shared planned changes€¦ · planned changes android / iphone / ipad – redesign of the sign...

SAP Concur Release Notes Page i Shared Planned Changes Release Date: October 17, 2020 SAP Concur Client PREVIEW

Initial Post: Friday, October 2, 8:00 AM PT

SAP Concur Release Notes

Shared Planned Changes

Applies to Professional Edition, Standard Edition, and Small Business Edition

Month Audience

Release Date: October 17, 2020 Initial Post: Friday, October 2, 8:00 AM PT

SAP Concur Client PREVIEW

The Planned Changes in this document apply to multiple SAP Concur solutions and/or services and are

targeted for future releases. For Planned Changes that apply to single products and/or services:

• For Professional Edition, refer to the Professional Edition release notes.

• For Standard Edition, refer to the Standard Edition release notes.

• For Small Business Edition, refer to the Small Business Edition release notes.

SAP Concur reserves the right to postpone implementation of – or completely remove – any

enhancement/change mentioned in this document.

Contents

Planned Changes............................................................................................. 1

Authentication.........................................................................................................1

**Planned Changes** Single Sign-On (SSO) Self-Service Option ................................ 1

**Planned Changes** Android / iPhone / iPad – Retirement of Mobile PIN.................... 4

**Planned Changes** Android / iPhone / iPad – Retirement of Auto Sign-In Setting ...... 7

File Transfer Updates ..............................................................................................9

**Planned Changes** Mandatory SFTP with SSH Key Authentication ........................... 9

Miscellaneous ........................................................................................................ 10

**Planned Changes** Updated Naming Convention for Sub-URLs ............................. 10

Product Settings.................................................................................................... 12

RELEASE: Option to Switch Back to Legacy Users Page Removed .............................. 12

Security ................................................................................................................. 12

**Planned Changes** End of Support for Insecure Protocols and Ciphers in F5 Client

SSL Profiles for VIPs ............................................................................................ 12

Client Notifications.........................................................................................14

Browser Certifications and Supported Configurations ........................................... 14

Monthly Browser Certifications and Supported Configurations ................................... 14

Subprocessors ....................................................................................................... 14

SAP Concur Non-Affiliated Subprocessors ............................................................... 14

http://www.concurtraining.com/customers/tech_pubs/_RN_CCC.htm

http://www.concurtraining.com/customers/tech_pubs/_RN_CCC_CPS.htm

http://www.concurtraining.com/customers/tech_pubs/Docs/Breeze/RN/WhatsNew.htm

SAP Concur Release Notes Page ii Shared Planned Changes Release Date: October 17, 2020 SAP Concur Client PREVIEW


SAP Concur Release Notes Page iii Shared Planned Changes Release Date: October 17, 2020 SAP Concur Client PREVIEW


Legal Disclaimer

The information in this presentation is confidential and proprietary to SAP SE or an SAP affiliate company and may not be disclosed without the permission of SAP SE or

the respective SAP affiliate company. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP SE or its affiliated companies. SAP SE and its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation,

or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP SE or an SAP affiliate company’s strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP SE and its affiliated companies at any

time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of

merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP SE and its affiliated companies assume no responsibility for errors or omissions in this document, except if such damages were caused by SAP SE or an SAP affiliate company’s willful misconduct or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which

speak only as of their dates, and they should not be relied upon in making purchasing decisions.

SAP Concur Release Notes Page 1 Shared Planned Changes Release Date: October 17, 2020 SAP Concur Client PREVIEW


Planned Changes

These features and changes are targeted for future releases. SAP Concur solutions

reserves the right to postpone implementation of – or completely remove – any enhancement/change mentioned here.

Authentication

These changes are part of the SAP Concur solutions continued commitment to maintaining secure authentication.

**Planned Changes** Single Sign-On (SSO) Self-Service Option

Applies to: Expense Invoice Request Travel Other

Edition(s) Professional,

Standard

Professional,

Standard

Professional,

Standard

Professional,

Standard N/A

Information First Published Information Last Modified Feature Target Release Date

June 2018 August 14, 2020 November 2020

Any changes since the previous monthly release are highlighted in yellow in this release note.

Overview

SAP Concur is planning to add a Single Sign-On (SSO) self-service tool to SAP Concur products. This new tool will enable clients to set up SSO for their organization without assistance from SAP Concur support. SSO is currently supported for Concur Expense, Invoice, Request, and Travel.

SSO enables users to access multiple applications using one set of login credentials. Currently, SAP Concur has two methods for signing in:

• Username and password

• SSO with Identity Provider (IdP) credentials, such as a user's login credentials for their organization

The new SSO self-service tool will eventually replace the existing SSO configuration process, enabling clients to implement SSO at their organization. The existing SSO configuration process and the new SSO Self-Service tool will both be available until everyone has migrated to the new SSO Self-Service tool.

NOTE: Currently, SSO can be configured using the Security Keys page.

The new SSO self-service tool will include the following features:

• A self-service option for setting up SSO at your organization; this new feature is automatically available to all clients

• The new SAP Concur SAML v2 SSO (SAML v2) service which complies with

SAML 2.0 and is a current industry standard

• Encrypted SAML assertion to address privacy and security concerns



• Enforcement of SSO at the company level (the ability to select SSO as

optional is also available)

• The ability to upload multiple Identity Provider (IdP) metadata

• The ability to download SAP Concur Service Provider metadata

NOTE: Supported IdPs include any IdP that can send SAP Concur standard SAML 2.0 SAML assertions, such as: ADFS, Azure AD, Okta, Ping, G Suite, Sitemaster,

Centrify, OneLogin, and VMWare Workplace One.

BUSINESS PURPOSE / CLIENT BENEFIT

This feature will provide new SAP Concur clients with a self-service option for setting up SSO. It will also provide an option for existing SSO clients who must eventually migrate to the new SAML v2 service to manage SSO for their users.

Important – Migration for Legacy SSO Customers

When it becomes available, legacy SSO clients will be able to use the SSO self-service tool to migrate to the new SAML v2 service. Client admins will configure the

feature and connect to the new SSO service on the Manage Single Sign-On page.

NOTE: The new SAML v2 service is independent of existing SSO services. Setting up a new SSO connection on SAML v2 does not interrupt existing SSO connections. Existing clients can remain legacy SSO clients while migrating to the new SAML v2 service.

What the Admin Sees

A user with the required permissions will see a new Authentication Admin menu option on the Administration > Company list.

The items in the Administration and Company lists vary depending on which SAP Concur products your company uses and which edition your company uses.



Professional Edition Example

Standard Edition Example

Travel Only Example

After clicking Authentication Admin, the Authentication Administration page appears.



The new SSO self-service tool is accessed by clicking the Manage Single Sign-On link on the Authentication Admin page.

Configuration / Feature Activation

This feature is automatically available to users with the required permissions.

For more information about migrating to SAML v2, refer to the SSO Service:

Overview Guide and the Shared: SSO Management Setup Guide.

**Planned Changes** Android / iPhone / iPad – Retirement of

Mobile PIN

These changes are part of the SAP Concur solutions continued commitment to maintaining secure authentication.



Standard

Professional,

Standard

Professional,

Standard

Professional,

Standard Mobile


May 2020 September 18, 2020 November 2020


Overview

Targeted for the November (9.86) Mobile release, SAP Concur solutions plans to retire the Mobile PIN sign-in option in the SAP Concur mobile app.

This change coincides with the redesign of the mobile sign-in page which will also be implemented with the November release.

Beginning with the November release, users will be able to switch back to the old sign-in page design and will be able to use the Mobile PIN sign-in option on that page. The option to switch between the old and new page designs will no longer be available beginning with the March (9.89) release.

! IMPORANT: Between the November and March releases, admins should confirm that users are aware of this change and ensure that users can sign in using one of the supported methods listed in this release note.

With the retirement of the mobile PIN sign-in option, users will continue to be able to sign into the mobile app through the following methods:

• Single Sign-On (SSO)

Mobile SSO

SAP Concur SAML v2 (SAML v2)

• Username and password

• E-mail address and password

https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/SG_Shr/Shr_SSO_Service_Overview.pdf


https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/SG_Shr/Shr_SG_SSO_Mgmt.pdf



For companies that have Single Sign-On (SSO) enabled for the web version of SAP Concur solutions, it is recommended that they also enable SSO on the SAP Concur mobile app, ideally migrating to SAML v2.

For information about migrating to SAML v2, refer to the SSO Service: Overview

Guide and the Shared: SSO Management Setup Guide.

BUSINESS PURPOSE / CUSTOMER BENEFIT

The retirement of this feature better supports secure authentication by removing the less secure PIN option, simplifies the way users sign into the SAP Concur mobile app, and makes the mobile sign-in experience more consistent with the web sign-in experience.

What the User Sees

The following screenshots were taken from an iPhone. The experience is similar on other devices but might have a slightly different appearance.

Before



https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/SG_Shr/Shr_SG_SSO_Mgmt.pdf



After

NOTE: The following screenshots reflect an in-progress design change and might not reflect the final design of the sign-in screens.

Forgotten Passwords

If a user installs or upgrades to version 9.86 (or later) of the mobile app and they enter their retired mobile PIN in the Password field on the redesigned sign-in page, they will receive a message that the password is invalid and will be prompted to

reenter their password.

NOTE: Between the November (9.86) and March (9.89) releases, users can switch

back to the old page design, and can use their PIN to sign in on that page. Users must have an alternate, supported sign-in method before installing the March (9.89) release.

If a user has forgotten their password, there are several ways they can reset it:

• Users can reset their password by tapping Forgot Password on the sign-in screen.

• Users can reset their password by going to Profile > Profile Settings > Change Password within the web version of SAP Concur solutions.



NOTE: In some SAP Concur configurations, the ability for users to reset their passwords is disabled. If password reset is disabled and you need to reset your password, contact your company’s designated resource (for example, a Company Administrator) to address this issue.

More information on the retirement of the Mobile PIN sign-in option will appear in future release notes.

For more information on the new mobile sign-in experience, refer to the **Planned Changes** Android / iPhone / iPad – Redesign of the Sign In Page release note in the SAP Concur mobile app release notes.


The change occurs automatically; there are no additional configuration or activation steps.

For more information, refer to the Mobile Authentication Update FAQ.

**Planned Changes** Android / iPhone / iPad – Retirement of

Auto Sign-In Setting

These changes are part of the SAP Concur solutions continued commitment to

maintaining secure authentication.



Standard

Professional,

Standard

Professional,

Standard

Professional,

Standard Mobile


September 2020 September 18, 2020 November 2020 (9.86)


Overview

Targeted for the November (9.86) Mobile release, SAP Concur solutions plans to retire the automatic sign-in setting in the SAP Concur mobile app. This change coincides with the redesign of the mobile sign-in page which will also be implemented with the November release.

! IMPORTANT: Between the November and March releases, admins should confirm that users are aware of this change.

BUSINESS PURPOSE / CUSTOMER BENEFIT

The retirement of this feature better supports secure authentication by removing the less secure automatic sign-in setting.

https://www.concurtraining.com/customers/tech_pubs/MobileDocs/ReleaseNotes/_CCC_RN.htm

http://assets.concur.com/concurtraining/cte/en-us/FAQ_Mobile_Authentication_Update.pdf



What the User Sees

Beginning with the November release, users will see the redesigned sign-in page. The redesigned sign-in page does not support the automatic sign-in setting.

Between the November release (9.86) and the March release (9.89), users will be able to switch back to the old sign-in page design and, if the autologin property is enabled for their company, the user will be able to use the automatic sign-in setting in Concur mobile app Settings.

NOTE: The following screenshots were taken from an iPhone. The experience is similar on other devices but might have a slightly different appearance.

Auto Sign-In Settings

The option to switch between the old and new page designs will no longer be available beginning with the March (9.89) release and the auto sign-in setting will no longer be available.

The user will no longer see the Auto Sign In setting on the Security page in Concur

mobile app Settings.



For more information on the new mobile sign-in experience, refer to the **Planned Changes** Android / iPhone / iPad – Redesign of the Sign In Page release note in the SAP Concur mobile app release notes.


The change occurs automatically; there are no additional configuration or activation steps.

For more information, refer to the Mobile Authentication Update FAQ.

File Transfer Updates

**Planned Changes** Mandatory SFTP with SSH Key

Authentication



Standard

Professional,

Standard

Professional,

Standard

Professional,

Standard Intelligence


June 2019 September 2019 December 7, 2020


Overview

This release note is intended for technical staff responsible for file transmissions with

SAP Concur solutions. For our customers and vendors participating in data exchange through various secure file transfer protocols, SAP Concur is making changes that provide greater security for those file transfers.

Non-SFTP (Secure File Transfer Protocol) protocols and SFTP password authentication will no longer be allowed to connect to SAP Concur products as of December 7, 2020:

• Existing non-SFTP file transfer accounts need to switch to SFTP with SSH Key

Authentication before December 7, 2020.

• Existing SFTP file transfer accounts that use password authentication must switch to use SSH key authentication before December 7, 2020.

• SFTP password reset requests require the client to provide an SSH key for authentication.

This announcement pertains to the following file transfer DNS endpoints:

• st.concursolutions.com

• st-eu.concursolutions.com

• st-cge.concursolutions.com

• st-cge-dr.concursolutions.com

https://www.concurtraining.com/customers/tech_pubs/MobileDocs/ReleaseNotes/_CCC_RN.htm

http://assets.concur.com/concurtraining/cte/en-us/FAQ_Mobile_Authentication_Update.pdf



• vs.concursolutions.com

• vs.concurcdc.cn


These changes provide greater security for file transfers.


If assistance is required, please contact SAP Concur support.

For more information, refer to the Shared: File Transfer for Customers and

Vendors User Guide. (This guide is located with the other Expense, Invoice, and/or Request setup and user guides.)

Miscellaneous

**Planned Changes** Updated Naming Convention for Sub-URLs



Standard

Professional,

Standard

Professional,

Standard

Professional,

Standard --


July 2020 October 2, 2020 Fourth Quarter of 2020


Overview

As part of our overall cloud platform strategy, SAP is planning to implement a more consistent naming convention for the URLs used to connect to SAP Concur solutions,

based on data center. Users will continue to be able to access www.concursolution.com and will be routed automatically to the correct URL or single sign-on (SSO) as part of their sign-in process.

The update to the naming convention is being implemented to provide central sign-in and API URLs and to provide consistency for future data centers.

For more information about our overall cloud platform strategy, refer to the

SAP Concur Cloud Platform Strategy FAQ.

No customer data is planned to leave the North America or EMEA regional data center to which it is assigned at any time before, during or after this change.

TARGETED FOR Q4 2020

• SAP is planning to deploy us.concursolutions.com. It will be functionally identical to the existing www.concursolutions.com.

• SAP is planning to deploy eu.concursolutions.com. It will be functionally identical to the existing eu1.concursolutions.com.

http://assets.concur.com/concurtraining/cte/en-us/FAQ_Cloud_Hosting_Strategy.pdf



NOTE: SAP is planning to remove eu1.concursolutions.com. There is currently no target date for that removal. Most clients will not be impacted by the removal of this URL. They will be able to sign in using the same method they use today. Future communications will provide more

information on the removal of this URL.

TARGETED FOR Q4 2020

• SAP is planning to deploy us2.concursolutions.com and eu2.concursolutions.com and plans to use these URLs for future customer migration to the AWS cloud platform.

For more information, refer to the SAP Concur Cloud Platform Strategy FAQ.

• SAP is planning to update www.concursolutions.com to automatically

redirect users to the appropriate URL or SSO. Users will be directed to their established home data center (for example, eu.concursolutions.com, eu2.concursolutions.com, us.concursolutions.com, or us2.concursolutions.com). No customer data is planned to leave the North America or EMEA regional data center to which it is assigned at any time before, during or after this change.

RESTRICTED ACCESS / ALLOW LISTS

In rare cases, clients who restrict or filter access from their corporate network to specific URLs, might need to update their configuration to enable users to connect to the new URLs. For example, clients who have an allow list configured, might need to add the new URLs to their list. The information in this release note should be provided to your technical resource so that they can take appropriate action to allow access to these new URLs.

NOTE: It is not a best practice to only allow specific URLs. If restricted access is a

requirement, SAP recommends allowing *.concursolutions.com to avoid having to make these adjustments in the future.


This change supports future URL consistency across all global regions, and a central URL that redirects users to the appropriate data center.

What the User Sees

Targeted for Q4 2020, users who connect to an SAP Concur entity by navigating to www.concursolutions.com will be redirected to the appropriate URL or single sign-on (SSO) as part of their sign-in process.






These changes occur automatically; there are no configuration or activation steps. However, in rare cases, clients who restrict or filter access from their corporate network to specific URLs, might need to update their configuration to enable users to connect to the new URLs.

Product Settings

RELEASE: Option to Switch Back to Legacy Users Page Removed


Edition(s) Standard Standard Standard Standard Budget

Standard


July 31, 2020 September 4, 2020 September 24, 2020


This feature/change has been targeted for release. For information about this feature/change, refer to the applicable product release notes as indicated in the table above.

Security

**Planned Changes** End of Support for Insecure Protocols and

Ciphers in F5 Client SSL Profiles for VIPs


Edition(s) Professional

Standard

Professional

Standard

Professional

Standard

Professional

Standard --


September 4, 2020 -- November 12 - 13, 2020


These changes are part of the SAP Concur continued commitment to maintaining secure authentication.

Overview

On November 12 (US) and November 13 (France), the F5 internal and external client SSL profiles for VIPs will be updated to remove support for the following protocols

and ciphers:

• SSL v2

• SSL v3

• TLS v1.0

• TLS v1.1



• 3DES cipher suite

Clients, TMCs, and internal SAP Concur employees who use or develop applications that rely on an F5 SSL client profile must test the ability of their applications to connect to SAP Concur entities using the new, more secure profile.


This update provides ongoing security for our products and services.


When this change is initially implemented, SAP Concur will make the following profiles available:

• star_concursolutions.com_secure: A secure client profile that does not support SSL v2, SSL v3, TLS v1.0, TLS v1.1, or the 3DES cipher suite. This

profile supports TLS v1.2 only.

• star_concursolutions.com_weak: A copy of the current (legacy) client profile that supports legacy SSL ciphers and protocols.

Clients, TMCs, and internal SAP Concur employees will be able to temporarily revert to the less secure profile to address any issues they encounter with the more secure profile before the less secure profile is permanently removed.



Client Notifications

Browser Certifications and Supported Configurations

Monthly Browser Certifications and Supported Configurations

The SAP Concur Release Notes – Monthly Browser Certifications document lists current and planned browser certifications. The document is available with the other SAP Concur monthly release notes.

The Concur Travel & Expense Supported Configurations – Client Version guide is available with the setup guides, user guides, and other technical documentation.

Subprocessors

SAP Concur Non-Affiliated Subprocessors

The list of non-affiliated subprocessors is available here: SAP Concur list of Subprocessors

If you have questions or comments, please reach out to: [email protected]

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-04-0011.pdf

https://support.sap.com/content/dam/support/en_us/library/ssp/my-support/trust-center/sap-tc-04-0011.pdf

mailto:[email protected]

mailto:[email protected]

shared planned changes€¦ · **planned changes** android / iphone / ipad – redesign of the sign...

Documents

shared planned changes€¦ · planned changes android / iphone / ipad – redesign of the sign...