Magento 2 ExtensionPunchout

Control SAP Ariba, Coupa, and Oracle Procurement integrations with OCI and cXML, tokenized session flow, mapping profiles, and security validation.

Punchout connects Magento 2 to procurement platforms such as SAP Ariba, Coupa, and Oracle Procurement via standardized OCI and cXML flows. The module controls login, cart transfer, and document feedback exchange in one end-to-end process.

OCI and cXML onboarding: Inbound setup and login requests are validated per buyer profile and started as context-bound sessions. This provides a stable entry point for procurement systems.

Tokenized session lifecycle: Every Punchout process runs with its own context token and correlation. This separates Punchout from regular storefront sessions and improves operational safety.

Cart API for external cart control: Items can be added, updated, removed, and retrieved through tokenized endpoints. Procurement platforms can synchronize cart content with Magento in a controlled way.

Idempotent transfer handling: Retry calls are processed deterministically through idempotency keys. This prevents duplicate processing and stabilizes integrations under network stress.

Mapping profiles instead of custom code: Field mapping rules, transformers, and value maps are managed in admin per protocol and direction. This accelerates partner-specific rollout.

Template-driven setup: Mapping profiles can start from templates and then be adapted. This reduces onboarding effort for new procurement connections.

Multi-layer security validation: IP allowlist, signature checks, buyer authentication, and hook URL validation work together. Invalid or unsafe requests are blocked early.

Traceability for support teams: Relevant steps are logged with correlation, status, and sanitized payload data. This speeds up troubleshooting and acceptance phases.

Admin simulator for integration tests: The simulator generates reproducible OCI and cXML requests including signature and cURL output. This shortens coordination with partner systems.

Compatibility scope: Built for SAP OCI environments and cXML procurement platforms such as SAP Ariba, Coupa, and Oracle Procurement, including buyer-specific mapping paths and controlled cart-to-transfer processes.

OCI and cXML endpoints

Process Punchout setup and transfer through dedicated OCI and cXML routes for standardized procurement integration.

Buyer profiles in admin

Manage buyer profiles with protocol assignment, active status, and encrypted credentials in one backend workflow.

Context token lifecycle

Control Punchout sessions via token, correlation, and lifecycle states for reproducible runtime behavior.

Tokenized cart API

Use add, update, remove, and get endpoints for external cart operations per Punchout context.

Mapping profiles with transformers

Configure field mapping, required rules, and transformer logic per protocol without partner-specific code forks.

Template-based rollout

Start mapping profiles from templates to accelerate onboarding and reduce setup risk.

Multi-layer security validation

Combine IP checks, signature validation, buyer auth, and hook URL controls for secure endpoint operation.

Idempotency and retry control

Handle repeated requests deterministically to avoid duplicate processing and unstable transfer behavior.

Trace viewer with export

Analyze Punchout traffic using trace listing, detail view, and JSON export with correlation data.

Simulator for integration acceptance

Generate reproducible test requests with signature and cURL output to speed up technical validation.

Standards and integration keywords

Fits SAP OCI scenarios and cXML flows with SAP Ariba, Coupa, and Oracle Procurement, plus buyer-profile governance and mapping control.

  • Current Version1.0.5
  • Compatible with Magento 2.4.6 - 2.4.8
  • Compatible with PHP 8.1 - 8.5

If your environment differs from the listed requirements, we can check compatibility in advance. Please contact us via our contact form.

punchout

Version 1.0.5 - 2026-03-07

Changed
  • Improved admin buyer credential UX for stored OCI and cXML secrets
  • Added explicit change toggles for secret replacement in buyer edit forms

Version 1.0.4 - 2026-03-06

Added
  • Improve admin mapping template loading feedback when template data is invalid
Fixed
  • Resolve Punchout request security against the active context store for cart, transfer, and logout endpoints
  • Compare Punchout context expiration timestamps in UTC to avoid timezone-dependent session handling

Version 1.0.3 - 2026-03-05

Fixed
  • Skip queue processing if Punchout is not enabled on specific store

Version 1.0.2 - 2026-03-02

Fixed
  • Fixed admin mapping profile editing so existing Punchout target keys stay populated after reload instead of appearing empty

Version 1.0.1 - 2026-02-27

Added
  • Admin document queue management with dedicated queue grid/actions and cron processing support
  • Operation policy enforcement for storefront punchout operations and simulator endpoint probing tools
  • Extended mapping/profile administration with reusable template copy flow and richer simulator controls
Fixed
  • Buyer save handling now normalizes nested admin form payloads consistently
  • OCI and cXML transfer endpoints now return explicit HTTP `200` for successful and idempotent replay responses
  • cXML PO cancel processing and integration flow coverage were stabilized

Version 1.0.0 - 2026-02-26

Added
  • Initial release
Module-Specific Questions
Which Punchout standards are supported in core?

The module supports OCI and cXML setup, login, and transfer flows as the core integration standards for procurement platforms.

How are buyers and credentials managed?

Buyer profiles are managed in admin and credentials are stored encrypted, keeping operations and security in one controlled workflow.

How does the module prevent duplicate processing on retries?

Transfers use idempotency keys with deterministic replay behavior, preventing duplicate execution during repeated calls.

Can procurement systems control the Magento cart directly?

Tokenized cart endpoints support add, update, remove, and get operations, enabling controlled external cart synchronization.

How flexible is partner-specific field mapping?

Mapping profiles provide protocol-specific rules, transformers, and value maps so partner requirements can be implemented without custom forks.

How does the module support technical acceptance testing?

The admin simulator generates reproducible OCI and cXML requests including signature and cURL output for faster partner validation.

Which security checks are active in the request flow?

IP allowlist, signature validation, buyer authentication, and hook URL validation are combined to block invalid or unsafe calls early.

How quickly can support teams isolate integration issues?

Trace logs with correlation, status details, and export capability make runtime issues transparent and reduce troubleshooting time.

Is Punchout only for B2B scenarios?

The module is designed for B2B procurement workflows while also fitting other structured external cart and transfer integrations.

Is Magento 2 Punchout compatible with SAP Ariba?

SAP Ariba projects are supported through the cXML punchout flow with buyer profiles, mapping control, and secure transfer handling in Magento 2.

How can Coupa Punchout be connected to Magento 2?

Coupa integrations run through cXML setup and transfer flows while mapping profiles align payload fields and cart behavior to your procurement process.

What is the practical difference between OCI and cXML in Magento 2 Punchout?

OCI is typically chosen for SAP-oriented browser punchout scenarios, while cXML is common for broader enterprise procurement ecosystems and richer message structures.

General Questions
How many Magento installations is the license valid for?

The license is valid for one Magento installation, including multi-website operation. In addition, the module may be installed on any number of development or staging servers. You can find further details in our license terms.

Is installation included in the price?

Installation and configuration are not included in the price. On request, we can support you with a smooth integration into your system.

What payment methods are available?

You can pay by credit card (Stripe) or bank transfer (prepayment). For credit card payments, the order is processed immediately and the access credentials are provided directly in a separate follow-up email.

What does the order process look like?

After credit card payment, you immediately receive access credentials to obtain the module via Composer. For bank transfer, access is granted once the invoice is paid.

I need a custom modification of the module. Is that possible?

Custom requests are no problem. We tailor our Magento 2 modules to your project and maintain a dedicated internal version so we always know exactly what runs on your system for support.

Can I install a demo version locally?

On each module detail page, you can request your own demo instance and test the module intensively for 7 days. However, we do not provide a local demo version.

Is the source code encrypted?

No, the source code of our modules is not encrypted. If you need a customization, feel free to send us a request. We will get back to you promptly with a non-binding quote.

What is the update policy and support?

You can add a support package to your order. It includes assistance as well as updates and upgrades related to the module. No continuous subscription is required.

I already have a license. How can I perform an update?

You can complete the license update here. If you have an active support package, you receive updates automatically via Composer. If your support package has expired, you can renew your license here or in your account.

I have another question — how can I contact you?

You can reach us anytime via eMail.

Punchout

×

Ideal for these industries & use cases

ERP and procurement integration

Connect procurement systems via OCI or cXML directly to your Magento 2 catalog and cart.

Buyer-specific Punchout flows

Control access, profile settings, and field mapping per buyer for clean integration ownership.

Retry-safe integrations

Stabilize transfers under network issues with idempotent request processing.

Multiple partners with dedicated mappings

Maintain partner-specific field rules per protocol without parallel code branches.

Support and incident analysis with trace

Resolve integration issues faster using correlation, trace details, and export data.

Technical validation before go-live

Validate endpoints and payload behavior through the admin simulator before production rollout.

Try it without risk

Request a personal demo instance and evaluate the module directly in backend and frontend under real conditions — without local installation.

For developers

Practical Magento 2 guides, technical developer documentation, and API references (REST, SOAP, GraphQL) for installation, configuration, and troubleshooting.

Go to Knowledge Base