Human Capital Management Blogs by SAP
Get insider info on SAP SuccessFactors HCM suite for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
I066175
Advisor
Introduction

Basic authentication has long been the way SAP Cloud Integration and SAP SuccessFactors communicate. To move to more secure authentication mechanisms, both SAP SuccessFactors and SAP Cloud Integration have been enhanced to support OAuth-based mechanisms.

This blog focuses on configuring connectivity between SAP SuccessFactors and SAP Cloud Integration using OAuth. For each of the two scenarios, the steps describe in detail the necessary configuration in SAP SuccessFactors and SAP Cloud Integration.

Scenario 1: Connectivity from SAP Cloud Integration to SAP SuccessFactors

SAP Cloud Integration has enhanced the SAP SuccessFactors OData V2 outbound connector with OAuth2 SAML Bearer authentication. With the enhanced connector, it is possible to configure OAuth SAML Bearer in the context of an API user for the SAP SuccessFactors system. With basic authentication being retired for SAP SuccessFactors OData services, OAuth SAML Bearer authentication is the new alternative.

The steps below describe how to create an OAuth SAML Bearer credential for SAP Cloud Integration to SAP SuccessFactors connectivity:

  • Access "Keystore" through Manage Security -> Keystore under the "Monitoring" section of SAP Cloud Integration.





  • In the "Keystore" tab, select Create -> Key Pair.






  • To create the key pair, fill in the necessary fields. "Common Name" should be a valid user in SAP SuccessFactors.

  • Download certificate for the "Key Pair" to the local system.





  • Log on to the SAP SuccessFactors instance and go to "Manage OAuth2 Client Applications". Click "Register a new oAuth Client Application".





  • To register, fill in the fields shown. In the X.509 Certificate field, paste the contents of the downloaded certificate that lie between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".

  • After registration, an API key is generated for the application.





  • Go back to "Monitoring" section in SAP Cloud Integration. Choose Manage Security->Security Material





  • Create OAuth2 SAML Bearer Assertion credential.




Fill in the values for the fields:

  • Name: Credential name

  • Description: Appropriate description

  • Audience: www.successfactors.com

  • Client Key: Copy and paste the API key generated in the SAP SuccessFactors instance

  • Token URL: Corresponding token URL for the SAP SuccessFactors instance

  • Company ID: SAP SuccessFactors instance company ID

  • User ID: Select "Key Pair Common Name (CN)"

  • Key Pair Alias: Provide the SAP SuccessFactors instance API user ID used earlier in configuration



Once deployed, the security credential is ready to be used in iFlow.

Scenario 2: Connectivity from SAP SuccessFactors to SAP Cloud Integration

SAP SuccessFactors provides multiple ways of authentication for outbound connectivity. However, oAuth is one of the secure ways to handle outbound communication.

The steps below describe how to create an OAuth SAML credential in SAP SuccessFactors to connect to SAP Cloud Integration:

  • Log on to the SAP BTP cockpit. Select the appropriate account and navigate to your subaccount. On the subaccount page, navigate to Security -> OAuth.





  • Under OAuth, select the “Clients” tab and click “Register New Client”.





  • The detail screen is populated with an “ID”. Enter the other details as below:

    • Name and description

    • Select “Subscription” as the “iflmap” node of the subaccount

    • Select “Authorization Grant” as “Client Credentials”

    • Enter “Secret”. Note: This will be the client secret.

    • Finally, click “Save”. Make a note of the “ID” and “Secret” provided in this step. The token URL is displayed under the first tab, “Branding”. These values are used in further configuration.







  • The client ID created needs appropriate authorization to invoke SAP Cloud Integration. To assign the role, go to Security -> Authorizations.





  • In the screen shown below, search for the user. The user will be “oauth_client_<ID>”, where “ID” is the client ID generated in the previous step.





  • Select the subaccount and application. Assign appropriate role and hit “Save”.





  • Log on to the SAP SuccessFactors instance, go to “Security Center” and select “X509 Certificate”.





  • In the screen shown below, provide the following details:

    • Name and description

    • Certificate authority as “Self Signed”

    • Enter validity end date as per security needs

    • Select an algorithm

    • Enter issued by

    • Click “Generate and Save”







  • Make note of the “Common Name”





  • Return to “Security Center” and select “oAuth Configurations”





  • In the screen shown below, enter:

    • Name and Description

    • Select oAuth type as “OAuth 2.0 with SAML Flow”

    • Enter the client ID and client secret generated on SAP Cloud Integration

    • Provide the token URL with “?grant_type=client_credentials” appended at the end. For example: https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token?grant_type=client_credentials

    • Provide the SAP Cloud Integration endpoint URL. This is the endpoint generated by the SAP Cloud Integration iFlow

    • Enter issuer and select subject name id format as “X509 Subject Name”

    • Enter the subject name similar to the “Common Name” generated in the certificate

    • Select the “X509 Certificate” from the dropdown







  • Click “Save”. The configuration can be used in a “Destination” to trigger the endpoint on SAP Cloud Integration.
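
The field values entered in both scenarios can be cross-checked before deployment. The following is an added example, not SAP's code or part of the original post: the dictionary keys, function names, the host `cpi.example.invalid` and the placeholder values are assumptions made for illustration, and it treats the credential name and the subject name as exact, case-sensitive matches.

```python
from urllib.parse import urlsplit, parse_qs

SF_AUDIENCE = "www.successfactors.com"  # Audience value given in Scenario 1


def _url_issues(label, url, path=None):
    """Require an absolute https URL, optionally with an exact path."""
    u, out = urlsplit(url), []
    if u.scheme != "https" or not u.hostname:
        out.append(f"{label}: must be an absolute https:// URL")
    if path and u.path != path:
        out.append(f"{label}: path must be {path}")
    return out


def check_scenario1(cred, iflow_credential_name, sf_api_user, cpi_host):
    """cred: fields of the OAuth2 SAML Bearer Assertion credential (hypothetical keys)."""
    out = _url_issues("token_url", cred["token_url"], "/oauth/token")
    if urlsplit(cred["token_url"]).hostname == cpi_host:
        out.append("token_url: points at the Cloud Integration host, not the SuccessFactors API host")
    if cred["audience"] != SF_AUDIENCE:
        out.append(f"audience: expected {SF_AUDIENCE}")
    if cred["key_pair_cn"] != sf_api_user:
        out.append("key_pair_cn: must be the SuccessFactors API user")
    if cred["name"] != iflow_credential_name:  # exact comparison: case and spaces count
        out.append(f"credential name {cred['name']!r} != iFlow reference {iflow_credential_name!r}")
    out += [f"{k}: empty" for k in ("client_key", "company_id") if not cred[k].strip()]
    return out


def check_scenario2(cfg, cert_common_name):
    """cfg: fields of the SuccessFactors OAuth configuration (hypothetical keys)."""
    out = _url_issues("token_url", cfg["token_url"]) + _url_issues("endpoint_url", cfg["endpoint_url"])
    if parse_qs(urlsplit(cfg["token_url"]).query) != {"grant_type": ["client_credentials"]}:
        out.append("token_url: must end with ?grant_type=client_credentials")
    if cfg["subject_name"] != cert_common_name:  # assumption: exact match is intended
        out.append("subject_name: differs from the certificate Common Name")
    return out


# Constructed sample: every value is valid except the name referenced by the iFlow.
CRED = {"name": "successfactorsoAuth", "audience": SF_AUDIENCE,
        "client_key": "PLACEHOLDER_API_KEY", "company_id": "PLACEHOLDER_COMPANY",
        "token_url": "https://apisalesdemo.successfactors.com/oauth/token",
        "key_pair_cn": "sfapiuser"}

if __name__ == "__main__":
    for issue in check_scenario1(CRED, "successfactorsoauth ", "sfapiuser", "cpi.example.invalid"):
        print("scenario 1:", issue)
```

An empty list from either function means none of the checked fields disagree; it does not confirm that the API user exists in SAP SuccessFactors or holds the required permissions.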



 

Summary

SAP SuccessFactors and SAP Cloud Integration both support OAuth-based authentication. In SAP Cloud Integration, OAuth SAML Bearer support with a technical user/API user makes it feasible to move from basic authentication to OAuth. In SAP SuccessFactors, SAML authentication is possible using client credentials.

 

 
19 Comments
0 Kudos

Thanks Mithun for the detail.

we are trying to establish the connection but getting error.

in Scenario1 -

in SF Admin console, "Application url" can be anything ?

Used a similar URL as the token URL in the Security Material section while creating credentials: https://xxxx.successfactors.xx/oauth/token. Is this correct?

when trying to connect to SF from CPI (processing tab), getting error "Failed to connect to system".

 

Suresh

I066175
Advisor
0 Kudos
Hi Suresh,

Token URL for the instance would be the base API url plus "/oauth/token". Below is an example:

Base API URL of the instance: https://apisalesdemo.successfactors.com

Token path : /oauth/token

Token URL: https://apisalesdemo.successfactors.com/oauth/token

This URL would need to be configured. Hope this helps!

Thanks!

Mithun
0 Kudos
Hi Mithun,

yes. mentioned token url in similar fashion


Cred in Secure parameter


but  still getting "Failed to connect to system" error.


SF Connector in IFLow


 

please let me know if I am doing some mistake.

also note that I am trying it from CF tenant.

 

Suresh
S0020020673
Explorer
Hi Suresh,

in Application URL, in "Manage OAuth2 Client Applications" in SuccessFactors,  you should put your CPI tenant URL, like this:    https://your_CPI_URL.com

In Token Service URL, you should put the API endpoint like this:

https://your_API_endpoint/oauth/token

Regards,

Giacomo.
I066175
Advisor
Hi Suresh,

Make sure that the client key that you have used is the key generated from the SAP SuccessFactors instance once you register your OAuth application. And the "Key Pair Alias" that you are using, i.e. "successfactorsoauth" in this case, should be a valid user that exists in SAP SuccessFactors and has authorization to invoke APIs. If the user is not valid on SAP SuccessFactors, then you will see the issue.

Thanks!

Mithun
0 Kudos
Hi Mithun,

Thanks for correcting me.

I have given a valid API user ID as CN while creating the key pair, and also mentioned the same API user ID in the security parameter.

but still getting same error ' Failed to Connect to system'.

 

Regds,

Suresh
0 Kudos

Application url is like https://xxxxx.it-cpi00x-rt.cfapps.euxx.hana.ondemand.com ?

what is API endpoint?

Is adding /oauth/token to the CPI URL correct?

but Mithun mentioned to use sf instance API detail in Token url like https://apisalesdemo.successfactors.com/oauth/token bit confused here.

 

S0020020673
Explorer
0 Kudos
Hi Suresh,

In Application URL you don't have to add oauth/token, you have only to put your CPI url as you have done before.

In Token URL you have to add "oauth/token" to your API endpoint.

So, it is like this:

Application URL:

https://xxxxx.it-cpi00x-rt.cfapps.euxx.hana.ondemand.com

Token URL:

https://apisalesdemo.successfactors.com/oauth/token

Regards.
0 Kudos
Hi Sangiuliano,

tried same but still not able to connect.

Here is the Key pair generated with Valid API user as CN.


oAuth key settings from SF. Certificate detail is from key pair.


 

and Security parameter entry. Keypair Alias with same API Username.


 

Still getting the error


 

Regds,

Suresh

 
S0020020673
Explorer
0 Kudos
When you create the key pair in SAP CPI -> Manage Security -> Keystore, inside field "Common Name (CN)", have you used a SuccessFactors user?

 

Yes. used SF User in CPI only.

 

Regds,

Suresh.

pallavi_chaudhry
Explorer
0 Kudos
Yes, it's a good blog
pallavi_chaudhry
Explorer
0 Kudos
Can we do it with an SF trial account user ID and password?
bellizia_pwc
Explorer
0 Kudos

Hi thanks for your tutorial,

I tried it from my Trial Account to the Preview System. I followed all the steps, and when I do an OData request to SuccessFactors I receive this error:

 

com.sap.gateway.core.ip.component.odata.exception.OsciException: while trying to invoke the method com.sap.it.nm.types.security.CredentialTraits.getTagsAsMap() of a null object loaded from local variable 'credentialTraits', cause: java.lang.NullPointerException: while trying to invoke the method com.sap.it.nm.types.security.CredentialTraits.getTagsAsMap() of a null object loaded from local variable 'credentialTraits'

Is there something I did wrong?

 

 

F.B.

I066175
Advisor
Hello Federico,

This seems to be a configuration issue. The OAuth credential configured on the iFlow is "successfactorsoauth " whereas the credential name that is deployed is "successfactorsoAuth". Once this is corrected it should work as expected.

Thanks!

Mithun
I066175
Advisor
0 Kudos
Hi Pallavi,

Yes, it's possible.

Thanks!

Mithun
bellizia_pwc
Explorer
0 Kudos
Hi Mithun,

This is not the problem; I have already tried too many times. Now the trial environment (like every Monday) is half down, but I can configure it and show the same result.

 



 

That's very strange

 

 
bellizia_pwc
Explorer
0 Kudos
Hi Mithun,

I started the whole process again from scratch and now it works; probably the case-sensitive key was the problem. Thanks for the advice.

 

Federico Bellizia

 
former_member829810
Discoverer
0 Kudos
Hello Mithun

Can we connect multiple users from CPI to SuccessFactors using one OAuth connection?

Regards,

Subhadeep Ganguly