Enforce the Use of HTTPS in SAP Ariba Solutions - Frequently asked questions

To ensure that SAP Ariba can securely transmit data, receive data, and display URLs in the user interface and email messages, SAP Ariba will enforce the use of HTTPS URLs starting with the 2310 service pack. Customers will need to update URLs from HTTP to HTTPS, and reconfigure their outbound endpoint URLs to HTTPS as soon as possible.

Customers who fail to update the HTTP outbound endpoint URLs to HTTPS before the 2310 service pack, SAP Ariba will not transmit or receive data, or display the corresponding URL links in the user interface.

The following frequently asked questions provide more details related to this change.

 

General questions

• Q: Why is SAP Ariba enforcing the use of HTTPS?
  A: SAP Ariba is enforcing the use of HTTPS to meet the industry standard of security protocol and to ensure your data is secure when in transit.
  
  
• Q: What is the difference between HTTP and HTTPS?
  A: HTTPS is HTTP with encryption and verification. The difference between the two protocols is that HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, and to digitally sign those requests and responses. Without using HTTPS, your data is sent in cleartext. With HTTPS, data is encrypted in transit in both directions: going to and coming from the origin server. The protocol keeps communications secure so that malicious parties can't observe what data is being sent. As a result, HTTPS is far more secure than HTTP.
  
  
• Q: Who will be impacted?
  A: The following will be impacted:
  • Buying organizations using SAP Ariba Procurement and Sourcing solutions.
  • Buying organizations transacting with SAP Business Network and using integrations directly to transact with SAP Business Network. Make sure you are complaint with HTTPS.
    
    
• Q: What will be the timeline for HTTPS to be required?
  A: Your outbound endpoint URLs configured on all SAP Procurement Applications must be reconfigured to HTTPS before the 2310 SP release. While the SAP Business Network will not enforce HTTPS in the same release, we recommend that you also update the endpoint URLs at the same time. The SAP Business Network will provide a timeline in the coming weeks with a schedule that includes both SAP Business Network buyer and supplier organizations.
  
  
• Q: Do I need to update all URLs?
  A: You will need to update all HTTP URLs, including vanity URLs (see next question), to HTTPS, and reconfigure your outbound endpoint URLs to HTTPS before the 2310 SP release to ensure that SAP Ariba can transmit data, receive data, and display URLs in the user interface and email messages.
  
  
• Q: What if I use vanity URLs? Do they need to be updated too?
  A: All vanity URLs on other sites need to be updated to HTTPS. However, if your SAP Procurement solution site is on s1-2.ariba.com or s1-2-eu.ariba.com, do not update the vanity URLs.
  
  
• Q: How do I update them to HTTPS?
  A: Buy or obtain an SSL certificate that SAP Ariba trusts, which you can find in the Trusted certificate authorities for SAP Ariba article. Install the SSL certificate on your servers that interact with SAP Ariba. We would also recommend redirecting all HTTP traffic to HTTPS. This pertains to all outbound requests only.
  
  You are also advised to review parameters, configurations, flex fields, or any text fields where they currently use HTTP URLs.
  
  
• Q: Our organization is using single sign-on (SSO) within SAP Procurement Applications. How will this impact us?
  A: This is not immediately required. However, we have plans to enforce HTTPS in SSO configurations in 2024 (tentative). It is recommended to take actions as soon as possible, and have your DSC create a case with support to update the issuer ID to HTTPS in your SSO configuration. 
  
  
• Q: What happens if I don't update my HTTP URLs to HTTPS?
  A: HTTP URLs will not be supported for security reasons. If the URLs are not updated to HTTPS:
  • There could be limitations and risks associated with using unsecured HTTP URLs.
  • SAP Ariba will block the creation of new HTTP outbound endpoint URLs. It will also block existing HTTP outbound calls.
  • News, Hana Cloud Platform (HCP), and RSS portlets that use HTTP URLs will not display data.
  • Catalog images will not display, resulting an “Image Not Available” error in the interface.
  • Guided buying action tiles which reference HTTP URLs will not be impacted immediately. However, action tiles will stop redirecting to the specified URLs with a future release. We recommend that you take actions now.
    
    
• Q: Will this also impact SAP Integration Suite, managed gateway for spend management and SAP Business Network?
  A: No, this will not impact SAP Integration Suite, managed gateway for spend management and SAP Business Network. No action is required.
  
  
• Q: How will this impact supplier PunchOut catalogs?
  A: If you can’t access the catalogs or if the catalog images are missing, please contact your suppliers and ask them to update their catalog URLs to HTTPS. The updated catalog files will then need to be resubmitted. 

• Q: How can I ensure that my application’s Reply URL is correctly configured in the IDP to support SSO after migrating from AFD to PFD?
  A: To ensure seamless SSO functionality after migrating from AFD to PFD, follow these steps: 1.Copy the existing Reply URL from your IDP configuration. 2.Remove the "-2" from the newly added URL entry.

• • For example, if your current Reply URL is:
    https://s1-2.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?realm=<RealmID>
    The new Reply URL should be:
    https://s1.ariba.com/Buyer/Main/ad/samlAuth/SSOActions?realm=<RealmID>

This will ensure that the authentication request and response are directed to the correct endpoint, allowing for successful authentication upon migration from AFD to PFD.

 

 

Troubleshooting

• Q: Some of my catalog images don’t display, what happened?
  A: Images of the catalogs may not display if the URLs have not been updated to HTTPS. To fix the issue, please update the HTTP URLs to HTTPS.
  
  
• Q: Why are the vanity URLs not working after updating to HTTPS?
  A: If your SAP Ariba solution site is on s1-2.ariba.com or s1-2-eu.ariba.com, do not update to HTTPS.
  
  
• Q: Why is my guided buying tile tenant action tile for navigation not working? 
  A: To fix the issue, please update the action tile Target URL from HTTP to HTTPS.
  
  
• Q: Why are my suppliers’ PunchOut catalogs not displaying, and local catalog images are missing?
  A: To fix the issue:
  • For PunchOut catalog - Contact your suppliers and let them know they need to update their PunchOut catalog URLs to HTTPS. The updated catalog files will then need to be resubmitted.
  • For local catalog - Update the local catalog URLs to HTTPS.

 

Please review the documentation for more information.