Product Information
Configuring Trust with IAS and SAP Ariba: Step by Step Instructions
One of the goals that SAP has for 2022 is to start enabling the Intelligent Enterprise and allow the various cloud applications to seamlessly interact with each other. A key component for this will be using SAP’s authorization tool, Identity Authentication Services (IAS).
For those who are new to the concept, this page will help provide an overview – Cloud Identity Services Community
This blog post is intended for Security/IT/Procurement admins who wish to start authenticating their user base with IAS. Ideally, this would benefit customers who use SAP Ariba in addition to other SAP cloud products and SAP ERPs. If you wish to enable new BTP services such as SAP Task Center and SAP Workzone, IAS will be a required building block for deployment.
The benefit of using IAS is that it centralizes the authentication process, and will allow you to authenticate users to different SAP cloud applications from one central tool.
I’ll provide the steps that you would need to take on the SAP Ariba and IAS sides to enable trust between the applications that will allow users to authenticate.
Configuring Trust from IAS
- First you would log into your IAS account, make sure you are assigned the necessary permissions to perform as an administrator
- Click on Applications & Resources and then go to Applications and click Create. From there you would enter the login link of your Ariba realm which includes the realm name. Note that in suite integrated Ariba configurations, you will want to start configuring trust on the Child site first.
- Go to Bundled Applications and then look for Ariba IAS, and click on SAML 2.0 Configuration.
- From here, you configure manually. The Assertion Consumer Service Endpoint is where you’ll be authenticating into. Typically formatted as https://<Ariba data center>/Buyer/Main/ad/samlAuth/SSOActions?<realm name>. This can be asked for when setting up the SAP Ariba portion via Service Request to SAP Ariba Technical Support.
- Configure the Single Logout Endpoint, for test purposes it can be https://www.google.com
- Add the signing certificate from Ariba. This can be found manually by logging into SAP Ariba Buying and Invoicing and going to Integration Manager>End Point Configuration>Create>Select Outbound and your certificate will appear. Copy and save in a text file and then import into the Certificate section in IAS.
Configuring Trust in SAP Ariba
- In your IAS tenant, go to Tenant Settings and select SAML 2.0 Configuration.
- Download the Metadata file.
- Create an SR with SAP Ariba Technical Support and ask them to update/enable SSO for SAP Ariba Buying and Invoicing (child reams) and provide them with the Metadata file.
- Make sure your user names contain the same UniqueName as the users in IAS, they are by standard tracked by a PXXXXXX number.
If you need to configure this for you SAP Ariba Buyer Parent Realm, repeat the above mentioned steps and you’ll be authenticated for suite integrated realms.
From there, you have configured trust with IAS and SAP Ariba and will be able to use SSO and control user access and authorization from the IAS tool. To add users into the applications you need manage from IAS, you can import them manually using a cdv file underneath the Import Users tab in Users and Administration section. In later series I’ll discuss on how this can me automated.
For More Information:
IAS Security Features: IAS Security Features
IAS Operations Guide: IAS Operations Guide
IAS Overview Video: IAS Overview Video
Hi Mackenzie,
Very informative blog. Awaiting for your next blog for user data load automation on IAS. Are you going to take is from SuccessFactors or Active directoty ? Thanks
Hi Shikha,
Thanks! I will look into tackling that topic in the next few months. My next blog post will be about using the IPS tool with Ariba and IAS. My colleague Harjeet made this blog post on Active Directory:
https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/
Let me know if that is helpful or if you're looking for other process information.
Hi Moylan,
Awaiting your blog on Ariba User Provisioning through IPS tool.
Thanks,
Bala Karthik R
Hi Bala,
Just got this published this morning on the IPS topic. https://blogs.sap.com/2022/03/29/provisioning-users-into-sap-ariba-using-sap-ias-ips/
I'll keep expanding on this topic throughout the year.
Hi Mackenzie,
Thank you so much for your response.
Actually I am looking for an integration from SuccessFactors to Ariba via IAS/IPS
For SuccessFactors we already enabled IAS/IPS with corporate IDP set up so all employee are already in IAS. Now I want to make connection from IAS/IPS to Ariba to avoid manual user data load on Ariba
We are also looking for a similar scenario. We are looking for automated user provisioning between IAS and IPS. All our user data are in IAS.
Hi Shikha Ghodeshwar I would recommend to look into this - https://blogs.sap.com/2021/03/28/ias-integration-with-sap-successfactors-application-1/ You would want to first set up a job to pull users from SuccessFactors into IAS. Then you can use IPS to provision users into Ariba from IAS. This would treat SuccessFactors as the user store and IAS as a proxy.
Hi Mackenzie Moylan
Thank you for your blog, very helpful.
I have 2 questions:
First question, in my case I'm integrating IAS with Ariba Sourcing. What URL should I fill in the input "Name" which is located right before the title "Assertion Consumer Service Endpoint"??. Noticed that you didn't mentioned it anytime in the steps provided.
The URL for Ariba Sourcing is something like this: https://s3.ariba.com/Sourcing/Main?realm=Antamina-T&passwordadapter=ThirdPartyUser
Second question, what is the real URL we must fill for "Single Logout Endpoint"??
Well, hope you can answer me. Thanks in advance.
Hi Daniel José Carpio Contreras ,
You're welcome! For the first question, this would be the url to your Ariba realm name. So in your case for Ariba Sourcing. In your case it would be http://realmname-T.sourcing3.ariba.com and you'd remove the -T for prod migration. The url can depend on which Data Center your Ariba realm is located.
For the second question, it can be whatever url you wish to logout. I put google as just an example. If you have a site/landing page in mind I would advise testing it out and see how it operates, should just redirect you to wherever you want your endusers to go.
Hopes this helps out!
Dear Mackenzie Moylan,
can you please clarify for which SAP Ariba products this configuration can be applied? We are currently implementing the Ariba Network and Ariba Sourcing. Is there a similar configuration with them? So can we use IPS to provision the corporate users to Ariba Network and Ariba Sourcing? And then can be use IAS to have SSO to Ariba Network and Ariba Sourcing?
Best Regards
Gregor
Hi Gregor Wolf ,
I used Ariba Buying for this implementation. Ariba Sourcing should follow a similar configuration. Depends on the Ariba customer's realm configuration. If they are suite integrated and using Ariba Buying and Ariba Sourcing, then they would need to setup trust with IAS for both products, and then run the IPS job targeting the parent realm. That way they exist in all products and then can be assigned the proper groups/data they need. If it's not suite integrated, then target the specific products.
For Ariba Network, it will be a different process. It will need to be work with Ariba Network support since the Ariba Network is built differently, but you should be able to use IAS for SSO.
Regards,
Mac
Hi Mac,
thank you for the quick reply. So there is still hope that we can get SSO for both products. But can you still answer one open topic if Ariba Network does support the User Provisioning using IPS?
Best Regards
Gregor
Hi Gregor,
You're welcome! User Provisioning with IPS is currently not supported for Ariba Network, currently no firm details one when that will be supported. Also found that the SCIM API for Ariba that is used with IPS is only supported for SAP Task Center Enablement.
Regards,
Mac
Hi Mac,
thank you. Do you have any details on the topic of "IPS is only supported for SAP Task Center Enablement"? Does that mean that users still needed to be created manually but the User UUID (which is required by SAP Task Center) is then updated using IPS?
Best Regards
Gregor
Hi Gregor,
I have this support note - https://launchpad.support.sap.com/#/notes/3228340. Users would have imported/managed via master data integration it looks like. So unless the customer is planning to use SAP Task Center, you might need to revisit the IPS approach.
Regards,
Mac
Thanks Mackenzie Moylan for your blog, it is the best documentation I found for this subject so far, I will sooner integrate SAP Task Center with SAP Ariba Sourcing, so your blog will be very handy!
Regards
Mauricio
Nice Blog Mackenzie Moylan, thanks for share!
I have some questions if you allow me:
Is it possible from SAP Ariba that we can configure two different IdP providers to do the SSO (IdP-Initiated)?
In other words, we now have a SAML federation with Ariba to do SSO through an IdP to Sourcing. Now I would like to add SAP IAS as a new IdP on Ariba but without Ariba having to undo the current configuration, so that both federations continue working (for some time), just like we did with SAP Concur.
Is this possible to do that with Ariba?
Thanks,
Kind regards.
Sebastián.
Hi Mackenzie Moylan
many thanks for your blog and time. I'm working in a trust integration between Ariba and the Identity Service. We exchanged and uploaded the metadata, without other configurations. Now I'm redirected to the Ariba page with the "User doesn't exist" message. The funny thing is that the login is not done.
Now SAP, in the service request, says that the problem is on our side because we are not sending the NameID and says that we have to modify the configuration in the Identity Service. I'm pretty sure that there is no configuration to modify on our side but nevertheless, based on your experience, do you have an idea about this problem?
Your colleague Sigismondo Passaro will send to you our Ariba link, maybe you can help.
Thanks for helping
If SAML is used for the authentication you can try to check the content of the SAML assertion using SAML-tracer