Provisioning Users Into SAP Ariba using SAP IAS/IPS
*1/18/23 Update – Using the SCIM API for IPS with Ariba is currently only supported with the SAP Task Center for SAP Ariba use case.
Hello Everyone,
In this month’s installment on using SAP BTP services with SAP Ariba, I’ll walk you through provisioning users into SAP Ariba from SAP Identity Provisioning Service (IPS). In my first installment we covered how to configure trust between SAP Ariba and SAP Identity Authentication Service (IAS), which lets you manage authentication and security for all of SAP’s cloud applications from one central tenant.
However, what if you would like to control which users/groups are sent to each application from one central location? That is made possible with IPS. There are two methods for provisioning:
- Provisioning users from your IdP (such as Azure AD) into IAS, and then syncing them into your cloud applications using IPS.
- Provisioning users from your IAS tenant into the cloud applications such as SAP Ariba. This is known as the top-down approach and treats IAS as the source of truth for users.
We’ll be discussing method two in this blog post. What are the benefits of provisioning users from IPS?
- Centralized tenant for managing which applications users have access to and which roles they hold within those applications.
- The process can be automated and scheduled.
- API based: users are provisioned through SCIM APIs rather than file uploads, so changes reach the application on the next job run instead of waiting for a manual export and import.
- Flexibility: you design and customize the transformations that send your users and permissions into each application.
- Fits into SAP’s Intelligent Enterprise picture.
First you’ll need access to an IPS tenant. It is usually paired with your IAS tenant: if you have an IAS tenant, try opening your IAS URL with /ips appended, e.g. https://xxxxxxx.accounts.ondemand.com/ips/
In order to provision users from our IAS tenant, we will need to set it up as a Source System in IPS:
- Click on Source Systems
- Click Add, choose Identity Authentication as the system type and provide a System Name. If you have a metadata file for the system, you can import it here.
- Keep the out-of-the-box transformation. This is the script that defines which user and group attributes are read from IAS and later sent to Ariba.
- In the Parameters section, enter the connection details: the URL is your IAS tenant URL, and the User and Password belong to a system user that you create in IAS for this purpose. Create a dedicated system user for IPS and grant it only the authorizations a source system needs (reading users and groups), rather than reusing an administrator’s personal account, so that the credential stored in IPS cannot be used for anything else.
Once this has all been done, you should be able to save your Source System.
Now we need to create our Target System.
- Click on the Target System icon and click Add.
- If your SAP Ariba realm is suite integrated, create two target systems: one for the parent realm and one for the child realm. This example sets up the parent; you can then export it and import the file to replicate the target for each child realm.
- You’ll need to select your Source System as your IAS tenant, and application type as SAP Ariba Applications.
- For the transformation, you can copy and paste this basic one for SAP Ariba Applications. Read it before you save it: the mapping whose condition matches e-mail addresses against /.*test*@sap.com/ copies displayName into the SAP userUuid extension attribute for matching users. It appears to be a test-only mapping, so remove it (or point the pattern at test accounts in your own tenant) before running the job against a real realm, because it overwrites a matching user’s userUuid with their display name:
{
  "user": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:User",
        "targetPath": "$.schemas[0]"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User",
        "targetPath": "$.schemas[1]"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:extension:sap:2.0:User",
        "targetPath": "$.schemas[2]"
      },
      {
        "sourcePath": "$.userName",
        "targetPath": "$.userName"
      },
      {
        "sourcePath": "$.emails",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.emails"
      },
      {
        "condition": "$.emails[0].length() > 0",
        "constant": true,
        "targetPath": "$.emails[0].primary"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
      },
      {
        "condition": "$.emails[0].value =~ /.*test*@sap.com/",
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']"
      },
      {
        "sourcePath": "$.locale",
        "optional": true,
        "targetPath": "$.locale"
      },
      {
        "sourcePath": "$.displayName",
        "optional": true,
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.active",
        "targetPath": "$.active"
      },
      {
        "sourcePath": "$.timezone",
        "optional": true,
        "targetPath": "$.timezone"
      },
      {
        "sourcePath": "$.addresses",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.addresses"
      },
      {
        "sourcePath": "$.phoneNumbers",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.phoneNumbers"
      },
      {
        "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "optional": true,
        "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']",
        "functions": [
          {
            "function": "resolveEntityIds"
          }
        ]
      }
    ]
  },
  "group": {
    "mappings": [
      {
        "sourceVariable": "entityIdTargetSystem",
        "targetPath": "$.id"
      },
      {
        "constant": "urn:ietf:params:scim:schemas:core:2.0:Group",
        "targetPath": "$.schemas[0]"
      },
      {
        "sourcePath": "$.displayName",
        "targetPath": "$.displayName"
      },
      {
        "sourcePath": "$.members[*].value",
        "preserveArrayWithSingleElement": true,
        "optional": true,
        "targetPath": "$.members[?(@.value)]",
        "functions": [
          {
            "type": "resolveEntityIds"
          }
        ]
      }
    ]
  }
}
- Next, add the Parameters. The API key, user and password are the credentials of the SCIM API application you create in the SAP Ariba Developer Portal; there are separate SCIM APIs for Operational Procurement and Strategic Procurement. The URL depends on the region your realm is hosted in, the OAuth Token URL is the universal SAP Ariba API OAuth token URL, and realm.id is the ANID of your SAP Ariba realm. Treat these credentials as privileged: they allow creating, updating and deactivating users in the realm, so keep them only in the IPS target-system parameters and rotate them if they are ever exposed.
- Click Save and your Target System is created. Export it and create the target system for each child realm by importing the file, changing realm.id to the child realm’s ANID. If you use the SCIM API for Strategic Procurement, also change the API credentials to those of that API.
To run the job, go to your Source System, open Jobs and click Run Now. This reads the users you have defined in IAS and provisions them to the target SAP Ariba system. Check the Job Logs to see which entities were created or updated and which failed with an error.
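To make concrete what the transformation above actually sends, here is an added example (my code, not part of the original post and not the IPS engine): a small interpreter for the subset of mapping syntax the transformation uses, run over two constructed IAS users. Everything in it is constructed and simplified: the user records, the ID table (standing in for what IPS keeps to turn an IAS ID into the matching SAP Ariba ID), and the approximated semantics of condition, optional, preserveArrayWithSingleElement and resolveEntityIds. The second user is deactivated in IAS and has an e-mail address matching the test pattern, so the payload shows both the deactivation that a removal produces and the test mapping overwriting userUuid with the displayName.

```python
"""Added example, not IPS code: a small interpreter for the subset of SAP Identity
Provisioning mapping syntax used in the transformation above, run over constructed
IAS users to show the SCIM payload the job would send to SAP Ariba (semantics approximated)."""
import copy
import re

SAP_EXT = "urn:ietf:params:scim:schemas:extension:sap:2.0:User"
ENT_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Trimmed copy of the user mappings from the transformation above.
USER_MAPPINGS = [
    {"sourceVariable": "entityIdTargetSystem", "targetPath": "$.id"},
    {"constant": "urn:ietf:params:scim:schemas:core:2.0:User", "targetPath": "$.schemas[0]"},
    {"constant": SAP_EXT, "targetPath": "$.schemas[1]"},
    {"sourcePath": "$.userName", "targetPath": "$.userName"},
    {"sourcePath": "$.emails", "preserveArrayWithSingleElement": True, "optional": True,
     "targetPath": "$.emails"},
    {"condition": "$.emails[0].length() > 0", "constant": True, "targetPath": "$.emails[0].primary"},
    {"sourcePath": f"$['{SAP_EXT}']['userUuid']", "optional": True,
     "targetPath": f"$['{SAP_EXT}']['userUuid']"},
    # Test-pattern mapping from the transformation above: overwrites userUuid with displayName.
    {"condition": "$.emails[0].value =~ /.*test*@sap.com/", "sourcePath": "$.displayName",
     "optional": True, "targetPath": f"$['{SAP_EXT}']['userUuid']"},
    {"sourcePath": "$.displayName", "optional": True, "targetPath": "$.displayName"},
    {"sourcePath": "$.active", "targetPath": "$.active"},
    {"sourcePath": f"$['{ENT_EXT}']['manager']['value']", "optional": True,
     "functions": [{"function": "resolveEntityIds"}],
     "targetPath": f"$['{ENT_EXT}']['manager']['value']"},
]

# Constructed sample data: two IAS users, plus the source-id -> Ariba-id table IPS keeps.
IAS_USERS = [
    {"id": "ias-1001", "userName": "alice", "displayName": "Alice Example", "active": True,
     "emails": [{"value": "alice@example.com"}], SAP_EXT: {"userUuid": "uuid-alice"},
     ENT_EXT: {"manager": {"value": "ias-1000"}}},
    {"id": "ias-1002", "userName": "bob.test", "displayName": "Bob Test", "active": False,
     "emails": [{"value": "bob.test@sap.com"}], SAP_EXT: {"userUuid": "uuid-bob"}},
]
ENTITY_IDS = {"ias-1000": "ariba-user-7", "ias-1001": "ariba-user-42", "ias-1002": "ariba-user-43"}

_SEG = re.compile(r"\.(\w+)|\['([^']+)'\]|\[(\d+)\]")
_LEN_COND = re.compile(r"^(\$.*?)\.length\(\)\s*>\s*0$")
_RE_COND = re.compile(r"^(\$\S+)\s*=~\s*/(.*)/$")

def _segments(path):
    """'$.emails[0].primary' -> ['emails', 0, 'primary']; bracket-quoted keys supported."""
    return [int(idx) if idx else name or quoted for name, quoted, idx in _SEG.findall(path[1:])]

def _get(obj, segs):
    for s in segs:
        try:
            obj = obj[s]
        except (KeyError, IndexError, TypeError):
            return None
    return obj

def _set(obj, segs, value):
    for s, nxt in zip(segs, segs[1:]):
        if isinstance(s, int):
            obj.extend([None] * (s + 1 - len(obj)))
            obj[s] = obj[s] if obj[s] is not None else ([] if isinstance(nxt, int) else {})
            obj = obj[s]
        else:
            obj = obj.setdefault(s, [] if isinstance(nxt, int) else {})
    if isinstance(segs[-1], int):
        obj.extend([None] * (segs[-1] + 1 - len(obj)))
    obj[segs[-1]] = value

def _condition_holds(cond, source):
    if m := _LEN_COND.match(cond):
        value = _get(source, _segments(m.group(1)))
        return value is not None and len(value) > 0
    if m := _RE_COND.match(cond):
        value = _get(source, _segments(m.group(1)))
        return isinstance(value, str) and re.fullmatch(m.group(2), value) is not None
    raise ValueError(f"unsupported condition: {cond}")

def transform(source, mappings, variables):
    """Apply the mappings to one IAS entity and return the SCIM payload for Ariba."""
    target = {}
    for m in mappings:
        if "condition" in m and not _condition_holds(m["condition"], source):
            continue
        if "constant" in m:
            value = m["constant"]
        elif "sourceVariable" in m:
            value = variables.get(m["sourceVariable"])
        else:
            value = _get(source, _segments(m["sourcePath"]))
            for fn in m.get("functions", []):  # only resolveEntityIds is modelled
                if fn.get("function", fn.get("type")) != "resolveEntityIds":
                    raise ValueError(f"unsupported function: {fn}")
                value = ENTITY_IDS.get(value)  # None until the referenced entity exists in Ariba
        if value is None:
            if m.get("optional"):
                continue
            raise ValueError(f"required value missing for {m['targetPath']} in {source['id']}")
        if isinstance(value, list) and len(value) == 1 and not m.get("preserveArrayWithSingleElement"):
            value = value[0]  # IPS collapses a one-element array unless told to preserve it
        _set(target, _segments(m["targetPath"]), copy.deepcopy(value))
    return target

def build_payloads():
    """{userName: payload} for the constructed users, as the provisioning job would send them."""
    return {u["userName"]: transform(u, USER_MAPPINGS, {"entityIdTargetSystem": ENTITY_IDS.get(u["id"])})
            for u in IAS_USERS}
```

Calling build_payloads() returns alice’s payload with her userUuid intact, her manager resolved to the Ariba ID, and emails[0].primary set; bob.test’s payload carries active: false and a userUuid of "Bob Test". Dry-running your own transformation this way, before pointing the job at a live realm, catches that kind of mistake: the job log only tells you whether Ariba accepted a payload, not whether the payload carried the attributes you intended.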
The job log lists the users that were successfully provisioned into SAP Ariba. Both groups and users can be provisioned into the application. Note that nested user and group information currently cannot be provisioned. Users going into SAP Ariba Buying and Invoicing will need their partitioned user information imported separately, and any custom groups you create and send to Ariba will need their child groups mapped to them via import after the initial load.
To remove users from SAP Ariba, remove them in IAS and run the provisioning job again. This deactivates the user in SAP Ariba rather than deleting the account, so confirm the deactivation in the job log and in the realm’s user administration after the run.
The benefit of this exercise is that the same pattern works for multiple cloud applications; SAP Ariba is just one example of how it can be done.
If you would like to learn more on how the Transformations work, please look into the below link:
Hi Mackenzie Moylan,
How are you importing user data into IAS? Manual data load, or via AD as per https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/
Hi Mackenzie Moylan
How are you uploading data to IAS, via manual upload or AD as per the below blog?
https://blogs.sap.com/2022/02/04/provision-users-from-microsoft-azure-ad-to-sap-cloud-identity-services-identity-authentication/
Hi Shikha,
Currently for demo purposes, I've been uploading users on IAS manually. You can look into using AD as your data source if you're interested.
Regards,
Mac
Thanks for the response.
Now what I am doing:
AD --> IPS--> IAS (user load)
IAS -->IPS --> Ariba ( user load)
I need a few details from you:
Hi Mackenzie Moylan,
Can we provision user data from SAP Ariba to IAS tenant ?
Regards,
Rajesh
Hi Rajesh Pelluru,
I don't see why that would be needed. You should consider IAS as the central user management tool, granting/removing user access using IPS into different applications. Typically users in SAP Ariba come from a source of truth outside of SAP Ariba via master data integration with the ERP. Depending on your overall landscape, you should go with the thinking that IAS is the central pillar to host users either natively or using it as a proxy with your corporate IdP.
Regards,
Mac
Hi Rajesh,
in the Identity Provisioning Service documentation you find:
Follow this procedure to set up SAP Ariba Applications as a source system.
So the answer seems to be yes.
CU
Gregor
Hi @Mackenzie Moylan
Thank you for the nice blog.
Question: Note 3228340 says that "Note: The current scope of identity provisioning using SAP Cloud Identity Services - Identity Provisioning for SAP Ariba solutions is only limited to support the SAP Task Center use case."
Does that mean we can't provision users in Ariba using IPS for regular Ariba usage?
Regards
Hi Senthil Murugan Jeya Pandi,
That is correct. I just checked, and the SCIM API that is used can only be enabled for SAP Task Center use cases with SAP Ariba. I will update this blog to reflect that.
Regards,
Mac
Mackenzie Moylan Thank you for your response.
Can you please suggest a solution for our scenario?
Regards
Senthil
Is BTP prerequisite to enable this SCIM API?
Karsu
Hello Mackenzie Moylan
When you say provisioning of users in the below statement, could you please confirm whether users can be created in SAP Ariba with IAS as the source of truth, or are you saying that only Ariba roles/groups can be provisioned? Thank you.
"Provisioning users from your IAS tenant into the cloud applications such as SAP Ariba. This is known as the top-down approach and treats IAS as the source of truth for users."
Regards,
Surya
Hi Suryatheja Appala,
You can provision users from IAS as the source of truth, or use IAS as a proxy for your IdP. It depends on how your security and identity access is handled on a foundational level.
Regards,
Mac
Mackenzie Moylan When you mention "provision" user from IAS, do you mean to say that upon authentication with Ariba, if a user does not exist in Ariba and is trusted with the IdP (whether it be IAS or external), IAS will also create the user, or is this "provision" a manual step done from IAS to Ariba before authentication is initiated? I would have always considered IAS as just an IdP, so can IAS also create users in satellite systems?
Hi Mackenzie Moylan,
Thanks for sharing the blog. We have similar requirement.
Could you please help me understand more about transformations in IPS?
How do I add constant values? E.g. in the groupconsolidated file we upload a csv file with the below fields -
User_UniqueName, PasswordAdapter, PurchasingUnit, UniqueName
Is it possible to perform this activity?
Is there a specific list of transformations I can use to provision users in Ariba? Where can I find that list?
How do I check which webservice or event/task is used by SAP Ariba application in backend?
Regards,
Rashmi
Hi Mackenzie,
is this limitation still valid?
*1/18/23 Update – Using the SCIM API for IPS with Ariba is currently only supported with the SAP Task Center for SAP Ariba use case.
regards
Johannes