API Release Notes, February 2020
Contents
- Planned Changes: Budget v4 API Soon Available
- Planned Changes: Deprecation of Existing Concur Request APIs (v1.0, v3.0, v3.1)
- Ongoing: Quick Expense v1 and Quick Expense v3 Retirement and Decommission
- Concur Request APIs v4
- TLS v1.1 SSL Protocol Not Allowed for File Transfers
- HTTPS Protocol No Longer Allowed for File Transfer (Feb 24, 2020)
- Support Ending for TLS v 1.1 Encryption Protocol
Planned Changes: Budget v4 API Soon Available
SAP Concur will release the Budget v4 API for partner and client use in a future release. Budget v4 provides the following features:
- Fiscal Calendar: This API can GET, POST, and DELETE fiscal years and periods similar to the Fiscal Calendar UI in Budget Configuration.
- Budget Category: This API can GET, POST, and DELETE budget categories, and GET all expense types of a budget category.
- Budget Items: This API can GET, POST, and DELETE budget items including details such as period amounts, budget item tracking fields (cost objects), budget viewers, managers, and approvers.
- Budget Tracking Field: This API can GET all budget tracking fields.
- Budget Adjustment: This API can POST budget adjustments.
- Global Availability: Budget v4 API is supported in all SAP Concur data centers.
Business Purpose / Client Benefit
This new Budget API enables clients and partners to integrate Budget with their ERP and HR systems to automate budget configuration and maintenance as well as importing external transactions not captured via SAP Concur through budget adjustments.
Configuration / Feature Activation
The Budget v4 API will be available to SAP Concur clients who have purchased Web Services, or partners who have contracted with SAP Concur.
Planned Changes: Deprecation of Existing Concur Request APIs (v1.0, v3.0, v3.1)
SAP Concur will be deprecating the existing Concur Request APIs (v1.0, v3.0, and v3.1) in a future release. Those APIs will be replaced by the Concur Request v4 APIs.
Business Purpose / Client Benefit
The Concur Request APIs v1.0, v3.0 and v3.1 only support the previous authentication method, which is not best security practice and does not meet the Oauth2 standards. In addition, the previous versions of the Concur Request APIs provided limited possibilities for moving a Request through the approval workflow, as well as managing custom simple & connected list fields. These issues are resolved with the new Concur Request v4 APIs.
In addition, SAP Concur has run a backward compatibility project between the current Concur Request APIs and the new Concur Request v4 APIs (not iso-compatibility) in order to have the vast majority of use cases managed in the previous versions also be managed in the Concur Request v4 APIs.
Ongoing: Quick Expense v1 and Quick Expense v3 Retirement and Decommission
Effective March 31, 2020, the Quick Expense v1 and Quick Expense v3 APIs will be retired and decommissioned. We encourage all current users to migrate to Quick Expense v4 as soon as possible.
Please refer to the deprecation policy for definitions and additional information.
Business Purpose / Client Benefit
This update removes two outdated APIs.
Concur Request APIs v4
SAP Concur is releasing Concur Request v4 APIs for clients and partners.
With v4, SAP Concur has made great enhancements to the existing Request endpoints, and is now offering the ability for a client and/or a partner to interact with Concur Request to do the following:
- Get the list of existing Requests.
- Get detailed information of an existing Request.
- Create, Read, Update, or Delete an existing Request.
- Move an existing Request through the approval flow with one of the following available actions: Submit, Approve, Recall, Cancel, Close, or Reopen.
- Get the list of expected expenses (including trip segments) attached to a Request.
- Create, Read, Update or Delete an expected expense for a Request.
- Get information of a travel agency office.
- Get the list of active Request policies for a given user.
Background
SAP is continuing to invest heavily in APIs and tools to simplify end-to-end integration.
At SAP Concur, we strongly believe that an open ecosystem expands your view. An open ecosystem dynamically connects your internal systems, spend, and partner data to reveal powerful insights that empower you to run your business better.
Explore the capabilities listed in the Overview section and consider how the APIs could help you simplify some of your existing processes, such as:
- Automatically creating a Concur Travel Request for any off-site training approved via your Human Resources system.
- Exposing authorization requests pending approvals onto your internal corporate portal “Manager” widget.
Permissions
In addition to the existing user-level permissions, the Concur Request v4 APIs are based on the most recent secured Authentication service and SAP Concur’s new Oauth2 framework, which manages the authorization for company-level permissions. Clients and/or partners can now use a single token/permission to interact with Request on behalf of all company users.
Business Purpose / Client Benefit
These enhancements provide more options and abilities for developers using the SAP Concur platform with Request.
Configuration / Feature Activation
Depending on your product, some APIs may not be available to your company.
Clients should contact the group responsible for their web services, which may be inside their company, or a third-party developer, to inform them of the upcoming changes.
TLS v1.1 SSL Protocol Not Allowed for File Transfers
This release note is intended for technical staff responsible for file transmissions with SAP Concur. For our customers and vendors participating in data exchange through various secure file transfer protocols, SAP Concur has made changes that provide greater security for those file transfers.
The TLS 1.1 (Transport Layer Security) SSL protocol has been removed from our SAP Concur file transfer system allowed list.
- This relates to the FTPS and HTTPS file transfer protocols.
- The HTTPS file transfer protocol will not be allowed beginning on February 24, 2020. If you are currently using HTTPS, we suggest migrating to SFTP with key authentication.
This announcement pertains to the following file transfer DNS endpoints:
- st.concursolutions.com
- st-eu.concursolutions.com
- st-cge.concursolutions.com
- st-cge-dr.concursolutions.com
- vs.concursolutions.com
- vs.concurcdc.cn
Business Purpose / Client Benefit
These changes provide greater security for file transfers.
Configuration / Feature Activation
If assistance is required, please contact SAP Concur support.
HTTPS Protocol No Longer Allowed for File Transfer (Feb 24, 2020)
This release note is intended for the technical staff responsible for file transmissions with SAP Concur. For our customers and vendors participating in data exchange through various secure file transfer protocols, SAP Concur is making changes that provide greater security for those file transfers.
Beginning February 24, 2020 at 2 PM PST, connections via the HTTPS protocol will no longer be allowed when connecting to the SAP Concur file transfer system.
- Existing HTTPS file transfer accounts must switch to SFTP with SSH Key Authentication before February 24, 2020.
This announcement pertains to the following file transfer DNS endpoints:
- st.concursolutions.com
- st-eu.concursolutions.com
- st-cge.concursolutions.com
- st-cge-dr.concursolutions.com
- vs.concursolutions.com
- vs.concurcdc.cn
Business Purpose / Client Benefit
These changes provide greater security for file transfers.
Configuration / Feature Activation
If assistance is required, please contact SAP Concur support.
Support Ending for TLS v 1.1 Encryption Protocol
SAP Concur is announcing an end-of-support cycle for version 1.1 of the Transport Layer Security (TLS) encryption protocol, while continuing support for the more secure version 1.2 of TLS. As background, the TLS protocol allows secure back and forth communications between a phone or computer and a cloud-based service.
Refusal of TLS v.1.1 connections will commence on February 20, 2020.
Business Purpose / Client Benefit
SAP Concur is taking this step after careful consideration of our customers’ security and ease of upgrade to the newer, more secure version 1.2 of TLS. This end-of-support plan for TLS v1.1 ensures our clients are communicating with SAP Concur solutions in a safer and more secure manner using TLS v1.2.
What the Customer Sees
If the customer or user ensures they are using a TLS v 1.2-compliant browser, there will be no change in the way users interact with SAP Concur. If the browser is not compliant, users will not be able to sign in to SAP Concur.
In general, the use of less-secure TLS connections can lead to exposed data, resulting in compromised sessions across any TLS channel of communication (for example, SAP Concur services). For this reason, SAP Concur is alerting clients now to ensure they may anticipate this change and begin assessment in order to comply with this change at their companies.
Affected Devices
In general, browsers using TLS to establish inbound / outbound communication channels with SAP Concur services are affected, for example connections across:
- Users attempting to log in to SAP Concur solutions
- APIs
- Bulk upload via SFTP
- Connectors
- FTP / PGP
- SAP Integrations
- Other
The ability of a browser to comply by upgrade to TLS v1.2 will depend on the company’s support for the specific browser, for example Microsoft (Edge), Google (Chrome), and others.
Informational Banner To Display
An informational banner will display when a user attempts to log in using a browser that does not support TLS v 1.2 and later and thus cannot negotiate a connection. The intent is to alert the user to this upcoming change using an informational-only message with a link to additional useful information.
Configuration / Feature Activation
Transitioning to support for TLS v1.2 and later may simply require updating security settings of your browser. In most instances, the company already has the support in place and need only identify non-compliant browsers and upgrade these user’s browsers to newer versions.
Please check with the department in your company that is responsible for browser compliance and ensure they are aware of this upcoming change.