Click HERE to see how Saviynt Intelligence is transforming the industry.
|
Click HERE to see how Saviynt Intelligence is transforming the industry.
|
Disclaimer
The integration was either created by Saviynt or by Saviynt community users . The integration is available “as is” and fall under standard connectors support for REST, SOAP, JDBC, LDAP, PowerShell, Jar and Saviynt Connector Framework.
This guide describes the integration between Saviynt Enterprise Identity Cloud (EIC) and SAP Ariba.
This guide is intended for administrators and target application integration teams responsible for implementing a secure integration service with SAP Ariba.
SAP Ariba is a cloud-based procurement platform developed by SAP. It is designed to streamline and automate the procurement process for businesses, connecting buyers and suppliers in a digital marketplace. SAP Ariba provides a collaborative platform that allows organizations to manage their procurement activities efficiently, reduce costs, and enhance supplier relationships.
The SOAP connector enables you to seamlessly integrate with SAP Ariba to manage user lifecycle and govern access to their Teams, Entities, and Roles.
For more information about different connectors in EIC, see Saviynt Enterprise Identity Cloud Connectors.
Note: This guide provides information about using the SAP Ariba (SOAP) connector for performing operations listed in the Supported Features
The SAP Ariba integration supports the following features:
| Feature | Capabilities |
| Entitlement Type | Groups |
| Data Import | Full Account Import Full Access Import |
| Account Provisioning | Create Account Update Account Remove Account |
| Access Provisioning | Add Access Remove Access |
Software | Version |
EIC | Release 24.1 and later |
You must create an integration between EIC and the collaboration platform hosted by the target application to perform import, provisioning, and deprovisioning tasks. The following components are involved in the integration:
The Complete Service Management platform Ironclad combines ITSM with ESM and SIAM capabilities, enabling all internal departments, such as IT, HR, and Facilities, as well as external service providers and customers, to collaborate securely and seamlessly on one complete platform, reducing complexity and improving productivity.
Objects are imported as entitlement types into EIC.
Security System represents the connection between EIC and the target application.
It comprises of an endpoint, which is the target application for which you want EIC to manage the identity repository.
It provides application instance abstraction from connectivity including high-level metadata. For more information about creating a security system, see Creating a Security System.
Endpoint is an instance of an application within the context of a security system.
It is the target application or application from which the connector imports the data and performs provisioning or deprovisioning of identity objects, such as users, accounts, and entitlements.
It is mandatory to create an endpoint after creating the security system.
You can associate a single security system with multiple endpoints if the deployment involves modelling of multiple isolated virtual applications (based on sets of specific entitlements according to certain categories) within a single application instance. For more information about creating an endpoint, see Creating an Endpoint for the Security System.
Connector is a software component that enables communication between EIC and the target application. It provides a simplified integration mechanism where in some instances you only need to create a connection with minimal connectivity information for your target application. The REST connector is used for importing, provisioning accounts and access through the SCIM APIs. For more information about creating a connection, see Creating a Connection.
Job Scheduler is a software component that executes a job based on the configured schedule to perform import or provisioning operations from EIC.
When a provisioning job is triggered, it creates provisioning tasks in EIC. When these tasks are completed, the provisioning action is performed on the target application through the configured connector. If you want to instantly provision requests for completing the tasks without running the provisioning job, you must enable Instant Provisioning at the security system level and the Instant Provisioning Tasks global configuration. For more information about the jobs used by the connectors in the Ironclad integration.
EIC uses a SOAP connector for integrating with SAP for importing data and for performing provisioning and deprovisioning tasks.
The following diagram illustrates the integration architecture and communication with the target application.
To get access to the SAP Ariba application, please reach out to the SAP Ariba application team.
The application Team will provide the credentials.
Connection refers to the configuration setup for connecting EIC to target applications. For more information about the procedure to create a connection, see Creating a Connection.
Understanding the Configuration Parameters
While creating a connection, you must specify connection parameters that the connector uses to connect with the target application, define the type of operations to perform, the target application objects against which those operations are performed, and the frequency of performing them. In addition, you can view and edit attribute mappings between EIC and the target application, predefined correlation rules, and provisioning jobs and import jobs.
Configuration Parameters for Account and Access Import
The connector uses the following parameters for creating a connection and for importing account and access from the target application:
ConnectionJSON
Note : ConnectionJSON is currently not available for this document, will updated later.
ACCOUNTS_IMPORT_JSON
{
"CONNECTION1": "call2",
"REQUESTTYPE1": "ENTITLEMENTS",
"REQUESTXML1": "<soapenv:Envelope xmlns:gro=\"http://xxx/SAP Ariba/webservice/groupaccountrepository\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> <soapenv:Header><wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:UsernameToken><wsse:Username>$@USERNAME@</wsse:Username><wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\"@PASSWORD@</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body> <gro:readGroupAccountsByCriteria> <criteria xsi:type=\"ns19:fieldSearchClause\" xmlns:ns19=\"http://mitratech.com/SAP Ariba/webservice/type\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> </criteria><limit>-1</limit> <properties>uniqueKey</properties><properties>displayName</properties></gro:readGroupAccountsByCriteria></soapenv:Body></soapenv:Envelope>",
"REQUESTPARAMS1": {
"Content-Type": "text/xml;charset=UTF-8"
},
"RESPONSEDATAPATH1": "Body.readGroupAccountsByCriteriaResponse.groupAccounts",
"ENTITLEMENTMAPPING1": {
"GROUP": "uniqueKey"
},
"CONNECTION2": "call1",
"REQUESTXML2": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:user=\"http://xxx/SAP Ariba/webservice/useraccountrepository\"><soapenv:Header><wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:UsernameToken><wsse:Username>@USERNAME@</wsse:Username><wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">$@PASSWORD@</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body><user:readUserAccountsByCriteria><criteria xsi:type=\"ns19:fieldSearchClause\" xmlns:ns19=\"http://mitratech.com/SAP Ariba/webservice/type\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><operator>AND</operator><criteria xsi:type=\"ns19:stringFieldCriterion\"><fieldPath xsi:type=\"ns19:legacySearchFieldPathExpression\"><searchKeyPath>isActive</searchKeyPath></fieldPath><comparator>EQUALS</comparator><value>1</value></criteria></criteria><limit>-1</limit><properties>username</properties><properties>uniqueKey</properties><properties>active</properties><properties>userType</properties><properties>groups.uniqueKey</properties><properties>groups.uniqueName</properties><properties>groups.displayName</properties></user:readUserAccountsByCriteria></soapenv:Body></soapenv:Envelope>",
"REQUESTPARAMS2": {
"Content-Type": "text/xml;charset=UTF-8"
},
"RESPONSEDATAPATH2": "Body.readUserAccountsByCriteriaResponse.userAccounts",
"ACCOUNTMAPPING2": "NAME:username,ACCOUNTID:uniqueKey,customproperty11:active",
"ENTITLEMENTMAPPING2": {
"GROUP": "groups.uniqueKey"
}
}
STATUS_THRESHOLD_CONFIG
{
"statusAndThresholdConfig":
{
"statusColumn":"customproperty11",
"activeStatus":["true"],
"deleteLinks": true,
"accountThresholdValue" : 50,
"inactivateAccountsNotInFile": false,
"correlateInactiveAccounts" : false
}
}
CREATEACCOUNTJSON
[
{
"CONNECTION": "call3",
"REQUESTXML": "<?xml version=\"1.0\"?><soapenv:Envelope xmlns:con=\"http://xxx/SAP Ariba/webservice/contactrepository\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"><soapenv:Header><wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:UsernameToken><wsse:Username>@USERNAME@</wsse:Username><wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">$@PASSWORD@</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body><con:readContactsByCriteria><criteria xsi:type=\"ns19:fieldSearchClause\" xmlns:ns19=\"http://mitratech.com/SAP Ariba/webservice/type\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><operator>AND</operator><criteria xsi:type=\"ns19:stringFieldCriterion\"><fieldPath xsi:type=\"ns19:legacySearchFieldPathExpression\"><searchKeyPath>CONT_INTE_EMPE_NHRF__HRF_Custom02</searchKeyPath></fieldPath><comparator>EQUALS</comparator><value>${user.username}</value></criteria></criteria><limit>1</limit><properties>uniqueKey</properties></con:readContactsByCriteria></soapenv:Body></soapenv:Envelope>",
"REQUESTPARAMS": {
"Content-Type": "application/soap+xml;charset=utf-8"
},
"RESPONSEMAPPING": {
"contactUniqueKey": "Body.readContactsByCriteriaResponse.contacts.uniqueKey",
"TASK.PROVISIONINGCOMMENTS": "Body.readContactsByCriteriaResponse.contacts.uniqueKey"
}
},
{
"CONNECTION": "call1",
"REQUESTXML": "<?xml version=\"1.0\"?><soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:user=\"http://xxx/SAP Ariba/webservice/useraccountrepository\"><soapenv:Header><wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:UsernameToken><wsse:Username>$@USERNAME@</wsse:Username><wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">$@PASSWORD@</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body><user:insertUserAccount><userAccount><username>${user.username}</username><contactUniqueKey>${contactUniqueKey}</contactUniqueKey><active>true</active><userType>${USERTYPE}</userType><groupAccountUniqueKeys>${if(UIGROUP=='UI Finance'){'GROU_13961'} else if(UIGROUP=='UI Litigation-Default'){'GROU_13966'} else if(UIGROUP=='UI Litigation-United States'){'GROU_13968'} else if(UIGROUP=='UI Non-Litigation Default'){'GROU_13967'} else if(UIGROUP=='UI Intake'){'GROU_13962'} else {'GROU_13960'}}</groupAccountUniqueKeys><shortDescription>${DESCRIPTION}</shortDescription></userAccount></user:insertUserAccount></soapenv:Body></soapenv:Envelope>",
"REQUESTPARAMS": {
"Content-Type": "application/soap+xml;charset=utf-8"
},
"RESPONSEMAPPING": {
"ACCOUNT.ACCOUNTID": "Body.insertUserAccountResponse.uniqueKey",
"TASK.PROVISIONINGCOMMENTS": "Body.insertUserAccountResponse.uniqueKey",
"userUniqueKey": "Body.insertUserAccountResponse.uniqueKey"
}
}
]
DELETACCOUNTJSON
[
{
"CONNECTION": "call1",
"REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:user=\"http://xxx/SAP Ariba/webservice/useraccountrepository\"><soapenv:Header><wsse:Security soapenv:mustUnderstand=\"1\" xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:UsernameToken><wsse:Username>USERNAME@</wsse:Username><wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">$@PASSWORD@</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body> <user:updateUserAccount><userAccount><uniqueKey>${account.accountID}</uniqueKey><active>0</active></userAccount></user:updateUserAccount></soapenv:Body></soapenv:Envelope>",
"REQUESTPARAMS": {
"Content-Type": "text/xml;charset=UTF-8"
},
"RESPONSEMAPPING": {
"TASK.PROVISIONINGCOMMENTS": "Body.updateUserAccountResponse"
}
}
]
[
{
"CONNECTION": "call2",
"REQUESTXML": "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:aba=\"http://sap.com/xi/ABA\">\n<soap:Header><soap:AuthenticationInfo>\n<soap:userName>${USERNAME}</soap:userName>\n<soap:password>${PASSWORD}</soap:password>\n<soap:authentication></soap:authentication>\n</soap:AuthenticationInfo>\n</soap:Header><soap:Body><aba:BusinessUserBundleMaintainRequest_sync><BusinessUser actionCode=\"02\"><PersonID>${account.accountID}</PersonID><PersonUUID></PersonUUID><User actionCode=\"02\">${String rolesStr = '';int size = entitlementSet.size();int i = 0;for (String ent : entitlementSet){rolesStr=rolesStr+'<Role actionCode=\"01\"><RoleName>'+ent.toUpperCase()+'</RoleName></Role>';i++;if(i == size){System.out.println(rolesStr);return rolesStr;}}}</User></BusinessUser></aba:BusinessUserBundleMaintainRequest_sync></soap:Body></soap:Envelope>",
"COOKIEOPTIONS": "SAVEFROMRESPONSE",
"REQUESTPARAMS": {
"Content-Type": "text/xml; charset=utf-8"
},
"SOAPAction": "http://sap.com/xi/ABA/QueryBusinessUserIn/QueryBusinessUserInRequest",
"RESPONSEMAPPING": {
"ADDUSERRESPONSE": "Body.BusinessUserBundleMaintainConfirmation_sync.BusinessUser.Log.Item.Note.nodeexists"
},
"SUCCESSCRITERIA": {
"ADDUSERRESPONSE": "1"
}
}
]
REVOKEACCESSJSON
[
{
"CONNECTION": "call2",
"REQUESTXML": "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:aba=\"http://sap.com/xi/ABA\">\n<soap:Header><soap:AuthenticationInfo>\n<soap:userName>${USERNAME}</soap:userName>\n<soap:password>${PASSWORD}</soap:password>\n<soap:authentication></soap:authentication>\n</soap:AuthenticationInfo>\n</soap:Header><soap:Body><aba:BusinessUserBundleMaintainRequest_sync><BusinessUser actionCode=\"02\"><PersonID>${account.accountID}</PersonID><PersonUUID></PersonUUID><User actionCode=\"02\">${String rolesStr = '';int size = entitlementSet.size();int i = 0;for (String ent : entitlementSet){rolesStr=rolesStr+'<Role actionCode=\"03\"><RoleName>'+ent.toUpperCase()+'</RoleName></Role>';i++;if(i == size){System.out.println(rolesStr);return rolesStr;}}}</User></BusinessUser></aba:BusinessUserBundleMaintainRequest_sync></soap:Body></soap:Envelope>",
"COOKIEOPTIONS": "SAVEFROMRESPONSE",
"REQUESTPARAMS": {
"Content-Type": "text/xml; charset=utf-8"
},
"SOAPAction": "http://sap.com/xi/ABA/QueryBusinessUserIn/QueryBusinessUserInRequest",
"RESPONSEMAPPING": {
"ADDUSERRESPONSE": "Body.BusinessUserBundleMaintainConfirmation_sync.BusinessUser.Log.Item.Note.nodeexists"
},
"SUCCESSCRITERIA": {
"ADDUSERRESPONSE": "1"
}
}
]
The connection package helps you build the connection with pre-defined JSONs, this can be used if your tenant does not already have out of the box connection templates available. Here are the steps to import the Ironclad connection package.
Note : Connection Package is currently unavailable, will be added later.
Download the connection package.
Navigate to Admin → Transport → select Import Package.
Browse the downloaded package and Import.
Navigate to Admin → Connections → Select “Ironclad” Connection.
Edit the connection with your Ironclad tenant details.
The security system represents the connection between EIC and the target application. For more information on creating a security system, see Creating a Security System.
Endpoint refers to the target application used to provision accounts and entitlements (access). For more information on creating an endpoint, see Creating Endpoints.
You can use the Ironclad integration for performing import and provisioning operations after configuring it to meet your requirements.
You must apply the following guidelines for configuring import:
Run account import before running the access import.
Map all Ironclad attributes to EIC account attributes using ImportAccountEntJSON.
You must apply the following guidelines for configuring provisioning:
Use Java ternary operators if you want to add conditions in the provisioning parameters. You can use Java operations to tweak any attributes by using if-else conditions, substrings, or operators in the JSON for provisioning.
Full account import: When configuring the connection for the first time, first perform full import to import all existing accounts from the target application to EIC. To perform full import, the invoke API gets response from the target application and maps the attributes in the target application with attributes in EIC. As part of this process, the deleted accounts are also identified and marked as suspended from import service.
Full Access import: When configuring the connection for the first time, first perform full import to import all existing access from the target application to EIC. To perform full import, the invoke API gets response from the target application and maps the attributes in the target application with attributes in EIC. As part of this process, the deleted entitlements are also identified and marked as inactive.
The import jobs are automatically created in EIC after you create a connection for the Ironclad integration. For more information about creating jobs, see Data Jobs.
You must import accounts after the users are available in EIC.
To import accounts:
Specify the connection and import parameters. For more information, see Configuration Parameters for Account and Access Import.
Configure the Application Data Import (Single Threaded) job to import accounts and access. For more information, see Data Jobs.
Provisioning is automatically enabled when a connection is configured. For detailed information about performing provisioning tasks, see Access Request System.
To provision objects to the target application:
Specify the connection and provisioning parameters. For more information, see Configuration Parameters for Provisioning.
Configure the Provisioning job (WSRETRY). For more information, see Provisioning Jobs.
When a provisioning job is triggered, it creates provisioning tasks in EIC. When these tasks are completed, the provisioning action is performed on the target application through the connector.
To troubleshoot common problems with connectors, answer frequently asked questions, and provide solutions to a few common issues you might encounter while configuring or working with connectors, see Common Troubleshooting Guide for Connectors.
