cancel
Showing results for 
Search instead for 
Did you mean: 
kolasolution
Occasional Member - Level 2

Support Request – SSO Authentication Expiry Notification

Dear Concur Support,

I recently logged into SAP Concur and saw the following message:

“SSO authentication to SAP Concur solutions will expire on April 22, 2025.”

Learn more

Could you confirm whether this relates to a certificate expiring on our side, or if it is an issue on Concur’s end? If any action is required from our side, please provide guidance on the next steps.

Looking forward to your response.

Best regards,
Kola Oguntade

8 REPLIES 8
KevinD
Community Manager
Community Manager

@kolasolution hello there. I feel I must let you know that this Community is not SAP Concur Support. Can you find answers to questions here? Yes, but myself and the team I'm on are not part of our Support Organization. 🙂 I just want to make sure anyone reading this thread knows the Community does not fall under SAP Concur Support. 

 

Now, having said that...I found an internal article about this topic. 

"

Before the current certificate expires on Apr 22, 2025, we would recommend the Authentication Admin to update the SAP Concur IDP configuration to reference the updated certificate. If users attempt to sign in to SAP Concur Solutions via SSO with an expired SAMLv2 security certificate, your Identity Provider (IdP) might reject the authentication, and those users might be denied access to SAP Concur Solutions.

You can retrieve the SAP Concur Metadata on the following links:

US2: https://us2.api.concursolutions.com/sso/saml2/V1/sp/metadata/dd71301e-dd79-4db5-bd29-55093a75755d

 

You can also download the metadata from within SAP Concur this way:

The other option is to download it from SAP Concur. You would need to have either the Company Administrator or the SSO Manager role to download the new certificate from SAP Concur. If you do not have the SSO Manager role but have the Role Administrator, you may follow the steps in the article What Is SSO Manager Role (Expense)? to add this to your profile. Once added, you may follow the below steps to download the new certificate.

  1. Go to Administration> Authentication Admin 
  2. Click Manage Single Sign-on
  3. In Get SAP Concur Metadata, click Download under Download SAP Concur Metadata
 

The other option is to download it from SAP Concur. You would need to have either the Company Administrator or the SSO Manager role to download the new certificate from SAP Concur. If you do not have the SSO Manager role but have the Role Administrator, you may follow the steps in the article What Is SSO Manager Role (Expense)? to add this to your profile. Once added, you may follow the below steps to download the new certificate.

  1. Go to Administration> Authentication Admin 
  2. Click Manage Single Sign-on
  3. In Get SAP Concur Metadata, click Download under Download SAP Concur Metadata
 

The other option is to download it from SAP Concur. You would need to have either the Company Administrator or the SSO Manager role to download the new certificate from SAP Concur. If you do not have the SSO Manager role but have the Role Administrator, you may follow the steps in the article What Is SSO Manager Role (Expense)? to add this to your profile. Once added, you may follow the below steps to download the new certificate.

  1. Go to Administration> Authentication Admin 
  2. Click Manage Single Sign-on
  3. In Get SAP Concur Metadata, click Download under Download SAP Concur Metadata
 

KevinD_3-1743188744829.png

 

 

 


Thank you,
Kevin
SAP Concur Community Manager
Did this response answer your question? Be sure to select “Accept as Solution” so your fellow community members can be helped by it as well.
onorio-neto
Occasional Member - Level 2

Hi Kevin, thanks for the valuable information, but I have a question. In the above article where you've said: "Before the current certificate expires on 22 April 2025, we recommend that the Authentication Admin updates the SAP Concur IDP configuration..." Was this a public communication to customers? Because I have not received anything about it, but another client has sent us an "email" informing them of this?

If so, if it is a public notification, could you share the original article and next question is: Are all clients affected by this SSO certificate update?

I'll be wating for your inputs,

Sincerely
Neto

@onorio-neto the communication is sent to Authorized Support Contacts (ASC). Since you are a certified partner, you wouldn't receive the notice unless one of your customers has a profile for you in their site and marks you as an ASC. 


Thank you,
Kevin
SAP Concur Community Manager
Did this response answer your question? Be sure to select “Accept as Solution” so your fellow community members can be helped by it as well.
onorio-neto
Occasional Member - Level 2

Ok, gotcha! but in relation to the shared communication - will this metadata update afect all customers or is this for some sort of specific SSO communication because it is weird that despite having several customers that have SSO enabled - we only received it from one customer!

I'll be waiting for your further comments,

 

sincerely

Neto

@onorio-neto from what I was told, all of our SSO customers should have received the communication. As for the update affecting all SSO customers, I don't believe that is the case. Just those using the SAMLv2 certificate. 


Thank you,
Kevin
SAP Concur Community Manager
Did this response answer your question? Be sure to select “Accept as Solution” so your fellow community members can be helped by it as well.
sbrannigan
Occasional Member - Level 1

You have to love SAP's verbiage ("...some clients might need to update..."), so helpful, and as others have stated SAP support is less than helpful.

KevinD
Community Manager
Community Manager

@sbrannigan Fair point, but we have thousands of customers using SSO and many of those use some other sort of authentication. We don't keep track, that I know of, all the different authentications our customers use so we send out a general email to all our customers using SSO. I think the idea is that IT departments would know whether it affects their company or not. 


Thank you,
Kevin
SAP Concur Community Manager
Did this response answer your question? Be sure to select “Accept as Solution” so your fellow community members can be helped by it as well.
sbrannigan
Occasional Member - Level 1

OK, but from what I have read when a customer signs into their instance there is a notification that the SSO certificate needs to be renewed, if applicable. In our case we received the email but not the notification when logging in. This aligns with our own review that we are not impacted. This behavior suggests that SAP does know which customers are impacted and a more targeted communication could have been sent. This make sense or am I missing something? Thanks.