OAuth connection to SuccessFactors Employee Central

OAuth is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password. This minimizes risk in a major way: In the event ESPN suffers a breach, your Facebook password remains safe.

OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

Prerequisite: We need to have an Interface User with all the necessary permissions as below:

Step 1: Register the OAuth2 Client:

• Go to Admin Centre, click on Company Settings.
• Click on Manage OAuth2 Client Applications and then click on Register Client Application

1. Enter an Application Name
2. Provide a Description
3. Input an Application URL, let’s say http://OAuthtest

Click on Generate X.509 Certificate button, enter a Common Name (CN) – let’s say Oauth, you may leave the rest of the fields empty as they are and then click on Generate.

**Kindly Note: We need to download the generated X.509 Certificate as we need this certificate in our further steps.

Now click on Register.

Now open the application by clicking View and take a note of the API Key.

Step 2: Generate a SAML assertion:

Open a new window in Postman and enter the following details:

Operation: POST

URL: https://api10preview.sapsf.com/oauth/idp

Authorization: No Auth

Headers:

Content-Type: application/x-www-form-urlencoded

Body: raw

Request payload: formulate the payload as such –

client_id – this is the API Key that was generated earlier

user_id – Interface User ID to call the API

token_url – https://api10preview.sapsf.com/outh/token

private_key – this is the private key from the X.509 certificate

** Open the downloaded certificate file using notepad++ (or any such app). The X.509 certificate has 2 parts – the private key and the certificate. We shall copy and paste the characters between —–BEGIN ENCRYPTED PRIVATE KEY—– and —–END ENCRYPTED PRIVATE KEY

Your request payload should now look like –

client_id=Njk2ZjAzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&user_id=APIUSER&token_url=https://api10preview.sapsf.com/outh/token&private_key=<enter the extracted private key from the generated certificate in the previous step>

Click Send.

You should get back a Base64-encoded response that looks like the below. Response status code will be 200 OK.

Step3:  Request a User Token using the SAML Assertion:

Open a new window in Postman and enter the following details

Operation: POST

URL: https://api10preview.sapsf.com/oauth/token

Authorization: No Auth

Headers:

Content-Type: application/x-www-form-urlencoded

Body: raw

Request payload:

formulate the payload as such –

company_id – SuccessFactors Company ID

client_id – this is the API Key that was generated in earlier step

grant_type – urn:ietf:params:oauth:grant-type:saml2-bearer

assertion – Base64-coded SAML assertion from the response in the earlier step

Your request payload should now look like –

company_id=<CompanyID>&client_id=AzNjY5MDVlZGVlMWU3NzFmMWQ3NzgwYg&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<enter the response from the previous step here>

Response:

Step4: Use the Bearer Token to Query an OData Entity:

Open a new session in Postman.

Authorization: No Auth

Headers:

Authorization: Bearer followed by the token string from the earlier step

Token string for this case:

eyJ0b2tlbkNvbnRlbnQiOnsiYXBpS2V5IjoiTWpobU5UYzVObVF4TVdFNE16UTFNakkzWmpFeFpHWTVZMlF3TlEiLCJzZlByaW5jaXBsZSI6ImFkbWluU0FQI0RJViMxMDgwMDMwVDQiLCJpc3N1ZWRGb3IiOiJPQXV0aHRlc3QtIEVDLUlETSBDb25uZWN0b3IiLCJzY29wZSI6IiIsImlzc3VlZEF0IjoxNTYzOTQ5MzA3NjMzLCJleHBpcmVzQXQiOjE1NjQwMzU3MDc2MzN9LCJzaWduYXR1cmUiOiJaTjUyL2hWd2NhS3N0Z2VvMzBrWVNEZnY0dWl6dUlUUEdhODQyZzBiMEo2dGdqNnBMTDFnK1BTU0lHVGtlL2NSai8vaXJrNlhZS1pzMDBJQnQ5VWthb0N6bDBZczVPZTJ6WGZrcFh4aUQxQllJWGhuWXlIOVlDc2l5c3Z0c1BPK3k3VHF1MjVSVmcyeUNvdnErYUFZNHJ1NVRtb3ZMNm13MzB2Z3hHMS9ydEU9In0=

Use the GET operation with the Query –

https://api10preview.sapsf.com:443/odata/v2/User?$format=json

Response:

So, this query returns the list of users created and maintained in your successFactors instance.

—

Within this article, we saw how we can implement OAuth connection by following these simple steps.One thing to keep in mind OAuth is not the same as SSO (Single sign-on).OAuth  is an authorization protocol and SSO on the other hand is an authentication / authorization flow through which a user can log into multiple services using the same credentials.

Thanks 🙂