> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a SAP Concur connector
> C1 provides identity governance and just-in-time provisioning for Concur. Integrate your Concur instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Roles | | |
The Concur connector supports [automatic account provisioning](/product/admin/account-provisioning). Go to [Configuring Concur account provisioning](/baton/concur#configuring-concur-account-provisioning) for more information.
This connector does not support account deprovisioning. You must deprovision accounts directly in Concur.
## Gather Concur credentials
Configuring the connector requires you to pass in credentials generated in Concur. Gather these credentials before you move on.
A user with Admin access in Concur must perform this task.
### Create a Concur app
In the Concur admin panel, navigate to the **OAuth 2.0 Application Management** page.
Click **+ Create New App**.
Give the new app a name, such as "C1 integration", and add a description.
In the **Grants/Scopes** area of the page, add the following:
Grants:
* `client_credentials`
* `refresh_token`
* `password`
Scopes:
* `USER`
* `openid`
* `identity.user.core.read`
* `identity.user.coresensitive.read`
* `identity.user.enterprise.read`
* `spend.user.general.read`
Also add these scopes to give C1 READ/WRITE (provisioning) access:
* `user.write`
* `user.provision.write`
* `identity.user.coreenterprise.writeonly`
* `identity.user.externalID.writeonly`
* `identity.user.emails.verified.writeonly`
* `identity.user.sap.writeonly`
* `emails.verified identity.user.externalID.writeonly`
* `spend.user.general.writeonly`
Click **Submit**. The system displays the new app's client ID and client secret.
Carefully copy and save the client ID and client secret.
Also make note of the app's `geolocation`, which is one of the following:
* [https://us2.api.concursolutions.com](https://us2.api.concursolutions.com)
* [https://us1.api.concursolutions.com](https://us1.api.concursolutions.com)
* [https://emea.api.concursolutions.com](https://emea.api.concursolutions.com)
* [https://cn.api.concursolutions.com](https://cn.api.concursolutions.com)
### Generate a refresh token
Follow the Concur documentation to [Create Tokens Required for Concur API Access](https://developers.sap.com/tutorials/concur-get-refresh-token..html) to generate a refresh token.
Carefully copy and save the refresh token.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Concur connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Concur credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Concur** and click **Add**.
Choose how to set up the new Concur connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Select your Concur geolocation from the **Base URL** list.
Paste your Concur client ID and secret into the **Client ID** and **Client Secret** fields.
Paste your refresh token into the **Refresh Token** field.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Concur connector is now pulling access data into C1.
**Follow these instructions to use the Concur connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
[Contact C1's support team](mailto:support@c1.ai) to download the latest version of the connector.
### Step 1: Set up a new Concur connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Concur connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Concur connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-concur-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-concur-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Concur-specific credentials
BATON_CONCUR_BASE_URL:
BATON_CONCUR_CLIENT_ID:
BATON_CONCUR_CLIENT_SECRET:
BATON_CONCUR_REFRESH_TOKEN:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-concur.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-concur
labels:
app: baton-concur
spec:
selector:
matchLabels:
app: baton-concur
template:
metadata:
labels:
app: baton-concur
baton: true
baton-app: concur
spec:
containers:
- name: baton-concur
image: ghcr.io/conductorone/baton-concur:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-concur
envFrom:
- secretRef:
name: baton-concur-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Concur connector to. Concur data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Concur connector is now pulling access data into C1.
## Configuring Concur account provisioning
Concur allows administrators to configure custom required fields for user accounts. The `baton-concur` connector dynamically selects which fields to include during account creation based on admin-defined rules.
Rules:
* Every property will generate a field in the account creation form with the default value.
* Array strings will represent options in a multi-select dropdown.
Here is a sample field configuration:
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
email: ""
displayname: ""
givenname: ""
familyname: ""
emails:
- email: ""
type: work
phones:
- value: 555-555-5555
type: work
roles:
- value:
- EXP_USER
- SHD_BUDGET_VIEWER
- SHD_CONFIG_ADMIN_RO
- REQ_APPROVER
entitlements:
- value:
- Expense
- Invoice
- Request
- Travel
employeenumber: "{{$timestamp}}_EmployeeNumber@{{email_domain}}"
department: Tour Operations
division: Theme Park
organization: Universal Studios
costcenter: CC01
locale: en-US
companyid: e5756608-5824-4ede-889c-e231245850ef
active: true
timezone: Asia/Karachi
preferredlanguage: de-DE
approvers:
- value: 90f836a5-ea9d-4fec-bcc0-0c621f946c58
ref: http://localhost:8061/100001
displayname: approver@plat2.com
employeenumber: approver@plat2.com
cashadvance:
- value: 90f836a5-ea9d-4fec-bcc0-0c621f946c58
ref: http://localhost:8061/100001
displayname: approver@plat2.com
employeenumber: approver@plat2.com
delegateexpense:
- canapprove: true
canprepare: true
canprepareforapproval: true
canreceiveapprovalemail: true
canreceiveemail: true
cansubmit: true
cansubmittravelrequest: true
canusebi: true
canviewreceipt: true
delegate:
employeenumber: approver@plat2.com
displayname: John Smith
value: 90f836a5-ea9d-4fec-bcc0-0c621f946c58
temporarydelegatation:
temporarydelegationfromdate: 2025-07-24T15:50:04.291096-04:00
temporarydelegationtodate: 2025-07-24T15:50:04.291096-04:00
sapuseruuid: TestSAPUUID_{{$timestamp}}
cashadvanceaccountcode: "1233"
testemployee: false
country: US
stateprovince: WA
ledgercode: DEFAULT
reimbursementcurrency: USD
reimbursementtype: CONCUR_PAY
budgetcountrycode: US
bimanager: 694924f4-3231-4a20-9fad-4ea2ca821f07
customfields:
- id: custom_field_1
value: Custom Value 1
- id: custom_field_2
value: Custom Value 2
```
### Skipping keys
To prevent a key from being included in the account creation form, add the key into the skip map option.
The following are all keys available to skip for the sample field configuration shown above:
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
delegateExpense[0]/canSubmit
cashAdvanceAccountCode
reimbursementType
displayName
emails[0]/type
preferredLanguage
delegateExpense[0]/canSubmitTravelRequest
country
stateProvince
ledgerCode
locale
companyID
approvers[0]/value
delegateExpense[0]/canReceiveApprovalEmail
delegateExpense[0]/canViewReceipt
delegateExpense[0]/delegate/employeeNumber
testEmployee
cashAdvance[0]/employeeNumber
givenName
familyName
entitlements[0]/value
active
timezone
delegateExpense[0]/canPrepare
delegateExpense[0]/canUseBi
email
phones[0]/value
approvers[0]/employeeNumber
delegateExpense[0]/canApprove
delegateExpense[0]/canReceiveEmail
sapUserUUID
reimbursementCurrency
customFields[0]/id
customFields[1]/id
emails[0]/email
division
delegateExpense[0]/temporaryDelegatation/temporaryDelegationFromDate
budgetCountryCode
roles[0]/value
department
cashAdvance[0]/displayName
biManager
customFields[0]/value
customFields[1]/value
organization
approvers[0]/displayName
cashAdvance[0]/value
cashAdvance[0]/ref
delegateExpense[0]/canPrepareForApproval
delegateExpense[0]/delegate/displayName
delegateExpense[0]/delegate/value
delegateExpense[0]/temporaryDelegatation/temporaryDelegationToDate
phones[0]/type
employeeNumber
costCenter
approvers[0]/ref
```