Business & Technology Nexus

Dave Stephens on technology and business trends

cXML and Supplier Punchout

with 13 comments

Although I can't quite figure out whether is truly independent or just an Ariba "satellite state", they do have some good documentation on their website on the Ariba-sponsored and largely Ariba-specific cXML business documents.

One of the most widely used areas of the cXML "standard" is supplier punch-out. For the few uninitiated, supplier punch-out is a mechanism that allows procurement systems to direct employees to supplier websites to shop for (& configure) items while still retaining context & knowledge of the buying system. After shopping & configuring, employees "check out" through their regular procurement system.

cXML is a handy standard for suppliers, given that Oracle also supports it. Plus there are a good number of supplier helper applications offering built-in support. So a supplier can be sure that investing in support of cXML for punchout will pay off – buyers will use it!

There are 3 central documents in the cXML punchout framework:

PunchOutSetupRequest – from buyer to supplier as the employee "punches in" to the supplier website to shop

PunchOutSetupResponse – from supplier to buyer acknowledging request & returning webstore URL for employee to shop at

PunchOutOrderMessage – from supplier to buyer concluding shopping experience and returning items selected for purchase

The messages are unique, but here are some of the elements you'll find within them:

1) From, To, and "Sender" sections identifying the parties involved

2) URLs for system-to-system communications between buyer and supplier

3) Ship-to information

(This is a strange part of the protocol, where Ariba wants to make it easy for suppliers to treat the punchout as an online order & match the eventual PO back to a shopping cart they saved. It's dangerous to use this though, as ship-to addresses are not final until the buying organization cuts the PO. So my advice to most suppliers is to ignore this info. Not only could you wind up computing the taxes incorrectly, you could also send the order to the wrong place!)

4) Items to be purchased

An interesting aspect of the cXML punchout is security. Unfortunately, there are "options" which is a terrible, terrible thing for a standard to have. Why terrible? Because it means a buyer can't just say "do you support cXML punchout?" – instead there has to be a detailed conversation of how they support it.

The simplest security mechanism is a "SharedSecret," essentially a password sent in clear text that the supplier can recognize. Other methods are using a MAC code (completely worthless and complicated, don't bother), and using server digital certificates.
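As an added example (not code from the post, Ariba or cXML.org), here is the supplier side of the setup exchange described above in Python: it parses a constructed PunchOutSetupRequest, reads the From/To/Sender parties and the Sender's SharedSecret, checks the secret against a hypothetical per-buyer store with a constant-time compare, deliberately ignores ShipTo as the post advises, and builds the PunchOutSetupResponse carrying the web-store URL. Element names follow the cXML DTD; the identities, URLs and secret are constructed.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample PunchOutSetupRequest (not a real buyer's message); ShipTo is present
# only to show that the supplier-side handler below does not read it.
SETUP_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<cXML payloadID="1234@buyer.example" timestamp="2006-05-19T11:26:00-07:00">
 <Header>
  <From><Credential domain="NetworkID"><Identity>AN0100000001</Identity></Credential></From>
  <To><Credential domain="DUNS"><Identity>123456789</Identity></Credential></To>
  <Sender>
   <Credential domain="NetworkID"><Identity>AN0100000001</Identity><SharedSecret>example-secret</SharedSecret></Credential>
  </Sender>
 </Header>
 <Request deploymentMode="test">
  <PunchOutSetupRequest operation="create">
   <BuyerCookie>cookie-42</BuyerCookie>
   <BrowserFormPost><URL>https://buyer.example/punchout/return</URL></BrowserFormPost>
   <ShipTo><Address><Name xml:lang="en">Loading Dock</Name></Address></ShipTo>
  </PunchOutSetupRequest>
 </Request>
</cXML>"""

# Hypothetical supplier-side store of the secret agreed with each buyer,
# keyed by the Sender credential (domain, identity).
BUYER_SECRETS = {("NetworkID", "AN0100000001"): "example-secret"}

def authenticate_setup_request(xml_bytes, secrets=BUYER_SECRETS):
    # Returns the fields the supplier needs to start a session, or None to reject the request.
    root = ET.fromstring(xml_bytes)
    cred = root.find("./Header/Sender/Credential")
    if cred is None:
        return None
    key = (cred.get("domain"), cred.findtext("Identity", "").strip())
    presented = cred.findtext("SharedSecret", "")
    expected = secrets.get(key)
    # Unknown Sender is rejected outright; a known Sender's secret is compared in constant time.
    if expected is None or not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    req = root.find("./Request/PunchOutSetupRequest")
    # ShipTo is intentionally not returned: the address is not final until the buyer cuts the PO.
    return {"sender": key, "operation": req.get("operation"),
            "buyer_cookie": req.findtext("BuyerCookie"), "return_url": req.findtext("BrowserFormPost/URL")}

def build_setup_response(start_url, payload_id, timestamp):
    # Serializes a successful PunchOutSetupResponse pointing the employee at the supplier's store.
    root = ET.Element("cXML", payloadID=payload_id, timestamp=timestamp)
    resp = ET.SubElement(root, "Response")
    ET.SubElement(resp, "Status", code="200", text="OK")
    setup = ET.SubElement(resp, "PunchOutSetupResponse")
    ET.SubElement(ET.SubElement(setup, "StartPage"), "URL").text = start_url
    return ET.tostring(root, encoding="unicode")
```

In production the request arrives over HTTPS, which is the only thing keeping the cleartext SharedSecret off the wire; the PunchOutOrderMessage that ends the session carries the same BuyerCookie back so the buyer can match the cart to the session it opened.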

Now initially, and even in the documentation today, recommends "SharedSecret" be used only when directing punchout via the Ariba supplier network. In this way, the network becomes the trusted agent, and will faithfully intercept a buyer's secret and parse it out of the XML, replace it with the supplier's secret, and forward it on. Neither buyer nor supplier need to know each other's secret. Now that's handy!

But handy comes with a price – suppliers and buyers are locked in to the Ariba supplier network, which now charges! The lock-in earns Ariba a critical stream of information on buying patterns they could later use for benchmarking.

The trouble is the network adds no value and at the same time inserts a single point of failure! Not good. From an operational standpoint, real-time punchout is far different from, and more difficult than, the other documents the network handles, such as POs and Invoices.

So avoid using an intermediary for punchout if at all possible!

It would be interesting to find out how many buyers and suppliers are ignoring's advice and are circumventing the network while still using the SharedSecret for authentication. I believe it's the primary use case even though it's nowhere near secure.

Server digital certificates seem like the eventual winner for "direct" punchout, but until recently they have cost real money to acquire. Verisign and others charge between $1000 and $2500 for a certificate (you ridiculously expensive incumbent vendors ought to be ashamed of yourselves as the provisioning of a certificate and its maintenance are TRIVIAL). But luckily, emerging services such as are driving the cost to 0 & in my view should quickly force the incumbents to adapt or die. But until news of the new services drives down costs, not every supplier will be quick to spend a few grand a year to support a buyer convenience.

Now, for detailed step-by-step instructions on supporting cXML, check out this pdf on

Have your own thoughts about cXML punchout & experiences you're willing to share? Send 'em my way!


Written by Dave Stephens

05/19/06 11:26 AM at 11:26 am

Posted in Opinion

13 Responses


  1. PunchOut is perhaps a concept ahead of its days when SOAP and WSDL were either non-existent or in their nascent days.

    There are two parts for a concept like Punchout to be successful. The technology standards and the functionality standards. Prior to Punchout concept, neither existed to support such a flow. But SOAP provides the transport level standards and organizations like can provide the functional standards of a shopping cart and the need for any middleman is gone. Time will tell.


    05/19/06 9:14 PM at 9:14 pm

  2. I think there’s a 3rd “part” required – neither functional nor technical. It has to do with marketing and momentum around a “standard” – Ariba did a great job at this. So even though their specification (cXML) by today’s standards is awful on both the technology and functionality fronts, it’s what is used. I’ll comment on WSDL and SOAP separately – as these are “in fashion” but have significant problems.

    Dave Stephens

    05/20/06 10:15 AM at 10:15 am

  3. has some hints as to who owns it. Judge for yourself how ambiguous it is.

    cXML.FAQ #10 and #11:
    “Ariba … retains control over the standard.”
    “ is not open to membership requests.”

    And if that’s not clear enough, check out the License Agreement, item #9:
    “Ariba, Inc. shall be deemed the Licensor.”

    Another Dave

    05/24/06 2:06 PM at 2:06 pm

  4. Hello,

    Do you have any useful guideline as to where to start when integrating Ariba with PeopleSoft applications (ERP)?

    Any feedback will be greatly appreciated!

    Thank you,

    Mike Smith

    Mike Smith

    12/21/06 11:56 AM at 11:56 am

  5. mike, that’s worthy of a post, which i will try and do after the holidays. the short answer (which may not be helpful) is that you need to decide where ariba buyer ends and peoplesoft ERP begins. the simplest form of integration is to tie ariba buyer (or any other eprocurement best-of-breed) into peoplesoft GL, using ariba for as much of the requisition-to-pay process as possible.. backing up from there, you can pass approved invoices into peoplesoft payables and manage the integration at that point. it gets more complicated as you retreat – the next place is to feed “approved” PO’s from ariba buyer into peoplesoft purchasing – this is probably the most popular way to do it, but you must figure out your change mgmt process. drop me a line at dave at coupa dot com and tell me which approach you’re going with and i’ll see if i can provide more helpful detail.

    Dave Stephens

    12/23/06 11:32 AM at 11:32 am

  6. Mike, We have implemented a customized messaging to talk to Ariba. Unfortunately, PeopleSoft does not offer a delivered way to communicate with Ariba like it does for Perfect Commerce. Hence we had to develop custom messaging which sends out POs to Ariba and receives POAs and Invoices.


    01/31/08 7:57 AM at 7:57 am

  7. Hi All, I am really confused about all of this. In order to integrate a procurement application (for SAP), I need a buyer account (called networkid) to test punchout. We have developed the application, we don't want to use Ariba procurement, just send the punchout request, but from Ariba they say I need to PAY for a test account??… any ideas??



    07/11/09 3:05 AM at 3:05 am

    • go to and follow the instructions there – that should get you pointed in the right direction.. you shouldn’t need to use the ariba stuff to test, although i’m sure they would love to milk you…

      Dave Stephens

      07/18/09 11:35 AM at 11:35 am

  8. Hi Dave, yes, is really clear about buyer integration. The problem is when we try to parse the cXML, I get errors indicating that the from (buyer) ID is not valid. So the question is, does someone know how to test a punchout request???… I don't need to set up a site, just to send the request, get the response….

    Thanks for your answer


    07/19/09 5:11 AM at 5:11 am

    • We need to pull together a quick open source project for a punchout tester.. Usually an IT person writes “both sides” (a harness) and tests that way.. But it’s a lot of repeat work. Contact me if you have an interest in sharing the harness with others and we can publish it.

      Dave Stephens

      07/26/09 8:21 PM at 8:21 pm

  9. Hi Dave, any luck on having a cxml standard code to implement?? We are struggling on direct punchout but in order to build it…we need accounts.



    02/25/10 11:10 AM at 11:10 am

    • Nope… It’s such a shame, and such an obvious need. you may want to ping the folks at as they might be a good alternative to roll your own & even if you do roll their own they might help.

      Dave Stephens

      02/25/10 5:25 PM at 5:25 pm
