Skip to content

Latest commit

 

History

History
379 lines (220 loc) · 14.4 KB

sap-ariba-buying-79bea0b.md

File metadata and controls

379 lines (220 loc) · 14.4 KB

SAP Ariba Buying

Follow this procedure to set up SAP Ariba Buying as a proxy system.

Context

SAP Ariba Buying offers users a personalized, guided process for finding and ordering things they need for work. SAP Ariba Buying allows buyers and suppliers to integrate procurement solutions with their procurement process seamlessly.

After fulfilling the prerequisites, you can create an SAP Ariba Buying proxy system to load its users into an on-premise system and provision new users back to SAP Ariba Buying.

These proxy systems consume SCIM 2.0 API provided by SAP Ariba Buying.

Note:

SAP Ariba Buying does not support groups.

Note:

The Identity Provisioning implementation of the Proxy System SCIM API (based on the SCIM Query) supports single entity and delta read filtering for users and groups. For more information, see Query Parameters for Proxy System SCIM API.

Procedure

  1. Open your subaccount in SAP BTP cockpit (valid for OAuth authentication to the Identity Provisioning proxy system).

    Note:

    If you have a bundle tenant, then in the cockpit → NeoOverview, you can see the Global account, which SAP provides for your bundle in the corresponding Identity Provisioning region. Then, in the global account, you can see your subaccount, where the Identity Provisioning is enabled as a service for the bundle. The display name of the subaccount starts with SAP_BUNDLE.

  2. Sign in to the administration console of SAP Cloud Identity Services and navigate to Users & Authorizations > Administrators.

  3. Create a technical user with the necessary authorizations. It will later be used by the external consumer to connect to Identity Provisioning.

    • For Certificate-based authentication, follow the procedure in Manage Certificates for Inbound ConnectionSAP BTP, Neo Environment

    • For OAuth authentication, proceed as follows:

      1. Go to Security > OAuth > Clients and choose Register New Client.

      2. From the Subscription combo box, select <provider_subaccount>/ipsproxy.

      3. From the Authorization Grant combo box, select Client Credentials.

      4. In the Secret field, enter a password (client secret) and remember it. You will need it later, for the repository configuration in the external system.

      5. Copy/paste and save (in a notepad) the generated Client ID. You will need it later, too.

      6. From the left-side navigation, choose Subscriptions > Java Applications > ipsproxy .

      7. From the left-side navigation, choose Roles > IPS_PROXY_USER.

      8. Choose Assign and enter oauth_client_<client_ID>.

        For <client_ID>, enter the one you have saved in the previous main step.

    • For Certificate-based authentication, upload the certificate for the technical user of type System, as described in Add System as Administrator and enable the Access Proxy System API permission.

    • For Basic authentication, proceed as follows:

      1. Add an administrator user of type System and configure the basic authentication method for this user.

        If you already have a technical user, skip this step.

      2. Save your changes.

      3. Select your administrator user of type System and enable the Access Proxy System API permission.

      4. Save your changes.

  4. Access the Identity Provisioning UI.

  5. Add SAP Ariba Buying as a proxy system. For more information, see Add New Systems.

  6. Choose the Properties tab to configure the connection settings for your system.

    Note:

    If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.

    If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.

    We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.

    Mandatory Properties

    Property Name

    Description & Value

    Type

    Enter: HTTP

    URL

    Enter the SCIM API URL for your SAP Ariba Buying application.

    ProxyType

    Enter: Internet

    Authentication

    Enter: BasicAuthentication

    User

    Enter the OAuth Client ID.

    Password

    (Credential) Enter the OAuth Secret.

    OAuth2TokenServiceURL

    Enter the OAuth 2.0 Token Service URL.

    ariba.buying.include.if.match.wildcard.header

    Makes the SAP Ariba Buying connector send the If-Match HTTP header with a value of “*” for every request to the target system. This header could be used by an SAP Ariba Buying system for entity versioning.

    Possible values:

    • true
    • false

    Default value: false

    (Optional) ariba.buying.user.filter

    When specified, only those SAP Ariba Buying users matching the filter expression will be read. You can set a single attribute or multiple ones as search criteria.

    Supported filtering by the following attributes:

    • id

    • userName

    • emails.value

    • urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid

    • active

    For more information, see List of Properties.

    ariba.buying.user.unique.attribute

    When Identity Provisioning attempts to provision a user for the first time, it may detect that such a user already exists on the target system. Thus, the service needs to retrieve the entityId of the existing user via filtering by user unique attribute(s).

    This property defines by which unique attribute(s) the existing user to be searched (resolved). If the service finds such a user on the target system via this filter, then the conflicting user will overwrite the existing one. If the service does not find such a user, the creation will fail.

    The property is automatically added during system creation. If the service finds an existing user by at least one of the uniqueness criteria, which are email, userName, or urn:ietf:params:scim:schemas:extension:sap:2.0:User:userUuid, it updates this user with the data of the conflicting one. If such a user is not found, that means the conflict is due to another reason, so the update of the conflicting user fails. If more than one users with these unique attributes are found, the update fails.

    For more information, see List of Properties.

    (Optional) ariba.buying.support.patch.operation

    This property controls how modified users in the source system are updated in the target system.

    • If set to true, Identity Provisioning sends a PATCH request to the user or group resource in the target system. Only attributes without "scope": "createEntity" in the attribute mappings in the write transformation will be updated.

      For example, if the last name of a user is changed in the source system, the patch operation will update it in the target system and will leave unchanged other attributes with explicitly set "scope": "createEntity".

    • If set to false, PUT operations are used to update users in the target system. This means, for example, that if a user attribute is modified, all user attributes are replaced in the target system, instead of updating only the modified ones.

    Users can be updated in the target system in various cases, such as:

    • In the source system, some user attributes are modified, or new attributes are added.

    • In the source system, a condition or a filter is set for users not to be read anymore.

    • A user is deleted from the source system.

    In the last two cases, it's possible to keep the entity in the target system – it will not be deleted but only disabled. To do this, use the deleteEntity scope in the transformation of your target or proxy system. See: Transformation ExpressionsdeleteEntity.

    Possible values:

    • true
    • false

    Default value: false

    To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.

  7. Configure the transformations.

    Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the SAP Ariba Buying proxy system, whose settings are displayed under the Transformations tab after saving its initial configuration.

    You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Ariba Buying. For more information, see:

    Manage Transformations

    API LINK

    Default read and write transformations:

    Tip:

    The proxy Read Transformation is used when the external client application (for example, SAP Identity Management) makes initial load. That is, executing GET requests to the resource endpoints (/Users or /Groups) to retrieve the corresponding entities of the particular type. The external client application can also execute GET requests to a single resource endpoint (querying a single resource is supported). In this case, the proxy system acts as a source one.

    The proxy Write Transformation is used when the external application manages the entities in the proxy system – creates new entities, updates existing ones, or deletes existing ones. In this case, the proxy system acts as a target one.

    However, after a Create or Update operation is performed on the proxy system, the Read Transformation is applied to the result, so that the created or updated entity is sent back to the external application. This behavior demonstrates that the proxy Read Transformation is used for write cases, as well.

    Read Transformation

    Write Transformation

    Code Syntax:

    Code Syntax:

  8. Connect the external consumer to Identity Provisioning with the technical user you have created in step 2.

    If the external consumer system is SAP Identity Management, you can export the newly created proxy system as a SCIM repository from Identity Provisioning and import it in SAP Identity Management. This will create a SCIM repository in SAP Identity Management where most of the repository constants will be automatically filled in. You need to provide the technical user credentials that you have set up in step 2 and the SCIM assignment method as described below:

    • For AUTH_USER and AUTH_PASSWORD, enter your client ID and secret.

    • For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PATCH.

    • For AUTH_USER and AUTH_PASSWORD, enter the user ID and password of the Identity Authentication technical user for which you have set permission Access Proxy System API.

    • For the SCIM_ASSIGNMENT_METHOD constant, make sure the value is PATCH.

    Note:

    For external consumer systems, other than SAP Identity Management, you should also use the PATCH method for modifying entities.

Related Information

The SAP Ariba developer portal

Video: Create application and API approval process