Integrating SAP Ariba solutions with SAP Cloud Identity Access Governance
The SAP Cloud Identity Access Governance (IAG) solution is a cloud-based solution, built on the SAP Cloud Platform. Starting with Version 2005, IAG runs in SAP Cloud Platform Cloud Foundry Environments whereas previous versions are deployed in NEO Environments. IAG uses SAP NetWeaver APIs and the SAP Cloud Identity Services to fetch data from on-premise and cloud solutions and enables you to use specific services to create access requests, analyze risks, and design roles.
Establishing a central component responsible for access governance tasks significantly reduces administrative effort, gives a holistic assessment of potential authorization risks, and supports compliance with regulatory requirements. It also reduces the effort of maintaining role assignments in separate, dispersed applications.
Key Capabilities
You can connect IAG to various SAP and non-SAP cloud products as well as on-premise ABAP systems. I recommend you regularly check the official list of supported systems, as it is updated regularly. If your scenario is not on that list, then fear not, as the IAG roadmap might bring you good news.
Integration with Ariba Solutions
One of the supported scenarios is the integration with SAP Ariba. Let us take a closer look at which SAP Ariba modules this integration supports as of now and what other options you can use for the rest of them.
Standard integration
The integration between IAG and SAP Ariba solutions is based on the Master Data Native Interface (MDNI). This integration is currently available out of the box for the SAP Ariba Buying and SAP Ariba Buying and Invoicing solutions. Support for other SAP Ariba solutions is possible; this depends, however, on the synchronization options between the other SAP Ariba solutions and the SAP Ariba Buying instance.
If you want to know more about the technical flow of the standard integration on the Ariba side, I recommend you visit the second part of this blog, written by my colleague Soumya Prakash Mishra: Extending Cloud Integration of SAP IAG to SAP Ariba Strategic Sourcing Suite
Implementation steps
There are three main steps to perform when setting up the out-of-the-box connection:
SAP Cloud Platform destination creation for Ariba
On the SAP Cloud Platform side, navigate to the sub-account where IAG is deployed and create the destination that encapsulates the login details for your Ariba solution.
Note that an Ariba service request is necessary for this step: on one side, the MDNI activation needs to be performed, and on the other side, you need a user and credentials with MDNI service access in Ariba.
The technical communication between IAG and Ariba is based on SOAP API calls. IAG reads the users from Ariba via MDNI by accessing the fetchUsers and fetchGroups locations specified in the destination. IAG sends provisioning requests (user creation requests and authorization assignment operations) to SAP Ariba via MDNI at the location defined under uploadXMLUserData.
Defining the SAP Ariba System in IAG
Navigate to your IAG Cockpit and, in the Administration tab, search for the Systems tile to define your Ariba system. The exact name of the destination created in the previous step must be specified here.
Sync the SAP Ariba user and group information to IAG
Navigate to your IAG Cockpit and in the Administration tab search for the Job Scheduler tile. Run the repository sync job that triggers the reading of existing users and groups from Ariba. The result of the job will be visible in the Job History List.
Supported SAP Ariba solutions
[Update: Feb 2021: SAP has now released standard integration between IAG and Ariba Sourcing Suite as well. The below concept is still a valid approach for extensibility purposes.]
If your SAP Ariba Buying instance is connected (Suite Integrated) to the following modules, then the standard SAP IAG integration can be used:
- SAP Ariba Contracts
- SAP Ariba Sourcing
- SAP Ariba Supplier Information and Performance Management
- SAP Ariba Supplier Lifecycle and Performance
- SAP Ariba Supplier Risk
Technically, as of now (consult the SAP Ariba documentation for updates), the following Ariba solutions cannot be connected via this integration:
- SAP Ariba Commerce Automation
- SAP Ariba Catalog
- SAP Ariba Spot Buy Catalog
- SAP Ariba Discovery
- SAP Ariba Invoice Management
- SAP Ariba Payables
- SAP Ariba Discount Management
- SAP Ariba Supply Chain Collaboration
- SAP Ariba Spend Analysis
Extending the standard IAG – Ariba integration with the SAP Cloud Platform Integration (SAP CPI)
If your architecture includes SAP Ariba modules without an SAP Ariba Buying instance, one possibility is to establish the connection via SAP CPI. In this setup, CPI simulates the results of the fetchUsers, fetchGroups and uploadXMLUserData SOAP API calls.
This approach can be considered for the following SAP Ariba modules:
- SAP Ariba Contracts
- SAP Ariba Sourcing
- SAP Ariba Supplier Information and Performance Management
- SAP Ariba Supplier Lifecycle and Performance
One such scenario is the integration with SAP Ariba Sourcing when there is no connection to an existing SAP Ariba Buying module. From an IAG perspective, the implementation can leverage the existing IAG Ariba connector. Therefore, the only differences from the standard integration concern the destination creation:
- The URL will point to the CPI instance where the connection with Ariba is created.
- The user is the technical user with CPI access
- fetchUsers will be connected to the CPI endpoint for further processing
- fetchGroups will be connected to the CPI endpoint for further processing
- uploadXMLUserData will be connected to the CPI endpoint for further processing
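A pre-deployment check for the destination described above, covering both the standard and the CPI variant (added example, not code from the original post or from SAP). The key=value layout, the placeholder hosts and paths, and the rule that a location is either a path under URL or an absolute URL are assumptions; only the names fetchUsers, fetchGroups and uploadXMLUserData come from the article.

```python
from urllib.parse import urlsplit

# Operation names come from the article; everything else is an assumption.
OPERATIONS = ("fetchUsers", "fetchGroups", "uploadXMLUserData")

def parse_destination(text):
    """Parse key=value lines of a destination file; '#' lines are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_destination(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    base = urlsplit(props.get("URL", ""))
    if base.scheme != "https" or not base.hostname:
        findings.append("URL must be an absolute https:// address")
    if base.username or base.password:
        findings.append("URL embeds credentials; keep them in User/Password")
    if not props.get("User"):
        findings.append("User (technical user) is not set")
    for op in OPERATIONS:
        value = props.get(op, "")
        if not value:
            findings.append(f"{op} is missing")
            continue
        loc = urlsplit(value)
        # Assumption: a location is a path under URL or an absolute URL.
        if loc.scheme and loc.scheme != "https":
            findings.append(f"{op} does not use https")
        # A different host would receive the technical user's credentials.
        if loc.hostname and loc.hostname != base.hostname:
            findings.append(f"{op} points to {loc.hostname}, not {base.hostname}")
    return findings

# Constructed samples: hosts and paths are placeholders, not real endpoints.
GOOD = """\
URL=https://cpi.example.invalid
User=iag-technical-user
fetchUsers=/placeholder/fetchUsers
fetchGroups=/placeholder/fetchGroups
uploadXMLUserData=/placeholder/uploadXMLUserData
"""
BAD = GOOD.replace("URL=https:", "URL=http:").replace(
    "fetchGroups=/", "fetchGroups=https://other.example.invalid/")
print(audit_destination(parse_destination(BAD)))
```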
For a detailed view on the SAP CPI integration, I recommend you visit the follow-up post to this blog.
Hi Sonia,
We already integrated IAG with our ARIBA Solution (Buying) suite integrated with Sourcing. User provisioning and creation are working as expected. When the user tries to log in after changing the initial password, we get the error "User is not defined in any partition". We had a discussion with the ARIBA SAP team, and they are saying that for login "The Other User Info" also needs to be updated, which I do not see with IAG. Do you have any details on that?
Thanks,
Trinetra Bhushan
Very good point! I would like to see an update on that.
Best Regards,
I checked with SAP; they are not providing any solution for that. The out-of-the-box solution is through a CPI flow, for which we need licensing.
The situation you mention will happen in the scenario of an SAP Ariba MultiERP architecture (FPC Realm). Please feel free to take a look at my latest blog: SAP IAG Integration with SAP Ariba – MultiERP Architecture (FPC Realms) for information on how to handle this situation. Hope it helps.
I have gone through the blog. As you mentioned, "Intervene the interfacing between SAP IAG and SAP Ariba Buying Realms using a middleware"; the CPI flow does the same thing, but it's separate licensing. Do you have details on how to do it without CPI?
First of all, you should note that neither SAP IAG nor SAP Ariba has actually claimed that the FPC architecture is officially certified/supported by this integration (yet). Maybe in the future, but not so far.
Next, if you want to "extend" a cloud-to-cloud integration, there needs to be some mechanism for interfering with the standard available connectivity/interface. In that blog, I mentioned Integration Suite, but it can be another tool too.
I would not say to get an Integration Suite (CPI) license only for doing this, but find out the extensibility suite and integration suite use cases, which would go way beyond just this. And evaluate different pricing/licensing options to see which combination fits best for your organization. You can then choose a much better package, rather than just worrying about the license for only this integration extension.
Hope this helps.
Root cause and solution #1 by Ariba support:
User is not defined in any partition (ariba.com)
Another note: How can we determine which users are missing a partitioned user? (ariba.com)
Please follow the steps to perform when we create the user data:
Solution #2 - Creating Partitioned User from external file-upload without using Ariba website UI.
i.e. Using HTML Form post http request using POSTMAN or a program.
Step 1). Get Ariba ITK security authentication secret (Shared Secret) from Ariba Buying Portal--> Core Administration --> Integration Manager --> Integration Toolkit Security
Step 2). Create a CSV file named as UserConsolidated.csv with following columns and row data.
Step 3). ZIP the above CSV file named as UserConsolidated.zip
Step 4). Upload the ZIP file to Ariba using.
File upload POST request URL details-
Request URL https://[AribaHost]/Buyer/fileupload?realm=BuyingPartitionReam
Important HTML Form parameters:
Accept: */*
Content-Type: multipart/form-data
fullload: false
event: Import Batch Data
(Use the same exact value)
sharedsecret: <mention Here>
Sample HTML Form to test UserConsolidated.zip:
Change the form action URL.
This is ARIBA's explanation and does not enhance IAG in any way, as irrespective of the provisioning tool used, you have to set this up in the ARIBA system.