One of SAP's goals for 2022 is to enable the Intelligent Enterprise, letting its various cloud applications interact seamlessly with each other. A key building block for this is SAP's central authentication service, Identity Authentication (IAS). Note that IAS handles authentication (proving who the user is); what a user may do inside each application is still governed by that application's own roles and permissions.
For those who are new to the concept, this page provides an overview:
Cloud Identity Services Community
This blog post is intended for Security, IT and Procurement admins who want to start authenticating their user base with IAS. It is most useful for customers who run SAP Ariba alongside other SAP cloud products and SAP ERPs. If you plan to enable newer BTP services such as SAP Task Center or SAP Work Zone, IAS is a required building block for the deployment.
The benefit of IAS is that it centralizes authentication: users sign in through one central service and are then accepted by the different SAP cloud applications that trust it.
Below are the steps to take on the IAS side and on the SAP Ariba side to establish the SAML trust between the two that lets users authenticate.
Configuring Trust from IAS
- First, log in to your IAS administration console and make sure your user has the administrator authorizations needed for the steps below.
- Click Applications & Resources, then Applications, and click Create. Enter the login link of your Ariba realm, which includes the realm name. In suite-integrated Ariba configurations, start by configuring trust on the child site first.
- Go to Bundled Applications, look for Ariba IAS, and click SAML 2.0 Configuration.
- From here, configure the trust manually. The Assertion Consumer Service (ACS) endpoint is the Ariba URL to which IAS sends the SAML assertion after the user has authenticated, so it must be exact. It is typically formatted as https://<Ariba data center>/Buyer/Main/ad/samlAuth/SSOActions?<realm name>. If you are unsure of the value for your realm, ask SAP Ariba Technical Support for it in the Service Request you raise for the SAP Ariba side (see below).
- Configure the Single Logout endpoint. For testing, a placeholder such as https://www.google.com works, but with a placeholder a logout from IAS does not end the Ariba session, so replace it with the Ariba logout endpoint before go-live.
- Add the signing certificate from Ariba; IAS uses it to verify signed SAML requests coming from Ariba. You can find it by logging into SAP Ariba Buying and Invoicing and going to Integration Manager > End Point Configuration > Create > Select Outbound, where the certificate is displayed. Copy it into a text file and import it in the Certificate section of the IAS application.
Configuring Trust in SAP Ariba
- In your IAS tenant, go to Tenant Settings and select SAML 2.0 Configuration.
- Download the metadata file. It contains the IAS entity ID, the single sign-on and logout endpoints, and the certificate with which IAS signs its assertions; this is what Ariba needs to trust IAS.
- Create a Service Request (SR) with SAP Ariba Technical Support, ask them to enable or update SSO for SAP Ariba Buying and Invoicing (child realms), and attach the metadata file.
- Make sure each Ariba user's UniqueName matches the corresponding user's ID in IAS; otherwise the identifier in the assertion cannot be mapped to an Ariba user and the login fails. By default, IAS identifies users by a P-number of the form PXXXXXX.
If you also need this for your SAP Ariba Buyer parent realm, repeat the steps above for it, and authentication will then work across the suite-integrated realms.
At this point trust between IAS and SAP Ariba is configured: users can sign in with SSO, and you control from IAS which users are allowed to authenticate. To add users to the applications you manage from IAS, you can import them manually from a CSV file under the Import Users tab in the Users and Administration section. In a later post in this series I'll discuss how this can be automated.
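Before raising the SR and before the first login test, it pays to sanity-check the three artifacts the procedure above produces: the IAS metadata file, the ACS and Single Logout endpoints typed into the IAS application, and the match between Ariba UniqueNames and IAS user IDs. The script below is an added example, not code from the original post or from SAP, and uses only the Python standard library. The metadata sample, hostnames and user lists in it are constructed; the ACS path and the PXXXXXX user-ID form are taken from the text of this post, and treating any `*.ariba.com` host as a valid Ariba endpoint is an assumption.

```python
"""Pre-flight checks for an IAS <-> SAP Ariba SAML trust (added example, not SAP code)."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BROWSER_BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
                    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
ARIBA_ACS_PATH = "/Buyer/Main/ad/samlAuth/SSOActions"   # shape given in the post
P_NUMBER = re.compile(r"^P\d{6}$")                      # PXXXXXX; width is an assumption

# Constructed sample in the shape of an IdP metadata file. The certificate is a
# base64 placeholder, not a real X.509 certificate, and the tenant is fictitious.
PLACEHOLDER_CERT = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example-tenant.accounts.ondemand.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.accounts.ondemand.com/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _same_https_host(url, host):
    u = urlparse(url)
    return u.scheme == "https" and u.hostname == host


def check_idp_metadata(xml_text):
    """Return a list of problems in IdP metadata; an empty list means it looks sane."""
    problems = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    idp_host = urlparse(entity_id).hostname
    if urlparse(entity_id).scheme != "https":
        problems.append(f"entityID is not https: {entity_id!r}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor element: this is not IdP metadata"]
    # The signing certificate is what lets Ariba verify the assertions IAS issues.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue                      # an encryption-only key does not verify assertions
        cert = kd.find(".//ds:X509Certificate", NS)
        try:
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
        except (AttributeError, ValueError):  # missing element or not base64
            der = b""
        if der:
            signing_certs.append(der)
    if not signing_certs:
        problems.append("no usable signing certificate (KeyDescriptor use='signing')")
    # Endpoints must use a browser binding, TLS, and live on the IdP's own host.
    sso = [s for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") in BROWSER_BINDINGS
           and _same_https_host(s.get("Location", ""), idp_host)]
    if not sso:
        problems.append("no SingleSignOnService with HTTP-POST/Redirect binding on the IdP host over https")
    if not idp.findall("md:SingleLogoutService", NS):
        problems.append("no SingleLogoutService: single logout will not work")
    return problems


def check_sp_endpoints(acs_url, slo_url):
    """Check the ACS and Single Logout endpoints entered into the IAS application."""
    problems = []
    acs, slo = urlparse(acs_url), urlparse(slo_url)
    if acs.scheme != "https" or not (acs.hostname or "").endswith(".ariba.com"):
        problems.append(f"ACS endpoint is not an https ariba.com URL: {acs_url!r}")
    if acs.path != ARIBA_ACS_PATH or not acs.query:
        problems.append("ACS endpoint does not look like .../Buyer/Main/ad/samlAuth/SSOActions?<realm>")
    if slo.scheme != "https" or not (slo.hostname or "").endswith(".ariba.com"):
        problems.append(f"Single Logout endpoint {slo_url!r} is not on Ariba: "
                        "a placeholder leaves the Ariba session alive after an IAS logout")
    return problems


def check_user_ids(ariba_unique_names, ias_user_ids):
    """Find Ariba UniqueNames with no matching IAS user, and ones not in P-number form."""
    ias = set(ias_user_ids)
    return {"missing_in_ias": sorted(u for u in ariba_unique_names if u not in ias),
            "bad_format": sorted(u for u in ariba_unique_names if not P_NUMBER.match(u))}


if __name__ == "__main__":
    print("metadata:", check_idp_metadata(SAMPLE_METADATA) or "ok")
    print("endpoints:", check_sp_endpoints(
        "https://example-dc.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?realm=acme",  # constructed
        "https://www.google.com") or "ok")
    print("users:", check_user_ids(["P000123", "P000124", "jsmith"], ["P000123", "P000124"]))
```

Run it against the real metadata file you downloaded from Tenant Settings (read the file and pass its contents to `check_idp_metadata`) and the exact endpoint strings you entered in IAS; the google.com placeholder from the test setup is reported as a problem so it does not survive into production, and the user check tells you which Ariba accounts will fail to log in before anyone opens a ticket.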
For more information:
- IAS Security Features
- IAS Operations Guide
- IAS Overview Video