Strong identity and enhanced security are essential in today’s advanced and interconnected world. SAP offers a comprehensive Identity Access Management (IAM) solution to its customers. IAM is a core part of SAP’s efforts to deliver integrated solutions for Intelligent Enterprise which includes the SAP Cloud Identity Services.   

Many SAP cloud solutions come preconfigured with Identity Authentication and Identity Provisioning such as SAP SuccessFactors, SAP BTP – Business Technology Platform, SAP Build Work Zone, SAP IBP – Integrated Business Planning to name a few (more information on bundles). You can reap the benefits of the SAP Cloud Identity Services with your SAP Concur solution.   

Benefits of using SAP Cloud Identity Services: Identity Authentication and Identity Provisioning        

SAP Cloud Identity Services currently consists of two main components: Identity Authentication and Identity Provisioning.  

Identity Authentication:    

In cross-application business scenarios, users often face the hassle of logging in multiple times which is tedious and frustrating. Identity Authentication allows users to log in once and use single sign-on across SAP cloud business applications. This offers centralized security for authentication, protecting system-to-system communication and simplifying the user experience. Identity Authentication supports third-party corporate identity providers by acting as a proxy for delegated authentication.   

For ease of cross application communication, Identity Authentication creates and assigns a unique identifier (Global User ID) to each user, allowing every SAP solution to use the same identifier.   

Identity Provisioning:        

Identity Provisioning streamlines user management and identity lifecycle processes, eliminating the need for multiple systems by ensuring seamless integration across the Intelligent Enterprise landscape, making user information available in all systems. Customers can provision user profiles from source to target systems like the SAP Concur solutions, benefiting from simplified configuration and centralized user management. 

For more information, https://help.sap.com/docs/cloud-identity/what-are-sap-cloud-identity-services/what-are-sap-cloud-identity-services 

Please visit the SAP community page for a wealth of information on SAP Cloud Identity Services from the active SAP community,

https://community.sap.com/topics/cloud-identity-services

To learn more about licensing and usage with third party applications, please visit the Licensing and Usage.  

We currently support the following configurations for SAP Concur:    

• Concur Expense, Concur Request, Concur Invoice, and/or Concur Travel & Expense (Concur Travel only is not supported)
• Customers who use their own identity provider (third-party IdP)    
• Customers who do not have their own identity provider (third-party IdP)   
• Customers that have at least one existing tenant of SAP Cloud Identity Services   
• Customers who have at least one SAP cloud solution in addition to their SAP Concur solution.   

Since Identity Authentication and Identity Provisioning are existing tenant, the tenant will be reused.    

Steps to receive Identity Authentication and Identity Provisioning tenant for SAP Concur  

Step 1: Check with your SAP Concur account team to determine if you are eligible for provisioning of a tenant with Identity Authentication and Identity Provisioning services.   

Step 2: When eligible, create a support case to initiate the provisioning of an SAP Cloud Identity Services tenant with Identity Authentication and Identity Provisioning services.    

NOTE: Customers must create a case to set up Identity Authentication and Identity Provisioning tenant provisioning for your SAP Concur entity even if they already have existing Identity Authentication and Identity Provisioning tenant from other SAP solutions.    

Step 3: When the above two steps are complete, you can now configure Identity Authentication as single sign-on (SSO) for SAP Concur and Identity Provisioning having SAP Concur as a target system from within the SAP Cloud Identity Services administration console.    

 For more details, please check out, System Integration Guide for SAP Cloud Identity Services – SAP Concur integration scenario  

Detailed Walkthrough  

Here are the Identity Authentication and Identity Provisioning configuration settings with SAP Concur, please refer to the below published blogs,    

https://blogs.sap.com/2023/12/05/sap-identity-authentication-service-ias-and-sap-concur/   and

https://blogs.sap.com/2024/01/04/how-to-provision-user-identities-into-concur-using-identity-provisioning/  

NOTE: Identity Provisioning will provision core identity information into the SAP Concur solutions. SAP Concur offers two APIs – Identity v4 and User Provisioning Service to support the provisioning core identity information to SAP Concur. Based on your long-term goals, it is recommended using User Provisioning Service API to allow for the adoption of expansion of features without the need to reintegrate. The Spend profile information for the user must be updated using these SAP Concur APIs, or the SAP Concur user import. 

Identity Provisioning may have identity attributes that SAP Concur does not support. Please reference Concur API documentation for supported attributes prior to transformation file creation.  

User Experience using Identity Authentication as Single Sign On (SSO) for SAP Concur    

The user experience for customers logging into SAP Concur using Identity Authentication as SSO is seamless, quick and user friendly.    

 Prerequisites:   

• You already have Identity Authentication and Identity Provisioning tenant provisioned.    
• Trust configuration is built between the SAP Concur solution and Identity Authentication    
• Identity Authentication is configured as the Source system in Identity Provisioning    
• The SAP Concur solution is configured as a Target system in Identity Provisioning    
• Users are created manually or via file import to Identity Authentication user management.    
• Users are provisioned from Identity Authentication/Source system into the SAP Concur solution successfully as active users.   

Step 1: User to go to www.concursolutions.com     

Step 2: User to add their username/email address and Click Next.     

Step 3: Select the Sign in option for single sign on with Identity Authentication. Here, I selected “Sign in with IAS“ option (This field name is set up while configuring Identity Authentication for SAP Concur).   

Step 4: Since this is the first time logging in SAP Concur using Identity Authentication the user will get redirected to the Identity Authentication login page. Here the user needs to add IAS user credentials and click on “Continue”.    

Step 5: User is logged into Concur using IAS as single sign on.    

Step 6: Now the next time this user tries to login to an SAP Concur solution using Identity Authentication as single sign on, the user does not get the Identity Authentication page and does not need to put in the credentials. The user is directly signed into SAP Concur solution.    

Conclusion 

The integration of SAP Cloud Identity Services with SAP Concur solutions offers a more streamlined and secure system landscape. By leveraging SAP Cloud Identity Services, you can benefit from a centralized security for authentication and access to all SAP business applications with a single click. Overall, this enhances the Identity Access Management solution capabilities for SAP Concur solutions.