Skip to Content
Technical Articles
Author's profile photo Sonia Petrescu

Integrating SAP Ariba solutions with SAP Cloud Identity Access Governance

The SAP Cloud Identity Access Governance (IAG) solution is a cloud-based solution, built on the SAP Cloud Platform. Starting with Version 2005, IAG runs in SAP Cloud Platform Cloud Foundry Environments whereas previous versions are deployed in NEO Environments. IAG uses SAP NetWeaver APIs and the SAP Cloud Identity Services to fetch data from on-premise and cloud solutions and enables you to use specific services to create access requests, analyze risks, and design roles.

By establishing a central component responsible for access governance tasks a significant reduction of administrative effort, a holistic judgement of potential authorization risks and the compliance to regulatory requirements can be achieved. Additionally, the effort to maintain role assignments in separate disperse applications is reduced.


Key Capabilities


You can connect IAG to various SAP and non-SAP Cloud Products as well as on premise ABAP systems. I recommend you check regularly the official list of supported systems as the list gets updated regularly. If your scenario is not on the above list, than fear not as the IAG roadmap might give you a good news.

Integration with Ariba Solutions

One of the supported scenarios is the integration to SAP Ariba. Let us have a closer look at what are the supported SAP Ariba Modules for this integration as of now and what other options can you use for the rest of them.

Standard integration

The integration between IAG and SAP Ariba solutions is based on the Master Data Native Interface (MDNI). This integration is currently available out of the box for the SAP Ariba Buying and SAP  Ariba Buying and Invoicing solution. Support for other SAP Ariba solutions is possible; this depends, however, on the synchronization options between the other SAP Ariba solutions and the SAP Ariba Buying instance.

If you want to know more about the standard integration technical flow on Ariba side, I recommend you visit the second part of this blog, written by my colleague Soumya Prakash Mishra  – Extending Cloud Integration of SAP IAG to SAP Ariba Strategic Sourcing Suite

Implementation steps

There are three main steps that have to be performed for setting up the out of the box connection :

SAP Cloud Platform destination creation for Ariba

On the SAP Cloud Platform side navigate to the sub-account where IAG in deployed and create the destination that encapsulated the log in details for your Ariba solution.

Note that an Ariba service request will be necessary for this step as on one side, the MDNI activation needs to be performed and on the other side, you will need a user and credentials with MDNI service access in Ariba.

The technical communication between IAG and Ariba is based on SOAP API calls. IAG reads the users from Ariba via MDNI by accessing the fetchUsers and fetchGroups locations specified in the destination. IAG sends via MDNI provisioning requests (users creation request/authorization assignment operations ) to SAP Ariba  at the location defined under uploadXMLUserData. 

Defining the SAP Ariba System in IAG

Navigate to your IAG Cockpit and in the Administration tab search for the Systems tile to define your Ariba sytem.  The exact name of the destination created at the previous step must be specified here.

Sync the SAP Ariba user and group information to IAG

Navigate to your IAG Cockpit and in the Administration tab search for the Job Scheduler tile.  Run the repository sync job that triggers the reading of existing users and groups from Ariba. The result of the job will be visible in the Job History List.

Supported SAP Ariba solutions

[Update: Feb 2021: SAP has now released standard integration between IAG and Ariba Sourcing Suite as well. The below concept is still a valid approach for extensibility purposes.] 

If your SAP Ariba Buying instance is in a connection (Suite Integrated) to the following modules, than the standard SAP IAG integration can be used :

  • SAP Ariba Contracts
  • SAP Ariba Sourcing
  • SAP Ariba Supplier Information and Performance Management
  • SAP Ariba Supplier Lifecycle and Performance
  • SAP Ariba Supplier Risk


Technically, as of now (consult the SAP Ariba documentation for updates), the following Ariba solutions cannot be connected via this integration :

  • SAP Ariba Commerce Automation
  • SAP Ariba Catalog
  • SAP Ariba Spot Buy Catalog
  • SAP Ariba Discovery
  • SAP Ariba Invoice Management
  • SAP Ariba Payables
  • SAP Ariba Discount Management
  • SAP Ariba Supply Chain Collaboration
  • SAP Ariba Spend Analysis

Extending the standard IAG – Ariba integration with the SAP Cloud Platform Integration (SAP CPI)

If your architecture includes SAP Ariba modules without a SAP Ariba Buying instance one possibility is to perform the connection via SAP CPI. In this way CPI will simulate the fetchUsers, fetchGroups and uploadXMLUserData  SOAP API calls results.

This approach can be considered for the following SAP Ariba Modules :

  • SAP Ariba Contracts
  • SAP Ariba Sourcing
  • SAP Ariba Supplier Information and Performance Management
  • SAP Ariba Supplier Lifecycle and Performance

One such scenario is the integration to SAP Ariba Sourcing when there is no connection to an existing SAP Ariba Buying module. From an IAG perspective, the implementation can leverage the existing IAG Ariba connector. Therefore the only differences to the standard integration will be in regards to the destination creation.

  • The URL will point to the CPI instance where the connection with Ariba is created.
  • The user is the technical user with CPI access
  • fetchUsers will be connected to the CPI endpoint for further processing
  • fetchGroups will be connected to the CPI endpoint for further processing
  • uploadXMLUserData  will be connected to the CPI endpoint for further processing



For a detailed view on the SAP CPI integration, I recommend you visit the follow-up post to this blog.




Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan

      Hi Sonia,

      We already integrated the IAG with our ARIBA Solution (Buying) suite integrated with Sourcing. The user Provision and creation is working as expected. When the user tries to login after changing the initial password we get the error "User is not defined in any partition". We had a discussion with ARIBA SAP team and they are saying for login "The Other User Info" also needs to be updated which I do not see with IAG. Do you have any details on that?


      Trinetra Bhushan