PI REST Adapter – Connect to Concur
This blog is part of a collection of blog entries that shows architectural concepts and configuration of the SAP PI REST Adapter. We also added some sample scenarios to make it easier for you to understand how your scenario can be implemented using the PI REST Adapter.
If you haven’t done so far, best is to start with the very first blog PI Rest Adapter – Don’t be afraid within the blog series covering the concepts of the REST adapter. A complete list of all blog entries can be accessed from here PI REST Adapter – Blog Overview.
The current blog describes how to connect to Concur – SAP’s cloud solution for travel and expense management – via its REST API. I primarily focus here on how to authenticate to Concur’s applications. Basically, you need an access token which needs to be passed to the API in the request header. Here, Concur supports different OAuth 2.0 Authorization flows. For message exchange, the so called Native Flow is best suited. As of release 7.31 SP17 / 7.4 SP12, the REST adapter supports the configuration of the OAuth 2.0 Native Flow for Concur. Alternatively, if you are not on the latest SP, you can pass the access token in the http header by defining custom http header. This however needs at least 7.31 SP15 / 7.4 SP10, see also PI REST Adapter – Define custom http header elements. In this blog I will describe all options.
If you like to get familiar with Concur’s REST API, you can create your own developer sandbox at Concur Developer Center. There, you also find the API reference guide. If you sign up for a new sandbox, in the welcome page you get the consumer key, the consumer secret, and the access token of your account displayed. You need them to authenticate to your sandbox when calling the APIs. If you aren’t able to recall them, or you need to refresh them, you can navigate to Administration –> Company –> Web Services, and select Register Partner Application.
Here, you can either create a new Application Registration or modify the existing one. If you have chosen Modify, you can display the consumer key, and the consumer secret or create a new secret.
If you cannot recall the access token, you can request a new one using the Advanced Rest Client application in your Chrome browser by calling the token service of Concur, i.e., https://www.concursolutions.com/net2/oauth2/accesstoken.ashx. In the header, specify the consumer key (header element X-ConsumerKey), when prompted maintain user and password. In the response of the call, a new access token is provided as well as its expiration date. Usually, the access token is valid for one year.
In the following, let’s focus on the configuration of the receiver channel.
Configuring the REST receiver channel
You would like to access travel expenses from Concur. Create a new Integration Flow with receiver channel of type REST. Select the receiver channel, and switch to tab REST URL below tab Adapter-Specific. Maintain the URL Pattern, here https://www.concursolutions.com/api/v3.0/expense/quickexpenses.
As mentioned above, we do support different options for handling the access token in order to authenticate and authorize at Concur’s APIs:
Option 1: Provide access token via custom header
If you are not yet on release 7.31 SP17 / 7.4 SP12 but at least on 7.31 SP15 / 7.4 SP10, you only have one option which is maintaining the access token using the custom http header capability of the REST adapter. Once you request a new access token from Concur’s token service, it is usually valid for one year. This means, you need to ensure that you replace the access token before it expires. This is a manual process: Get a new access token by calling the token service via the Advanced Rest Client application in the Chrome browser as shown above for instance; Then, maintain the channel, and re-activate the same.
Maintain the receiver channel as follows. Switch to tab General below tab Adapter-Specific. Here, you don’t need to choose any authentication nor OAuth settings.
Switch to tab HTTP Headers, and add a new entry into the table with Header Name Authorization and Value Pattern OAuth <your access token>.
Option 2: Provide access token directly
If you are already on release 7.31 SP17 / 7.4 SP12 or above, you have the option to maintain the access token as part of the OAuth authorization settings. This more or less corresponds to option 1 in the sense that you need to maintain a valid access token. The same applies here with respect to the lifecycle of the access token and channel: you need to ensure to exchange the access token before it expires.
Maintain the receiver channel as follows. Switch to tab General below tab Adapter-Specific. Check flag Authorize with OAuth. From the drop down menus select the Flow OAuth 2.0 Native Flow for Concur and the Access Token Source Provide Access Token directly. As Access Token parameter maintain your valid access token.
Switch to tab HTTP Headers. As you can see, there is no need to maintain any custom http header, at least not for the authentication towards Concur.
Option 3: Get access token from Concur token service
If you are already on release 7.31 SP17 / 7.4 SP12 or above, the preferred option would be to get the access token from Concur’s token service. If you choose this option, the access token is automatically requested from the token service and stored on PI. As long as the access token is valid, it is used for authentication during the message exchange. Otherwise, a new access token is automatically requested replacing the expired one. Here, no manual activity is required for refreshing the access token.
Maintain the receiver channel as follows. Switch to tab General below tab Adapter-Specific. Check flag Authorize with OAuth. From the drop down menus select the Flow OAuth 2.0 Native Flow for Concur and the Access Token Source Get Access Token from Concur URL. The Access Token URL https://www.concursolutions.com/net2/oauth2/accesstoken.ashx is automatically pre-set. Maintain your Login ID and Password, and your Consumer Key. Like in option 2, no need to maintain any custom http header.
I hope this blog was helpful to understand how to authenticate to Concur’s REST API. If you like to learn more, check out the other blogs in the series, accessible from the main blog PI REST Adapter – Blog Overview.
Thank you for the detailed document.
we are on NW75SP03 . we have the following issue, please suggest.
From REST adapter dropdown list, the Concur Native Auth Flow for OAuthentication purposes is missing.
maybe you haven't updated the adapter meta data after the upgrade/update
Thanks for the quick reply. I believe you mean " BASIS CONTENT - sc~xi_cnt_sap_basis" which we updated already. please let me know what i am missing.
you need to upload the latest SAP BASIS SWCV to the ESR, you can do this either manually (the tpz file is somewhere hidden in the respective SCA) or you run the respective CTC template
Hi Team ,
we are using sap pi 7.31 version.
business scenario : we are consuming external rest web service. and header authentication fields are mandatory , but where i put header fields at rest adapter in sap pi 7.31 version .please any one guide me.
Did you get a response to your mail as I'm having the same issue.We are on Sap PI 7.3 and also have no header fields tab available.
we are consuming external web service by using java mapping concept .
note:without using receiver rest adapter channel .
Please help me to resolve below issue, I am trying to connect Salesforce to get the session id using REST Adapter. but getting below error while pinging the channel.
the REST Adapter configuration as below :
Have you completed Salesforce Integration with REST Adapter?
If itscompleted please help me. i have done with java coding to get session ID.
Hence i want know how to do in REST Adapter.
Hi AMS HP,
Were you able to resolve it? I'm facing the same issue.
We are on PI 7.31 SP14. Is it possible to integrate with Concur's APIs using REST adapter and authenticating via oAuth? As far as I could understand from your blog, it's only SP15 or later which facilitate the use of oAuth concept in REST adapter. I would really appreciate if you please confirm whether PI 7.31 SP14 is capable or not to integrate with Concur APIs via REST adapter and oAuth.
Thanks a lot.
Hi Alexander Bundschuh,
Is there any plan in future to come up other OAuth 2.0 flows for rest adapter to connect with SalesForce and MS Dynamic CRM? PI rest adapter does not provide great flexibility connecting to 3rd party cloud based tools having different authentications and grant types. We don't want to depend upon adapters provided by other vendors like Seeburger and advantco for these kind of Integration.
Right now only two kind of authorization flows is being supported by PI rest adapter i.e. SAML and Concur.
Nice blog. Thanks for sharing.
I've a requirement where I need to get the access token to connect to the REST service. Just wanted to know if I can use "Option 3" with "Access Token URL" other than the default specified i.e. "https://www.concursolutions.com/net2/oauth2/accesstoken.ashx"? Or is it fixed?
Hello @ Alexander Bundschuh
Your valuable thoughts on this please.
Thanks in advance!
We are in PO 7.5 SP 12. We followed option 2, (to connect to Concur).
It gives error message '403 Forbidden'.
(even for option 3 also, it gives the same error).
And we have heard from Concur team that there is no token valid like 1 year now.
Could you please clarify ?