Skip to Content
Technical Articles
Author's profile photo Harjeet Judge

Configure SAML SSO with SAP Ariba Business Network and SAP Cloud Identity Authentication Service

In this blog I will discuss SAML trust setup between SAP Ariba Business Network and SAP Cloud Identity Authentication Service(IAS).  Before we go through the setup process I wanted to highlight couple points that are important.

  1. SAP Ariba Business Network supports Identity Provider(IDP) initiated single sign-on only.  Service Provider(SP) initiated SSO is not possible.
  2. SAML response must be signed.

For the purpose of this blog, I am also going to assume that you are following SAP best practices and have other SAP applications setup to trust IAS.  Furthermore, your IAS tenant is already configured to proxy to your corporate Identity Provider such as Microsoft Azure or others.  In such scenario you may have a requirement to have corporate users authenticate to SAP Ariba using your corporate IDP and non-corporate user authenticate through SAP Cloud Identity Authentication Service.  Let’s see how we can setup such a scenario.

Setup trust with SAP Cloud Identity Authentication in SAP Ariba Business Network

In order to set up SAML trust on the Ariba side, you will need to work SAP Ariba support team.  The SAP Ariba support team will need the SAML metadata from your SAP Cloud Identity Authentication Service.  To download the metadata follow these steps:

  1. Access your SAP Cloud Identity Authentication(IAS) Admin console.  The URL of the admin console for IAS is in the format: https://<tenantid>
  2. Click Applications & Resources >> Tenant Settings.
  3. Scroll down on the page and click SAML 2.0 Configuration.
  4. Click the Download Metadata File from the top right corner of the page.
  5. Send the downloaded xml file to your SAP Ariba team.
  6. The SAP Ariba team will configure your SAP Ariba Business Network using the provided metadata.  The screenshot below is for reference only as the config shown in the screenshot will be done by SAP.

Setup SAP Ariba Business Network application in SAP Cloud Identity Authentication Service

  1. Access your SAP Cloud Identity Authentication(IAS) Admin console.  The URL of the admin console for IAS is in the format: https://<IASTenantId>
  2. Click Applications & Resources >> Applications.
  3. Specify a Display Name for your app and set the Type to SAP Ariba Solution.
  4. Click SAML 2.0 Configuration.
  5. Browse for the SAML metadata file provided by Ariba admin.
  6. Make note of the Name value (aka Entity ID) as this will be required to construct the URL needed to access SAP Ariba Buyer portal.
  7. Verify the signing certificate is valid and ensure that the Sign authentication responses toggle is enabled.
  8. Save your application.
  9. Click Subject Name Identifier and change it from User ID to E-Mail.


As mentioned earlier, SAP Ariba Business Network supports IDP initiated SSO only.  Once the trust between Ariba and IAS is setup, access the IDP initiated URL to confirm successful login to Ariba.  The URL would take the following format:

https://<IASTenantID><Entity ID of Ariba application>

If the test is successful you can proceed with the next steps to further configure the application to support both corporate and non-corporate users.  The process to configure a corporate identity provider with IAS is beyond the scope of this blog and already well documented and covered in other blogs.  I’ve listed just a few resources you can use to setup your corporate identity provider with IAS:

Configure the setup to support corporate and non-corporate users

  1. In the admin console of IAS, click Applications & Resources >> Applications.
  2. Select your Ariba application entry created earlier, and click Conditional Authentication.
  3. Change the Default Identity Provider to your corporate identity provider
  4. Enable Allow users stored in Identity Authentication service to log on and save your configuration.
  5. Navigate to Identity Providers >> Corporate Identity Providers.
  6. Select your corporate identity provider and click on Identity Federation.
  7. Confirm “Use Identity Authentication user store” toggle is enabled.

What IDP initiated URL do I use to authenticate corporate and non-corporate users?

Authenticate with SAP Cloud Identity (non-corporate users)

https://<IASTenantID><Entity ID of Ariba application>&idp=<IASTenantID>

User will see the IAS login screen and must specify an IAS username and password to authenticate.

Authenticate with Corporate IDP (corporate users)

https://<IASTenantID><Entity ID of Ariba application>

User will be redirected to the login screen of the corporate identity provider and must specify the corporate IDP credentials to authenticate.

Happy reading!


Assigned Tags

      1 Comment
      You must be Logged on to comment or reply to a post.
      Author's profile photo SEBASTIAN Rodriguez
      SEBASTIAN Rodriguez

      Nice Blog Harjeet, just what I was looking for!

      I have some questions:

      Is it possible from SAP Ariba that we can configure two different IdP providers to do the SSO (IdP-Initiated)?

      In other words, we now have a SAML federation with Ariba to do SSO through an IdP. Now I would like to add SAP IAS as a new IdP on Ariba but without Ariba having to undo the current configuration, so that both federations continue working (for some time), just like we did with SAP Concur.

      Is this possible to do with Ariba?


      Kind regards.