API can GET, POST, and DELETE budget categories, and GET all expense types of a budget category.
  • Budget Items: This API can GET, POST, and DELETE budget items including details such as period amounts, budget item tracking fields (cost objects), budget viewers, managers, and approvers.
  • Budget Tracking Field: This API can GET all budget tracking fields.
  • Budget Adjustment: This API can POST budget adjustments.
  • Global Availability: Budget v4 API is supported in all SAP Concur data centers.

Business Purpose / Client Benefit

This new Budget API enables clients and partners to integrate Budget with their ERP and HR systems to automate budget configuration and maintenance as well as importing external transactions not captured via SAP Concur through budget adjustments.

Configuration / Feature Activation

The Budget v4 API will be available to SAP Concur clients who have purchased Web Services, or partners who have contracted with SAP Concur.

Planned Changes: Concur Request APIs v4

SAP Concur will soon be releasing Concur Request v4 APIs for clients and partners. We are targeting to release v4 in February 2020.

With v4, SAP Concur has made great enhancements to the existing Request endpoints, and is now offering the ability for a client and/or a partner to interact with Concur Request to do the following:

  • Get the list of existing Requests.
  • Get detailed information of an existing Request.
  • Create, Read, Update or Delete an existing Request.
  • Move an existing Request through the approval flow with one of the following available actions: Submit, Approve, Recall, Cancel, Close, or Reopen.
  • Get the list of expected expenses (including trip segments) attached to a Request.
  • Create, Read, Update or Delete an expected expense for a Request.
  • Get information of a travel agency office.
  • Get the list of active Request policies for a given user.

Background

SAP is continuing to invest heavily in APIs and tools to simplify end-to-end integration.

At SAP Concur, we strongly believe that an open ecosystem expands your view. An open ecosystem dynamically connects your internal systems, spend, and partner data to reveal powerful insights that empower you to run your business better.

Explore the capabilities listed in the Overview section and consider how the APIs could help you simplify some of your existing processes, such as:

  • Automatically creating a Concur Travel Request for any off-site training approved via your Human Resources system.
  • Exposing authorization requests pending approvals onto your internal corporate portal “Manager” widget.

Permissions

In addition to the existing user-level permissions, the Concur Request v4 APIs are based on the most recent secured Authentication service and the new Oauth2 framework, which manages the authorization for company-level permissions. Clients and/or partners can now use a single token/permission to interact with Request on behalf of all company users.

Business Purpose / Client Benefit

These enhancements will provide more options and abilities for developers using the SAP Concur platform with Request.

Configuration / Feature Activation

Depending on your product, some APIs may not be available to your company.

Clients should contact the group responsible for their web services, which may be inside their company, or a third-party developer, to inform them of the upcoming changes.

Planned Changes: Deprecation of Existing Concur Request APIs (v1.0, v3.0, v3.1)

SAP Concur will be deprecating the existing Concur Request APIs (v1.0, v3.0, and v3.1) in a future release. Those APIs will be replaced by the Concur Request v4 APIs.

Business Purpose / Client Benefit

The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.

In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.

Ongoing: Quick Expense v1 and Quick Expense v3 Retirement and Decommission

Effective March 31, 2020, the Quick Expense v1 and Quick Expense v3 APIs will be retired and decommissioned. We encourage all current users to migrate to Quick Expense v4 as soon as possible.

Please refer to the deprecation policy for definitions and additional information.

Business Purpose / Client Benefit

This update removes two outdated APIs.

Support for TLS v1.1 Encryption Protocol to End in First Quarter of 2020

SAP Concur is announcing an end-of-support cycle for version 1.1 of the Transport Layer Security (TLS) encryption protocol, while continuing support for the more secure version 1.2 of TLS. As background, the TLS protocol allows secure back and forth communications between a phone or computer and a cloud-based service.

This change will happen on January 30, 2020.

Business Purpose / Client Benefit

SAP Concur is taking this step after careful consideration of our customers’ security and ease of upgrade to the newer, more secure version 1.2 of TLS. This end-of-support plan for TLS v1.1 ensures our clients are communicating with SAP Concur solutions in a safer and more secure manner using TLS v1.2.

What the Customer Sees

If the customer or user ensures they are using a TLS v 1.2-compliant browser, there will be no change in the way users interact with SAP Concur. If the browser is not compliant, users will not be able to sign in to SAP Concur.

In general, the use of less-secure TLS connections can lead to exposed data, resulting in compromised sessions across any TLS channel of communication (for example, SAP Concur services). For this reason, SAP Concur is alerting clients now to ensure they may anticipate this change and begin assessment in order to comply with this change at their companies.

Affected Devices

In general, browsers using TLS to establish inbound / outbound communication channels with SAP Concur services are affected, for example connections across:

  • Users attempting to log in to SAP Concur solutions
  • APIs
  • Bulk upload via SFTP
  • Connectors
  • FTP / PGP
  • SAP Integrations
  • Other

The ability of a browser to comply by upgrade to TLS v1.2 will depend on the company’s support for the specific browser, for example Microsoft (Edge), Google (Chrome), and others.

Error Message Will Display

If the user attempts to connect to SAP Concur using a non-compliant browser, they will receive an error message detailing a secure connection failure.

Configuration / Feature Activation

Transitioning to support for TLS v1.2 and later may simply require updating security settings of your browser. In most instances, the company already has the support in place and need only identify non-compliant browsers and upgrade these user’s browsers to newer versions.

Please check with the department in your company that is responsible for browser compliance and ensure they are aware of this upcoming change.

Security Communication Protocols for Callouts

Clients that use or plan to use SAP Concur callouts (for example, Send Notification, Launch External URL, Fetch List, and Fetch Attendee) need to ensure they meet the SAP Concur security standards. To reduce security risk for our clients and SAP Concur, we are giving companies until the end of 2019 to make the required update for callouts. If clients have security protocols below our standard after December 31, 2019, their callouts will stop working in January 2020. To use callouts, clients need to ensure that the TLS version 1.1 or greater is used for the encryption protocols of the client’s endpoint. Also, clients using callouts need to ensure their callout host endpoint uses and prioritizes one or more ECDHE cipher suites with an equivalent key length greater than or equal to 2,048 bits, such as one of the ciphers listed below.

EXAMPLES OF CIPHERS TO USE:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

Business Purpose / Client Benefit

Reduce security risk for the clients that use callouts and SAP Concur.

Configuration / Feature Activation

Existing customers will need to update their protocols if they are not compliant with the stated security standards. New companies configuring callouts will need to ensure they use security protocols and authentication methods that meet these standards. For more information about SAP Concur callouts, refer to Callouts and Application Connectors.

On this page