Follow this procedure to set up SAP Ariba Applications as a target system.
This system is available for bundle tenants running on SAP Cloud Identity infrastructure and standalone tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo environment. Bundle tenants running on Neo environment can use it only through SAP Identity Access Governance bundle option.
-
You have created a client application on SAP Ariba APIs Portal that needs to be enabled for Identity Provisioning.
If you don’t have an account on SAP Ariba Developer Portal, then ask your Designated Support Contact (DSC) to submit a request for an account. To find your DSC person, see: How can I see my company's Basic users and Designated Support Contacts (DSC)
-
Provide your DSC person with your SAP Ariba realm name, application name, and application key. You have already created the application name along with the application key on step 1. To find your realm name, login to your SAP Ariba system – it's part of your login URL, as shown in the following examples.
- SAP Ariba Buyer example:
https://s1.ariba.com/Buyer/Main/ad/loginPage/...&realm=mycompany-t - SAP Ariba Sourcing example:
http://mycompany.sourcing.ariba.com/
- SAP Ariba Buyer example:
-
Ask your DSC person to submit a service request for you to SAP Ariba Support for component BNS-ARI-SS-API, requesting the client application to be enabled for Identity Provisioning. Request your DSC person to mention the following details in the service request:
- Application name
- Application key
- Realm name
-
When your application is enabled, you can login to SAP Ariba APIs Portal, find your application, and generate a new OAuth secret for it. To learn how, see: How to generate the OAuth Secret and Base64 Encoded Client and secret
-
To configure your SAP Ariba Applications provisioning system (see the procedure below), you will need to map your SAP Ariba application parameters to the relevant Identity Provisioning properties. The property mapping between the two systems is as follows:
SAP Ariba
Identity Provisioning
Values
SCIM API URL
URLExamples:
SAP Ariba OAuth 2.0 Token URL
OAuth2TokenServiceURLExamples:
OAuth Client ID
UserAlphanumeric string
Example:aaaa12345-1111-3333-cccc-1234567890
OAuth Secret
PasswordAlphanumeric string
Example:aaaGGG1eee12abcdefGHIJK123lmnopTTT
Application key
ariba.applications.api.keyAlphanumeric string
Example:123abc123XYZ000abc123ABC012345
AN-ID
ariba.applications.realm.idAN<numeric_string>
Example: AN000111222333
After fulfilling the prerequisites, you can create an SAP Ariba Applications target system to provision users and groups.
These target systems consume SCIM 2.0 API provided by SAP Ariba Applications. For more information about the SAP Ariba SCIM API scope of support, see 3228340.
-
Access the Identity Provisioning UI.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Target Systems.
-
Add SAP Ariba Applications as a target system. For more information, see Add New Systems.
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLEnter the SCIM API URL for your SAP Ariba application (see the Prerequisites section).
ProxyTypeEnter: Internet
AuthenticationEnter: BasicAuthentication
UserEnter the OAuth Client ID (see the Prerequisites section).
Password(Credential) Enter the OAuth Secret (see the Prerequisites section).
OAuth2TokenServiceURLEnter the OAuth 2.0 Token Service URL (see the Prerequisites section).
ariba.applications.api.key(Credential) Enter your application key (see the Prerequisites section).
ariba.applications.realm.idEnter your AN-ID (see the Prerequisites section).
(Optional)
ips.delete.threshold.groupsUse this property to control the number of groups to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of groups, for example by adding a filter or condition.
For more information, see: List of Properties
(Optional)
ips.delete.threshold.usersUse this property to control the number of users to be deleted in a target system by defining a threshold. This will prevent you from accidentally deleting a huge number of users, for example by adding a filter or condition.
For more information, see: List of Properties
Exemplary destination (property configuration):
Type=HTTPAuthentication=BasicAuthenticationProxyType=InternetUser=aaaa12345-1111-3333-cccc-1234567890Password=************OAuth2TokenServiceURL=https://api.ariba.com/v2/oauth/tokenariba.applications.api.key=123abc123XYZ000abc123ABC012345ariba.applications.realm.id=AN000111222333To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
-
Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the SAP Ariba Applications target system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Ariba Applications. For more information, see:
SAP Ariba APIs Portal → Discover → SUPPLIER MANAGEMENT
To make group assignments via the user resource, you need to change the default transformation of the target system as described in Enabling Group Assignment.
Default transformation:
{ "user": { "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "constant": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User", "urn:ietf:params:scim:schemas:extension:sap:2.0:User", "urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User", "urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User", "urn:sap:cloud:scim:schemas:extension:custom:2.0:profile:User" ], "targetPath": "$.schemas" }, { "sourcePath": "$.userName", "targetPath": "$.userName" }, { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true, "optional": true }, { "condition": "$.emails[0].length() > 0", "constant": true, "targetPath": "$.emails[0].primary" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "optional": true, "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']" }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['companyCode']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['companyCode']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['costCenter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['costCenter']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['purchasingGroup']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['purchasingGroup']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['generalLedgerAccount']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['generalLedgerAccount']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['purchasingOrganization']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['purchasingOrganization']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['plant']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap.odm:2.0:User']['plant']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['currency']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['currency']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['deliverTo']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['deliverTo']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['purchasingUnit']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['purchasingUnit']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['network']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['network']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['addresses']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['addresses']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['passwordAdapter']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:ariba:2.0:User']['passwordAdapter']", "optional": true }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:profile:User']['alternativeDisplayNames']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:profile:User']['alternativeDisplayNames']", "optional": true }, { "sourcePath": "$.locale", "optional": true, "targetPath": "$.locale" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.active", "targetPath": "$.active" }, { "sourcePath": "$.timezone", "optional": true, "targetPath": "$.timezone" }, { "sourcePath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.phoneNumbers", "functions": [ { "function": "putIfAbsent", "key": "type", "defaultValue": "work" } ] }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true, "functions": [ { "function": "resolveEntityIds" } ] } ] }, "group": { "condition": "('%ariba.applications.group.prefix%' === 'null') || ($.displayName =~ /%ariba.applications.group.prefix%.*/)", "mappings": [ { "sourceVariable": "entityIdTargetSystem", "targetPath": "$.id" }, { "constant": [ "urn:ietf:params:scim:schemas:core:2.0:Group", "urn:ietf:params:scim:schemas:extension:sap:2.0:Group", "urn:sap:cloud:scim:schemas:extension:custom:2.0:profile:Group" ], "targetPath": "$.schemas" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "condition": "('%ariba.applications.group.prefix%' !== 'null') && (@ =~ /%ariba.applications.group.prefix%.*/)", "function": "replaceFirstString", "regex": "%ariba.applications.group.prefix%", "replacement": "" } ] }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['type']", "optional": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:Group']['supportedOperations']", "optional": true }, { "sourcePath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:profile:Group']['alternativeDisplayNames']", "targetPath": "$['urn:sap:cloud:scim:schemas:extension:custom:2.0:profile:Group']['alternativeDisplayNames']", "optional": true }, { "sourcePath": "$.members[*].value", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members[?(@.value)]", "functions": [ { "type": "resolveEntityIds" } ] } ] } } -
Now, add a source system from which to read users and groups. Choose from: Source Systems
- Before starting a provisioning job, you can first subscribe to the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during your jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.