Follow this procedure to set up SAP Ariba Applications as a source system.
This system is available for bundle tenants running on SAP Cloud Identity infrastructure and standalone tenants running on SAP Cloud Identity infrastructure and SAP BTP, Neo environment. Bundle tenants running on Neo environment can use it only through SAP Jam Collaboration and SAP Identity Access Governance bundle options.
-
You have created a client application on SAP Ariba APIs Portal that needs to be enabled for Identity Provisioning.
If you don’t have an account on SAP Ariba Developer Portal, then ask your Designated Support Contact (DSC) to submit a request for an account. To find your DSC person, see: How can I see my company's Basic users and Designated Support Contacts (DSC)
-
Provide your DSC person with your SAP Ariba realm name, application name, and application key. You have already created the application name along with the application key on step 1. To find your realm name, login to your SAP Ariba system – it's part of your login URL, as shown in the following examples.
- SAP Ariba Buyer example:
https://s1.ariba.com/Buyer/Main/ad/loginPage/...&realm=mycompany-t - SAP Ariba Sourcing example:
http://mycompany.sourcing.ariba.com/
- SAP Ariba Buyer example:
-
Ask your DSC person to submit a service request for you to SAP Ariba Support for component BNS-ARI-SS-API, requesting the client application to be enabled for Identity Provisioning. Request your DSC person to mention the following details in the service request:
- Application name
- Application key
- Realm name
-
When your application is enabled, you can login to SAP Ariba APIs Portal, find your application, and generate a new OAuth secret for it. To learn how, see: How to generate the OAuth Secret and Base64 Encoded Client and secret
-
To configure your SAP Ariba Applications provisioning system (see the procedure below), you will need to map your SAP Ariba application parameters to the relevant Identity Provisioning properties. The property mapping between the two systems is as follows:
SAP Ariba
Identity Provisioning
Values
SCIM API URL
URLExamples:
SAP Ariba OAuth 2.0 Token URL
OAuth2TokenServiceURLExamples:
OAuth Client ID
UserAlphanumeric string
Example:aaaa12345-1111-3333-cccc-1234567890
OAuth Secret
PasswordAlphanumeric string
Example:aaaGGG1eee12abcdefGHIJK123lmnopTTT
Application key
ariba.applications.api.keyAlphanumeric string
Example:123abc123XYZ000abc123ABC012345
AN-ID
ariba.applications.realm.idAN<numeric_string>
Example: AN000111222333
You can read users and groups from SAP Ariba Applications source system and provision them to a target system of your choice.
These source systems consume SCIM 2.0 API provided by SAP Ariba Applications. For more information about the SAP Ariba SCIM API scope of support, see 3228340.
-
Access the Identity Provisioning UI.
-
Sign in to the administration console of SAP Cloud Identity Services and navigate to Identity Provisioning > Source Systems.
-
Add SAP Ariba Applications as a source system. For more information, see Add New Systems.
-
Choose the Properties tab to configure the connection settings for your system.
If your tenant is running on SAP BTP, Neo environment, you can create a connectivity destination in your subaccount in the SAP BTP cockpit, and then select it from the Destination Name combo box in your Identity Provisioning User Interface.
If one and the same property exists both in the cockpit and in the Properties tab, the value set in the Properties tab is considered with higher priority.
We recommend that you use the Properties tab. Use a connectivity destination only if you need to reuse one and the same configuration for multiple provisioning systems.
Mandatory Properties
Property Name
Description & Value
TypeEnter: HTTP
URLEnter the SCIM API URL for your SAP Ariba application (see the Prerequisites section).
ProxyTypeEnter: Internet
AuthenticationEnter: BasicAuthentication
UserEnter the OAuth Client ID (see the Prerequisites section).
Password(Credential) Enter the OAuth Secret (see the Prerequisites section).
OAuth2TokenServiceURLEnter the OAuth 2.0 Token Service URL (see the Prerequisites section).
ariba.applications.api.key(Credential) Enter your application key (see the Prerequisites section).
ariba.applications.realm.idEnter your AN-ID (see the Prerequisites section).
(Optional)
ariba.applications.group.flattenThis property allows or forbids reading "nested groups" (group structures) from SAP Ariba Applications. If enabled (true), group members of type group will be ignored during read in order not to be provisioned to target systems that do not support nested groups. Thus, set it to false only if you are sure that the target system supports nested groups.
Default value: false
Predefined value (during system creation): true
Set it to false only if you are sure that the target system supports nested groups.
ariba.applications.group.members.page.sizeSAP Ariba Applications has a hardcoded limit of the number of group members returned per request when reading the group SCIM resources.
When the Identity Provisioning reads a group, it compares the number of group members with the value configured for
ariba.applications.group.members.page.size. Depending on the value you defined forariba.applications.group.members.paging.enabled, you can expect the following results:-
In case the number of group members equals or exceeds the configured limit and the property
ariba.applications.group.members.paging.enabledis enabled, the Identity Provisioning will perform full read of all group members via subsequent requests. -
In case the number of group members is less than the configured limit or the property
ariba.applications.group.members.paging.enabledis disabled, the Identity Provisioning will get the returned group members from the target system.
Setting the property
ariba.applications.group.members.paging.enabledallows you to read groups with a large number of group members. For more information, see ariba.applications.group.members.paging.enabled.Default value: 50
ariba.applications.group.members.paging.enabledThis property enables the full read of group members.
When it is set to true, all groups with members count exceeding the value defined in
ariba.applications.group.members.page.sizewill be fully read by the Identity Provisioning via subsequent requests.Possible values:
- true - Full read of group members is enabled.
- false - Full read of group members is disabled.
Default value: true
ariba.applications.user.groups.paging.enabledSAP Ariba Applications has a hardcoded limitation over the number of user's groups returned per request.
This limit is specified by the property
ariba.applications.group.members.page.size.To trigger a full read of a user with 'groups' attribute over the configured value, set
ariba.applications.user.groups.paging.enabledto true.Possible values:
-
true - the full read of user's groups is enabled.
-
false - the full read of user's groups is disabled.
Default value: true
ariba.applications.user.groups.page.sizeThe nuber of user groups that SAP Ariba Application returns per request when reading a user.
When the Identity Provisioning reads a user, it compares the number groups assigned with the value configured for
ariba.applications.user.groups.page.size. Depending on the number of groups assigned to the user, you can expect the following results:-
If the number of assigned groups is equal or exceeds the configured value, and the
ariba.applications.user.groups.paging.enabledproperty is set to true, Identity Provisioning will read all user groups in separate requests.For example, if a user has 6 groups assigned and the value of the page size is set to 2, Identity Provisioning will send 3 requests to read the user groups.
-
If the number of assigned groups is less than the configured value for
ariba.applications.user.groups.page.sizeor the propertyariba.applications.user.groups.paging.enabledis disabled, the Identity Provisioning will read all user groups via one request.For example, if a user has 2 groups assigned and the value of the page size is set to 6, Identity Provisioning will read all user groups via one request.
Setting the property
ariba.applications.user.groups.paging.enabledallows you to read users with a large number of groups assigned. For more information, seeariba.applications.user.groups.paging.enabled.Default value: 50
To learn what additional properties are relevant to this system, see List of Properties. You can use the main search, or filter properties by the Name or System Type columns.
Exemplary destination (property configuration):
Type=HTTPAuthentication=BasicAuthenticationProxyType=InternetUser=aaaa12345-1111-3333-cccc-1234567890Password=************OAuth2TokenServiceURL=https://api.ariba.com/v2/oauth/tokenariba.applications.group.flatten=trueariba.applications.api.key=123abc123XYZ000abc123ABC012345ariba.applications.realm.id=AN000111222333 -
-
Configure the transformations.
Transformations are used to map the user attributes from the data model of the source system to the data model of the target system, and the other way around. The Identity Provisioning offers a default transformation for the SAP Ariba Applications source system, whose settings are displayed under the Transformations tab after saving its initial configuration.
You can change the default transformation mapping rules to reflect your current setup of entities in your SAP Ariba Applications source system. For more information, see:
SAP Ariba APIs Portal → Discover → SUPPLIER MANAGEMENT
Default transformation:
{ "user": { "mappings": [ { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" }, { "sourcePath": "$.userName", "targetPath": "$.userName", "correlationAttribute": true }, { "sourcePath": "$.userName", "targetPath": "$.name.familyName" }, { "sourcePath": "$.emails", "targetPath": "$.emails", "preserveArrayWithSingleElement": true, "optional": true }, { "sourcePath": "$.emails[?(@.primary == true)].value", "optional": true, "correlationAttribute": true }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:sap:2.0:User']['userUuid']", "optional": true }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "optional": true }, { "sourcePath": "$.active", "targetPath": "$.active", "optional": true }, { "sourcePath": "$.title", "targetPath": "$.title", "optional": true }, { "sourcePath": "$.locale", "targetPath": "$.locale", "optional": true }, { "sourcePath": "$.phoneNumbers", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.phoneNumbers" }, { "sourcePath": "$.groups", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.groups", "functions": [ { "condition": "'%ariba.applications.group.prefix%' !== 'null'", "function": "concatString", "applyOnElements": true, "applyOnAttribute": "display", "prefix": "%ariba.applications.group.prefix%" } ] }, { "sourcePath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "targetPath": "$['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User']['manager']['value']", "optional": true } ] }, "group": { "mappings": [ { "sourcePath": "$.id", "targetVariable": "entityIdSourceSystem" }, { "sourcePath": "$.schemas", "preserveArrayWithSingleElement": true, "targetPath": "$.schemas" }, { "sourcePath": "$.displayName", "targetPath": "$.displayName", "functions": [ { "condition": "'%ariba.applications.group.prefix%' !== 'null'", "function": "concatString", "prefix": "%ariba.applications.group.prefix%" } ] }, { "sourcePath": "$.members", "preserveArrayWithSingleElement": true, "optional": true, "targetPath": "$.members" } ] } } -
Now, add a target system to provision users into it. Choose from: Target Systems
- Before starting a provisioning job, you can first subscribe for e-mail notifications from the source system you use in your scenario. This way, you will be notified by e-mail about eventual failed entities during the jobs. For more information, see Manage Job Notifications.
- Now, start an identity provisioning job. For more information, see Monitor Provisioning Job Logs.