Setting up the connection, when the automatic binding didn’t work
Large corporate enterprise typically span the globe with offices in multiple locations. Therefore, It is not unusual to find, that your cloud tenants are also scattered around the world. Perhaps with a SuccessFactors license based in the US, and your HANA Cloud Platform based in Europe.
In this case, what happens when you want to perform an automatic binding?
Automatic binding will result in you receiving a new tenant, based on a SuccessFactors trial license.
Annoying, right? So, what do we do now? How do we start consuming Data from our SuccessFactors installation when the 2 systems are standing in separate corners of the room, with their arms crossed – occasionally sending each other angry stares?
I myself have been struggling with this, and am here today to share my experience with setting up the connection, so Data can be consumed from SuccessFactors, in your HANA Cloud Platform. It’s not simple, but it can be done for sure!
For this guide, you will need:
- The URL to your SuccessFactors tenant
- Provisioning access to your SuccessFactors tenant
- A HANA Cloud platform tenant of your own (not HANA Trial)
- An SAP Cloud Identity with access to configure and administrate your HANA Cloud Platform
In this guide, we will focus on pulling data from SuccessFactors through a technical user, since we won’t do the integration in the other direction just yet (See a later guide for this). To keep the integration as simple as possible, we shall do it this way for now.
Setting up Successfactors to trust your HANA Cloud Platform
First we must prepare SuccessFactors to share its data with HANA Cloud platform.
This consists of 2 steps:
- Creating an Admin user, and setting some basic properties.
- Preparing the trust relationship with your HANA Cloud Platform.
Create Admin user, and setting some basic properties
Firstly, log on to your SuccessFactors Provisioning section and go to the company you wish to connect to. Note down the Company ID (in the second column on the Provisioning overview page) – you will need it a lot for this configuration guide.
Also, note down the URL to the SuccessFactors tenant you are connecting to. This could be (for example) https://performancemanager5.successfactors.eu – or any of the other tenants in the Successfactors cloud.
Firstly, (under the company which you want to connect to) go to Company Settings, and create yourself an Administrative User (Search for “Create Admin”).
While here, you can also enable the “SF Web service” service as well.
Next, log into the SuccessFactors tenant as the Admin user you created, and assign roles to yourself. The more roles, the more data you can access in SuccessFactors.
- Your complete list of OData Services can be found in SuccessFactors admin center, under Company Settings à OData API Data Dictionary. Keep this list for later, you will need it once you start developing.
Prepare trust relationship with HANA Cloud Platform
In order to initiate the trust with HANA Cloud Platform, the individual apps under HCP must be trusted. This is accomplished in SuccessFactors Provisioning, under the menu link “Authorized SP Assertion Consumer Service Settings”.
Click on “Add another Service Provide ACS” – and add the following information:
Assertion Consumer Service: https://webide-<your HCP Tenant ID>.hana.ondemand.com/portal/extensions/sfsf/index.html
Logout URL: https://authn.hana.ondemand.com/saml2/sp/slo/<your HCP Tenant ID>/<your HCP Tenant ID> – (yes, it must be there twice)
Audience URL: https://hana.ondemand.com/<your HCP Tenant ID>
This information, can also be found by logging on to your HANA Cloud Platform, and selecting “Trust” on the left-hand navigation. Under Local Service Provider, you can download the Metadata file, and the paths can be found under the properties ns3:SingleLogoutService and ns3:AssertionConsumerService.
- The URL to your webide, can be found by going to HANA Cloud Platform, and clicking Subscriptions à sapwebide (under Subscribed HTML5 Applications), then the URL is at the top of the screen, under “Application URL”.
Now that you are here (Successfactors Provisioning / Service Provider ACS) – You can prepare your SucccessFactors tenant for consuming apps from your HANA Cloud platform, by adding another Service Provider ACS, with the URL: https://cloudnwcportal-<your HCP Tenant ID>.hana.ondemand.com/portal/extensions/sfsf/index.html for Assertion Consumer Service – as this will allow calls from HANA Cloud Portal, which is used to connect to apps from Successfactors.
Setting up HANA Cloud Platform to consume data from Successfactors
Next, We must set up HANA Cloud Platform so it will trust SuccessFactors to send Data to it. This consists of 2 steps:
- Establishing trust
- Setting up the destination
Firstly, download the SAML 2.0 Metadata file from this URL:
https://<SF URL>/idp/samlmetadata?company=<company ID>
From your HANA Cloud Cockpit, Click Trust, and then click “Add Trusted Identity Provider”.
In the screen that pops up, upload the Metadata file you downloaded before, and the result should look somewhat like this:
Name: https://<SF URL>/sf/idp/SAML2/company/<company ID>
Description: Successfactors IDP
Assertion Consumer Service: Application Root (default)
Single Sign-on URL: https://<SF URL>/sf/idp/SAML2/SSO/POST/company/<company ID>
Single Sign-on Binding: HTTP-POST
Single Logout URL: https://<SF URL>/sf/idp/SAML2/slo/POST
Single Logout Binding: HTTP-POST
Signature Algorithm: SHA-1
Signing Certificate: <a long incomprehensible string of scrambled encryption key>
User-ID Source: Subject
Source Value: <blank>
User ID Prefix: <blank>
User ID Suffix: <blank>
Only for IDP-Initiated SSO: <blank>
Remember to save the results.
Setting up the destination
From your HANA Cloud Cockpit, click Destinations, and then click “New Destination”, then fill out the parameters as follows:
Description: SuccessFactors Core OData API
URL: https://<SF API URL>/odata/v2/ – You can find the corresponding API URL to your Successfactors tenant, by going here: http://help.sap.com/saphelpiis_cloud4hr/EN/SuccessFactors_HCM_Suite_OData_API_Reference_en/frameset.htm?03e1fc3791684367a6a76a614a2916de.html
Proxy Type: Internet
Authentication: (For this simple development scenario, we shall choose) BasicAuthentication
User: <the user you set up in successfactors>
Password: <Password of the user you set up in successfactors>
TrustAll = true
WebIDEEnabled = true
WebIDESystem = sap_hcmcloud_core_odata
WebIDEUsage = odata_abap,dev_abap,ui5_execute_abap
Then click save, and your destination will be ready to be consumed from HTML5 and Java Apps.
So, there you have it – the trial account you received, while trying to do the automatic configuration, can be safely ignored!
In the next part (Part 4) of the series, I will explain how to start consuming data from Successfactors, by creating your first Hello World Application, which will be showing data from Successfactors.
You can go back to part 3 of my series here: