on 2020 Sep 29 10:36 AM
Hello all:
I have a scenario for integration that needs some help.
We have vendors connected with their email account to Ariba (externals).
When they open a PO and click on "display documents" they are directed to on-prem SharePoint. But since they are using external accounts they can't access it without providing a user/password from our AD.
Let me clarify that the company Azure AD and Ariba are already connected. So for users with AD accounts this is of course not an issue and SSO works. The problem is with external users not registered in the company AD.
In sum, is there a way for external users not created in the company AD to SSO FROM Ariba TO document resources on-prem with their external accounts?
Hope you can help or guide on how to make this scenario possible.
Best regards,
Jorge
Hello JAT,
This can be achieved by configuring the Application Gateway for supplier access to non-SAP Ariba applications in Ariba Network.
The customer must provide access to their non-SAP Ariba cloud applications to their suppliers. To use this feature, the buyer's third-party (non-SAP) applications must be set up for single sign-on access. This is done by SAP Ariba Services.
Supplier administrators of authorized suppliers must assign roles that have the required permissions to access SSO. This authorizes users to access the CUSTOMER organization's non-SAP Ariba cloud applications.
The CUSTOMER organization's non-SAP Ariba cloud applications must support the configuration of Ariba Network as the identity provider (IdP) using SAML 2.0.
Suppliers must have active trading relationships with the buying organizations. A good help doc is available on the SAP portal.
Regards
Vijay
Hi Jorge
I am not sure if I understand the issue fully.
If the vendor is collaborating on the invoice and PO in Ariba, they should already see it on their side of the portal?
If you still want them to log in from the buyer side, they have to be part of your AD, and you can make them a 3rd-party user in Ariba.
Refer to this link
and this one
Let me know if this helps.
Regards
Vinita
Hello Vinita:
The idea is not to register all the external vendors in the company AD, so that they can log in to Ariba with their own account/email address but still SSO to see on-premise file documents from the PO. These attached documents of the PO are quite big and are located in on-premise SharePoint.
1. First of all, suppliers are not part of the company network; they work using their own corporate devices and access SAP Ariba using either their own IdP or the Ariba IdP. The company IdP cannot be set as the default for suppliers, as the company in Ariba Network acts as one of many buyers in the context of a supplier session.
2. Suppliers access the Ariba Supplier portal using the URL service.ariba.com and authenticate either with basic authentication using Ariba credentials or using their own corporate IdP.
3. Suppliers display Purchase Order documents in the SAP Ariba Supplier portal; however, more detailed material documents need to be accessed from an external source outside Ariba Network, which means directly from the on-premise buyer network (in our case from our on-premise environment). Unfortunately this is not a server-to-server connection (Ariba to company DMS / SharePoint) but client-to-server, which means the supplier accesses DMS / SharePoint from his/her workstation and should authenticate as a named user with SSO. The DMS or SharePoint managed by the company is already onboarded to Azure AD and allows SSO, but only for internals.
4. In practice, forget that I am an employee: I access the Supplier Portal and act as any supplier on my own device or using in-private mode.
   a. I authenticate to the Supplier portal using basic authentication (not the company corporate email address but, for instance, firstname.lastname@<corporate_domain>.com).
   b. I access the PO document submitted by the company and, when I want to print the PDF document from the external source (the company DMS / SharePoint), I open the URL to the document, which is extended by a SAML token issued by the SAP Ariba IdP.
   That means I open the external document from company.sharepoint.com and the URL is extended by a SAML token. The issuer is service.ariba.com; the claim used for mapping should be john.dow@xcompany.com, mapped to the UPN/email address in Azure AD.
   However, because the issuer service.ariba.com is not trusted in the company Azure AD, authentication fails and I get a logon screen asking for my user credentials. This is what we need to solve: pass without the next authentication prompt coming from the company IdP. That means the user should be authenticated just once in the Ariba IdP, and when accessing any file from the company-managed DMS or SharePoint, the next authentication in the company Azure AD should pass silently when the issuer service.company.com is trusted.
Thank you again.
JAT
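The thread turns on one relying-party decision: the SharePoint side only honours SAML assertions from issuers it has been configured to trust, so an assertion issued by service.ariba.com is rejected and the user is bounced to the company IdP's logon page. Vijay's answer describes the fix at the product level (register Ariba Network as a SAML 2.0 identity provider for the non-SAP application). The example below, which is added here and is not code from the thread, from SAP or from Microsoft, models that decision as a SAML service provider would make it after XML-DSig signature verification (which needs an XML-DSig library such as xmlsec and is assumed to have already succeeded): issuer trust, pinning of the IdP signing certificate, audience restriction, validity window, and mapping of the e-mail claim to a directory UPN. The entity IDs, certificate stand-in, attribute name, assertion XML and directory entries are constructed for illustration.

```python
"""SAML 2.0 relying-party trust evaluation (added example; constructed data).

Assumption: the assertion's XML-DSig signature has already been verified by
an XML-DSig library (e.g. xmlsec). This code covers what a service provider
such as SharePoint decides after that step.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class TrustedIdp:
    entity_id: str     # value the IdP places in <saml:Issuer>
    cert_sha256: str   # pinned SHA-256 of the IdP's DER signing certificate (hex)
    email_attr: str    # attribute whose value is mapped to a directory UPN


@dataclass
class RelyingParty:
    audience: str      # this service provider's own entityID
    trusted: dict      # issuer entityID -> TrustedIdp
    clock_skew: timedelta = timedelta(minutes=5)


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 over the DER bytes carried in a <ds:X509Certificate> element."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()


def _parse_time(value: str) -> datetime:
    # SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(rp: RelyingParty, assertion_xml: str, now: datetime, directory: dict):
    """Return ("ok", upn) when the assertion is accepted, else ("reject", reason)."""
    root = ET.fromstring(assertion_xml)

    # 1. Issuer must be a registered IdP. Until Ariba Network is added to
    #    rp.trusted, an assertion from service.ariba.com stops here, which is
    #    the logon-prompt behaviour described in the thread.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    idp = rp.trusted.get(issuer)
    if idp is None:
        return "reject", f"untrusted issuer {issuer!r}"

    # 2. The certificate in ds:KeyInfo must be the one pinned for that issuer;
    #    otherwise anyone could sign an assertion and claim the trusted entityID.
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS)
    if cert is None or cert_fingerprint(cert) != idp.cert_sha256:
        return "reject", "signing certificate does not match pinned fingerprint"

    # 3. Audience restriction: the assertion must be addressed to this SP.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return "reject", "missing Conditions"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if rp.audience not in audiences:
        return "reject", f"audience {audiences} does not include {rp.audience!r}"

    # 4. Validity window with bounded clock skew.
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - rp.clock_skew or now >= not_on_or_after + rp.clock_skew:
        return "reject", "assertion outside validity window"

    # 5. Map the e-mail claim to an account that exists in the directory.
    value = root.find(f".//saml:Attribute[@Name='{idp.email_attr}']/saml:AttributeValue", NS)
    if value is None or not (value.text or "").strip():
        return "reject", f"missing attribute {idp.email_attr!r}"
    email = value.text.strip().lower()
    upn = directory.get(email)
    if upn is None:
        return "reject", f"no account mapped to {email!r}"
    return "ok", upn


# ---- constructed scenario (all values are illustrative, not real SAP/Azure data) ----
ARIBA_ISSUER = "service.ariba.com"
AZURE_AD_ISSUER = "https://sts.windows.net/<tenant-id>/"          # placeholder tenant
SHAREPOINT_AUDIENCE = "https://company.sharepoint.com"            # assumed SP entityID
# Stand-in for the IdP signing certificate: base64 of arbitrary bytes, NOT a real cert.
ARIBA_CERT_B64 = base64.b64encode(b"constructed stand-in for the Ariba Network signing cert").decode()
ARIBA_NETWORK = TrustedIdp(ARIBA_ISSUER, cert_fingerprint(ARIBA_CERT_B64), "email")
AZURE_AD = TrustedIdp(AZURE_AD_ISSUER, "00" * 32, "email")         # placeholder pin

ASSERTION_XML = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_constructed" Version="2.0" IssueInstant="2020-09-29T08:36:00Z">
  <saml:Issuer>{ARIBA_ISSUER}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{ARIBA_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>john.dow@xcompany.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-09-29T08:35:00Z" NotOnOrAfter="2020-09-29T08:41:00Z">
    <saml:AudienceRestriction><saml:Audience>{SHAREPOINT_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>John.Dow@xcompany.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed directory: lower-cased e-mail -> UPN of the mapped (guest) account.
DIRECTORY = {"john.dow@xcompany.com": "john.dow_xcompany.com#EXT#@company.onmicrosoft.com"}
NOW = datetime(2020, 9, 29, 8, 36, tzinfo=timezone.utc)


def sharepoint_rp(trust_ariba: bool) -> RelyingParty:
    trusted = {AZURE_AD_ISSUER: AZURE_AD}
    if trust_ariba:
        trusted[ARIBA_ISSUER] = ARIBA_NETWORK
    return RelyingParty(SHAREPOINT_AUDIENCE, trusted)


def before_trust():
    return evaluate(sharepoint_rp(False), ASSERTION_XML, NOW, DIRECTORY)


def after_trust():
    return evaluate(sharepoint_rp(True), ASSERTION_XML, NOW, DIRECTORY)


if __name__ == "__main__":
    print("only Azure AD trusted:", before_trust())
    print("Ariba Network trusted:", after_trust())
```

Two practical points follow from the model. Adding the issuer alone is not enough: the pinned certificate and the audience restriction are what stop a third party from minting assertions for service.ariba.com, so both must be part of the trust configuration. And step 5 is where Vinita's point re-enters: even with Ariba Network trusted, the e-mail claim still has to resolve to some account the DMS can authorize, which is why a guest (3rd-party) account per supplier user, or an equivalent mapping, is still needed on the SharePoint side.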