2H 2020 announcement: Planned Retirement of HTTP Basic Authentication (SFAPI/ODATA API)
Hello SAP community,
With the 2H 2020 Release of SAP SuccessFactors application, we are announcing the sunset (planned retirement) of HTTP Basic Authentication for API calls (both SFAPI & OData).
Objective:
Share the information with customers and partners, so new custom development integrations can already start using OAuth instead of HTTP Basic Authentication (username/password).
Key Dates for Replacement
- End of Development Phase: As of the 2H 2020 release, no enhancement will be made for HTTP Basic Authentication.
- End of Maintenance: By 2H 2021, we’ll stop the maintenance for HTTP Basic Authentication.
- Replacement Date: Please note the 2H 2022 decommissioning date has been postponed until further notice. SAP SuccessFactors still advises customers to switch to more secure methods of authentication where possible. Any updates on this topic/dates will be communicated on this blog post and on the regular channels.
Migrating to OAuth
We recommend that you use OAuth to authenticate API users for better security.
For more information, see the Authentication Using OAuth 2.0 topic under SAP SuccessFactors HXM Suite OData API: Developer Guide.
Please check out more details like overview, Frequently asked questions FAQ in the Customer Community blog or the Partner Delivery Community blog.
The SAP SuccessFactors support and engineering team will be answering questions in these communities above.
Thank you!
Thank you for the great blog post.
Is this change limited to SuccessFactors’ API or sooner or later other solutions’ API will be changed in the same way?
Hello Kimiyoshi Okubo
This change announced is only for SuccessFactors APIs. Other SAP solutions may have different timelines and different communications too.
Thanks!
Great news. Since 2010 OAuth has been growing every year; SuccessFactors API access lacks this authentication and we have asked for it many times.
Now the question is: what about old implementations of integrations? Must we migrate all of them to the new version of CPI because the Eclipse version is unsupported?
Thank you
Hello Federico Bellizia
Thanks for your comments 🙂
For the custom SF integrations, customers and partners will have until the 2nd half of year 2022 to migrate to OAuth. Please note that we still do not have a solution ready in SFAPI either.
For more questions and direct contact with SF engineering, kindly use the Customer Community blog or the Partner Delivery Community blog.
Hi Guilherme Soliman ,
Currently, for all outbound integrations (with Timer event) from SuccessFactors EC to 3rd party, the only option is to use Basic Authentication in the standard SuccessFactors OData adapter in SAP CPI.
We can’t use OAuth SAML Bearer assertion there because it only works with Principal Propagation.
Is there any plan to add any other authentication type in the SAP CPI standard adapter, like OAuth Client Credential etc., rather than only OAuth SAML Bearer assertion?
Also, I have checked the updated OData API developer guide and found that for integration purposes Basic Auth is the good option. So will basic authentication remain for integration purposes?
Regards,
Souvik
Dear Souvik Sinha
Thanks for your message.
During this release 2nd Half year 2020, only this announcement was made. All the CPI standard packages delivered by SAP from EC to 3rd party integration will be adapted and published before the replacement date (2nd Half of year 2022).
If you are using standard packages in CPI you do not need to be worried now. CPI standard package upgrades will be available in future and prior to the replacement date.
If you are using custom developed artifacts in CPI or Boomi, please evaluate migrating to OAuth during these next 2 years.
Soliman
Thanks Guilherme Soliman for the update.
Currently only OAuth SAML Bearer assertion authentication is supported in the standard SuccessFactors OData API adapter in CPI other than Basic Auth. It will not cover all types of scenario, such as an integration that starts with a time-based event and sends data to a 3rd party.
My concern is whether SAP is going to release any other OAuth authentication type, like OAuth Client Credential etc., for Employee Central?
Regards,
Souvik
Hello Souvik Sinha
Thank you! Your question is clearer to me now. The SAP engineering team will provide changes in CPI and Boomi to consider OAuth in all places we used to have Basic Auth. We still do not have the timelines for these planned changes; as soon as we know, we will publish them in the frequently asked questions (FAQ) under the Customer Community blog or the Partner Delivery Community blog.
I hope this could help you 🙂
Best Regards
Thanks.. Looking for the details update/release from SAP.
Regards,
Souvik
Hello Souvik Sinha
SAP Integration Suite (SAP Cloud Integration) supports OAuth 2.0 (grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer) which is accepted by SAP SuccessFactors OAuth 2.0 server (out of the box support from SuccessFactors connector). Please refer to this SAP blog - OAuth2 SAML Bearer/X.509 Certificate Authentication Support in SuccessFactors Connector which explains the step by step process.
Regards,
KC
SAP SuccessFactors Product Advisory and Partner Success
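The token exchange behind the `saml2-bearer` grant named in the reply above, as an added example that is not from the original post or from SAP. It assumes the form fields `company_id`, `client_id` and `assertion` of the SuccessFactors token request (not shown on this page), reuses the preview token URL quoted in a later comment, and uses constructed placeholder values and a constructed token response; the request is built but never sent.

```python
import json
import time
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def build_token_request(token_url, company_id, client_id, assertion_b64):
    """Build (not send) the POST that trades a signed SAML assertion for a token."""
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must be https")
    body = urlencode({
        "company_id": company_id,
        "client_id": client_id,      # API key from the OAuth client registration
        "grant_type": SAML2_BEARER,
        "assertion": assertion_b64,  # base64 of the signed SAML assertion
    }).encode()
    return Request(token_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


class BearerToken:
    """Holds a token response and refuses to hand out an expired token."""

    def __init__(self, response_json, now=None, margin=60):
        doc = json.loads(response_json)
        if doc.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.value = doc["access_token"]
        issued = time.time() if now is None else now
        # Renew `margin` seconds early so a call never goes out with a stale token.
        self.expires_at = issued + int(doc["expires_in"]) - margin

    def expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def header(self, now=None):
        if self.expired(now):
            raise RuntimeError("token expired; request a new one")
        # Unlike Basic Auth, no user password travels with each API call.
        return {"Authorization": "Bearer " + self.value}


# Constructed sample values; none of these is a real credential or tenant.
req = build_token_request("https://api2preview.sapsf.eu:443/oauth/token",
                          "EXAMPLE_COMPANY", "EXAMPLE_API_KEY",
                          "PHNhbWw+Li4uPC9zYW1sPg==")
tok = BearerToken('{"access_token":"abc123","token_type":"Bearer",'
                  '"expires_in":3600}', now=1000)
```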
Hi Guilherme Soliman,
We are working with SuccessFactors on NS2 and are already dealing with some headaches because of the lack of support for SuccessFactors connector to OData/v2.
We are getting this error.
[LGN0030]HTTP Basic Authentication (Basic Auth) is no longer supported in OData. Please choose OAuth 2.0 to authenticate users. For more information, see https://help.sap.com/viewer/d599f15995d348a1b45ba5603e2aba9b/latest/en-US/d9a9545305004187986c866de2b66987.html.
SFAPI connection for CompoundEmployee was not affected and we can use basic authentication. However, is there a way to enable basic authentication for OData/v2 connections until the CPI connector changes are ready?
P.S. I responded on another post from Souvik with some details on my current work-around, but this is going to be challenging without the CPI support for OAuth2 connections.
https://answers.sap.com/answers/13238378/view.html
Hi Chris,
From SuccessFactors side, Basic Auth for ODATA API call is still supported.
Error message looks like API specific. Would you let us know what API endpoint URL you are using?
Hi Deepa,
Thanks for looking into this. It was on all OData/v2 endpoints. For example,
https://{{domain}}/odata/v2/EmpEmployment
After a few weeks of calls with NS2/SAP, they found a database setting to enable basic authentication yesterday. This setting was updated for us to be able to use Basic Auth.
NS2 stands for National Security Services, so it is a more secure cloud for SF.
I’m trying to use this option and we are blocked with this error:
Can you explain to us how it works?
We tried to fill the fields with values coming from same connection in SCP but it doesn't work.
We need more documentation about this auth method.
- Audience: www.successfactors.com
- Client Key: <API Key> (generated after OAuth2 credential save and viewed)
- Token Service URL: https://api2preview.sapsf.eu:443/oauth/token (datacenter of your SF)
- Target System Type: SuccessFactors
- Company ID: <your company id>
Addition Parameters
- SystemUser: ALS_ADMIN (userid of your SSFF)
- nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
We removed default information because they are not present on scp connection information.
Could you create a good tutorial to make it work?
Hello Federico Bellizia
Thanks for your question with sample and error.
As of now, we need to use the instructions of the blog:
https://blogs.sap.com/2018/07/30/sap-cloud-platform-integration-principal-propagation-with-successfactors-odata-v2/
We are checking with CPI dev team if they will enhance the SF Connector in the CPI to make this simpler.
Thank you!
Soliman
In the OData SuccessFactors Adapter wizard you can't choose OAuth2 authorization to discover the API.
Hello Federico Bellizia Thank you! I just shared this point above with the CPI dev colleagues, so they can consider in future CPI enhancements too.
Could you ask them for a wizard to import OAuth2 directly from SuccessFactors with a normal Admin login, with a listbox and an import button? 🙂
On the adapter we want an: "Import authorization from Successfactors"
Or in the cockpit, as you wish.
OT: We have about 62 requests asked to CPI Developers since November 2018 (date of the webUI dictatorship (LOL)); some of them are resolved, others are open (Copy&Paste&Undo..., scheduling outside workflow)... If you want, we can discuss them on Skype, Hangouts, Telegram or Discord.
Hi, we are trying to check the Boomi SuccessFactors Adapter and OAuth 2.0 from SuccessFactors.
We have all the information and authentication is working in Postman. The question is: is there a note or tutorial to connect Boomi with SuccessFactors by OAuth 2 and make a simple request?
We have this error:
Test execution of OAuth2 Example completed with errors.
Embedded message:
Unexpected error occurred while initializing a shape.;
Caused by: org.xml.sax.SAXNotRecognizedException:
Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.;
Caused by: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
We filled in all fields without problem; only one is not clear to us:
OAuth2 SAML Assertion Field: ????
What is this field ?
Dear Federico Bellizia
Thanks for your question. We tried to cover all the steps needed to use OAuth in Boomi (SFAPI or OData) under the following KBA created:
2978172 - OAUTH authentication mode in DELL boomi for SuccessFactors Connector (SuccessFactors-Partner Connector) - SAP ONE Support Launchpad
If you still face issues after reading the KBA and trying the same steps, please let us know.
Thank you!
Hi Guilherme Soliman,
I studied and used your documentation but when I try to test connection:
But when I press Import and connect with OAuth 2.0 it's working, I have list of entities and it create the Operation.
Any advice?
We used the first method to generate it. It's working in the Connection creation phase, but when I try to use this connection in the test environment it fails.
Thank you in advance
Federico Bellizia
Other info:
Connector setting:
Import
Hello Federico
I did some research about the error Caused by: org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized
and I found one old incident reported by another customer with the same issue.
The colleagues shared the following Dell Boomi link with this customer to resolve this error.
Article: Incompatible JAR files - Boomi Community
If you cannot bypass these errors, kindly raise one incident to LOD-SF-INT-BPI and we will check together, looking at your Boomi account and details.
Thanks!
I found the same article, so it's probably an external jar that is now incompatible.
I will check in the Boomi settings if there are some libs installed.
Hello Guilherme Soliman,
I have one question.
> With the 2H 2020 Release of SAP SuccessFactors application, we are announcing the sunset (planned retirement) of HTTP Basic Authentication for API calls (both SFAPI & OData).
> As mentioned earlier, no action is required from you before 2H 2020 release. However, we encourage you to plan early for the migration. After the announcement, you have until the 2H 2022 Release to move all your custom integration from Basic Authentication to OAuth ..
Does this also apply to basic authentication for HTTP connections?
(Before)
HTTP Connection for Basic authentication
(After) Do I need to change to OAuth2 authentication after 2022 2H?
HTTP Connection for OAuth2 authentication
Best regards,
Wakuda
Dear Tsutomu Wakuda
For Boomi developments, the recommendation from SAP is to use the SuccessFactors Partner Connector (ready to use OData and SFAPI with OAuth2) and not the HTTP client connector.
Please adapt your custom develop integration processes before 2H year 2022, where Basic Auth will stop working for all kind of connectors.
Best Regards
Dear Guilherme Soliman,
Thank you for your reply.
>For Boomi developments, the recommendation from SAP is to use the SuccessFactors Partner Connector (ready to use OData and SFAPI with OAuth2) and not the HTTP client connector.
Yes, I know. But setting "Date Of Birth" to null is not possible with the OData method. This is as you can see in KBA 2641564 - How to clear the "Date Of Birth" field value by OData API.
Therefore, we are clearing "Date Of Birth" by the JSON method over an HTTP connection.
>Please adapt your custom develop integration processes before 2H year 2022, where Basic Auth will stop working for all kind of connectors.
Therefore, the question is whether Basic authentication for HTTP connections will be stopped in 2H year 2022.
I understood in your answer that Basic authentication for HTTP connections will stop at 2H year 2022.
Best regards,
Wakuda
Dear Tsutomu Wakuda
Thanks for sharing the KBA.
Correct. HTTP connections in Boomi with Basic Auth will stop at 2H 2022.
Since you want to use the HTTP connector to fulfill the requirement, kindly evaluate to use HTTP connector in Boomi with OAuth2. In this KBA we have a sample = 2639941 - How to use OAuth 2.0 step by step in Boomi.
Hope this can help you!
Best Regards
Dear Guilherme Soliman,
Thank you very much!!!
Best Regards,
Wakuda
Hi Guilherme,
Could you please help me with the HTTP Connector config? The KBA 2639941 is not opening for me.
Hi Guilherme Soliman ,
I like to spend some of my time developing SAP BTP Extension applications that work with SAP SuccessFactors.
Fortunately BTP has had the connectivity service, which has been using OAuth2 SAML Bearer Authentication for years. Unfortunately there isn't a locally deployable version of this service that can be run when using a local development server. So we have been relying on using basic auth for building and testing our builds locally.
Would you have some recommendations on what we could do to get around this issue?
Thanks,
Chris
Dear Chris Paine
I will extend your question to our colleague Deepak G Deshpande. He is out of office and returns in a few days; kindly allow some extra days to get this answered.
Cheers
Hi Guilherme,
Thanks for the detailed blog.
We are looking at migrating our integrations to use OAuth 2.0 and following the developer guide provided. However, we came across in the document that it is recommended to use a third-party IdP to generate the SAML Assertion. We do have Azure AD as our corporate IdP and have integrated SuccessFactors with Azure AD. But there isn't much info on how to use Azure AD or any 3rd party IdP for API calls.
Are there any documents or guides provided for this which we can check? I have tried to get more info but reached a dead end at this point.
Thanks,
Madhu
Dear Madhu
Sorry, but I wasn't able to find one sample of a 3rd party IdP configuring this end to end with SF OAuth either.
Since you have Azure, I think you can start exploring this KBA and the Microsoft links inside it: 2348735 - [SSO] Single Sign On setup between Microsoft Azure and SuccessFactors - SAP ONE Support Launchpad
I also found this other sample with Azure, IAS and SF, but it still uses Basic Auth = SSO between Success Factors and Azure through IAS | SAP Blogs
Thanks!
*IMPORTANT ANNOUNCEMENT*
After receiving feedback from our customers, please note the Second Half 2022 decommissioning date has been postponed until further notice.
Please note SAP SuccessFactors still advises customers to switch to more secure methods of authentication where possible. Any updates on this topic/dates will be communicated on this blog post and on the regular channels.
Hello Laura,
In our case, we use OAUTH for any new integrations. However, for existing integrations, I would like to ask if a new estimated date for the migration has been provided by SAP.
Thanks.
Hello Javier, the decommissioning date for Basic Authentication has been postponed indefinitely until further notice. I hope this clarifies.
Hi Guilherme,
Point-to-point integration between ECP and EC still uses basic authentication. Is there any plan to update this to use OAuth?
Regards
Steve
I have found the answer in SAP note 3167173 which is to use mTLS.
Hope this is useful for other people.
Hi Guilherme Soliman,
I referred to your blog https://blogs.sap.com/2021/07/29/how-to-use-oauth2-saml-bearer-assertion-in-sap-cloud-platform-integration-connecting-with-sap-successfactors-sfapi-soap while configuring OAuth2.
We have 15 different API users (to identify which API user/integration updated the SF data, from the last modified by API user name). Now do we need to create 15 key pairs with CN = the 15 API users? Even if we do that, we cannot register the same application URL (CPI Tenant URL) in SF Manage OAuth Client Applications.
Can you please help me to understand how to achieve authentication with OAuth2 SAML Bearer Assertion using 15 different API users?
Thanks,
Poushali Bhandari