Skip to Content
Product Information
Author's profile photo Mackenzie Moylan

Configuring Trust with IAS and SAP Ariba: Step by Step Instructions

One of the goals that SAP has for 2022 is to start enabling the Intelligent Enterprise and allow the various cloud applications to seamlessly interact with each other. A key component for this will be using SAP’s authorization tool, Identity Authentication Services (IAS).

For those who are new to the concept, this page will help provide an overview – Cloud Identity Services Community

This blog post is intended for Security/IT/Procurement admins who wish to start authenticating their user base with IAS. Ideally, this would benefit customers who use SAP Ariba in addition to other SAP cloud products and SAP ERPs. If you wish to enable new BTP services such as SAP Task Center and SAP Workzone, IAS will be a required building block for deployment.

The benefit of using IAS is that it centralizes the authentication process, and will allow you to authenticate users to different SAP cloud applications from one central tool.

I’ll provide the steps that you would need to take on the SAP Ariba and IAS sides to enable trust between the applications that will allow users to authenticate.

Configuring Trust from IAS

  1. First you would log into your IAS account, make sure you are assigned the necessary permissions to perform as an administratorIAS%20Dashboard
  2. Click on Applications & Resources and then go to Applications and click Create. From there you would enter the login link of your Ariba realm which includes the realm name. Note that in suite integrated Ariba configurations, you will want to start configuring trust on the Child site first.
  3. Go to Bundled Applications and then look for Ariba IAS, and click on SAML 2.0 Configuration.Bundled%20Application
  4. From here, you configure manually. The Assertion Consumer Service Endpoint is where you’ll be authenticating into. Typically formatted as https://<Ariba data center>/Buyer/Main/ad/samlAuth/SSOActions?<realm name>. This can be asked for when setting up the SAP Ariba portion via Service Request to SAP Ariba Technical Support.
  5. Configure the Single Logout Endpoint, for test purposes it can be
  6. Add the signing certificate from Ariba. This can be found manually by logging into SAP Ariba Buying and Invoicing and going to Integration Manager>End Point Configuration>Create>Select Outbound and your certificate will appear. Copy and save in a text file and then import into the Certificate section in IAS.SAML%202.0%20Configuration

Configuring Trust in SAP Ariba

  1. In your IAS tenant, go to Tenant Settings and select SAML 2.0 Configuration.
  2. Download the Metadata file.IAS%20Metadata
  3. Create an SR with SAP Ariba Technical Support and ask them to update/enable SSO for SAP Ariba Buying and Invoicing (child reams) and provide them with the Metadata file.
  4. Make sure your user names contain the same UniqueName as the users in IAS, they are by standard tracked by a PXXXXXX number.

If you need to configure this for you SAP Ariba Buyer Parent Realm, repeat the above mentioned steps and you’ll be authenticated for suite integrated realms.

From there, you have configured trust with IAS and SAP Ariba and will be able to use SSO and control user access and authorization from the IAS tool. To add users into the applications you need manage from IAS, you can import them manually using a cdv file underneath the Import Users tab in Users and Administration section. In later series I’ll discuss on how this can me automated.

For More Information:

IAS Security Features: IAS Security Features

IAS Operations Guide: IAS Operations Guide

IAS Overview Video: IAS Overview Video

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Shikha Ghodeshwar
      Shikha Ghodeshwar

      Hi Mackenzie,

      Very informative blog. Awaiting for your next blog for user data load automation on IAS. Are you going to take is from SuccessFactors  or Active directoty ?  Thanks

      Author's profile photo Mackenzie Moylan
      Mackenzie Moylan
      Blog Post Author

      Hi Shikha,


      Thanks! I will look into tackling that topic in the next few months. My next blog post will be about using the IPS tool with Ariba and IAS. My colleague Harjeet made this blog post on Active Directory:

      Let me know if that is helpful or if you're looking for other process information.

      Author's profile photo Bala Karthik
      Bala Karthik

      Hi Moylan,


      Awaiting your blog on Ariba User Provisioning through IPS tool.



      Bala Karthik R

      Author's profile photo Mackenzie Moylan
      Mackenzie Moylan
      Blog Post Author

      Hi Bala,

      Just got this published this morning on the IPS topic.

      I'll keep expanding on this topic throughout the year.

      Author's profile photo Shikha Ghodeshwar
      Shikha Ghodeshwar

      Hi Mackenzie,

      Thank you so much for your response.

      Actually I am looking for an integration from SuccessFactors to Ariba via IAS/IPS

      For SuccessFactors we already enabled IAS/IPS with corporate IDP set up  so all employee are already in IAS. Now I want to make connection from IAS/IPS to Ariba to avoid manual user data load on Ariba

      Author's profile photo Bala Karthik
      Bala Karthik

      We are also looking for a similar scenario. We are looking for automated user provisioning between IAS and IPS. All our user data are in IAS.

      Author's profile photo Mackenzie Moylan
      Mackenzie Moylan
      Blog Post Author

      Hi Shikha Ghodeshwar I would recommend to look into this - You would want to first set up a job to pull users from SuccessFactors into IAS. Then you can use IPS to provision users into Ariba from IAS. This would treat SuccessFactors as the user store and IAS as a proxy.

      Author's profile photo Daniel José Carpio Contreras
      Daniel José Carpio Contreras

      Hi Mackenzie Moylan

      Thank you for your blog, very helpful.

      I have 2 questions:

      First question, in my case I'm integrating IAS with Ariba Sourcing. What URL should I fill in the input "Name" which is located right before the title "Assertion Consumer Service Endpoint"??. Noticed that you didn't mentioned it anytime in the steps provided.

      The URL for Ariba Sourcing is something like this:

      Second question, what is the real URL we must fill for "Single Logout Endpoint"??

      Well, hope you can answer me.  Thanks in advance.

      Author's profile photo Mackenzie Moylan
      Mackenzie Moylan
      Blog Post Author

      Hi Daniel José Carpio Contreras ,

      You're welcome! For the first question, this would be the url to your Ariba realm name. So in your case for Ariba Sourcing. In your case it would be and you'd remove the -T for prod migration. The url can depend on which Data Center your Ariba realm is located.

      For the second question, it can be whatever url you wish to logout. I put google as just an example. If you have a site/landing page in mind I would advise testing it out and see how it operates, should just redirect you to wherever you want your endusers to go.

      Hopes this helps out!