Introduction:

We are happy to introduce you to the Joule in SAP Ariba!!!

This document will guide you through setting up Joule with SAP Ariba realms. Joule revolutionizes how you interact with SAP business systems, making every touchpoint count and every task simpler. This is the beginning of the journey to helping you work faster and smarter by leveraging your existing data, processes, and authorizations. 

Joule is not specific to SAP Ariba but is used widely across the SAP Line of Businesses. Please look at the blogs below to learn more about the AI transformation you are embarking on.

Before we get started with the Joule integration with SAP Ariba, it’s important to understand the overall Joule integration for your organization. Please look at the blogs below:

Tip: In case you do not have the Joule licenses, you can find the information here on how to opt for the Joule Base - 0$ license to get started or opt for SAP AI Units. Reach your account executive for more information.

****************************************************************************

This blog post is a series for Joule Activation:

• SAP Business AI – Overview for all !!! (Includes information on Joule Supported Data Centers, Different scenarios during Joule setup, etc..)
• Joule - Unified Setup: Bridging Simplicity and Performance (Demo Video to understand the Unified Setup, Joule basics & architecture, how to set up Joule, etc...) 
• Joule for SAP S/4HANA Cloud Private Edition - A Comprehensive Setup Guide
• Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach

• Joule for SAP S/4HANA Cloud Public Edition - Setup Guide
• SAP Digital Supply Chain
• Joule for SAP Integrated Business Planning (SAP IBP) – Setup Guide
• Joule Setup for SAP Integrated Product Development
• Joule – Getting Started with Document Grounding - setup guide
• Activate Joule with SAP Build Work Zone and SAP Mobile Start

• Analytics Insights in Joule – Setup Guide
• Activate Joule in SAP Concur - a Step-by-Step Guide

Joule in SAP Ariba – Setup Guide - You are Here

Blogs - Work in Progress (WIP):

• SAP SuccessFactors Joule Activation (Refer to SAP Discovery Center)
• Joule in SAP Signavio Process Transformation Suite – Setup Guide
• SAP Digital Supply Chain (WIP)
• SAP Asset Performance Management
• SAP Digital Manufacturing
• SAP Concur
• and more to be added towards General Availability

****************************************************************************

Pre-requisites:

 We can get started with looking at the prerequisites for the Joule activation with your SAP Ariba realms.

• SAP Ariba Realms
  • SAP Cloud Identity Services should be configured with SAP Ariba for user logon. In case this is not done, a third-party user in your SAP Ariba realm is required to achieve this
  • Ariba Core Administrator access
• SAP Business Technology Platform – Global Administrator
  • Joule Commercials
• SAP Cloud Identity Services – Administrator

Reference Architecture: 

Now that you have the details on prerequisites, let us take a minute to understand the setup process. In the architecture diagram below, you will see that Joule can be activated for your SAP Ariba Buying realm and the Guided Buying system. Both these systems will require a single SAP BTP Subaccount to integrate the Joule services.

If you plan to integrate Joule with SAP Ariba Child realms, you may need another SAP BTP Subaccount to activate the Joule integration and have dedicated Joule formations using the booster process.

Image 1

Note:

• One Joule instance can connect to one SAP Ariba Realm (Sourcing & Procurement)
• Today, Joule can only be connected to multiple backend systems to achieve a unified integration. However, Joule limits its integration to one system type. This limitation is applicable to SAP Ariba Parent and Child, as they are considered the same sources
• In case of Child Realms, you may need a dedicated subaccount for each child realm. Access to child Joule instances will be a dedicated connection, and Joule cannot communicate with parent realms
• With this approach, the end users may need to log in to the respective child realms to interact
• This limitation will soon be resolved in the upcoming releases

Integration Process:

Please read the details below to understand your Joule Integration Process based on your current setup in your organization. The blog is focused on the SAP Ariba Parent Realm. A similar process needs to be followed for Child realms.

Pick and choose the right scenario and follow the process mentioned below.

Image 2

Let us have a look at the steps involved for the integration:

1. SAP Ariba SSO with SAP Cloud Identity Services (ICM Process)

2. OAuth Credentials for CDM API (SAP Ariba Developer Portal)

3. Configure Identity Provisioning Service from SAP Ariba Applications to IAS

• Create Ariba to IAS User Sync - Source System
• Create Ariba to IAS User - Target System

4. Integrating Joule

• Scenario 1: Joule in SAP Ariba - new setup
• Scenario 2: You have an existing Joule setup, and a formation has been created

5. Post-integration checks

• Validate Application List
• Validate the Attributes
• Trusted Domains
• Conditional Authentication

6. Destination Setup

• SAP Ariba Sourcing Destinations
  • SAP Ariba Sourcing Destinations – DT
  • SAP Ariba Sourcing Destinations – RT
• SAP Ariba Procurement Destinations
  • SAP Ariba Procurement Destinations – DT
  • SAP Ariba Procurement Destinations – RT

7. SAP Build Work Zone - Content Provider 

• Content Provider for SAP Ariba Sourcing Solutions
•  Content Provider for SAP Ariba Procurement Solutions
• Channel Updates

8. Configure Identity Provisioning Service from IAS to SAP Build Work Zone

• Configure the Source System
• Configure Target Systems
  • SAP Ariba Buyer Target
  • SAP Ariba Sourcing – Target
• Run the Sync Job 

9. Joule test scenarios

Disclaimer: Any users syncing from IAS to Ariba or Ariba to IAS should be self-evaluated during the setup process. The blog details the basic setup functionalities. For additional questions/support, please reach out to your SAP Ariba contacts. 

Now that we have a process in place, we are ready to get started:

1. SAP Ariba SSO with SAP Cloud Identity Services

Ensure the blogs are followed, the users are replicated from SAP Cloud Identity Services to Ariba for user authentication, and you are able to log in to the SAP Ariba Realm using the SSO with SAP Cloud Identity Services.

Important: When setting up SAP Ariba SSO, we recommend using an existing SAP Cloud Identity Services connected with other LoB applications to achieve a unified setup with Joule. You can find more information here: Joule—Unified Setup: Bridging Simplicity and Performance.

In your existing setup, if the users are maintained in SAP Ariba Realm, you can do a user sync to SAP Cloud Identity Services. The details are documented in Step 3. Configure Identity Provisioning Service from SAP Ariba Applications to IAS below, as the User sync is required vice versa.

User replication in SAP Cloud Identity Services(CIS) is a mandatory process, as Joule will require the users in CIS, as it uses the GUID value for user authentication and conversations.

Caution: Please validate step 3 before you sync users from Ariba to IAS, as it may block Users from logging into Ariba. We have observed that a change in First Name, Last Name, and Email Address could impact users in case of missing configurations.

• Configure Single-Sign-On for SAP Ariba with SAP Cloud Identity Services

If you have an existing third-party service like Microsoft Entra as your Corporate Identity Provider, you can configure it using the following documentation: Integrating the Service with Microsoft Entra ID.

Your SAP Ariba should have the status as shown below.

Image 3

Note: If you are trying to achieve a Joule with a unified setup with SAP SuccessFactors and other LoB applications, you may want to check the Establish Trust at your SAP BTP Subaccount. If you are using the domain "https://xxxx.cloud.sap", then you should be validating the "Authenticator sign-in URL." If your system shows the format below, we are good. 

https://xxxxxxxx.accounts.cloud.sap/saml2/idp/sso/asqo0oaz2.accounts.ondemand.com  

In case the Authenticator sign-in URL is with ondemand.com, you may need to edit it manually for your settings, in case of no access, please raise an SAP Ticket to get this changed to cloud.sap which will ensure your SSO with other LoBs will be supported. 

Once the changes are completed, you should be able to see the changes as below:

Image 3(a)

Once the above setup is completed, you should be able to see the SAP Ariba applications, Source, and Target created by the SAP Cloud Identity Services automatically.

Listed in Applications:

Image 4

Listed in Identity Authentication as Source.

Image 5

Ariba Buyer as Target:

Image 6

You may go ahead and do a user sync from IAS to Ariba by clicking on Source Systems, Ariba Source, Jobs, navigate to Read Job, and then on Run Now.

Image 7

This will help us complete the IAS to Ariba Sync. Before we do the Ariba to IAS system user sync, we will need a few additional credentials, for which we will follow step 2.

2. OAuth Credentials for CDM API (SAP Ariba Developer Portal)

Note – This temporary manual process to manage the destinations and CIS jobs will be automated soon by the product engineering teams.

As a part of the current release, we will need to generate a few OAuth credentials for the CDM APIs to be exposed and consumed by the Joule services.

To perform the steps below, you will need an SAP Ariba Organization Admin role and be aware of the SAP Ariba Realms data center details.

To create the credentials, you can log in to the SAP Ariba Development Portal (https://developer.ariba.com/api/home).

In my case, I am demonstrating it in the EU Data Center. Please select your DC and sign in as per your Ariba realms:

Image 8

Click on Manage and then click on Applications.

Image 9

Here, you will need to locate your required Ariba realm from the application list. Once you identify your realm, you can click on Actions and Request API Access.

We will create the SAP Ariba Applications, which will generate an OAuth Client ID and Secret used during the setup process. 

Image 10

Select “Workzone CDM Content for Sourcing” from the dropdown list in the Select an API section. Then, select “Sourcing,” choose the realms you would like to use for Joule, and click on Submit.

Note: You have one for each of your sourcing realms or one for each of your buyer realms. If you wish to have separate environments for each realm (Test and Production), you may wish to create one for each.

Image 11

Once you submit the details, the process will be automated, and as indicated below, it may take some time to get this approved.

Image 12

Once this is approved, you should be able to click on Actions and Generate OAuth Secret. Ensure you save the OAuth Secret, as this will be a one-time display. In case you miss it, you may have to regenerate it and copy/change this value in all your setups.

Image 13

 If you are integrating Joule with your Procurement system, repeat the above step for “Workzone CDM Content for Procurement” and save the values for both.

3. Configure Identity Provisioning Service from SAP Ariba Applications to IAS

 This is an important step to ensure the users in your SAP Cloud Identity services are not impacted during the user sync from Ariba. This step will ensure you have the Users replicated from Ariba to SAP Cloud Identity Services and the respective roles. Please pay close attention during this setup. This process will also be automated soon by the SAP Ariba product team.

3.1 Create Ariba to IAS User Sync - Source System

Within your SAP Cloud Identity Services system, navigate to Identity Provisioning, click on Source System, create a new source system - SAP Ariba Applications, or import the Source file “3.1 Ariba to IAS User Sync - XXXXXXXXX Source.json”, and modify the values as explained below. Once you import or create a new one, you may use the details below.

Image 14

Save the Source System and then click on Transformation, click on Edit, and click on the JSON View icon to see the code. In this section, you will need to find the FamilyName - delete the code, and save the settings.

{
  "sourcePath": "$.userName",
  "targetPath": "$.name.FamilyName",
},

You can follow the screen below to verify the details.

Image 15

Next, click on the Properties tab and add the following properties that you generated from the SAP Ariba Developer Portal.

We recommend validating the user sync with one or a few users for testing. In our case, we have used the filter “ariba.applications.user.filter” with username as demonstrated below.

Image 16

3.2 Create Ariba to IAS User - Target System

Navigate to the Target System, create SAP Cloud Identity Service—Identity Authentication as a target system, or import the file “3.2 Ariba User Sync to IAS—Target System.json”. Then, select the source system that you edited in the above steps and save the settings.  

Image 17

Click on the Properties Tab, and validate the details below.

Image 18

Also, add/set the value for “ias.support.patch.operation” to true, as shown below.

Image 18

Now click on the Transformation tab and remove the following values, givenName, FamilyName, middleName, and honorificPrefix from the transformation as shown below.

Image 19

Save the settings, and this should take care of the user sync.

Please navigate to your Ariba Source System created in step 3.1 and click the Jobs tab and the Read Job - Run Now option.

Image 20

Tip: This step will ensure that the SAP Ariba Users, Groups, and Roles are replicated to the SAP Cloud Identity Services. In the subsequent steps, we will replicate the users, groups, and roles from SAP Cloud Identity Services to the SAP Build Work Zone to support Joule conversations. This process is specific to Ariba to support automation in the near future.

Ensure the Job is successfully executed. Now, as an admin, please navigate to the user profile and check that the existing user's first name, last name, username, and email validation have not been changed.

Image 21

Ensure the user is able to log in to the SAP Ariba system without any issues. If this user sync is good, only then proceed with other users by removing the User Filter in the source system to run the job again for all the users.

Note: In case of issues with test user sync, please do not run the Job for all users without filters. If additional support is required, please contact the SAP Support team.

 This completes the User sync in bi-directional if all the settings are looking good.

4. Integrating Joule

Scenario 1: Joule in SAP Ariba - new setup

As mentioned above, for the new Joule setup in SAP Ariba, you can follow the steps below.

You can follow the steps in this blog - Joule Setup – End-to-End Setup Guide (for all Line of Business) Unified Approach.

Skip the following steps:

3. Registering an SAP System – token exchange

3a.SAP S/4HANA Cloud Public Edition – Maintain Extensions on SAP BTP
3b. SAP SuccessFactors - Extension Center
3c. Validate your System Registration in SAP BTP

13. Create NavigationService Destination (this step has been taken care of by SAP and does not require a manual setup)

Follow all the steps apart from the ones listed above, and once completed, you may focus on the steps below:

As mentioned in the blog above, you should be able to see the Joule formation in Ready status. Follow the next steps from 5. Post Integration Validation.

Scenario 2: You have an existing Joule setup, and a formation has been created

In this section, we will show you how to activate Joule in SAP Ariba in the context of an existing Joule formation.

Note: You do not have to re-run the Joule booster.

Within your SAP BTP Global Account, navigate to System Landscapes, click on Formations, and search for the Joule formation you have already set up. In my case, I am using one of the existing formations, which has multiple SAP products connected to one Joule instance, as shown below. You can click on Include System.

Image 22

In the pop-up screen, filter the options by selecting SAP Ariba Buyer and SAP Ariba Sourcing. Now you can select the realms where Joule needs to be enabled. In my case, I am selecting the “T” systems for demonstration and click on Next.

Image 23

In the next step, please ensure to select the Enable Capability Deployment and Enable the Joule Icon in the Integrated System, and click on Review.

Image 24

Review the selected systems and click on Include.

Image 25

Once you click on Include, the Joule formation status changes from Ready to Synchronizing mode, which may take 5-8 minutes at times. Once the background activities are completed, you should be able to see it back in Ready status and with the SAP Ariba realms added to the formation.   

Image 26

This completes the setup process, and you should be able to see the Joule Icon in the SAP Ariba systems.

5. Post-integration checks

5.1 Validate Application List

Upon Joule integration, multiple background activities run to make the integration successful. You can navigate to your SAP Cloud Identity Services to check if the following Applications are created.

Image 27

5.2 Validate the Attributes

In the SAP Cloud Identity Services, click on Applications & Resources, look for the Ariba System Sourcing / Buyer, navigate to Attributes, and you should be able to see the “aud” with a few values, as shown below. 

Image 28

5.3 Trusted Domains

We will go ahead and add the SAP Ariba domain to the Trusted Domain. To do this, click on Application & Resources -> select Tenant Settings -> select Customization -> click on Trusted Domain and click on Add and enter your Ariba URL, and click on Save.

Image 29

Similar settings in your SAP BTP Subaccount also need to be done as shown below. 

Image 30

5.4 Conditional Authentication

Optional: If you have a third-party IDP, you may need to change the settings to make it compatible with Joule. Click on the das-ias -> select Conditional Authentication -> and enable/select/configure the same setting that you have for your Ariba systems. You can see the below for reference.

Image 31

Ensure you have the following settings to Use Identity Authentication User Store: Click on Identity Providers, select your third-party IDP, select Single Sign On, and enable the option Use Identity Authentication User Store.

Image 32

6. Destination Setup

We will now set up the destinations required for the Joule services to work with the SAP Build Work Zone services. Based on your SAP Ariba realms, the destination setup will require creating 2 destinations for each. If you are setting up for Sourcing and Procurement, it will be 4 destinations in total.

To simplify this, we have created a sample template that you can import and update the details for your system.

6.1 SAP Ariba Sourcing Destinations

6.1.1 SAP Ariba Sourcing Destinations - DT

Let us set up the destinations specifically for the SAP Ariba Sourcing realm, which will include the Design-Time and Run-Time destinations. If you are creating it manually, you can navigate to the Destinations options in your Subaccount and click on Create -> select From Scratch and add the details below, or import the file template – “6.1.1 AribaApp2AppDestinationSourcing_DT.json”.

When you import the template, you will need to edit the following values:

Image 33

The details can be found on the SAP Help page, or you can check the details below:

In the Additional Properties section, enter the following information:

The final details should be as shown below:

Image 34

6.1.2 SAP Ariba Sourcing Destinations - RT

If you are creating it manually, you can navigate to the Destinations options in your Subaccount and click on Create -> select From Scratch and add the details below or import the file template – “6.1.2 Ariba_Sourcing_RT.json”.

When you import the template, you will need to edit the following values:

Image 35

Additional properties:

The final values should be as shown below:

Image 36

6.1.3 SAP Ariba Procurement Destinations - DT

If you are creating it manually, you can navigate to the Destinations options in your Subaccount and click on Create -> select From Scratch and add the details below or import the file template – “6.1.3 AribaApp2AppDestinationBuyer_DT.json”.

When you import the template, you will need to edit the following values:

Image 37

In the Additional Properties section, enter the following information:

 The final details should be as shown below:

Image 38

6.1.4 SAP Ariba Procurement Destinations – RT

If you are creating it manually, you can navigate to the Destinations options in your Subaccount and click on Create -> select From Scratch, and add the details below, or import the file template – “6.1.4 Ariba_Buyer_RT.json”.

When you import the template, you will need to edit the following values:

Image 39

The final details should be as shown below: 

Image 40

You should be able to see all 4 destinations configured as shown below:

Image 41

7. SAP Build Work Zone - Content Provider

7.1 Content Provider for SAP Ariba Sourcing Solutions

We will be setting up the content provider from your SAP Ariba Sourcing realm, for which you will need access to your SAP Build Work Zone as an administrator. Navigate to Channel Manager and create the following Content Channels, click on New, and ensure the following details below:

You should be able to see the setup as below.

Image 42

7.2 Content Provider for SAP Ariba Procurement Solutions

We will be setting up the content provider from your SAP Ariba Buyer realm, for which you will need access to your SAP Build Work Zone as an administrator. Navigate to Channel Manager and create the following Content Channels, click on New, and ensure the following details below:

You should be able to see the setup as below. 

Image 43

7.3 Channel Updates

While creating both the above Content Providers for the Sourcing and Buyer system, the status should be “Created”; you can click on the refresh icon under the action options.

Image 44

The status should be as shown below for both realms. If there are any errors, it could be because a setting in your DT or RT in step 5 is missing/incorrect. Please ensure you have validated them. 

8. Configure Identity Provisioning Service from IAS to SAP Build Work Zone

In this step, we will set up the Source and Target services to ensure we replicate the SAP Ariba roles to the SAP Build Work Zone.

8.1 Configure the Source System

In this step, we are going to use the existing SAP Source System that was created during the SAP Ariba ICM process. This Source system can be reused for the user replication form IAS to SAP Build Work Zone also.

Note:

• If you have integrated CIS with SAP Ariba without the ICM process, you may have to manually create the source system as per the help portal. Later, follow the steps below.

 In my case for the blog, we are using the source system “IAS for Ariba Buyer XXXXX_XGB – source” that was created during the ICM process.

8.2 Configure Target Systems

Based on your system integrations for SAP Ariba Realms, you will create the required Target systems. In our case, we are going to create two target systems, one for the Buyer and one for Sourcing.

8.2.1 SAP Ariba Buyer Target

You can either follow the new setup or simply import the Buyer Target file that is made available to you “8.2.1 IAS to WZ for Ariba Buyer Target System.json”

To create a new one, you will need to follow the settings below:

If you simply import the Buyer Target file, you should be able to see the details below. Ensure to modify the values to meet your setup.

Image 45

If you have manually created a Target System, navigate to Transformation and switch to JSON view, click on Edit, and add the following attribute mapping for the group entity.

Skip this step if you have done a file import, as this is taken care.

It should be as shown below:

Image 46

Save the settings and click on the Properties tab to add the following details below.

The values are from your SAP Build Work Zone Service Key file, as shown below:

Image 47

8.2.2 SAP Ariba Sourcing – Target

You can either follow the new setup or simply import the Sourcing Target file that is made available to you, “8.2.2 IAS to WZ for Ariba Sourcing Target System.json”

Or

You can simply export your SAP Ariba Buyer Target that was created in the step above and edit the naming to Sourcing, as shown below.

Image 48

Ensure the values are accurate from your SAP Build Work Zone Service Key and click on Save.

Image 49

8.3 Run the Sync Job

To run the sync of users and groups to SAP Build Work Zone, you can navigate to SAP Cloud Identity Services, click on the IAS for Ariba Buyer—XXXX_XGB services you have used for target mapping, and click on Jobs. Here, you can click Run Now, as shown below.

Image 50

 You can go to the Provisioning logs to see the user and user groups updated to the SAP Build Work Zone, as shown below. 

Image 51

If you look at the logs, you will see that User and Group READ from SAP IAS as the Source system and the WRITE action of User and Group to the Target system SAP Ariba Buyer, SAP Build Woke Zone for Buyer & Sourcing.  

In case of failed users, you may have to check the logs and fix them.  

This completes the Ariba integration with Joule.

Note: You may need to schedule regular jobs to ensure that the User, Groups, and Roles are synced with your SAP Build Work Zones.

9. Joule Test Scenarios

The Joule icon should now be visible in your SAP Ariba Systems. You can log in to the Joule service and use the services listed in the SAP Ariba Joule Capabilities.

Image 52

Congratulations. You have successfully activated Joule in SAP Ariba Realms, and it should be visible in your Buyer and Sourcing system.

PS: Thanks to the SAP Ariba Team and the Joule Engineering team for helping to put this blog together. 

Happy Learning!!!

 Regards,
Nagesh Caparthy