
Ariba integration from external accounts

0 Kudos

Hello all:

I have a scenario for integration that needs some help.

We have vendors connected with their email account to Ariba (externals).

When they open a PO and click on display documents, they are directed to on-prem SharePoint. But since they are using external accounts, they can't access it without providing user/pw from our AD.

Let me clarify that company Azure AD and Ariba are already connected. So for users with AD accounts of course this is not an issue and SSO works. The problem is with external users not registered in company AD.

In sum, is there a way external users not created in company AD can make SSO FROM Ariba TO documents resources on-prem with external accounts?

Hope you can help or guide on how to make this scenario possible.

Best regards,

Jorge

Accepted Solutions (0)

Answers (3)


swarupprusti
Associate
0 Kudos
VijayTalekar
Explorer
0 Kudos

Hello JAT,

This can be achieved by configuring Application Gateway for supplier access to non-SAP Ariba applications in Ariba Network.

  • Configuring Application Gateway for supplier access to non-SAP Ariba applications in CUSTOMER Firewalls (SharePoint/document repository)
  • Ariba Network can be configured as an Application Gateway providing suppliers with access to a CUSTOMER’s non-SAP Ariba applications through Single Sign-On (SSO).
  • CUSTOMER can use this tool to provide any of its suppliers (with an active trading relationship) access to one or more of its third-party applications.
  • CUSTOMER to request SAP Ariba to configure an Application Gateway on the supplier home page.
  • This gateway shows links to CUSTOMER’s applications that supplier users can access through Ariba Network SSO.
  • CUSTOMER Buyers can then assign suppliers to access the third-party applications.
  • DSC submits Request. SAP Ariba representative will follow up with information about SAP Ariba Services.

Customer must provide access to their non-SAP Ariba cloud applications to their suppliers. To use this feature, buyer third-party applications (non-SAP) must be set up for single sign-on access. This is done by SAP Ariba Services.

Supplier administrators of authorized suppliers must assign roles that have the required permissions to access SSO. This authorizes users to access the CUSTOMER organization's non-SAP Ariba cloud applications.

The CUSTOMER organization's non-SAP Ariba cloud applications must support the configuration of Ariba Network as the identity provider (IDP) using SAML 2.0.

Suppliers must have active trading relationships with buying organizations. A good help doc is available on the SAP portal.

Regards

Vijay

Former Member
0 Kudos

Hi Jorge

I am not sure if I understand the issue fully.

If the Vendor is collaborating on the invoice and PO on Ariba they should see on their side of the portal already?

If you still want them to log in from the buyer side, they have to be part of your AD and you can make them 3rd Party users in Ariba.

Refer to this link

https://help.sap.com/viewer/25dc4e05f77f4cb185ab75385a54beef/cloud/en-US/10de916eeef2408c850ebea6ee5...

and this one

https://help.sap.com/viewer/c7b90f921e8b421c9b5e384b7c3e473b/cloud/es-ES/1a6eb6eea6a2472e8a4cd3e142b...

Let me know if this helps.
Regards

Vinita

0 Kudos

Hello Vinita:

The idea is not to register all the external vendors in company AD, so they can log in to Ariba with their own account/email address, but to have them SSO to see the on-premise file documents from the PO. These attached documents of the PO are quite big and are located in on-premise SharePoint.

1. First of all, suppliers are not part of the company network; they work using their own corporate devices and access SAP Ariba using either their own IdP or the Ariba IdP. The company IdP cannot be set as default for suppliers, as the company in Ariba Network acts as one of many buyers in the context of a supplier session.

2. The supplier accesses the Ariba Supplier portal using the URL service.ariba.com and authenticates either using basic authentication with Ariba credentials or using their own corporate IdP.

3. In the SAP Ariba Supplier portal the supplier displays Purchase Order documents; however, more detailed material documents need to be accessed from an external source outside Ariba Network, which means directly from the on-premise buyer network (in our case, from the on-premise environment). Unfortunately, this is not a server-to-server connection (Ariba to company DMS / SharePoint) but client to server, which means that the supplier accesses DMS / SharePoint from his/her workstation and should authenticate as a named user with SSO. DMS or SharePoint managed by the company are already onboarded to Azure AD and allow SSO, but only for internals.

4. In practice, forget that I am an employee when I access the Supplier Portal and act as any supplier on my own device or using in-private mode:

a. I authenticate to the Supplier portal using basic authentication (not the company corporate email address but, for instance, firstname.lastname@<corporate_domain>.com).

b. I access the PO document submitted by the company, and when I want to print a PDF document from the external source, which is the company DMS / SharePoint, I open the URL to the document, which is exchanged by a SAML token issued by SAP Ariba IdP.

That means that I open the external document from company.sharepoint.com and the URL is extended by a SAML token. The issuer is service.ariba.com; the claim used for mapping should be john.dow@xcompany.com, mapped with the UPN/email address in Azure ID.

However, because the issuer service.ariba.com is not trusted in company Azure AD, authentication fails and I get a logon screen to provide my user credentials. This is what we need to solve: pass without the next authentication prompt coming from the company IdP. That means the user should be authenticated just once in Ariba IdP, and when accessing all files from the company-managed DMS or SharePoint, the next authentication in company Azure AD should pass silently when the issuer service.company.com is trusted.

Thank you again.

JAT
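
The trust decision discussed in this thread, as an added example that is not part of any post and is not SAP or Microsoft code: a relying party receives an assertion from Ariba Network acting as SAML 2.0 IdP and only grants SSO when the issuer is trusted, the audience matches, and the NameID maps to an account. The function name, the account mapping, the audience URL and the sample assertion are constructed assumptions; signature verification is assumed to have been done beforehand by a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the assertion the thread describes, reduced to the
# fields used below (no signature, no validity timestamps).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-1" Version="2.0">
  <saml:Issuer>service.ariba.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>john.dow@xcompany.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://company.sharepoint.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

def evaluate_assertion(xml_text, trusted_issuers, expected_audience, directory):
    """Return (decision, detail) for an assertion whose signature a SAML
    library has already verified (assumption; not done here)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    # 1. Unknown issuer: the token is ignored and the user falls back to the
    #    relying party's own login prompt (the symptom in the thread).
    if issuer not in trusted_issuers:
        return ("login_prompt", f"issuer {issuer} is not trusted")
    # 2. The assertion must be addressed to this application.
    audiences = {(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)}
    if expected_audience not in audiences:
        return ("reject", "audience mismatch")
    # 3. Map the NameID claim to a local account, keyed by issuer as well, so
    #    one IdP cannot assert identities that belong to another.
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    account = directory.get((issuer, name_id.strip().lower()))
    if account is None:
        return ("reject", "no account mapped for this issuer and NameID")
    return ("sso", account)

# Hypothetical external-account mapping held by the relying party.
DIRECTORY = {("service.ariba.com", "john.dow@xcompany.com"): "ext_john.dow"}
AUDIENCE = "https://company.sharepoint.com"

if __name__ == "__main__":
    print(evaluate_assertion(SAMPLE_ASSERTION, set(), AUDIENCE, DIRECTORY))
    print(evaluate_assertion(SAMPLE_ASSERTION, {"service.ariba.com"}, AUDIENCE, DIRECTORY))
```

With an empty trust list the result is the login prompt from the question; adding the issuer is not sufficient on its own, since the audience and account mapping must also match.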