SaaS Security
Onboard an SAP Ariba App to SSPM
Connect an SAP Ariba App instance to SSPM to detect posture risks.
Where Can I Use This? | What Do I Need? |
---|---|
|
Or any of the following licenses that include the Data Security license:
|
For SSPM to detect posture risks in your SAP Ariba instance, you must onboard your
SAP Ariba instance to SSPM. Through the onboarding process, SSPM logs in to SAP
Ariba using administrator account credentials. SSPM uses this account to scan your
SAP Ariba realm for misconfigured settings. If there are misconfigured settings,
SSPM suggests a remediation action based on best practices.
During the onboarding process, you will supply SAP Ariba account credentials to SSPM.
SSPM can access the account directly or through the Microsoft Azure identity
provider. Having SSPM access the account through Microsoft Azure requires MFA, which
adds an extra layer of security.
To onboard your SAP Ariba instance, you complete the following actions:
Collect Information for Connecting to Your SAP Ariba Instance
Item | Description |
---|---|
Username | The username or email address of an SAP Ariba administrator account. The format that you use can depend on whether SSPM will be logging in directly to your account or through an identity provider. The account must be registered to the SAP Ariba realm that you want SSPM to scan. |
Password | The password for the SAP Ariba administrator account. |
Realm | The SAP Ariba realm that SSPM will scan for misconfigurations. |
If SSPM will be accessing the administrator account directly, you will
also be prompted to select the following information:
Item | Description |
---|---|
FQDN | The fully qualified domain name (FQDN) for connecting to your SAP Ariba instance. For example: s1.ariba.com |
If you are using Azure Active Directory (AD) as your identity provider,
you must provide SSPM with the following additional information:
Item | Description |
---|---|
Azure 2FA secret | A key that is used to generate one-time passcodes for MFA. |
As you complete the following steps, make note of the values of the items
described in the preceding tables. You will need to enter these values during
onboarding to access your SAP Ariba realm from SSPM.
- Identify the SAP Ariba account whose login credentials you will supply to SSPM during onboarding.
  (Required Permissions) The account must have administrator permissions to the SAP Ariba realm that you want SSPM to scan.
- Determine whether you want SSPM to log in to the administrator account directly, or through the Microsoft Azure identity provider.
  Using Microsoft Azure adds an extra layer of security by requiring MFA using one-time passcodes. If you do use Microsoft Azure instead of direct login, SSPM requires more information for MFA.
- (For Microsoft Azure log in) To access the administrator account through Microsoft Azure:
- Identify the name of your SAP Ariba realm and FQDN.
  - Log in to your SAP Ariba realm using the administrator account that you identified earlier. After you log in to SAP Ariba, a query parameter of the URL shows your realm name.
  - From the browser's address bar, locate the realm parameter in the URL.
  - Make note of the value of the realm parameter. This is your realm name, which you will provide to SSPM during onboarding.
  - (For direct log in) If SSPM will be accessing the administrator account directly, also make note of the fully qualified domain name that is shown in the browser's address bar. During onboarding, you will be prompted to select the FQDN from a list. Possible FQDNs include s1.ariba.com and s3.ariba.com.
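The realm and FQDN lookup in the last step can be checked with a short script before you enter the values in SSPM. This is an added example, not Palo Alto Networks or SAP code; the function name is hypothetical, and the sample URL, its path and its realm value are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# FQDNs the page names as possible values. The page says the list "includes"
# these, so add any others that the SSPM selection list offers (assumption).
KNOWN_FQDNS = {"s1.ariba.com", "s3.ariba.com"}

# Constructed sample: what the address bar might show after an administrator login.
SAMPLE_URL = "https://s1.ariba.com/example/path?realm=examplecorp-T&locale=en"


def ariba_onboarding_values(address_bar_url):
    """Return (realm, fqdn, fqdn_is_known) from a post-login SAP Ariba URL."""
    parts = urlsplit(address_bar_url.strip())
    if parts.scheme != "https":
        raise ValueError("expected an https:// URL copied from the address bar")

    # urlsplit lower-cases the host; drop a trailing dot so comparison is exact.
    fqdn = (parts.hostname or "").rstrip(".")
    if not fqdn:
        raise ValueError("URL has no host name")

    # parse_qs percent-decodes values, keeps every occurrence of a key,
    # and drops empty values such as "realm=".
    realms = set(parse_qs(parts.query).get("realm", []))
    if not realms:
        raise ValueError("no realm parameter in the URL query string")
    if len(realms) > 1:
        raise ValueError("conflicting realm values: %s" % sorted(realms))

    # Exact-match lookup: a lookalike such as s1.ariba.com.example.net
    # is reported as unknown instead of passing a substring check.
    return realms.pop(), fqdn, fqdn in KNOWN_FQDNS


if __name__ == "__main__":
    realm, fqdn, known = ariba_onboarding_values(SAMPLE_URL)
    print("Realm:", realm)
    print("FQDN: ", fqdn, "" if known else "(not in the known list, verify before use)")
```
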
Connect SSPM to Your SAP Ariba Instance
By adding an SAP Ariba app in SSPM, you enable SSPM to connect to your SAP Ariba instance.
- From the Add Application page (Posture Security > Applications > Add Application), click the SAP Ariba tile.
- Under posture security instances, Add Instance or, if there is already an instance configured, Add New instance.
- Specify how you want SSPM to connect to your SAP Ariba instance. SSPM can Log in with Credentials or Log in with Azure.
- When prompted, provide SSPM with the administrator credentials and your realm name. If SSPM will connect to the account by using direct login, select the FQDN for your SAP Ariba instance. If SSPM will connect to the account through Microsoft Azure, specify the information that SSPM needs for MFA.
- Connect.