Mackenzie Moylan

Provisioning Users Into SAP Ariba using SAP IAS/IPS

Hello Everyone,

In this month’s installment of using SAP BTP services with SAP Ariba, I’ll be walking you through the process of provisioning users into SAP Ariba from SAP Identity Provisioning Services (IPS). In my first installment we discussed how to configure trust with SAP Ariba using SAP IAS. This allows you to manage authentication and security for all of SAP’s cloud applications from one central tenant.

However, what if you would like to control which users/groups are sent to each application from one central location? That is made possible with IPS. There are two methods for provisioning:

  1. Provisioning users from your IdP (such as Azure AD) into IAS, and then syncing them into your cloud applications using IPS.
  2. Provisioning users from your IAS tenant into the cloud applications such as SAP Ariba. This is known as the top-down approach and treats IAS as the source of truth for users.

We’ll be discussing method two in this blog post. What are the benefits of provisioning users from IPS?

  • Centralized tenant for managing users’ applications and their roles within those applications.
  • Process can be automated and scheduled.
  • Real time: uses SCIM APIs to provision users and is not file based.
  • Flexibility: allows you to design and customize the transformation jobs that send your users and permissions into the applications.
  • Fits into SAP’s Intelligent Enterprise picture.

First, you’ll need access to an IPS tenant. Usually it is paired with your IAS tenant. If you have an IAS tenant, you can try to access IPS by taking your IAS URL and adding /ips at the end: https://xxxxxxx.accounts.ondemand.com/ips/

Here is what the IPS home page looks like:

In order to provision users from our IAS tenant, we will need to set it up as a Source System in IPS:

  • Click on Source Systems
  • Click Add, choose Identity Authentication as the system type, and provide a System Name. If you have a metadata file to import, you can choose to import it.

  • After that, keep the out-of-the-box transformation script. This is the script that tells us what user/group information we’ll be sending to Ariba from IAS.

  • In the Parameters section, you’ll want to copy the information below. Use the URL from your IAS site. For the User and Password, you will need to create a system user in IAS.

Once this has all been done, you should be able to save your Source System.

Now we need to create our Target System.

  • Click on the Target System icon and click Add.
  • If your SAP Ariba realm is suite integrated, you’ll want to make two targets: one for the parent realm and one for the child realm. In this example we’ll do the parent, and you can export and import it to replicate the target for the child realms.
  • You’ll need to select your Source System as your IAS tenant, and application type as SAP Ariba Applications.

 

  • For the transformations, feel free to copy and paste this basic one for SAP Ariba Applications:
{
    "user": {
        "mappings": [
            {
                "sourceVariable": "entityIdTargetSystem",
                "targetPath": "$.id"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
                "targetPath": "$.schemas[0]"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                "targetPath": "$.schemas[1]"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:extension:sap:2.0:User",
                "targetPath": "$.schemas[2]"
            },
            {
                "sourcePath": "$.userName",
                "targetPath": "$.userName"
            },
            {
                "sourcePath": "$.emails",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.emails"
            },
            {
                "condition": "$.emails[0].length() > 0",
                "constant": true,
                "targetPath": "$.emails[0].primary"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
            },
            {
                "condition": "$.emails[0].value =~ /.*test*@sap.com/",
                "sourcePath": "$.displayName",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
            },
            {
                "sourcePath": "$.locale",
                "optional": true,
                "targetPath": "$.locale"
            },
            {
                "sourcePath": "$.displayName",
                "optional": true,
                "targetPath": "$.displayName"
            },
            {
                "sourcePath": "$.active",
                "targetPath": "$.active"
            },
            {
                "sourcePath": "$.timezone",
                "optional": true,
                "targetPath": "$.timezone"
            },
            {
                "sourcePath": "$.addresses",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.addresses"
            },
            {
                "sourcePath": "$.phoneNumbers",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.phoneNumbers"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "functions": [
                    {
                        "function": "resolveEntityIds"
                    }
                ]
            }
        ]
    },
    "group": {
        "mappings": [
            {
                "sourceVariable": "entityIdTargetSystem",
                "targetPath": "$.id"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
                "targetPath": "$.schemas[0]"
            },
            {
                "sourcePath": "$.displayName",
                "targetPath": "$.displayName"
            },
            {
                "sourcePath": "$.members[*].value",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.members[?(@.value)]",
                "functions": [
                    {
                        "type": "resolveEntityIds"
                    }
                ]
            }
        ]
    }
}

  • Next you’ll need to add your Parameters. In this example, the API key, password, and user are based on the SCIM API details. These can be obtained by creating this API in the SAP Ariba Developer Portal. There are SCIM APIs for Operational and Strategic Procurement. The URL will be based on what region you’re in. OAuth Token is the universal SAP Ariba API OAuth token URL. The realm.id will be the ANID tied to your SAP Ariba realm.

  • Once that is done, click Save and you will have created your Target System. Export it and create another target system for your child realms by importing the file. Mind that you need to change the ANID to that of your child site. If you’re using SCIM for Strategic Procurement, you will need to change the API credentials to those of that API.
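
A review pass over the user transformation above before it is saved, as an added example that is not part of the original post or SAP's tooling: it lists the target paths the mappings send to SAP Ariba, flags any target written from more than one source, and shows which addresses the regex condition selects. The excerpt, function names and sample addresses are constructed, and Python's re module stands in for the service's regex engine (an assumption).

```python
import json
import re
from collections import defaultdict

# Constructed excerpt: five of the user mappings from the transformation above.
EXCERPT = json.loads("""
{"user": {"mappings": [
  {"sourcePath": "$.userName", "targetPath": "$.userName"},
  {"sourcePath": "$.emails", "optional": true, "targetPath": "$.emails"},
  {"sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
   "optional": true,
   "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"},
  {"condition": "$.emails[0].value =~ /.*test*@sap.com/",
   "sourcePath": "$.displayName", "optional": true,
   "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"},
  {"sourcePath": "$.active", "targetPath": "$.active"}
]}}
""")

def audit(transformation, entity="user"):
    """Return (target paths sent to the target system, review findings)."""
    by_target = defaultdict(list)
    for m in transformation[entity]["mappings"]:
        source = m.get("sourcePath") or m.get("sourceVariable") or "constant"
        by_target[m["targetPath"]].append((source, m.get("condition")))
    findings = []
    for target, writers in by_target.items():
        if len({source for source, _ in writers}) > 1:
            findings.append(f"{target} is written from: " + ", ".join(s for s, _ in writers))
    if entity == "user" and "$.active" not in by_target:
        findings.append("$.active is not mapped, so IAS user status is not sent")
    return sorted(by_target), findings

def regex_conditions(transformation, entity="user"):
    """Extract the /regex/ part of every '=~' condition."""
    conds = (m.get("condition", "") for m in transformation[entity]["mappings"])
    return [c.split("=~", 1)[1].strip().strip("/") for c in conds if "=~" in c]

def matching(pattern, addresses):
    # Assumption: the condition must match the whole value; Python's re stands in
    # for the service's regex engine, which is equivalent for this simple pattern.
    return [a for a in addresses if re.fullmatch(pattern, a)]

if __name__ == "__main__":
    targets, findings = audit(EXCERPT)
    print("\n".join(targets), *findings, sep="\n")
    pattern = regex_conditions(EXCERPT)[0]
    # Constructed addresses to see what the condition really selects.
    print(matching(pattern, ["latest@sap.com", "testuser@sap.com", "tes@sapXcom"]))
```

With these constructed addresses the condition selects latest@sap.com and tes@sapXcom but not testuser@sap.com, so check the pattern against your own naming scheme before relying on the mapping that writes displayName into userUuid.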

To run this job, you’ll need to go to your Source System and then go to Jobs and click Run Now. This will then take the users you’ve defined in your IAS system and provision them to the target SAP Ariba system. You can check the Jobs logs to see if they’ve been successfully updated or if an error occurred.

In the above example, we saw that a handful of users were successfully provisioned into SAP Ariba. You can provision both your user groups and your users into the application. One thing to note is that, currently, nested user and group information can’t be provisioned. Any users going into SAP Ariba Buying and Invoicing will need to have partitioned user information imported. Any custom groups that you want to create and send over to Ariba will need to have the child groups mapped to them via import once the initial load occurs.

To remove users in SAP Ariba, you can remove them in IAS and then run the provisioning job again. This will deactivate the user in SAP Ariba.
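
To confirm that a provisioning run really deactivated the removed users, the two user lists can be compared after the job finishes. The following is an added example, not part of the original post: it assumes both systems' users have been exported as SCIM 2.0 ListResponse documents, and all data and function names are constructed.

```python
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

def export(users, total=None):
    """Build a constructed SCIM ListResponse from (userName, active) pairs."""
    resources = [{"userName": n, "active": a} for n, a in users]
    return {"schemas": [LIST_SCHEMA], "Resources": resources,
            "totalResults": len(resources) if total is None else total}

# Constructed sample data, fictional users. IAS is the source of truth.
IAS = export([("asmith", True), ("bjones", False), ("cwu", True), ("evans", True)])
ARIBA = export([("ASmith", True), ("bjones", True), ("cwu", True), ("dlee", True)])

def complete(listing):
    """False for a single page of a larger result set (SCIM lists are paginated)."""
    return (LIST_SCHEMA in listing.get("schemas", [])
            and listing.get("totalResults") == len(listing.get("Resources", [])))

def by_name(listing):
    # userName is case-insensitive in SCIM (RFC 7643), so compare casefolded.
    return {u["userName"].casefold(): bool(u.get("active", False))
            for u in listing["Resources"]}

def reconcile(source, target):
    """Compare source-of-truth users with the accounts present in the target."""
    if not (complete(source) and complete(target)):
        raise ValueError("partial export: fetch every page before comparing")
    src, tgt = by_name(source), by_name(target)
    active_tgt = sorted(n for n, active in tgt.items() if active)
    return {
        "removed_in_source_still_active": [n for n in active_tgt if n not in src],
        "inactive_in_source_still_active": [n for n in active_tgt if n in src and not src[n]],
        "active_in_source_missing_in_target": sorted(
            n for n, active in src.items() if active and n not in tgt),
    }

if __name__ == "__main__":
    for finding, names in reconcile(IAS, ARIBA).items():
        print(f"{finding}: {names}")
```

Any name in the first two lists is an account that should have been deactivated by the job; the completeness check matters because comparing one page of a paginated export would report false gaps.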

The benefit of this exercise is that it can be done for multiple cloud applications; this is just one example of how it can be done for SAP Ariba.

If you would like to learn more about how the transformations work, please see the links below:

IPS Transformation Documentation

IPS Documentation Center

      7 Comments

      Shikha Ghodeshwar

      Hi Mackenzie Moylan,

      How are you importing user data on IAS? Manual data load or via AD as per https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/

      Shikha Ghodeshwar

      Hi Mackenzie Moylan

      How are you uploading data on IAS: via manual upload or AD as per the blog below?

      https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/

      Mackenzie Moylan
      Blog Post Author

      Hi Shikha,

      Currently for demo purposes, I've been uploading users on IAS manually. You can look into using AD as your data source if you're interested.

      Regards,

      Mac

      Shikha Ghodeshwar

      Thanks for the response.

      Now what I am doing:

      AD --> IPS --> IAS (user load)

      IAS --> IPS --> Ariba (user load)

      Need a few details from you:

      1. IAS and IPS will be free of cost for SAP is providing on subscription basis for Ariba
      2. I am not able to see Ariba application in IPS target. Why?

      Rajesh Pelluru

      Hi Mackenzie Moylan,

      Can we provision user data from SAP Ariba to IAS tenant ?

      Regards,

      Rajesh

      Mackenzie Moylan
      Blog Post Author

      Hi Rajesh Pelluru,

      I don't see why that would be needed. You should consider IAS as the central user management tool, granting/removing user access using IPS into different applications. Typically users in SAP Ariba come from a source of truth outside of SAP Ariba via master data integration with the ERP. Depending on your overall landscape, you should go with the thinking that IAS is the central pillar to host users either natively or using it as a proxy with your corporate IdP.

      Regards,
      Mac

      Gregor Wolf

      Hi Rajesh,

      in the Identity Provisioning Service documentation you find:

      Follow this procedure to set up SAP Ariba Applications as a source system.

      So the answer seems to be yes.

      CU
      Gregor