Technology Blogs by SAP
MacMoylan
Product and Topic Expert
*1/18/23 Update - Using the SCIM API for IPS with Ariba is currently only supported with the SAP Task Center for SAP Ariba use case.

Hello Everyone,

In this month's installment of using SAP BTP services with SAP Ariba, I'll be walking you through the process of provisioning users into SAP Ariba from SAP Identity Provisioning Services (IPS). In my first installment we discussed how to configure trust with SAP Ariba using SAP IAS. This allows you to manage authentication and security for all of SAP's cloud applications from one central tenant.

However, what if you would like to control which users/groups are sent to each application from one central location? That is made possible with IPS. There are two methods for provisioning:

  1. Provisioning users from your IdP (such as Azure AD) into IAS, and then syncing them into your cloud applications using IPS.

  2. Provisioning users from your IAS tenant into the cloud applications such as SAP Ariba. This is known as the top-down approach and treats IAS as the source of truth for users.


We'll be discussing method two in this blog post. What are the benefits of provisioning users from IPS?

  • Centralized tenant for managing users' applications and their roles within those applications.

  • Process can be automated and scheduled.

  • Real time, uses SCIM APIs to provision users. Not file based.

  • Flexibility, allows you to design and customize the transformation jobs that send your users and permissions into the applications.

  • Fits into SAP's Intelligent Enterprise picture.


First you'll need to have access to an IPS tenant. Usually they are paired with your IAS tenant. If you have an IAS tenant, you can try to access it by taking your IAS URL and adding /ips at the end - https://xxxxxxx.accounts.ondemand.com/ips/

Here is what the IPS home page looks like:


In order to provision users from our IAS tenant, we will need to set it up as a Source System in IPS:

  • Click on Source Systems

  • Click on Add - Choose system type as Identity Authentication and provide a System Name. If you have a metadata file to import, you can choose to import one.





  • After that, keep the out-of-the-box transformation script. This is the script that defines what user/group information we'll be sending to Ariba from IAS.




  • In the Parameters section, you'll want to copy the below information. Use the URL from your IAS site. For the User and Password, you will need to create a system user in IAS.


Once this has all been done, you should be able to save your Source System.

Now we need to create our Target System.

  • Click on the Target System icon and click Add.

  • If your SAP Ariba realm is suite integrated, you'll want to make two. One for Parent and one for Child. In this example we'll do parent, and you can export and import to replicate the Targets for the Child realms.

  • You'll need to select your Source System as your IAS tenant, and application type as SAP Ariba Applications.



 

  • For the transformations, feel free to copy and paste this basic one for SAP Ariba Applications:


{
  "user": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "targetPath": "$.schemas[1]"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:extension:sap:2.0:User",
        "targetPath": "$.schemas[2]"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.emails"
      },
      {
        "condition": "$.emails[0].length() > 0",
        "constant": true,
        "targetPath": "$.emails[0].primary"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
      },
      {
        "condition": "$.emails[0].value =~ /.*test*@sap.com/",
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
      },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.locale"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.active",
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.timezone",
        "optional": true,
        "targetPath": "$.timezone"
      },
      {
        "sourcePath": "$.addresses",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.addresses"
      },
      {
        "sourcePath": "$.phoneNumbers",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.phoneNumbers"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "functions": [
          {
            "function": "resolveEntityIds"
          }
        ]
      }
    ]
  },
  "group": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}




  • Next you'll need to add your Parameters. In this example, the API key, password, and user will be based off the SCIM API details. These can be obtained by creating this API in the SAP Ariba Developer Portal. There are SCIM APIs for Operational and Strategic Procurement. The URL will be based on what region you're in. OAuth Token is the universal SAP Ariba API OAuth token URL. The realm.id will be the ANID tied to your SAP Ariba realm.





  • Once that is created, click Save and you will have created your Target System. Export it and create another target system for your child realms by importing the file. Mind that you need to change the ANID to that of your child site. If you're using SCIM for Strategic Procurement, you will need to change the API credentials to those of that API.
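
Before saving a copied transformation, it is worth reviewing which target attributes it writes and under what conditions. The Python below is an added example, not SAP's or the author's code: it takes an excerpt of the user mappings shown above (the function and variable names are chosen for the example) and lists attributes with more than one writer, conditional mappings, source attributes that are not optional, and copies from one attribute into a different one.

```python
from collections import defaultdict

SAP_USER = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
UUID_PATH = f"$['{SAP_USER}']['userUuid']"

# Excerpt of the "user" mappings from the transformation above (same values,
# shortened to the entries relevant to the review).
USER_MAPPINGS = [
    {"sourcePath": "$.userName", "targetPath": "$.userName"},
    {"sourcePath": "$.emails", "preserveArrayWithSingleElement": True,
     "optional": True, "targetPath": "$.emails"},
    {"condition": "$.emails[0].length() > 0", "constant": True,
     "targetPath": "$.emails[0].primary"},
    {"sourcePath": UUID_PATH, "optional": True, "targetPath": UUID_PATH},
    {"condition": "$.emails[0].value =~ /.*test*@sap.com/",
     "sourcePath": "$.displayName", "optional": True, "targetPath": UUID_PATH},
    {"sourcePath": "$.displayName", "optional": True, "targetPath": "$.displayName"},
    {"sourcePath": "$.active", "targetPath": "$.active"},
]

def review_mappings(mappings):
    """Summarise the points a reviewer should confirm before a job runs."""
    writers = defaultdict(list)
    for index, mapping in enumerate(mappings):
        writers[mapping["targetPath"]].append(index)
    return {
        # Target attributes written by more than one mapping (by list index).
        "multiple_writers": {t: i for t, i in writers.items() if len(i) > 1},
        # Mappings that only apply when their condition matches.
        "conditional": [(m["targetPath"], m["condition"])
                        for m in mappings if "condition" in m],
        # Source attributes that are not marked "optional": true.
        "required_sources": [m["sourcePath"] for m in mappings
                             if "sourcePath" in m and not m.get("optional")],
        # Copies where the source attribute differs from the target attribute.
        "cross_copies": [(m["sourcePath"], m["targetPath"]) for m in mappings
                         if "sourcePath" in m and m["sourcePath"] != m["targetPath"]],
    }

if __name__ == "__main__":
    for finding, value in review_mappings(USER_MAPPINGS).items():
        print(finding, value)
```

For the mappings above, the report shows that userUuid has two writers, one of which copies displayName into it for e-mail addresses matching the test pattern, so confirm that entry is intended before using the transformation in a productive tenant.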


To run this job, you'll need to go to your Source System and then go to Jobs and click Run Now. This will then take the users you've defined in your IAS system and provision them to the target SAP Ariba system. You can check the Jobs logs to see if they've been successfully updated or if an error occurred.


In the above example, we saw a handful of users were successfully provisioned into SAP Ariba. You can provision your user groups and users into the application. One thing to note is that nested user and group information currently can't be provisioned. Any users going into SAP Ariba Buying and Invoicing will need to have partitioned user information imported. Any custom groups that you want to create and send over to Ariba will need to have the child groups mapped to them via import once the initial load occurs.

To remove users in SAP Ariba, you can remove them in IAS and then run the provisioning job again. This will deactivate the user in SAP Ariba.
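
Because deprovisioning depends on the job actually running and succeeding, a periodic reconciliation of both sides is a useful control. The following Python is an added example, not part of the original post: it assumes the IAS and SAP Ariba user lists have already been exported as SCIM 2.0 ListResponse documents (how they are fetched is not shown) and uses constructed sample users.

```python
# Constructed sample data: SCIM 2.0 ListResponse documents in the shape a
# SCIM /Users query returns (RFC 7644). All user names are invented.
IAS_USERS = {"Resources": [
    {"userName": "alice@example.com", "active": True},
    {"userName": "bob@example.com", "active": False},
    {"userName": "dave@example.com", "active": True},
]}
ARIBA_USERS = {"Resources": [
    {"userName": "Alice@example.com", "active": True},
    {"userName": "bob@example.com", "active": True},    # inactive in IAS
    {"userName": "carol@example.com", "active": True},  # removed from IAS
    {"userName": "erin@example.com", "active": False},  # already deactivated
]}

def index_users(list_response):
    """Map lower-cased userName to its active flag.

    userName is not case-exact in SCIM (RFC 7643); a missing "active"
    attribute is treated as active so that the account is still reviewed.
    """
    return {user["userName"].lower(): bool(user.get("active", True))
            for user in list_response.get("Resources", [])}

def reconcile(source, target):
    """Compare the source of truth (IAS) with the target (SAP Ariba)."""
    src, tgt = index_users(source), index_users(target)
    # Active in the target, but removed or inactive in the source.
    orphaned = sorted(name for name, active in tgt.items()
                      if active and not src.get(name, False))
    # Active in the source, but never created in the target.
    not_provisioned = sorted(name for name, active in src.items()
                             if active and name not in tgt)
    return orphaned, not_provisioned

if __name__ == "__main__":
    orphaned, not_provisioned = reconcile(IAS_USERS, ARIBA_USERS)
    print("Still active in target:", orphaned)
    print("Missing in target:", not_provisioned)
```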

The benefit of this exercise is that it can be repeated for multiple cloud applications; SAP Ariba is just one example of how this can be done.

If you would like to learn more on how the Transformations work, please look into the below link:

IPS Transformation Documentation

IPS Documentation Center