Table of Contents:
- SAP Business Network Single Sign-On (SSO) Overview
- SAP Business Network Access
- SAP Business Network Credentials Access (SSO Disabled)
- SAP Business Network SSO Access
- SAP Business Network SSO Access via IdP-Initiated URL
- SAP Business Network SSO & Credentials Access
- SAP Business Network Single Sign-On (SSO) Setup
- SAP IAS SAML Metadata Retrieval
- SAP Business Network SAML Metadata Retrieval
- SAP IAS SAML Authentication Configuration
- SAP Business Network User Configuration
- SAP Business Network SAML Authentication Configuration (non-self-service)
SAP Business Network Single Sign-On Overview
Note: Single Sign-On (SSO) is supported only for SAP Business Network Buyer access (SAP Business Network Supplier access is not supported).
SAP Business Network Access
SAP Business Network can be accessed via https://service.ariba.com
To access SAP Business Network as Buyer, click the [Buyer] button or navigate directly to https://service.ariba.com/Buyer.aw
To log in to SAP Business Network as Buyer, enter the Buyer user login name and hit [Next]. Depending on the SSO setup of the SAP Business Network Buyer account, one of the login screens below appears.
SAP Business Network Credentials Access (SSO Disabled)
If SAP Business Network Single Sign-On (SSO) is disabled for the Buyer account, the login screen for entering the SAP Business Network password is displayed.
SAP Business Network SSO Access
If SAP Business Network Single Sign-On (SSO) is enabled for the Buyer account and SAP Business Network credentials access is disabled, the configured SSO login screen for entering the SSO credentials is displayed (e.g. the SAP IAS login screen if SSO is configured with SAP IAS).
SAP Business Network SSO Access via IdP-Initiated URL
Assuming SAP Business Network SSO is enabled with SAP IAS as per the instructions in this blog, you can access SAP Business Network through the IdP-Initiated URL instead of the https://service.ariba.com link:
- https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=ANxxxxxxxxxxx-T&index=1
With this approach you skip one step, entering the SAP Business Network user ID, and log in directly with your SAP IAS credentials.
SAP Business Network SSO & Credentials Access
If SAP Business Network Single Sign-On (SSO) is enabled for the Buyer account together with SAP Business Network credentials access, a login screen offering either the SAP Business Network password or the [Sign in with SSO] choice is displayed.
SAP Business Network Single Sign-On (SSO) Setup
SAP IAS SAML Metadata Retrieval
To retrieve SAML Metadata from SAP IAS:
- enter the SAP IAS URL below into the browser: https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/metadata?action=download
- store the downloaded SAP IAS Metadata File
SAP Business Network SAML Metadata Retrieval
Note: Retrieval of SAP Business Network SAML Metadata is not self-service and needs to be requested via a case opened against the SBN-AN-LOG component. The instructions in this blog bypass the SAP Business Network SAML Metadata retrieval and instead provide manual steps for setting up the SAP Business Network Buyer Account in SAP IAS.
To retrieve the SAP Business Network signing certificate navigate to https://support.ariba.com/item/view/192337 and download Current Certificate – RSA certificate for service.ariba.com and store it as SAP Business Network Signing Certificate File
SAP IAS SAML Authentication Configuration
Prerequisites:
- SAP IAS user added as Administrator to SAP IAS (Users & Authorizations -> Administrators -> [Add])
- Retrieve SAP Business Network Buyer Account ANId (e.g. ANxxxxxxxxxxx-T)
- Replace xxxxxxxxxxx with your SAP Business Network Buyer Account AN Id
Note: SAP Business Network SSO setup requires the IdP-Initiated SSO to be enabled in SAP IAS.
To enable IdP-Initiated SSO in SAP IAS:
- enter the SAP IAS Administration Console via https://<SAP IAS tenant id>.accounts.ondemand.com/admin
- navigate to Application & Resources -> Tenant Settings -> Single Sign-On -> IdP-Initiated SSO
To configure SAP IAS SAML Authentication with SAP Business Network:
- enter the SAP IAS Administration Console via https://<SAP IAS tenant id>.accounts.ondemand.com/admin
- navigate to Application & Resources -> Application -> [Create] to create Application for SAP Ariba as Service Provider (SP)
- Enter the Display Name, choose SAP Ariba solution as Type, SAML 2.0 as Protocol Type and hit [Create]
- navigate to SAML 2.0 Configuration and enter:
- Name <SAP Business Network Buyer Account AN Id> (e.g. ANxxxxxxxxxxx-T)
- Assertion Consumer Service Endpoints
- Signing Certificate
- upload the downloaded SAP Business Network Signing Certificate File
- Signing Options
- Sign authentication responses -> true
- navigate to Subject Name Identifier and set the Primary Attribute Value to Login Name and hit [Save]
Note: Subject Name Identifier setting can vary based on the customer user setup in SAP IAS. The property chosen in the Subject Name Identifier in the user profile in SAP IAS shall hold the very same value as the Corporate Username of the user in SAP Business Network.
- navigate to Users & Authorizations -> User Management and check that the SAP IAS Login Name of each specific user matches that user's SAP Ariba UniqueName
SAP IAS User Profile:
SAP Business Network User Profile:
SAP Business Network User Configuration
Note:
- Navigate to SAP Business Network Buyer account Settings -> Users -> Manage Users
- Actions -> Edit -> Corporate Username
SAP Business Network SAML Authentication Configuration (non-self-service)
Note: SAP Business Network Single Sign-On (SSO) configuration is not self-service and needs to be requested as per the instructions below.
Create a case against the SBN-AN-LOG component, providing the details below:
- SAP Business Network Buyer Account Id (e.g. ANxxxxxxxxxxx-T)
- SAP IAS URL https://<SAP IAS tenant id>.accounts.ondemand.com
- SAP IAS Metadata File
- Disable SAP Business Network Login: Yes/No
- SAP IAS User Profile field value for SAP IAS for SAP Business Network Admin User (e.g. I0****6 - this needs to match the SAP IAS user profile property value, which is set as Subject Name Identifier)
- The SAP Business Network Admin User is not maintained in the list of users in SAP Business Network, so its Corporate Username cannot be set; the SAP IAS Login Id therefore has to be set up separately and passed as this setting
As part of the case execution, SAP personnel will apply the settings below in SAP Business Network:
- Assertion Issuer: SAP IAS URL (e.g. https://<SAP IAS tenant id>.accounts.ondemand.com)
- Corporate User ID: SAP IAS User Profile field value for SAP IAS for SAP Business Network Admin User (e.g. I0****6)
- Site Minder Affiliate Name: SAP Business Network Buyer Account Id (e.g. ANxxxxxxxxxxx-T)
- Get Assertion Service URL: https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=<SAP Business Network Buyer Account Id>&index=1 (e.g. https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=ANxxxxxxxxxxx-T&index=1)
- Portal Query URL:
- https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=<SAP Business Network Buyer Account Id>&index=1 (e.g. https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=ANxxxxxxxxxxx-T&index=1)
- Portal Login URL:
- https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=<SAP Business Network Buyer Account Id>&index=1 (e.g. https://<SAP IAS tenant id>.accounts.ondemand.com/saml2/idp/sso?sp=ANxxxxxxxxxxx-T&index=1)
- Disable Manual Logon to AN: Disable SAP Business Network Login
- Certificate Store for Site Minder SSL: *.crt certificate extracted from SAP IAS Metadata File
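Before the case is opened, the downloaded SAP IAS Metadata File can be checked and the values listed above (Assertion Issuer, the *.crt certificate, the IdP-Initiated URL) derived from it. The Python below is an added example, not part of the original blog or of any SAP tooling; `inspect_idp_metadata` is a hypothetical helper, and the tenant host, AN-ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample: tenant host, AN-ID and certificate bytes are placeholders.
TENANT_URL = "https://example-tenant.accounts.ondemand.com"
BUYER_ANID = "AN00000000000-T"
FAKE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="{TENANT_URL}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{TENANT_URL}/saml2/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def inspect_idp_metadata(xml_text, expected_issuer, buyer_anid):
    """Return the values needed for the SBN-AN-LOG case, or raise ValueError."""
    root = ET.fromstring(xml_text)
    issuer = root.get("entityID")
    if issuer != expected_issuer:
        raise ValueError(f"entityID {issuer!r} does not match the expected issuer")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Only a key marked for signing (or carrying no 'use') may verify assertions.
    certs = [kd.findtext(".//ds:X509Certificate", namespaces=NS)
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    if len(certs) != 1 or not certs[0]:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    der = base64.b64decode("".join(certs[0].split()), validate=True)
    # Every SSO endpoint must be HTTPS on the tenant host named as issuer.
    host = urlsplit(expected_issuer).hostname
    for sso in idp.findall("md:SingleSignOnService", NS):
        loc = urlsplit(sso.get("Location", ""))
        if loc.scheme != "https" or loc.hostname != host:
            raise ValueError(f"SSO endpoint outside tenant: {sso.get('Location')}")
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return {"assertion_issuer": issuer,
            "crt_pem": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n",
            "sha256": hashlib.sha256(der).hexdigest(),
            "idp_initiated_url": f"{expected_issuer}/saml2/idp/sso?"
                                 + urlencode({"sp": buyer_anid, "index": 1})}
```

The returned `sha256` value is the fingerprint of the extracted certificate, which can be compared with the certificate that ends up in the Certificate Store setting.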
Once the instructions in the opened case are executed, you have successfully configured Single Sign-On (SSO) between SAP Business Network as Service Provider (SP) and SAP IAS as Identity Provider (IdP)!