How to initiate an OAuth connection to SuccessFactors Employee Central?
Intro – What is OAuth?
OAuth 2.0 (or simply put OAuth) is an Authorization framework – when a user requests access to a resource from a Service Provider (without providing their credentials) and is authorized by an Identity Provider (IdP) to access the resource i.e. the user credentials are validated against the IdP – whereby one app acts on behalf of a user to interact with another app.
For example, I would like to subscribe to a news channel – SBS On Demand – using my Google ID – myuser@gmail.com – instead of registering a new profile on SBS. In this instance OAuth lets an IdP – Google – to access a resource from the Service Provider – SBS On Demand. Since I am using my Google ID to access SBS it doesn’t have any knowledge of my password, it just sees me as myuser@gmail.com.
Why (and when) to OAuth?
OAuth underlines the concepts of Principal Propagation – where a user who performs a task in the source system is required to perform the same task in the target system (like a user who creates a Purchase Order in app A, that then gets approved and flows into app B, where it gets amended further by the same user who created it in app A in the first instance).
The below diagram helps illustrate how to arrive at a suitable use case for OAuth
How do we implement a basic OAuth scenario?
The below steps serve as a “how to guide” on how to implement OAuth in SuccessFactors EC, and test it using Postman (you can choose to use any other suitable REST client).
It is based on the official SAP document “SAP SuccessFactors HCM Suite OData API: Developer
Guide – About HCM Suite OData APIs”. This document is meant to complement the official guide.
Step 1 Create an interface User ID
We will start off with creating a user in the Provisioning instance. Typically all activities in Provisioning are performed by a SuccessFactors Certified Consultant.
Login to the Provisioning instance, then go to Company Name, click Company Settings, and fill in the below fields (all are required) and click on Create Admin to create an Admin user for our interfaces. We will call ours apiuser (First Name – API, Last Name – User).
Once we have completed this step we can log out of Provisioning and then log into BizX to execute the remainder of the steps.
Step 2 Grant the necessary permissions to the User ID
We will now grant the apiuser with permissions. We will follow the Role Based Permission (RBP) approach to set up the permissions for our apiuser. This involves creating a Permission Role and a Permission Group.
Go to Admin Centre, click on Set User Permissions, then click on Manage Permission Roles. Alternatively you can access Manage Permission Roles by entering it in the Search for actions or people box.
Create a new Role (click Create New), enter a meaningful Role Name – we will call ours API User (but feel free to use a name that is aligned to your Company’s naming standards). Enter a Description for the Role (we have called ours API User). Under Permission settings click Permission… scroll down to the link Manage Integration Tools, and select the following check boxes – Admin access to OData API and Manage OAuth2 Client Applications and click Finished.
As we have used our Role for a wider range of scenarios (that involve the Employee Central API, Integration Center etc.) you will see that we have activated many more permissions as reflected in the picture below.
Click Save Changes.
Now create a Permission Group.
Go to Admin Centre, click on Set User Permissions, then click on Manage Permission Groups. Alternatively you can access Manage Permission Groups by entering it in the Search for actions or people box.
As we did with the Permission Role call your group API User (to keep it simple), go to the People Pool section and select User Name from the drop down, type in apiuser on the next Search Results screen, select the checkbox next to the name, and click Finished. Click Finished once you return to the previous screen.
Now we shall assign our newly created Permission Group API User to Permission Role API User.
Once in the Permission Role, scroll to Grant this role to… section click Add, enter API User as the Permission Group and click Finished.
You can now navigate back to the Permission Group to confirm the assignment. Once you are in the API User group you will see Granted Permission Roles has an entry API User in the list of Permission Roles.
That takes care of our prerequisite set up of User ID and permissions.
Step 3 Register the OAuth2 Client
Go to Admin Centre, click on Company Settings, you will see a link – Manage OAuth2 Client Applications, click on this link. Click on Register Client Application. This is the easiest step and requires little technical knowledge.
Enter an Application Name – give it an arbitrary but meaningful name – we will call it OAuthtest, provide a Description – Client to test OAuth, enter an Application URL – http://OAuthtest
Click on Generate X.509 Certificate button, enter a Common Name(CN) – Oauth, you may leave the rest of the fields empty as they are.
Note: the X.509 certificate is issued by SuccessFactors.
Click Generate, then Download a copy of the X.509 certificate on your machine.
Open the certificate file using notepad (or any such app). The X.509 certificate has 2 parts – the private key and the certificate. We shall copy and paste the characters between —–BEGIN ENCRYPTED PRIVATE KEY—– and —–END ENCRYPTED PRIVATE KEY—– in the next step
Click Register.
Go into the OAuth application now and take note of the API secret key.
Step 4 Generate a SAML assertion
Open a new window in Postman and enter the following details
Operation POST
URL https://api10preview.sapsf.com/oauth/idp – this is the endpoint URL of the data center where this instance of SuccessFactors is hosted. For a complete list of URLs of other data centers please refer to – http://help.sap.com/saphelpiis_cloud4hr/EN/SF_HCMS_OData_API_User_en/frameset.htm?03e1fc3791684367a6a76a614a2916de.html
Authorization No Auth
Headers
Content-Type application/x-www-form-urlencoded
Body raw
Request payload, formulate the payload as such –
client_id – this is the API Key that was generated earlier
user_id – User ID to call the API
token_url – https://api10preview.sapsf.com/outh/token
private_key – this is the private key from the X.509 certificate
Your request payload should now look like –
client_id=Njk2ZjAzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&user_id=apiuser&token_url=https://api10preview.sapsf.com/outh/token&private_key=<enter the private key from the X.509 certificate here>
Click Send.
You should get back a Base64-encoded response that looks like the below. Note the Status of 200 OK.
The response you will get will be a Base64 encoded SAML assertion. You can use a free online tool – https://www.base64decode.org to decode the response.
Here you see the User ID apiuser being returned in the response (decoded) –
<saml2:NameID Format=”urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>apiuser</saml2:NameID>
If you want to use an email address instead of an User ID then mark use_email = true and replace the User ID with the Email ID.
This requires the Email ID to be uniquely mapped to a single user in EC.
client_id=Njk2ZjAzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&user_id=<emailid@company.com>&token_url=https://api10preview.sapsf.com/outh/token&private_key=<enter the private key from the X.509 certificate here>
Click Send.
If the Email ID isn’t uniquely mapped to a user in EC then it will error with – Unable to map \”emailid@company.com\” to a valid BizX User ID.
Once you decode the Base64-encoded response you will see an Email ID in the response (as opposed to the User ID earlier)
<saml2:NameID Format=”urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”>emailid@company.com</saml2:NameID>
Step 5 Request a User Token using the SAML Assertion
Open a new window in Postman and enter the following details
Operation POST
URL https://api10preview.sapsf.com/oauth/token
Authorization No Auth
Headers
Content-Type application/x-www-form-urlencoded
Body raw
Request payload,
formulate the payload as such –
company_id – SuccessFactors Company ID
client_id – this is the API Key that was generated earlier
grant_type – urn:ietf:params:oauth:grant-type:saml2-bearer
user_id – User ID to call the API
assertion – Base64-coded SAML assertion from the response in the earlier step
Your request payload should now look like –
company_id=MyCompanyDevAu&client_id=AzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<enter the response from the previous step here>
Please note – DO NOT include api_key here in the Request.
Response
This tells us that the token expires in 85114 seconds or close to 24 hours.
Make a note of this Bearer token, we will validate it in the next step.
Step 6 Validate Bearer Token
Open a new session in Postman. We will use the GET operation to validate the Bearer token.
URL https://api10preview.sapsf.com/oauth/validate
Authorization No Auth
Headers
Authorisation Bearer followed by the token string from the earlier step
This ascertains the validity of the token.
Step 7 Use the Bearer Token to Query an OData Entity
Open a new session in Postman.
Authorization No Auth
Headers
Authorisation Bearer followed by the token string from the earlier step
Use the GET operation with the Query –
https://api10preview.sapsf.com:443/odata/v2/Country(code=’AUS’,effectiveStartDate=datetime’1900-01-01T00:00:00′)?
Response
The OData Query will return you with a list of Countries that are configured in your SuccessFactors instance like in the above screenshot.
Conclusion…
So now that we have seen what OAuth is, what its capabilities are, and how it can be easily implemented we must isolate use cases where OAuth is not suited and hence should not be used.
If your integration doesn’t occur in real-time, doesn’t require Principal Propagation and Single Sign-On then it is best to persist with Basic Authentication (using a suitable System ID).
Last but not the least – a word of thanks to my dear friends – Yash Agarwal for his encouragement to write this blog, Neelesh Kamath for his support and Sascha Wenninger for his guidance.
Hi Arijit,
Thanks for sharing your experience on how to make the OAuth 2.0 calls to SAP EC in such a concise step by step approach.
Cheers,
KC
Thank you for reading my blog KC
Cheers
Arijit
Nice One Arijit
Well done mate!
Very good blog. My only comment is that this is not specific to SAP SuccessFactors Employee Central, but to the SAP SuccessFactors Platform.
Hi Luke
Thank you for your compliments, it means a lot to me and all the more so coming from a SuccessFactors Guru, SAP Mentor and SAP Community Moderator like you!
I concur with you that the same overall principles would apply to implement OAuth across the entire SAP SuccessFactors suite or for that matter on any other platform (and not just in SAP SuccessFactors Employee Central). However, the steps (like actions, screenshots, RBP etc.) used for this demo happened to be all out of EC
Regards
Arijit
Hi,
Firstly, a great effort in explaining an incredibly complex topic so well.
Now, let's look at what we are attempting to achieve! The main reason for using OAuth auth is to be able to restrict the scope of access that one grants an application.
However, what SuccessFactors does is use OAuth2 SAML2 Bearer authentication to allow any system to log in with any user's auths. Thus you can set up a trust relationship between two systems and make API calls to SAPSF using the user that is logged into your application.
Note that this is different to OAuth although it shares a common name.
However, what is perhaps what I'd most like to say, is that the SAP Cloud Platform can do all of this for you, automatically ?!
The whole provisioning of OAuth tokens, connection and making connections using OAuth2 SAML Bearer Token is taken care of behind the scenes, leaving us developers to get on with the important task of building cool apps that integrate with SAP SF. ?
Cheers!
Chris
Hi Arijit,
This blog is very good and helpful. We did the same steps from postman, and finally the access token was generated. But when this token is generated it has some time to live. What if i want to reduce that time to live for that token.
Also is there any java code what you can point me to generate the access token based on the api key and token url of the server?
Thanks
Riju Bhasker
Hi Former Member
I believe the validity of the token is controlled by the SuccessFactors application; not sure if it can be controlled or not. Best to raise an incident with SAP on this.
Unfortunately I do not have any Java code to implement this. This exercise was done as a POC.
Regards
Arijit
Arijit Das Awesome blog 🙂
Hi Arijit,
Thanks for the awsome blog (full of information).
I have a question is OAuth & Meta Data both are the same, if yes please let me how to set up the Meta data tag for an Item / curriculum.
Regards,
Pallavi
Hi Pallavi
No OData and Medatdata are not the one and same.
OData is an authentication and authorisation protocol (it identifies you and grants you access to functionality / scope in the target application).
Metadata could be defined as the raw data structure of an object or application with attributes such as mandatory / optional, data type, length, cardinality etc. One way to you could think of it is as data dictionary for a database.
Regards
Arijit
Hi Arijit
Small correction: You meant to write OAuth, not Odata 😉
Br,
Philippe
Hi Arjit,
Thank you for your information. I wonder if it could be possible to create a SSO scenario between SuccessFactors and SAP ERP, without using SAML. Is it possible that SuccessFactors issues a X.509 certificate which can be valid for SAP ERP?
Thanks and Regards
Hi Francisco
SAML is the most common and tested and trusted means to linked SuccessFactors with SAP ERP (using Cloud Connector is one options). Is there any reason why you would not want to use SAML?
Regards
Arijit
Hi Arjit,
Finally we implemented the SSO using SAML. Everything OK
Thank you!
Regards
Francisco
Hi Francisco,
Please do you have a step by step guide or documentation or link on how you implemented your SSO using SAML.
Hope to hear from you soon!
Regards,
Zekeri Zekkerriyya
Hi Francisco,
It will be really nice and helpful if you can share the steps or any doc. As we are looking to authenticate through SSO.
Thanks,
Raj Kumar
Thanks for detailed steps Arijit Das
I want to know like other oAuth2 apps, e.g. Facebook, Gmail etc cant we add “Connect with Success Factor” button and redirect the user to HCM platform to grant permission and get the token?
One of our clients has a requirement to connect to customers HCM and fetch employee data, also we want to fetch it on regular basis like daily or weekly, so what is the best way to handle the same? Any inputs would be really helpful Mr. Arijit.
Also, how we can test oAuth in sandbox?
Great blog. Out of interest how come you have no auth specified in your request to the IDP for the SAML Assertion but in the Success Factors documentation it appears to require a base64 encoded username/password (https://help.sap.com/viewer/b2b06831c2cb4d5facd1dfde49a7aab5/1811/en-US/4e27e8f6ae2748ab9f23228dd6a31b06.html)
Hi Adam Wildash
Good question - the user_id (which is apiuser in this case) is being passed in the Postman header already. We don't provide the email ID or the password as we are doing an OAuth call using the other parameters.
Thanks
Arijit
Hi Arijit Das
Does it mean that once we have the private key, we can connect to API using any userid, without the need for password?
Regards,
Amit.
After generating SAML Assertion when I am trying to generate the token it throws an error message {"errorHttpCode":"401", "errormessage":"unable to generate token. user is not bound to the client application."}. Please let me know if you have any solution for this.
Hi, this error appears because you are using the username of the account to generate the assertion. Check the account's userid and use it instead.
Hi, I am not sure I am following you here what is "Account's" userID. I have created an ID in SF system manually and assigned access to it. I am using the same ID.
Hi,
In step3 where you create the app registration in SuccessFactors admin page, you can bind the app to a user. Bind it to the user account that has access to the API and use the UserID from the field where you specify this user to which the app is bound.
For example, my user's username is apiuser and the userid is 1000. So my assertion payload in step 5 looks like this:
client_id=Njk2ZjAzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&user_id=1000&token_url=https://api10preview.sapsf.com/outh/token&private_key=<enter the private key from the X.509 certificate here>
Best regards,
Dobrin
Thanks for explaining - I did the same setup before as well and getting the error with user (Below), please refer screen shot
Oauth Config in SF
Hi, this is the one, yes. The moment I tried with the User ID from here (what is written in User IDs field), this error was no longer showing. Before that, I was trying to generate the assertion with the user's username and not the user id and I got the same error as you.
Interesting for me even though I am using the same ID , Still getting error.
Is this ID case sensitive? and did you add this User ID in header as well?
I am not sure if it is case-sensitive. The only thing I put in my header is the content type.
Got this message now "