SCIM user provisioning with SAP Concur

Question

SCIM user provisioning with SAP Concur

Tim Nied 1

SAP Concur released a new UPS v4 (SCIM capable) API. Details can be found here: https://developer.concur.com/api-reference/user-provisioning/v4.user-provisioning.html. The goal is to simplify authentication and user provisioning for Azure AD customers with SAP Concur. It appears that the type of access token (JWT) created from Concur's side may cause some issues with creating the connection. Is there a workaround if the access token is in the JWT format? Thank you in advance for your help.

Authentication is outlined here:
https://developer.concur.com/api-reference/authentication/apidoc.html

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-12-05T09:14:43.577+00:00

Hi @Tim Nied ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta
Tim Nied 1 Reputation point

2022-12-06T14:56:54.023+00:00

I've asked the customer to join this thread to help work through the issues. I'll circle back once I learn more about his testing/development. I appreciate your help.

1 answer

Your answer

Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2022-12-05T09:14:43.577+00:00

Hi @Tim Nied ,

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta
Tim Nied 1 Reputation point

2022-12-06T14:56:54.023+00:00

I've asked the customer to join this thread to help work through the issues. I'll circle back once I learn more about his testing/development. I appreciate your help.

Answer 1

Danny Zollner 10,801 Microsoft Employee Moderator

Could you elaborate on why you think the JWT type of token causes issues with provisioning, and what those issues are? AAD Provisioning can utilize JWT bearer tokens. Looking at the authentication/authorization documentation you provided, it confirms that they expect the access token to be provided in the Authorization header as bearer XYZ, which should work fine with AAD Provisioning.

Tim Nied 1 Reputation point

2022-11-30T16:06:13.523+00:00

The main issue our customer is using the built-in Provisioning menu in a standard enterprise app in Azure AD.

Since he can’t get a token from a web interface, if he retrieves a token manually from Concur's auth provider, does he only need to plug the bearer token into the Secret Token field in the enterprise apps interface screenshot below? Can he use that token/secret permanently, or does he need to retrieve a new token regularly?
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2022-11-30T16:36:46.227+00:00

Knowledge of the mechanics of the token issued by Concur will have to be obtained from SAP. Our provisioning service will place that token in the Authorization header, but can't manage renewal or anything like that as right now only long-lived bearer tokens are supported and more complex mechanics require some form of OAuth 2.0 for non-gallery apps (We're working on it - coming soon!)

It's worth noting that if you are using the SAP Concur gallery application, that uses a non-SCIM API and has become irreparably broken. We're in the process of removing the broken provisioning integration - I'm not sure if we'll be immediately replacing it with a new connector to go to their SCIM APIs or just disabling provisioning temporarily on it to stop folks from banging their heads on it. If they do in fact have a functioning SCIM API, I'd suggest using the custom non-gallery application option for now as that will provide access to our generic SCIM connector and you can plug in the URL and a bearer token there.

(The above is mentioned here: https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/concur-provisioning-tutorial)
JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2022-12-02T18:39:22.2+00:00

@Tim Nied
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Tim Nied 1 Reputation point

2022-12-05T14:03:35.197+00:00

I've asked our client to chime in to this conversation to update if the recommendations have helped. I'll keep you posted once I hear more. Thank you for your help.

Share via

SCIM user provisioning with SAP Concur

1 answer

Your answer