Skip to Content
Technical Articles
Author's profile photo Sonia Petrescu
Sonia Petrescu
November 5, 2020 4 minute read

Integrating SAP Ariba solutions with SAP Cloud Identity Access Governance

The SAP Cloud Identity Access Governance (IAG) solution is a cloud-based solution, built on the SAP Cloud Platform. Starting with Version 2005, IAG runs in SAP Cloud Platform Cloud Foundry Environments whereas previous versions are deployed in NEO Environments. IAG uses SAP NetWeaver APIs and the SAP Cloud Identity Services to fetch data from on-premise and cloud solutions and enables you to use specific services to create access requests, analyze risks, and design roles.

By establishing a central component responsible for access governance tasks a significant reduction of administrative effort, a holistic judgement of potential authorization risks and the compliance to regulatory requirements can be achieved. Additionally, the effort to maintain role assignments in separate disperse applications is reduced.

Key%20Capabilities

Key Capabilities

 

You can connect IAG to various SAP and non-SAP Cloud Products as well as on premise ABAP systems. I recommend you check regularly the official list of supported systems as the list gets updated regularly. If your scenario is not on the above list, than fear not as the IAG roadmap might give you a good news.

Integration with Ariba Solutions

One of the supported scenarios is the integration to SAP Ariba. Let us have a closer look at what are the supported SAP Ariba Modules for this integration as of now and what other options can you use for the rest of them.

Standard integration

The integration between IAG and SAP Ariba solutions is based on the Master Data Native Interface (MDNI). This integration is currently available out of the box for the SAP Ariba Buying and SAP  Ariba Buying and Invoicing solution. Support for other SAP Ariba solutions is possible; this depends, however, on the synchronization options between the other SAP Ariba solutions and the SAP Ariba Buying instance.

If you want to know more about the standard integration technical flow on Ariba side, I recommend you visit the second part of this blog, written by my colleague Soumya Prakash Mishra  – Extending Cloud Integration of SAP IAG to SAP Ariba Strategic Sourcing Suite

Implementation steps

There are three main steps that have to be performed for setting up the out of the box connection :

SAP Cloud Platform destination creation for Ariba

On the SAP Cloud Platform side navigate to the sub-account where IAG in deployed and create the destination that encapsulated the log in details for your Ariba solution.

Note that an Ariba service request will be necessary for this step as on one side, the MDNI activation needs to be performed and on the other side, you will need a user and credentials with MDNI service access in Ariba.

The technical communication between IAG and Ariba is based on SOAP API calls. IAG reads the users from Ariba via MDNI by accessing the fetchUsers and fetchGroups locations specified in the destination. IAG sends via MDNI provisioning requests (users creation request/authorization assignment operations ) to SAP Ariba  at the location defined under uploadXMLUserData. 

Defining the SAP Ariba System in IAG

Navigate to your IAG Cockpit and in the Administration tab search for the Systems tile to define your Ariba sytem.  The exact name of the destination created at the previous step must be specified here.

Sync the SAP Ariba user and group information to IAG

Navigate to your IAG Cockpit and in the Administration tab search for the Job Scheduler tile.  Run the repository sync job that triggers the reading of existing users and groups from Ariba. The result of the job will be visible in the Job History List.

Supported SAP Ariba solutions

[Update: Feb 2021: SAP has now released standard integration between IAG and Ariba Sourcing Suite as well. The below concept is still a valid approach for extensibility purposes.] 

If your SAP Ariba Buying instance is in a connection (Suite Integrated) to the following modules, than the standard SAP IAG integration can be used :

  • SAP Ariba Contracts
  • SAP Ariba Sourcing
  • SAP Ariba Supplier Information and Performance Management
  • SAP Ariba Supplier Lifecycle and Performance
  • SAP Ariba Supplier Risk

 

Technically, as of now (consult the SAP Ariba documentation for updates), the following Ariba solutions cannot be connected via this integration :

  • SAP Ariba Commerce Automation
  • SAP Ariba Catalog
  • SAP Ariba Spot Buy Catalog
  • SAP Ariba Discovery
  • SAP Ariba Invoice Management
  • SAP Ariba Payables
  • SAP Ariba Discount Management
  • SAP Ariba Supply Chain Collaboration
  • SAP Ariba Spend Analysis

Extending the standard IAG – Ariba integration with the SAP Cloud Platform Integration (SAP CPI)

If your architecture includes SAP Ariba modules without a SAP Ariba Buying instance one possibility is to perform the connection via SAP CPI. In this way CPI will simulate the fetchUsers, fetchGroups and uploadXMLUserData  SOAP API calls results.

This approach can be considered for the following SAP Ariba Modules :

  • SAP Ariba Contracts
  • SAP Ariba Sourcing
  • SAP Ariba Supplier Information and Performance Management
  • SAP Ariba Supplier Lifecycle and Performance

One such scenario is the integration to SAP Ariba Sourcing when there is no connection to an existing SAP Ariba Buying module. From an IAG perspective, the implementation can leverage the existing IAG Ariba connector. Therefore the only differences to the standard integration will be in regards to the destination creation.

  • The URL will point to the CPI instance where the connection with Ariba is created.
  • The user is the technical user with CPI access
  • fetchUsers will be connected to the CPI endpoint for further processing
  • fetchGroups will be connected to the CPI endpoint for further processing
  • uploadXMLUserData  will be connected to the CPI endpoint for further processing

 

 

For a detailed view on the SAP CPI integration, I recommend you visit the follow-up post to this blog.

 

 

 

Assigned Tags

      8 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan

      Hi Sonia,

      We already integrated the IAG with our ARIBA Solution (Buying) suite integrated with Sourcing. The user Provision and creation is working as expected. When the user tries to login after changing the initial password we get the error "User is not defined in any partition". We had a discussion with ARIBA SAP team and they are saying for login "The Other User Info" also needs to be updated which I do not see with IAG. Do you have any details on that?

      Thanks,

      Trinetra Bhushan

      Author's profile photo Dimitrios Pantouveris
      Dimitrios Pantouveris

      Very good point! I would like to see an update on that.

       

      Best Regards,

      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan

      I checked with SAP they are not providing any solution for that. Out of the Box solution is through CPI flow for which we need licensing.

      Author's profile photo Soumya Prakash Mishra
      Soumya Prakash Mishra

      This situation mentioned by you will happen on scenario of SAP Ariba MultipERP Architecture (FPC Realm). Please feel free to take a look at my latest blog: SAP IAG Integration with SAP Ariba – MultiERP Architecture (FPC Realms) for information regarding how to handle this situation. Hope it helps

      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan

      I have gone through the blog as you mentioned "Intervene the interfacing between SAP IAG and SAP Ariba Buying Realms using a middleware" the CPI flow do the same thing but its separate licensing. Do you have details on how to do it without CPI?

      Author's profile photo Soumya Prakash Mishra
      Soumya Prakash Mishra

      First of all, you should note that - Neither SAP IAG not SAP Ariba actually claimed that FPC architecture is officially certified/supported by this integration (yet). May be in the future - but not so far

      Next, if you want to "Extend" an cloud to cloud integration, there needs to be some mechanism of interfering with the standard available connectivity/interface. in that blog, i mentioned Integration suite, but it can be another tool too.

      I would not say to get Integration Suite (CPI) license only for doing this, but find out the extensibility suite and integration suite use cases - which would be way beyond just this. And evaluate different pricing/licensing options on which combination fits best for your organization. you can then chose a much better package, than just worrying about license for only this integration extension.

      Hope this helps.

      Author's profile photo Manoj Suppahiya
      Manoj Suppahiya

      Root cause and solution #1 by Ariba support :

      User is not defined in any partition (ariba.com)

      Another Note- How can we determine which users are missing a partitioned user? (ariba.com)

       

      Please follow the steps to perform when we create the user data:

      1. User (let’s say User1) who has access only to Sourcing/Parent site and no access to the child :
        1. load the UserConsolidated.csv with ImportCtrl=Both in the parent.
        2. There is no need to load the User1 using UserConsolidated.csv file in child site at all.
        3. Step 1.a will create a Shared user and Partition user for user User1 at the parent.
        4. User1 shared user information will replicate down to the child site however lack or Partition User will restrict access for User1 into the child site.
        5. Even if the user tries to access the child site then one should get an error.

       

      1. User (let’s say USER2) who has access to child site and no access to the sourcing/Parent
        1. load the UserConsolidated.csv with ImportCtrl=Shared in the parent.
        2. There is a need to load the USER2 using UserConsolidated.csv file in the child with ImportCtrl=Partition
        3. Step 1.a will create a Shared user and no Partition user for user USER2 at the parent.
        4. USER2’s shared user information will replicate down to the child site and now since we have Partition User information loaded for USER2 into the child site that means user USER2 will be able to access the child site.
        5. However, if the user tries to access parent site then one should get an error .

       

      1. User (let’s say USER3) who has access to child site and access to the sourcing/Parent site
        1. load the UserConsolidated.csv with ImportCtrl=Both in the parent.
        2. There is a need to load the USER3using UserConsolidated.csv file in child with ImportCtrl=Partition
        3. Step 1.a will create a Shared user and Partition user for user USER3 at the parent and hence the access to the parent site is granted.
        4. USER3's shared user information will replicate down to the child site and now since we have Partition User information loaded for USER3 into the child site that means user USER3 will be able to access the child site as well

       

      Solution #2 - Creating Partitioned User from external file-upload without using Ariba website UI.

      i.e. Using HTML Form post http request using POSTMAN or a program.

      Step 1). Get Ariba ITK security authentication secret (Shared Secret) from Ariba Buying Portal--> Core Administration --> Integration Manager --> Integration Toolkit Security

      Step 2). Create a CSV file named as UserConsolidated.csv with following columns and row data.

       

      Step 3). ZIP the above CSV file named as UserConsolidated.zip

       

      Step 4). Upload the ZIP file to Ariba using.

       

      File upload POST request URL details- 

      Request URL https://[AribaHost]/Buyer/fileupload?realm=BuyingPartitionReam

      Important HTML Form parameters:

      Accept: */*

      Content-Type: multipart/form-data

      fullload: false

      event: Import Batch Data

      (Use the same exact value)

      sharedsecret: <mention Here>

       

      Sample HTML Form to test UserConsolidated.zip:

      Change the from action URL.

      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
    <meta http-equiv="content-type" content="text/html;charset=ISO-8859-1">
    <title>Direct access - File upload</title>
</head>
<body>
<h1>Direct access - File upload</h1>
<form method="post"
enctype="multipart/form-data"
action="https://s1.cloud.ariba.com/Buyer/fileupload?realm=XXXXXXXXXXXX">
Event: <input type="text" name="event" value="Import Batch Data"><br>
<input type="radio" name="fullload" value="true">Full Load<br>
<input type="radio" name="fullload" value="false" checked>Incremental<br>
Password: <input type="password" name="sharedsecret" value="AribaItk#1"><br>
Client Type: <input type="text" name="clienttype" value="Firefox"><br>
Client Info: <input type="text" name="clientinfo" value="Master Data Upload Form"><br>
Client Version: <input type="text" name="clientversion" value="1.0"><br>
File: <input type="file" name="content"><br>
<input type=submit value="Submit Post">
</form>
</body>
</html>
      Author's profile photo Trinetra Bhushan
      Trinetra Bhushan

      This is ARIBA explanation and not enhancing IAG in anyways as irrespective of Provisioning tool used you have to set this up in ARIBA system.