I have been a Technical Consultant at SAP Concur for some time and have worked with many clients to help them build interfaces between their systems and SAP Concur. One requirement I regularly see come up is the need to provision user data into Concur.

The Identity Provisioning service automates identity lifecycle processes and helps customers provision identities to various cloud and on-premise business applications.

In this blog post we focus on SAP and SAP Concur customers who can use the Identity Provisioning service in combination with the Identity Authentication service to manage user identities and to provision those identities into Concur.

Features:

  • Pre-configured or semi-automated trust configuration

  • Common identity for users

  • Unified way for user management


  • Concur Expense/Request/Travel/Invoice Module

  • Identity Provisioning and Identity Authentication tenants

Implementation Considerations:

  • Customer’s Identity Provisioning and Identity Authentication tenants must be already deployed

  • Users must be created and maintained in Identity Authentication

  • The data being sent to Concur for provisioning the profile is determined by the fields supported by the Concur API being used (Identity V4), therefore additional integrations (flat file, APIs) must be used in order to complete the full user profile – see Exclusions section

  • Customer must have a Web Services Administrator user in Concur in order to be able to generate the request token required for the authentication between Identity Provisioning and Concur


Exclusions:

The user profile data created is limited to the fields supported by the Concur API being used (Identity V4). The list of fields not supported includes, but is not limited to:

  • Expense/Request/Travel/Invoice roles

  • OrgUnits and Custom fields information

  • Approver assignment

  • User preferences

Detailed Walkthrough:

Step 1. Obtain the Company UUID and the Request Token from Concur:

Log into Concur using a user that has the Web Services Administrator permission. Once connected, navigate to Home – Administration – Authentication Admin and select the Company Request Token option:

In the App ID field enter the Identity Provisioning App ID you will find in the following setup guide and click Submit. Make sure to copy the Company UUID and the Company Request Token that appear on the screen:

Step 2. Create and configure the Source System:

Connect to your Identity Authentication / Identity Provisioning tenant and go to Identity Provisioning – Source Systems:

Click Add and fill in the Type as Identity Authentication, assign System Name of choice and Save:

Generate the certificate that will be used as authentication method between Identity Provisioning and Identity Authentication. Go to the newly created Source System and click Outbound Certificates – Generate – Download:

Add the system as an administrator by going to Users and Authorizations – Administrators – Add – System – assign a system admin Name and Save:

Once you save, the options to configure the authentication are displayed. Choose Certificate – Browse to search for the previously downloaded certificate and Save once the certificate is imported:


Configure the properties of the source system by going to Identity Provisioning – Source Systems – select the newly created system – click Properties – Edit:

Add the properties as described in the setup guide:

Optional: if required, you can define different parameters for the transformations. Details on the default transformation logic can be found in the setup guide.

Step 3. Create and configure the Target System:

Go to Identity Provisioning – Target Systems:

Click Add and fill in:

  • Type as SAP Concur

  • System Name of choice

  • In the Source Systems field select the newly created Source System

Click Save:

In the newly created Target System click on Properties – Edit – Add to define the properties as detailed in the setup guide. Once completed, click Save:

Important: Please note that there are two types of properties you can add, Standard and Credential, and most of the properties you will need to add are Standard. However, concur.authorization.code is a Credential property, so please make sure to select the correct property type from the list:

Optional: if required, you can define different parameters for the transformations. Details on the default transformation logic can be found in the setup guide.
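
A pre-flight check for the property-type note above, as an added example that is not part of the original post or of SAP's tooling: it reviews a hand-written list of target system properties and flags a secret such as concur.authorization.code that was entered as Standard instead of Credential. The record layout, the name heuristic for other secrets and the sample values are assumptions of this example.

```python
import re

# Property types offered when adding a property, as named in the walkthrough.
STANDARD, CREDENTIAL = "Standard", "Credential"

# The one property the page names as a credential, plus a name heuristic
# (an assumption of this example) for other secret-bearing properties.
KNOWN_CREDENTIALS = {"concur.authorization.code"}
SECRET_NAME = re.compile(r"(password|secret|token|authorization\.code|private.?key)", re.I)


def audit_properties(props):
    """Return a list of (property name, finding) pairs for one system.

    `props` is a list of {"name", "type", "value"} dicts: a hypothetical
    record of what was typed into the Properties editor, not an SAP format.
    """
    findings = []
    seen = set()
    for p in props:
        name, ptype, value = p["name"], p["type"], p.get("value", "")
        if name in seen:
            findings.append((name, "defined more than once"))
        seen.add(name)
        is_secret = name in KNOWN_CREDENTIALS or bool(SECRET_NAME.search(name))
        if is_secret and ptype != CREDENTIAL:
            findings.append((name, "secret stored as Standard; re-create it as Credential"))
        if is_secret and not value.strip():
            findings.append((name, "credential is empty"))
    for required in sorted(KNOWN_CREDENTIALS - seen):
        findings.append((required, "missing"))
    return findings


# Constructed sample input; names other than concur.authorization.code and
# all values are placeholders.
SAMPLE = [
    {"name": "example.standard.setting", "type": STANDARD, "value": "placeholder"},
    {"name": "concur.authorization.code", "type": STANDARD, "value": "PLACEHOLDER-REQUEST-TOKEN"},
]

if __name__ == "__main__":
    for name, finding in audit_properties(SAMPLE):
        print(f"{name}: {finding}")
```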

Step 4. Run, schedule and monitor the provisioning jobs:

Once the configuration is completed, provisioning jobs are ready to run to get the users from the source system (Identity Authentication) and provision them to the target system (SAP Concur). The provisioning job can be run manually or scheduled via Identity Provisioning – Source Systems – select the respective source system – Jobs:

Job logs can then be reviewed via Identity Provisioning – Provisioning Logs:



Configure an SAP Concur Entity as an IdP Target (Concur guide)

Set up Concur as a target system for Identity Provisioning (SAP guide)

Setting up Identity Authentication as source system for Identity Provisioning
1 Comment

Hello Iulia,

thank you for this very good walkthrough! 

The user provisioning works fine so far,
but one question regarding the write transformation remains. 

Can you tell how to specify the targetpath for concur targetsystem
if I want to create a User with the "EXP_APPROVER" Role already assigned?

According to the API Documentation of Concur
I tried 

"constant": "EXP_APPROVER",
"optional": true,
"targetPath": "$['urn:ietf:params:scim:schemas:extension:spend:2.0:Role']['roleName']"


"constant": "EXP_APPROVER",
"optional": true,
"targetPath": "$['urn:ietf:params:scim:schemas:extension:spend:2.0:Role']['roles']['roleName']"

However this does not do the trick and I get a schema error
Error":{"messages":[{"code":"BAD_INPUT","type":"error","schemaPath":"/urn:ietf:params:scim:schemas:extension:spend:2.0:Role","message":"Unsupported attribute"}

Can you tell how to define the target write transformation for assigning roles?

thank you very much,
best regards