Hi Community!
I’ve been investigating SAP Concur authentication and want to confirm my understanding.
I am developing a service that provides SAP Concur customers with access to their expense data. Ideally, users would be able to authenticate using a standard OAuth flow with their SAP Concur credentials and automatically connect to their account, without requiring additional configuration on the customer’s Concur tenant. The developed service should fetch expense reports not only of the author, the user who was authenticated, but reports of other users - to be reviewed by the authenticated user ("approver"/"processor").
However, first of all, based on my current understanding, some level of tenant-side configuration or administrative approval may still be required. In the standard setup, OAuth applications are typically created within each customer’s tenant, which means each customer needs to configure the integration separately. This does not align well with a single global integration model on our side.
There seem to be two main approaches:
-
Partner application model — where a single OAuth client can be used across multiple customers, but this requires being registered as a Concur partner.
-
Company-level authentication — which allows backend/system-level access to company data and works better with a single integration architecture, but still requires per-customer setup.
Additionally, API access to data across multiple users appears to require elevated roles (such as administrative or web services roles). Regular users, even with roles like expense processor or reviewer, typically cannot retrieve other users’ data via API.
So overall:
-
Per-customer configuration seems unavoidable
-
Cross-user data access requires elevated privileges
-
There is a trade-off between scalability (partner model) and simplicity (company-level auth)
Could you confirm whether this understanding is correct, and whether there are recommended best practices for multi-tenant SaaS integrations?
Thanks,
Vitalii
