Table of Contents:
- SAP IAS SAML Metadata Retrieval
- SAP Ariba SAML Metadata Retrieval (PLICM-871)
- SAP IAS SAML Authentication Configuration
- SAP Ariba SAML Authentication Self-service Configuration (PLICM-871)
- SAP Ariba SSO Verification
- Validate the SAP Ariba SSO via Intelligent Configuration Management
- Validate the SAP Ariba SSO by accessing the SAP Ariba URL in the browser
- SAP Ariba without SSO
- SAP Ariba with SSO to SAP IAS
- SAP Ariba with SSO to Microsoft Entra ID
SAP IAS SAML Metadata Retrieval
To retrieve SAML Metadata from SAP IAS:
- enter the SAP IAS URL below into the browser: https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/metadata?action=download
- store the downloaded SAP IAS Metadata File
SAP Ariba SAML Authentication Self-service Configuration (PLICM-871)
As of the 2402 release, the "PLICM-871: Ability to Configure SAML Authentication Settings in Intelligent Configuration Manager" feature lets customers retrieve the SAP Ariba metadata file as a self-service.
Note: When configuring SSO for SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Lifecycle and Performance on suite-integrated tenants, the SSO setup, and thus the metadata retrieval, needs to be executed on the SAP Ariba procurement tenant (e.g. for US DC https://<SAP Ariba tenant id>.procurement.ariba.com). In an SAP Ariba multi-ERP configuration setup (f.k.a. Federated Process Control, FPC), the SSO configuration and metadata retrieval need to happen on the parent tenant.
For standalone (not suite-integrated) SAP Ariba sourcing tenant (e.g. for US DC https://<SAP Ariba tenant id>.sourcing.ariba.com)
Prerequisites:
- SAP Ariba user with Third Party Enterprise User (Ariba) type
- SAP Ariba user with Customer Administrator group membership
To configure SAP Ariba SAML Authentication with SAP IAS:
- log in to the SAP Ariba tenant as per the Note above, using the Third Party Enterprise User (Ariba) login URL (e.g. for US DC https://<SAP Ariba tenant id>.procurement.ariba.com/?passwordadapter=ThirdPartyUser)
- navigate to Manage -> (Core Administration for an SAP Ariba procurement tenant, or Administration for an SAP Ariba sourcing tenant) -> Intelligent Configuration Manager -> Manage Configurations -> [Continue] -> Authentication -> [Update]
- load the SAP IAS Metadata File you retrieved from SAP IAS
- set Enable SAML authentication to Yes to enable SSO (all the data is preconfigured from the imported SAP IAS Metadata File)
- press [Submit]
- press [Apply] - after this step the SAP Ariba SSO changes take effect!
- If Enable SAML authentication is set to Yes, SAP Ariba authenticates users with the credentials (passwords) stored in SAP IAS, not the credentials (passwords) stored in SAP Ariba. SAP Ariba business users therefore need to be invited to SAP IAS, activate their accounts and create their user credentials (passwords)
- If Enable SAML authentication is set to No, SAP Ariba authenticates users with the credentials (passwords) stored in SAP Ariba
Note: Users of type Third Party Enterprise User (Ariba) who log in to SAP Ariba through the *?passwordadapter=ThirdPartyUser URL always keep using the credentials (passwords) stored in SAP Ariba, regardless of whether SSO is enabled
SAP Ariba SAML Metadata Retrieval (PLICM-871)
As of the 2402 release, the "PLICM-871: Ability to Configure SAML Authentication Settings in Intelligent Configuration Manager" feature lets customers retrieve the SAP Ariba metadata file as a self-service.
Note: When configuring SSO for SAP Ariba Sourcing, SAP Ariba Contracts, or SAP Ariba Supplier Lifecycle and Performance on suite-integrated tenants, the SSO setup, and thus the metadata retrieval, needs to be executed on the SAP Ariba procurement tenant. In an SAP Ariba multi-ERP configuration setup (f.k.a. Federated Process Control, FPC), the SSO configuration and metadata retrieval need to happen on the parent tenant.
Prerequisites:
- SAP Ariba user with Customer Administrator group membership
To retrieve SAML Metadata from SAP Ariba:
- log in to the SAP Ariba tenant as per the Note above
- navigate to Manage -> (Core Administration for an SAP Ariba procurement tenant, or Administration for an SAP Ariba sourcing tenant) -> Intelligent Configuration Manager -> Manage Configurations -> [Continue] -> Authentication
- download and store the appropriate Test or Production SAP Ariba Metadata File
Note: Because of a current temporary gap in the SAP Ariba Metadata File generation, a manual adjustment of the entityID attribute value is required, following the process described below.
(The assumption here is that the SAP Ariba SSO SAML configuration has already been set up and the SAP Ariba tenant has SSO enabled.)
Manual SAP Ariba Metadata File adjustment process:
- Open chrome://extensions/ in the Google Chrome browser
- Navigate to the Chrome Web Store
- Search for SAML Chrome Panel -> [Add to Chrome]
- Hit [F12] to open the Chrome DevTools
- Open your SAP Ariba tenant URL in Google Chrome (e.g. https://<SAP Ariba tenant id>.procurement.ariba.com)
- Navigate to the Chrome DevTools -> SAML -> copy the value of the saml2:Issuer XML element in the SAP Ariba SAML Request (e.g. http://<SAP Ariba tenant id>.procurement.ariba.com)
- Open the SAP Ariba Metadata File, replace the value of the entityID attribute with the saml2:Issuer value copied from the SAML panel in the Chrome DevTools, and save the modified SAP Ariba Metadata File
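The manual adjustment above, scripted as an added example (not part of the original page or of any SAP tooling): it reads saml2:Issuer from a captured SAMLRequest and writes that value into the entityID of the metadata file. It goes slightly beyond the page by decoding the raw SAMLRequest value itself; the tenant id ACME-T, the PLACEHOLDER entityID and all function names are constructed for illustration.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def issuer_from_saml_request(saml_request: str) -> str:
    """Return saml2:Issuer from a URL-decoded, base64 SAMLRequest value."""
    raw = base64.b64decode(saml_request)
    try:
        root = ET.fromstring(raw)                        # HTTP-POST: plain XML
    except ET.ParseError:
        root = ET.fromstring(zlib.decompress(raw, -15))  # HTTP-Redirect: raw DEFLATE
    issuer = root.find("saml2:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAMLRequest carries no saml2:Issuer")
    return issuer.text.strip()

def align_entity_id(metadata_xml: str, issuer: str) -> tuple[str, bool, bool]:
    """Set entityID to the issuer; return (metadata, changed, was_signed)."""
    ET.register_namespace("md", NS["md"])
    ET.register_namespace("ds", NS["ds"])
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    # A metadata-level ds:Signature no longer verifies once entityID is edited.
    was_signed = root.find("ds:Signature", NS) is not None
    changed = root.get("entityID") != issuer
    root.set("entityID", issuer)
    return ET.tostring(root, encoding="unicode"), changed, was_signed

def demo() -> tuple[str, str, bool, bool]:
    # Constructed sample data: ACME-T is a made-up tenant id, PLACEHOLDER a made-up entityID.
    issuer_value = "http://ACME-T.procurement.ariba.com"
    authn = ('<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
             f'xmlns:saml2="{NS["saml2"]}" ID="_1" Version="2.0">'
             f'<saml2:Issuer>{issuer_value}</saml2:Issuer></saml2p:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    request = base64.b64encode(deflater.compress(authn.encode()) + deflater.flush()).decode()
    metadata = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="PLACEHOLDER">'
                '<md:SPSSODescriptor protocolSupportEnumeration='
                '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>')
    issuer = issuer_from_saml_request(request)
    return (issuer, *align_entity_id(metadata, issuer))

if __name__ == "__main__":
    print(demo())
```

The comparison is an exact string match, so a difference in scheme (http vs. https), case or a trailing slash between entityID and saml2:Issuer counts as a mismatch.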
SAP IAS SAML Authentication Configuration
Prerequisites:
- SAP IAS user added as Administrator to SAP IAS (Users & Authorizations -> Administrators -> [Add])
To configure SAP IAS SAML Authentication with SAP Ariba:
- open the SAP IAS Administration Console via https://<SAP IAS tenant id>.accounts.ondemand.com/admin
- navigate to Application & Resources -> Application -> [Create] to create an Application for SAP Ariba as Service Provider (SP)
- enter the Display Name, choose SAP Ariba solution as Type and SAML 2.0 as Protocol Type, and hit [Create]
- navigate to SAML 2.0 Configuration and upload the adjusted SAP Ariba Metadata File
- the SAML 2.0 configuration is pre-set from the uploaded SAP Ariba Metadata File
- navigate to Subject Name Identifier, set the Primary Attribute Value to Login Name and hit [Save]
- ensure that the users set up in SAP IAS have the Login Name set and that it matches the SAP Ariba user UniqueName
- navigate to Users & Authorizations -> User Management; each user's SAP IAS Login Name needs to match that user's SAP Ariba UniqueName
SAP IAS User Profile:
SAP Ariba User Profile:
If you are reading this line, you have successfully configured Single Sign-On (SSO) between SAP Ariba as Service Provider (SP) and SAP IAS as Identity Provider (IdP)!
SAP Ariba SSO Verification
To verify the status of the SAP Ariba SSO Setup follow one of the options below:
- Validate the SAP Ariba SSO via Intelligent Configuration Management
- Validate the SAP Ariba SSO by accessing the SAP Ariba URL in the browser
Validate the SAP Ariba SSO via Intelligent Configuration Management
Prerequisites:
- SAP Ariba user with Customer Administrator group membership
To review the existing SAP Ariba SSO setup:
- log in to the SAP Ariba tenant
- navigate to Manage -> (Core Administration for an SAP Ariba procurement tenant, or Administration for an SAP Ariba sourcing tenant) -> Intelligent Configuration Manager -> Manage Configurations -> [Continue] -> Authentication
- check the SAP Ariba SSO configuration for Test or Production
Validate the SAP Ariba SSO by accessing the SAP Ariba URL in the browser
Validate the SAP Ariba SSO setup by opening the business user access URL of SAP Ariba in the browser (e.g. for US DC https://<SAP Ariba tenant id>.sourcing.ariba.com).
The tests below will not work if a browser certificate is used and the business user is logged in to SAP Ariba without entering credentials.
SAP Ariba without SSO
Reaching the SAP Ariba Login screen means that SAP Ariba SSO is not set up and the SAP Ariba site requires the user credentials stored in SAP Ariba
SAP Ariba with SSO to SAP IAS
Reaching the SAP IAS Login screen means that SAP Ariba SSO is set up with SAP IAS (directly, without further identity federation) and the SAP Ariba site requires the user credentials stored in SAP IAS
SAP Ariba with SSO to Microsoft Entra ID
Reaching the Microsoft Entra ID Login screen means that SAP Ariba SSO is set up with Microsoft Entra ID and the SAP Ariba site requires the user credentials stored in Microsoft Entra ID
Note: You can use Microsoft Entra ID for SAP Ariba SSO either via direct configuration to Microsoft Entra ID or via an Identity Federation setup of SAP IAS. In the case of Identity Federation, SAP Ariba SSO is set up to SAP IAS and SAP IAS delegates all the authentication requests to Microsoft Entra ID. Because of this we might not be able to recognize whether the SAP Ariba SSO is set up directly with Microsoft Entra ID or via SAP IAS Identity Federation.