I have been a Technical Consultant at SAP Concur for some time and have worked with many clients to help them build interfaces between their systems and SAP Concur. One requirement I regularly see come up is the need to provision user data into Concur.
The Identity Provisioning service automates identity lifecycle processes and helps customers provision identities to various cloud and on-premise business applications.
In this blogpost we are focusing on SAP and SAP Concur customers who can make use of the Identity Provisioning in combination with the Identity Authentication service to manage user identities and to provision those identities into Concur.
Features :
- Pre-configured or semi-automated trust configuration
- Common identity for users
- Unified way for user management
Prerequisites:
- Concur Expense/Request/Travel/Invoice Module
- Identity Provisioning and Identity Authentication tenants
Implementation Considerations:
- Customer’s Identity Provisioning and Identity Authentication tenants must be already deployed
- Users must be created and maintained in Identity Authentication
- The data being sent to Concur for provisioning the profile is determined by the fields supported by the Concur API being used (Identity V4), therefore additional integrations (flat file, APIs) must be used in order to complete the full user profile – see Exclusions section
- Customer must have a Web Services Administrator user in Concur in order to be able to generate the request token required for the authentication between Identity Provisioning and Concur
Exclusions:
The user profile data created is limited to the fields supported by the Concur API being used (
Identity V4). The list of fields not supported includes, but is not limited to:
- Expense/Request/Travel/Invoice roles
- OrgUnits and Custom fields information
- Approver assignment
- User preferences
Detailed Walkthrough:
Step 1. Obtain the
Company UUID and the
Request Token from Concur:
Log into Concur using a user that has the Web Services Administrator permission. Once connected, navigate to
Home – Administration – Authentication Admin and select the
Company Request Token option:
In the
App ID field enter the
Identity Provisioning App ID you will find in the following
setup guide and click
Submit. Make sure to copy the
Company UUID and the
Company Request Token that appear on the screen:
Step 2. Create and configure the
Source System:
Connect to your Identity Authentication / Identity Provisioning tenant and go to
Identity Provisioning – Source Systems:
Click
Add and fill in the
Type as
Identity Authentication, assign
System Name of choice and
Save:
Generate the certificate that will be used as authentication method between Identity Provisioning and Identity Authentication. Go to the newly created
Source System and click Outbound
Certificates – Generate – Download:
Add system as administrator by going to
Users and Authorizations – Administrators – Add – System – assign system admin
Name and
Save:
Once you save the options to configure the authentication are displayed. Choose
Certificate – Browse to search for the previously downloaded certificate and
Save once the certificate is imported:
10
Configure the properties of the source system by going to
Identity Provisioning – Source Systems – select the newly created system – click
Properties – Edit:
Add the properties as described in the
setup guide:
Optional: if required, you can define different parameters for the transformations. Details on the default transformation logic available by default can be found in the
setup guide.
Step 3. Create and configure the
Target System:
Go to
Identity Provisioning – Target Systems:
Click
Add and fill in:
- Type as SAP Concur
- System Name of choice
- In the Source Systems field select the newly created Source System
Click
Save:
In the newly created
Target System click on
Properties – Edit – Add to define the properties as detailed in the
setup guide. Once completed, click
Save:
Important: Please note that there are 2 types of properties you can add - Standard and Credential - and most of the properties you will need add are Standard. However, concur.authorization.code is a Credential property, so please make sure to select the correct property type from the list:
Optional: if required, you can define different parameters for the transformations. Details on the default transformation logic available by default can be found in the
setup guide.
Step 4. Run, schedule and monitor the provisioning jobs:
Once the configuration is completed, provisioning jobs are ready to run to get the users from the source system (Identity Authentication) and provision them to the target system (SAP Concur). The provisioning job be run manually or scheduled via
Identity Provisioning – Source Systems – select the respective source system –
Jobs:
Job logs can then be reviewed via
Identity Provisioning – Provisioning Logs:
Documentation:
Configure an SAP Concur Entity as an IdP Target (Concur guide)
Set up Concur as a target system for Identity Provisioning (SAP guide)
Setting up Identity Authentication as source system for Identity Provisioning