Author: Mackenzie Moylan

Provisioning Users Into SAP Ariba using SAP IAS/IPS

*1/18/23 Update – Using the SCIM API for IPS with Ariba is currently only supported with the SAP Task Center for SAP Ariba use case.

Hello Everyone,

In this month’s installment of using SAP BTP services with SAP Ariba, I’ll be walking you through the process of provisioning users into SAP Ariba from SAP Identity Provisioning Services (IPS). In my first installment we discussed how to configure trust with SAP Ariba using SAP IAS. This allows you to manage authentication and security for all of SAP’s cloud applications from one central tenant.

However, what if you would like to control which users/groups are sent to each application from one central location? That is made possible with IPS. There are two methods for provisioning:

  1. Provisioning users from your IdP (such as Azure AD) into IAS, and then syncing them into your cloud applications using IPS.
  2. Provisioning users from your IAS tenant into the cloud applications such as SAP Ariba. This is known as the top-down approach and treats IAS as the source of truth for users.

We’ll be discussing method two in this blog post. What are the benefits of provisioning users from IPS?

  • Centralized tenant for managing users’ applications and roles within the applications.
  • Process can be automated and scheduled.
  • Real time: uses SCIM APIs to provision users, not file based.
  • Flexibility: allows you to design and customize the transformation jobs that send your users and permissions into the applications.
  • Fits into SAP’s Intelligent Enterprise picture.

First you’ll need to have access to an IPS tenant. Usually it is paired with your IAS tenant. If you have an IAS tenant, you can try to access IPS by taking your IAS URL and adding /ips at the end – https://xxxxxxx.accounts.ondemand.com/ips/

Here is what the IPS home page looks like:

In order to provision users from our IAS tenant, we will need to set it up as a Source System in IPS:

  • Click on Source Systems
  • Click on Add. Choose the system type Identity Authentication and provide a System Name. If you have a metadata file to import, you can choose to import it.

  • After that, keep the out-of-the-box transformation script. This is the script that tells us what user/group information we’ll be sending to Ariba from IAS.

  • In the Parameters section, you’ll want to copy the below information. Use the URL from your IAS site. For the User and Password, you will need to create a system user in IAS.

Once this has all been done, you should be able to save your Source System.

Now we need to create our Target System.

  • Click on the Target System icon and click Add.
  • If your SAP Ariba realm is suite integrated, you’ll want to make two. One for Parent and one for Child. In this example we’ll do parent, and you can export and import to replicate the Targets for the Child realms.
  • You’ll need to select your Source System as your IAS tenant, and application type as SAP Ariba Applications.

 

  • For the transformations, feel free to copy and paste this basic one for SAP Ariba Applications:
{
    "user": {
        "mappings": [
            {
                "sourceVariable": "entityIdTargetSystem",
                "targetPath": "$.id"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
                "targetPath": "$.schemas[0]"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
                "targetPath": "$.schemas[1]"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:extension:sap:2.0:User",
                "targetPath": "$.schemas[2]"
            },
            {
                "sourcePath": "$.userName",
                "targetPath": "$.userName"
            },
            {
                "sourcePath": "$.emails",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.emails"
            },
            {
                "condition": "$.emails[0].length() > 0",
                "constant": true,
                "targetPath": "$.emails[0].primary"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
            },
            {
                "condition": "$.emails[0].value =~ /.*test*@sap.com/",
                "sourcePath": "$.displayName",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
            },
            {
                "sourcePath": "$.locale",
                "optional": true,
                "targetPath": "$.locale"
            },
            {
                "sourcePath": "$.displayName",
                "optional": true,
                "targetPath": "$.displayName"
            },
            {
                "sourcePath": "$.active",
                "targetPath": "$.active"
            },
            {
                "sourcePath": "$.timezone",
                "optional": true,
                "targetPath": "$.timezone"
            },
            {
                "sourcePath": "$.addresses",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.addresses"
            },
            {
                "sourcePath": "$.phoneNumbers",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.phoneNumbers"
            },
            {
                "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "optional": true,
                "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
                "functions": [
                    {
                        "function": "resolveEntityIds"
                    }
                ]
            }
        ]
    },
    "group": {
        "mappings": [
            {
                "sourceVariable": "entityIdTargetSystem",
                "targetPath": "$.id"
            },
            {
                "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
                "targetPath": "$.schemas[0]"
            },
            {
                "sourcePath": "$.displayName",
                "targetPath": "$.displayName"
            },
            {
                "sourcePath": "$.members[*].value",
                "preserveArrayWithSingleElement": true,
                "optional": true,
                "targetPath": "$.members[?(@.value)]",
                "functions": [
                    {
                        "type": "resolveEntityIds"
                    }
                ]
            }
        ]
    }
}

  • Next you’ll need to add your Parameters. In this example, the API key, password, and user will be based on the SCIM API details. These can be obtained by creating this API in the SAP Ariba Developer Portal. There are SCIM APIs for Operational and Strategic Procurement. The URL will be based on what region you’re in. OAuth Token is the universal SAP Ariba API OAuth Token URL. The realm.id will be the ANID tied to your SAP Ariba realm.

  • Once that is created, click Save and you will have created your Target System. Export it and create another target system for your child realms by importing the file. Mind that you need to change the ANID to that of your child site. If you’re using SCIM for Strategic Procurement, you will need to change the API credentials to those of that API.
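
An added review check for the transformation above (not part of the original post and not SAP tooling): it lists target paths written by more than one mapping and shows which addresses a "=~" condition accepts. Python's re.fullmatch stands in for the IPS condition engine, which is an assumption, and the sample addresses are constructed.

```python
import re
from collections import defaultdict

# Subset of the "user" mappings copied from the transformation on this page.
SAP_EXT = "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
USER_MAPPINGS = [
    {"sourcePath": "$.userName", "targetPath": "$.userName"},
    {"sourcePath": SAP_EXT, "optional": True, "targetPath": SAP_EXT},
    {"condition": "$.emails[0].value =~ /.*test*@sap.com/",
     "sourcePath": "$.displayName", "optional": True, "targetPath": SAP_EXT},
    {"sourcePath": "$.active", "targetPath": "$.active"},
]

# Matches the body of a JSONPath-style regex condition: <path> =~ /<regex>/
REGEX_COND = re.compile(r"=~\s*/(.*)/\s*$")

def shared_targets(mappings):
    """Return {targetPath: [mapping indexes]} for paths written by more than one mapping."""
    seen = defaultdict(list)
    for i, m in enumerate(mappings):
        seen[m["targetPath"]].append(i)
    return {path: idx for path, idx in seen.items() if len(idx) > 1}

def condition_regexes(mappings):
    """Extract the regex body of every '=~ /.../' condition."""
    found = []
    for m in mappings:
        hit = REGEX_COND.search(m.get("condition", ""))
        if hit:
            found.append(hit.group(1))
    return found

def matching(pattern, values):
    """Values the pattern accepts as a whole-string match (assumed semantics)."""
    return [v for v in values if re.fullmatch(pattern, v)]

# Constructed sample addresses, not real accounts.
SAMPLES = ["qa.test@sap.com", "contest@sap.com", "qa.tes@sapXcom", "jane.doe@example.com"]

if __name__ == "__main__":
    for path, idx in shared_targets(USER_MAPPINGS).items():
        print("more than one mapping writes", path, "-> mapping indexes", idx)
    for rx in condition_regexes(USER_MAPPINGS):
        print("condition", rx, "accepts", matching(rx, SAMPLES))
```

Here the check surfaces the conditional mapping that writes displayName into userUuid, and shows that "test*" and the unescaped dot accept more addresses than ones ending in test@sap.com.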

To run this job, you’ll need to go to your Source System, then go to Jobs and click Run Now. This will take the users you’ve defined in your IAS system and provision them to the target SAP Ariba system. You can check the job logs to see whether they were updated successfully or an error occurred.

In the above example, we saw a handful of users were successfully provisioned into SAP Ariba. You can provision your user groups and users into the application. One thing that needs to be noted is that currently, nested user and group information can’t be provisioned over. Any users going into SAP Ariba Buying and Invoicing will need to have partitioned user information imported. Any custom groups that you want to create and send over to Ariba will need to have the child groups mapped to them via import once the initial load occurs.

To remove users in SAP Ariba, you can remove them in IAS and then run the provisioning job again. This will deactivate the user in SAP Ariba.
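
One way to confirm that a deprovisioning run took effect, as an added example that is not part of the original post: compare a user export from the source with one from the target and list accounts still active in the target. It assumes both exports are standard SCIM 2.0 ListResponse documents and that every target account is expected to come from IAS; the user names are constructed.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed exports, not real accounts. bwong was removed from IAS and
# cdiaz was set inactive there, so neither should remain active in the target.
IAS_EXPORT = json.dumps({"schemas": [LIST_RESPONSE], "Resources": [
    {"userName": "ASmith", "active": True},
    {"userName": "cdiaz", "active": False},
]})
ARIBA_EXPORT = json.dumps({"schemas": [LIST_RESPONSE], "Resources": [
    {"userName": "asmith", "active": True},
    {"userName": "bwong", "active": True},
    {"userName": "cdiaz", "active": True},
    {"userName": "dlee", "active": False},
]})

def active_users(export_text):
    """Return {lowercased userName: original userName} for active users in a ListResponse."""
    doc = json.loads(export_text)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    users = {}
    for res in doc.get("Resources", []):
        # A missing 'active' attribute counts as active so it cannot hide an account.
        if res.get("active", True):
            # SCIM userName is case-insensitive, so compare on the lowercased form.
            users[res["userName"].lower()] = res["userName"]
    return users

def still_active_in_target(source_text, target_text):
    """Target accounts that are active although the source no longer has them active."""
    source = active_users(source_text)
    target = active_users(target_text)
    return sorted(name for key, name in target.items() if key not in source)

if __name__ == "__main__":
    for name in still_active_in_target(IAS_EXPORT, ARIBA_EXPORT):
        print("active in target, not active in source:", name)
```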

The benefit of this exercise is that it can be done for multiple cloud applications; this is just one example of how it can be done for SAP Ariba.

If you would like to learn more on how the Transformations work, please look into the below link:

IPS Transformation Documentation

IPS Documentation Center

      16 Comments

      Shikha Ghodeshwar

      Hi Mackenzie Moylan,

      How are you importing user data on IAS? Manual data load or via AD as per https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/

      Shikha Ghodeshwar

      Hi Mackenzie Moylan

      How are you uploading data on IAS, via manual upload or AD as per the blog below?

      https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/

      Mackenzie Moylan
      Blog Post Author

      Hi Shikha,

      Currently for demo purposes, I've been uploading users on IAS manually. You can look into using AD as your data source if you're interested.

      Regards,

      Mac

      Shikha Ghodeshwar

      Thanks for the response.

      Now what I am doing:

      AD --> IPS --> IAS (user load)

      IAS --> IPS --> Ariba (user load)

      Need a few details from you:

      1. IAS and IPS will be free of cost for SAP is providing on subscription basis for Ariba
      2. I am not able to see the Ariba application in IPS target. Why?
      Rajesh Pelluru

      Hi Mackenzie Moylan,

      Can we provision user data from SAP Ariba to the IAS tenant?

      Regards,

      Rajesh

      Mackenzie Moylan
      Blog Post Author

      Hi Rajesh Pelluru,

      I don't see why that would be needed. You should consider IAS as the central user management tool, granting/removing user access using IPS into different applications. Typically users in SAP Ariba come from a source of truth outside of SAP Ariba via master data integration with the ERP. Depending on your overall landscape, you should go with the thinking that IAS is the central pillar to host users either natively or using it as a proxy with your corporate IdP.

      Regards,
      Mac

      Gregor Wolf

      Hi Rajesh,

      in the Identity Provisioning Service documentation you find:

      Follow this procedure to set up SAP Ariba Applications as a source system.

      So the answer seems to be yes.

      CU
      Gregor

      Senthil Murugan Jeya Pandi

      Hi @Mackenzie Moylan

      Thank you for the nice blog.

      Question: Note 3228340 says that  "Note: The current scope of identity provisioning using SAP Cloud Identity Services - Identity Provisioning for SAP Ariba solutions is only limited to support the SAP Task Center use case."

      Does that mean we can't provision users in Ariba using IPS for regular Ariba usage?

      Regards

      Mackenzie Moylan
      Blog Post Author

      Hi Senthil Murugan Jeya Pandi,

      That is correct. I just checked and the SCIM API that is used can only be enabled for SAP Task Center use cases with SAP Ariba. I will update this blog to reflect that.

      Regards,
      Mac

      Senthil Murugan Jeya Pandi

      Mackenzie Moylan Thank you for your response.

      Can you please suggest a solution for our scenario?

      • We don't use SAP Task Center
      • We want our on-prem IDM to provide users to Ariba using IPS as a proxy.

      Regards

      Senthil

      Karsu F.D.

      Is BTP a prerequisite to enable this SCIM API?

      Karsu

      Suryatheja Appala

      Hello Mackenzie Moylan

      When you say provisioning of users in the statement below, could you please confirm if users can be created in SAP Ariba with IAS as source of truth? Or are you saying that only Ariba roles/groups can be provisioned? Thank you.

      "Provisioning users from your IAS tenant into the cloud applications such as SAP Ariba. This is known as the top-down approach and treats IAS as the source of truth for users."

       

      Regards,

      Surya

      Mackenzie Moylan
      Blog Post Author

      Hi Suryatheja Appala,

      You can provision users from IAS as the source of truth, or use IAS as a proxy for your IdP. It depends on how your security and identity access is handled on a foundational level.

      Regards,

      Mac

      Michael Healy

      Mackenzie Moylan When you mention "provision" user from IAS, do you mean to say that upon authentication with Ariba, if a user does not exist in Ariba and is trusted with the IDP (whether it be IAS or external), IAS will also create the user, or is this "provision" a manual step done from IAS to Ariba before authentication is initiated? I would have always considered IAS as just an IDP, so can IAS also create users in satellite systems?

      Rashmi Joshi

      Hi Mackenzie Moylan,

      Thanks for sharing the blog. We have a similar requirement.

      Could you please help me understand more about transformations in IPS?

      How do I add constant values? E.g. in the groupconsolidated file we upload a CSV file with the below fields -

      User_UniqueName, PasswordAdapter,  PurchasingUnit, UniqueName

      Is it possible to perform this activity?

      Is there any specific list of transformation lists I can use to provision users in Ariba? Where can I find that list?

      How do I check which web service or event/task is used by the SAP Ariba application in the backend?

       

      Regards,

      Rashmi

      Johannes Schneider

      Hi Mackenzie,

       

      Is this limitation still valid?

      *1/18/23 Update – Using the SCIM API for IPS with Ariba is currently only supported with the SAP Task Center for SAP Ariba use case.

       

      Regards

      Johannes