I recently had to debug issues while integrating Magento 2 and SAP Ariba with Punchout for login, cart transfer and order processing.
We've integrated Magento and other procurement systems via Punchout over 10 times, so I'm used to debugging and solving the odd issue, but there were some really surprising issues this time that took a while to resolve.
I thought it would be worth sharing some of these to save you a day (or two) of struggling to fix them.
Here's an outline of the main issues I faced and how to resolve them:
- Chrome 80 Cookie issue
- x-frame-options = SameOrigin
- SNI SSL Support
- Cloudflare Firewall
- 500 error response (Not what you'd expect)
OK, so here's how to fix each of these.
Chrome 80 Cookie issue and Ariba Punchout
With the release of Chrome 80 in February 2020, the way cookies are handled changed, and this affects Punchout integrations because systems such as SAP Ariba present the merchant's store inside an iframe within Ariba. A cookie set with no SameSite attribute is now treated by default as SameSite=Lax, and a Lax cookie is not sent on requests made from inside a cross-site iframe. A cookie that has to work in that context must be set explicitly with SameSite=None; Secure, which also means it only works over HTTPS.
This causes the session cookies to be lost: after a valid Punchout setup request the user won't have an active session, you'll likely be kicked off the merchant catalog store if login is required, and cart sessions won't work as expected. There is no setting in Magento's config that fixes this (at the time of writing; I believe official support is coming), so a third-party module is required. We tested and installed the following module, which fixed the issue: https://github.com/Veriteworks/CookieFix
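The fix a module like CookieFix applies can be illustrated with a small response filter. This is an added example written for this post, not the module's code: it rewrites a Set-Cookie value to carry SameSite=None; Secure and, because some older clients reject SameSite=None outright, leaves the attribute off for those. The user-agent patterns are a simplified version of the incompatible-client list Chromium publishes and should be treated as an assumption to verify against your own traffic; the session cookie value is constructed.

```python
import re

# Clients that mishandle SameSite=None (they drop the cookie or treat None as Strict).
# Simplified from the incompatible-client list Chromium documents; an assumption to verify.
_BREAKS_ON_SAMESITE_NONE = (
    re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/"),                      # iOS 12
    re.compile(r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/(?!.*Chrom)"),   # macOS 10.14 Safari / embedded WebKit
    re.compile(r"Chrom[^ /]+/(5[1-9]|6[0-6])\."),                                   # Chrome 51-66
)


def client_breaks_on_samesite_none(user_agent: str) -> bool:
    """True for browsers that would reject a cookie carrying SameSite=None."""
    return any(p.search(user_agent) for p in _BREAKS_ON_SAMESITE_NONE)


def rewrite_set_cookie(header_value: str, user_agent: str) -> str:
    """Rewrite one Set-Cookie value so the cookie is still sent when the store
    is loaded inside Ariba's iframe (a cross-site context).

    Chrome 80 treats a cookie with no SameSite attribute as SameSite=Lax, which is
    never sent in a third-party iframe, so any existing SameSite value is replaced
    with None. Secure is always added, because browsers only honour SameSite=None
    on Secure cookies. For clients known to choke on SameSite=None the attribute
    is left off, which gives them the old pre-Chrome-80 behaviour.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty Set-Cookie value")
    name_value, attrs = parts[0], parts[1:]
    # Drop whatever SameSite/Secure the application set; both are decided below.
    attrs = [a for a in attrs if a.split("=", 1)[0].strip().lower() not in {"samesite", "secure"}]
    if not client_breaks_on_samesite_none(user_agent):
        attrs.append("SameSite=None")
    attrs.append("Secure")
    return "; ".join([name_value, *attrs])


if __name__ == "__main__":
    # Constructed example: a PHP session cookie as the application emits it, seen by Chrome 80.
    chrome80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
    print(rewrite_set_cookie("PHPSESSID=abc123; Path=/; HttpOnly", chrome80))
```

Apply a filter like this to every cookie the catalog relies on in the frame (session and any cart cookies). The Secure requirement is another reason the Punchout catalog has to be served over HTTPS.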
X-Frame-Options = SameOrigin
As Magento has to run inside an iframe while being browsed in SAP Ariba, and the default value of the X-Frame-Options header in Magento is SAMEORIGIN, the browser will refuse to display the site. It should be changed to allow framing from Ariba's domain:
ALLOW-FROM https://service.ariba.com
To change this, update the app/etc/env.php file and set the x-frame-options value accordingly. Be aware that ALLOW-FROM was only ever honoured by older Firefox; Chrome and Safari do not recognise it and ignore the whole header, so the store will load in Ariba but loses its clickjacking protection everywhere. Pair the change with a Content-Security-Policy header of frame-ancestors 'self' https://service.ariba.com, which modern browsers do enforce.
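As an added illustration (not Magento's code), here are the two headers I would send together and a checker for the frame-ancestors semantics, so you can confirm which embedding origins the policy admits before deploying it. The catalog origin https://catalog.example.com is a placeholder; service.ariba.com is the host named above. The checker is deliberately strict about scheme (CSP itself lets an http: source match an https: ancestor).

```python
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}


def ariba_frame_headers(embedder: str = "https://service.ariba.com") -> dict:
    """Headers for a store that must be framed by Ariba.

    X-Frame-Options ALLOW-FROM is kept for old Firefox; Chrome and Safari never
    implemented it and ignore the header entirely, so frame-ancestors is the
    directive that actually restricts who may embed the page in those browsers.
    """
    return {
        "X-Frame-Options": f"ALLOW-FROM {embedder}",
        "Content-Security-Policy": f"frame-ancestors 'self' {embedder}",
    }


def frame_ancestors_allows(policy: str, page_origin: str, ancestor_origin: str) -> bool:
    """Would a browser let a document from ancestor_origin frame a page served with
    `Content-Security-Policy: frame-ancestors ...`? Handles the source expressions
    used in practice: 'none', 'self', and host sources with optional scheme, port
    and a leading *. wildcard. Scheme-less sources match the page's own scheme.
    `policy` may be given with or without the leading "frame-ancestors".
    """
    sources = policy.split()
    if sources and sources[0].lower() == "frame-ancestors":
        sources = sources[1:]
    page, anc = urlsplit(page_origin), urlsplit(ancestor_origin)
    page_port = page.port or _DEFAULT_PORT.get(page.scheme)
    anc_port = anc.port or _DEFAULT_PORT.get(anc.scheme)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if (anc.scheme, anc.hostname, anc_port) == (page.scheme, page.hostname, page_port):
                return True
            continue
        scheme, _, hostport = src.rpartition("://")       # scheme is "" when absent
        host, _, port = hostport.partition(":")
        host = host.lower()
        if scheme and scheme != anc.scheme:
            continue
        if not scheme and anc.scheme != page.scheme:
            continue
        if host.startswith("*."):
            if not anc.hostname.endswith(host[1:]):        # "*.ariba.com" -> ".ariba.com"
                continue
        elif anc.hostname != host:
            continue
        if port and port != "*" and int(port) != anc_port:
            continue
        return True
    return False


if __name__ == "__main__":
    headers = ariba_frame_headers()
    policy = headers["Content-Security-Policy"]
    for origin in ("https://service.ariba.com", "https://attacker.example"):
        print(origin, frame_ancestors_allows(policy, "https://catalog.example.com", origin))
```

Magento's own header comes from the x-frame-options entry in env.php; the Content-Security-Policy header is easiest to add at the web server or CDN in front of it, and you can feed the exact value you deploy to the checker above.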
Ariba doesn't support SSL connections that require SNI
I hadn't considered any SNI support issues for almost 10 years, since IE6 was still supported; back then it was a pain, and this issue brought back a lot of memories!
Server Name Indication (SNI) is an extension of the TLS protocol that lets the client send the hostname it wants during the handshake, so a server can host multiple SSL certificates on the same IP address. A client that doesn't send SNI gets whatever default certificate the server serves for that IP, or a failed handshake.
The Punchout catalog we were integrating was on a complex hosting setup with load balancers, Varnish and a few other bits, so when I raised with the IT team that we required the Magento Punchout catalog's domain to be set up without requiring SNI, the answer was pretty clear (that isn't going to happen anytime soon!).
So with a new large customer going live and needing the Punchout integration we needed another way. After some investigation I discovered we could use Cloudflare to proxy the requests: it provides a non-SNI SSL connection to Ariba's client and then connects to the origin server with SNI. We also get the benefit of the security features (more on that below!) and a great CDN, all built in with minimal effort.
This was thankfully a great fix and easy to implement. It requires a basic $20 plan and an email to their customer support asking for a non-SNI setup; within a few hours they'd done that and we could connect to the site.
You can use https://www.ssllabs.com/ssltest to test whether SNI is required for your domain. If you get the blue banner as pictured below (the report says the site works only in browsers with SNI support), the domain won't work with SAP Ariba.
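An added check (not part of the original post) that does the same thing SSL Labs reports: connect to the host once with SNI and once without, and compare the certificate the server presents. If the non-SNI handshake fails, or returns a certificate that doesn't cover the host, Ariba's client would fail in the same way. The host is a command-line argument; example.com is only a placeholder default, and the names in the offline checks below are constructed.

```python
import socket
import ssl
import sys


def leaf_dns_names(host: str, port: int = 443, use_sni: bool = True, timeout: float = 5.0):
    """TLS-connect to host and return the DNS names on the certificate it serves,
    or None if the handshake fails.

    With use_sni=False the ClientHello carries no server_name, which is how a
    non-SNI client such as Ariba's connects. Chain verification stays on so that
    getpeercert() returns the parsed certificate; hostname checking is off because
    the names are compared by covers() below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
                cert = tls.getpeercert()
    except OSError:          # ssl.SSLError is a subclass: refused handshake, untrusted default cert
        return None
    return frozenset(value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")


def covers(host: str, names) -> bool:
    """True if one of the certificate's DNS names matches host (single-label wildcards only)."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") and host.endswith(name[1:]):
            return True
    return False


def sni_verdict(host: str, names_with_sni, names_without_sni) -> str:
    """Combine the two probes into one answer."""
    if names_with_sni is None or not covers(host, names_with_sni):
        return "unreachable_or_misconfigured"   # even an SNI-capable browser would fail here
    if names_without_sni is not None and covers(host, names_without_sni):
        return "no_sni_needed"                  # the default certificate on that IP already covers the host
    return "sni_required"                       # a non-SNI client gets a failure or the wrong certificate


def check_host(host: str, port: int = 443) -> str:
    return sni_verdict(host,
                       leaf_dns_names(host, port, use_sni=True),
                       leaf_dns_names(host, port, use_sni=False))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder default
    print(target, check_host(target))
```

The same test from the command line, with OpenSSL 1.1.1 or later, is `openssl s_client -connect host:443 -noservername` compared against `openssl s_client -connect host:443 -servername host`. After moving the domain behind Cloudflare's non-SNI setup the verdict should change to no_sni_needed.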
Cloudflare Firewall blocking Ariba's User Agent
After unsuccessful Punchout login requests, SAP's support kept telling us that we were returning a 403 (Forbidden) response code. I wasn't aware of any firewall that would have been blocking the request, and looking at the access log and security logs on the server I was sure the response wasn't coming from there.
One unintended consequence of switching to Cloudflare is that it has security features switched on by default. One of these (most likely the Browser Integrity Check) rejects requests with a missing or non-standard User Agent, and SAP Ariba sends a UA of Ariba Buyer x.x. So make sure you whitelist this User Agent in your Cloudflare Firewall rules with an Allow rule, and keep that rule as narrow as you can (the Punchout endpoint only): anyone can send that User Agent, and an Allow rule exempts the matching request from all the remaining checks.
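An added simulation (not Cloudflare's code, and not the original post's configuration, which is not reproduced here) of how Firewall Rules evaluate top to bottom, with the expression you would paste into the dashboard attached to each rule. The Punchout path /punchout/cxml/setup and the UA version are placeholders; the Browser Integrity Check is stood in for by a simple non-browser-UA rule, since its real heuristics are not public.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Placeholder for this example: the real endpoint path is not known from the post.
PUNCHOUT_PATH = "/punchout/cxml/setup"


@dataclass
class Rule:
    name: str
    expression: str                           # what you paste into the Firewall Rules editor
    action: str                               # "allow" exempts the request from every later check; "block" ends it
    match: Callable[[Dict[str, str]], bool]   # Python stand-in for `expression`, used by the simulation


def decide(rules: List[Rule], request: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Firewall Rules are evaluated in order and the first matching rule decides."""
    for rule in rules:
        if rule.match(request):
            return rule.action, rule.name
    return "pass", None                       # nothing matched: normal processing continues


# Stand-in for the Browser Integrity Check that produced the 403 Ariba saw.
integrity_check = Rule(
    "browser integrity check (stand-in)",
    "<managed feature, no expression>",
    "block",
    lambda r: not r["ua"].startswith("Mozilla/"),
)

# Too broad: anyone who sets this User Agent skips every other protection on every path.
allow_ariba_anywhere = Rule(
    "allow Ariba Buyer (broad)",
    '(http.user_agent contains "Ariba Buyer")',
    "allow",
    lambda r: "Ariba Buyer" in r["ua"],
)

# Narrow: only the Punchout endpoint is exempted; everything else stays behind the checks.
allow_ariba_punchout = Rule(
    "allow Ariba Buyer on Punchout endpoint",
    f'(http.user_agent contains "Ariba Buyer" and http.request.uri.path eq "{PUNCHOUT_PATH}")',
    "allow",
    lambda r: "Ariba Buyer" in r["ua"] and r["path"] == PUNCHOUT_PATH,
)

BROAD = [allow_ariba_anywhere, integrity_check]
SCOPED = [allow_ariba_punchout, integrity_check]


if __name__ == "__main__":
    # Constructed requests: Ariba's real setup call, and a scanner spoofing Ariba's UA against /admin/.
    ariba = {"ua": "Ariba Buyer 9.1", "path": PUNCHOUT_PATH}
    spoof = {"ua": "Ariba Buyer 9.1", "path": "/admin/"}
    for label, rules in (("broad", BROAD), ("scoped", SCOPED)):
        print(label, "ariba:", decide(rules, ariba), "spoof:", decide(rules, spoof))
```

The difference shows up on the spoofed request: under the broad rule it is allowed straight through, under the scoped rule it is still blocked, while Ariba's own call to the Punchout endpoint is allowed under both.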
500 error response from Punchout
For nearly all of the errors we had, the stock response from our Punchout connection attempts in Ariba was:
Status code="500" text="Internal Server Error"
Keep in mind that this isn't actually a response from your Punchout catalog, even though it looks like one and SAP support may suggest it is. Unless you are actually sending 500 responses, or can see a 500 error being thrown on your server, the error is most likely generated inside SAP Ariba's own system, so you'll have to raise a support ticket to find out exactly what caused it. If you are aware of the issues above you can rule those out, and hopefully you'll successfully integrate Magento 2 and SAP Ariba with Punchout.
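To settle the question raised both here and in the Cloudflare section (a 403 that SAP support attributed to us, and a 500 that looked like ours), an added example (not from the original post) that searches an origin access log for a response matching what Ariba reported. If nothing matches in the time window, the status came from somewhere in front of your server (Cloudflare) or from Ariba's side. The log lines, the path /punchout/cxml/setup and the timestamps are constructed for the example; the combined log format is the nginx/Apache default.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format as written by nginx and Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample: one successful setup request, a browser redirect, and a
# genuine 500 from the origin a few minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2020:14:02:11 +0000] "POST /punchout/cxml/setup HTTP/1.1" 200 1532 "-" "Ariba Buyer 9.1"
198.51.100.7 - - [10/Mar/2020:14:02:12 +0000] "GET /customer/account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/73.0"
203.0.113.10 - - [10/Mar/2020:14:07:40 +0000] "POST /punchout/cxml/setup HTTP/1.1" 500 0 "-" "Ariba Buyer 9.1"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line: str) -> Optional[Dict]:
    """Return the fields of one combined-format line, or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def origin_saw_status(lines: List[str], status: int, path_prefix: str, ua_prefix: str,
                      reported_at: str, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Entries that could be the response Ariba reported: same status, a request to
    the Punchout path, Ariba's User Agent, within +/- window of the reported time
    (an ISO 8601 string with offset, e.g. 2020-03-10T14:02:30+00:00).
    An empty list means the status did not come from this origin."""
    when = datetime.fromisoformat(reported_at)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["status"] == status and rec["path"].startswith(path_prefix)
                and rec["ua"].startswith(ua_prefix) and abs(rec["time"] - when) <= window):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # Ariba reports a 500 at 14:02:30; the origin only ever returned 200 around then.
    for code in (500, 403):
        hits = origin_saw_status(SAMPLE_LINES, code, "/punchout", "Ariba Buyer", "2020-03-10T14:02:30+00:00")
        print(code, "from origin" if hits else "not from origin")
```

Run it over the real access log with the timestamp from Ariba's transaction view; a match tells you to look at your own application error log, no match tells you to raise the ticket with Ariba (or, for a 403, to check the proxy in front of you).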