SAP Cloud Platform API Management: Secure connectivity (OAuth) to SAP SuccessFactors Employee Central APIs
SAP SuccessFactors Employee Central OData APIs provide two types of authentication:
- Basic Authentication
- OAuth 2.0 Authentication.
Using OAuth authentication, users can securely consume the Employee Central OData API using a registered OAuth client ID and a valid OAuth token. This concept can then be extended to provide single sign-on features while consuming the SAP SuccessFactors Employee Central OData APIs.
The SAP SuccessFactors Connectivity policy templates available in SAP API Business Hub facilitate easy and secure consumption of SAP SuccessFactors APIs. This blog covers in detail how to use the SAP SuccessFactors Connectivity policy templates for User Management from SAP SuccessFactors.
- SAP Cloud Platform API Management (ref link for trial access)
- SAP SuccessFactors tenant
Registration of OAuth Client in SAP SuccessFactors
In the blog How to initiate an OAuth connection to SuccessFactors Employee central, the concept of OAuth has been explained by Arijit Das along with the detailed steps for setting up OAuth in SAP SuccessFactors.
- Log on to SAP SuccessFactors and go to Admin Center.
- Search for OAuth in Tools and then select Manage OAuth2 Client Applications
- Click on Register Client application to register a new OAuth client
- Enter an application name and an application URL (any dummy URL can be provided here).
- Click on Generate X.509 Certificate to generate a certificate signed by SAP SuccessFactors.
- Click on Register to register OAuth client.
- After registration, an OAuth key is generated. The generated X.509 certificate and API key are required when applying the SAP SuccessFactors Connectivity policy template to SAP SuccessFactors OData APIs.
Discover and Copy SAP SuccessFactors Connectivity policy template
From SAP Cloud Platform API Management, all the APIs and policy templates available in SAP API Business Hub can be discovered via the Discover tab.
- Log on to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).
- Navigate to the Services tab, search for the API Management service tile and click it to open the SAP API Management service.
- Click on the link Access API Portal to open API Portal.
- Navigate to Discover from the hamburger icon.
- SAP API Business Hub is integrated into SAP Cloud Platform API Management and therefore all the APIs and Policy templates available in SAP API Business Hub can be easily discovered and consumed in SAP Cloud Platform API Management.
- Navigate to the All tab, search and select SuccessFactors Connectivity.
- Navigate to the Artifacts tab and select the SuccessFactors_OAuth2SAMLAssertion policy template.
- Click on Copy to copy the SAP SuccessFactors Connectivity policy template into your SAP Cloud Platform API Management tenant.
- The copied policy template is then available under the POLICY TEMPLATES tab of the Develop view.
Apply SAP SuccessFactors Connectivity policy template to SAP SuccessFactors Employee Central OData APIs
The blog series Discover, Consume and Manage SAP SuccessFactors APIs covers the detailed steps to access the User Management OData API and to manage the User Management API via SAP Cloud Platform API Management. This section covers in detail the steps to apply the SAP SuccessFactors Connectivity policy template to the PLTUserManagement API Proxy.
- Click on the APIs tab and select the PLTUserManagement SAP SuccessFactors OData API.
- Click on Policies to navigate to the Policy designer view.
- Click on Edit to switch to the editable mode.
- Select Apply from the Policy Template.
- Select the newly copied SuccessFactors_OAuth2SAMLAssertion template from Apply Template dialog.
- Select the config.js file in the Scripts region and enter details such as your SAP SuccessFactors user ID, the OAuth client ID or API key that was generated during the OAuth client registration steps, your SAP SuccessFactors company ID, and the X.509 certificate generated during OAuth client registration.
- From the Target endpoint preflow, select the policy getSAMLAssertion and in HTTPTargetConnection->URL provide the URL of your SAP SuccessFactors data center.
- Select the policy getOAuthAccessToken and in HTTPTargetConnection->URL provide the URL of your SAP SuccessFactors data center.
- Click on Update to save changes in the policy designer.
- Click on Save to apply the changes to the PLTUserManagement API Proxy.
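The two target-endpoint policies configured above correspond to the two calls of the SuccessFactors OAuth 2.0 SAML bearer flow. The sketch below is an added example, not the policy template's own script: it builds both requests offline from config.js-style values and rejects a non-TLS data center URL. The field names in `sampleConfig`, the helper names, and the `/oauth/idp` and `/oauth/token` paths with their form parameters are assumptions taken from the public SuccessFactors OAuth API, and all values are constructed placeholders.

```javascript
// Added illustration: request shapes for the OAuth 2.0 SAML bearer exchange.
// Endpoint paths and form fields are assumptions, not read from the template.
const SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer";

// Constructed placeholder values standing in for the config.js entries.
const sampleConfig = {
  dataCenter: "https://api.example.invalid", // your data center URL
  userId: "sfadmin",
  clientId: "PLACEHOLDER_API_KEY",           // API key from client registration
  companyId: "PLACEHOLDER_COMPANY",
  privateKey: "PLACEHOLDER_KEY_MATERIAL",    // assumed: key from the generated X.509 certificate
};

function validateConfig(cfg) {
  for (const k of ["dataCenter", "userId", "clientId", "companyId", "privateKey"]) {
    if (typeof cfg[k] !== "string" || cfg[k].trim() === "") {
      throw new Error(`config.${k} is missing`); // never echo the value itself
    }
  }
  const url = new URL(cfg.dataCenter);
  // Both calls carry credentials, so refuse anything but TLS.
  if (url.protocol !== "https:") throw new Error("data center URL must use https");
  return url.origin;
}

const post = (url, fields) => ({
  method: "POST",
  url,
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams(fields).toString(),
});

// Step 1 (getSAMLAssertion): request a signed SAML assertion for the user.
function samlAssertionRequest(cfg) {
  const origin = validateConfig(cfg);
  return post(`${origin}/oauth/idp`, {
    client_id: cfg.clientId, user_id: cfg.userId,
    token_url: `${origin}/oauth/token`, private_key: cfg.privateKey,
  });
}

// Step 2 (getOAuthAccessToken): exchange the assertion for an access token.
function accessTokenRequest(cfg, assertion) {
  const origin = validateConfig(cfg);
  if (!assertion) throw new Error("no SAML assertion to exchange");
  return post(`${origin}/oauth/token`, {
    company_id: cfg.companyId, client_id: cfg.clientId,
    grant_type: SAML_BEARER, assertion,
  });
}
```

Because the values entered in config.js include key material, treat the API proxy definition as a secret-bearing artifact and restrict who can view or export it.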
Finally testing the flow
- Select the RESOURCES tab and click on the GET operation to view all users from SAP SuccessFactors.
- This opens the Test Console. Click on Url Params, use the $top value to limit the number of user records returned by the SAP SuccessFactors OData API, and click on Send.
- API Security Best Practices blog series.
- Monitor and Analytics blog.
- Enhanced developer experience blog.
For more blogs on SAP Cloud Platform API Management, visit us at SAP Community.