Skip to content

PunchOut integration

PunchOut is a protocol through which authenticated users of procurement and purchasing systems are authorized to access resources that reside directly on a supplier's website. These can be products and services that are available to purchase on the open internet as well as customized products, or more often a customized pricing policy, defined through a supplier contract. This eliminates the necessity to repeatedly transfer whole product catalogs between suppliers and purchasing organizations since the whole catalog's content, inventory and pricing are maintained by the supplier.

IFS Cloud offers both procurement capabilities as well as webstore/supplier capabilities and it offers the possibility to integrate both sides with commercial partners using PunchOut.

PunchOut setup endpoint

Significant when starting a PunchOut transaction is the endpoint punchOutSetUp. This new endpoint is available at:


This is a POST endpoint that takes an XML document as a parameter: the so called PunchOutSetupRequest sent by the Procurement side of the transaction. This request is, to be precise, a cXML document that contains several parameters, among which:

  • Sender Identity
  • SenderMACExpiration
  • SenderMAC
  • RedirectUrl
  • FromDomain
  • FromIdentity
  • SenderDomain
  • SenderMACCreation

A crucial part in this process, when it comes to achieving a successful authentication, is the validation of the MAC.

If the validation is successful, the result is a PunchOutSetupResponse cXML document. This document, sent from the Web Store / Supplier side to the Procurement, contains a one-time link that allows a Procurement system's user to login as an authenticated user in the Web Store of the supplier, accessing products and contractually defined pricing policies.

For more information about IFS Procurement capabilities, refer to the User documentation.

MAC validation

MAC stands for message authentication code and it is created by encrypting the message described above with the HMAC-SHA1-96 algorithm using a 96-bit shared secret known by both sides.

In IFS Cloud, administrators are able to connect a user with a shared secret from the Shared Secret tab under

Solution Manager -> Users and Permissions -> Users -> User

End users are allowed to change their own shared secret from the page:

My Administration -> Shared Secret

The MAC validation is executed on the supplier / web store side. What practically happens is that the supplier re-creates the MAC using the parameters named above, the shared secret and the HMAC-SHA1-96 algorithm; then this newly created MAC is compared to the MAC received from the procurement side. If and only if the two MACs are exactly the same, the validation is successful and the one-time login link is sent back to the procurement.