Skip to Content
Technical Articles
Author's profile photo Guilherme Soliman

2H 2020 announcement: Planned Retirement of HTTP Basic Authentication (SFAPI/ODATA API)

Hello SAP community,

With the 2H 2020 Release of SAP SuccessFactors application, we are announcing the sunset (planned retirement) of HTTP Basic Authentication for API calls (both SFAPI & OData).

Objective:

Share the information with customers and partners, so new custom development integrations can already starting use OAuth instead of HTTP Basic Authentication (username/password).

 

Key Dates for Replacement

  • End of Development Phase: As of the 2H 2020 release, no enhancement will be made for HTTP Basic Authentication.

  • End of Maintenance: By 2H 2021, we’ll stop the maintenance for HTTP Basic Authentication.

  • Replacement Date: Please note the 2H 2022 decommissioning date has been postponed until further notice. SAP SuccessFactors still advise customers to switch to more secure methods of authentication where possible. Any updates on this topic/dates will be communicated and this blog post and on the regular channels.

Migrating to OAuth

We recommend that you use OAuth to authenticate API users for better security.

For more information, see the Authentication Using OAuth 2.0 topic under SAP SuccessFactors HXM Suite OData API: Developer Guide.

Please check out more details like overview, Frequently asked questions FAQ in the Customer Community blog or the Partner Delivery Community blog.

The SAP SuccessFactors support and engineering team will be answering questions in these communities above.

 

 

Conclusion:This blog post shared the announcement and the right channels to get more information.

Thank you!

Assigned Tags

      41 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Kimiyoshi Okubo
      Kimiyoshi Okubo

      Thank you for the great blog post.

      Is this change limited to SuccessFactors’ API or sooner or later other solutions’ API will be changed  in the same way?

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Hello Kimiyoshi Okubo

      This change announced is only for SuccessFactors APIs. Other SAP solutions may have different timelines and different communications too.

      Thanks!

      Author's profile photo Federico Bellizia
      Federico Bellizia

      Great news,  since 2010 OAuth is growing every years, Successfactors API Access leaks this authentication and we asked a lot of time.

      Now question is, how about old implementation of Integrations, we must to migrate all them on new version of CPI because Eclipse version is unsupported?

      Thank you

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Hello Federico Bellizia

      Thanks for your comments 🙂

      For the custom SF integrations, customers and partners will have until 2nd half of year 2022 to migrate to OAuth. Please notice that we still do not have solution ready in SFAPI too.

      For more questions and direct contact with SF engineering, kindly use the Customer Community blog or the Partner Delivery Community blog.

      Author's profile photo Souvik Sinha
      Souvik Sinha

      Hi Guilherme Soliman ,

      Currently all outbound integration(with Timer event) from Success factor EC to 3rd party, there is only option to use Basic Authentication in standard Success factor Odata adapter in SAP CPI.

      We can’t use OAuth SAML Bearer assertion there because it is only working with Principal Propagation.

      Is there any plan add any other authentication type in SAP CPI standard adapter like Oauth Client Credential etc. rather than only OAuth SAML Bearer assertion??

       

      Also I have checked the updated Odata API developer guide found that for Integration Purpose Basic Auth is the good option. So basic authentication will be there for Integration purpose?

      Regards,

      Souvik

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Dear Souvik Sinha

      Thanks for your message.

      During this release 2nd Half year 2020, only this announcement was made. All the CPI standard packages delivered by SAP from EC to 3rd party integration will be adapted and published before the replacement date (2nd Half of year 2022).

      If you are using standard packages in CPI you do not need to be worried now. CPI standard packages upgrades will be avaliable in future and prior the replacement date.

      If you are using custom developed artifacts in CPI or Boomi, please evaluate to migrate to OAuth during these 2 next years.

      Soliman

      Author's profile photo Souvik Sinha
      Souvik Sinha

      Thanks Guilherme Soliman for the update.

      Currently only OAuth SAML Bearer assertion authentication is supported in standard Successfactor Odata api adapter in CPI other than basic Auth. It will not cover all type of scenario like if the integration is starting with Time based Event and sending data to 3rd party etc.

      My concern is whether is SAP is going to release any other OAuth authentication type like Oauth Client credential etc for Employee Central?

       

      Regards,

      Souvik

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Hello Souvik Sinha

      Thank you! Your question was more clear to me now. The SAP engineering will provide changes in CPI and Boomi to consider OAuth in all places we used to have Basic Auth. We still do not have the timelines for these planned changes, as soon we know, we will publish in the frequently asked questions FAQ under Customer Community blog or the Partner Delivery Community blog.

      I hope this could help you 🙂

      Best Regards

      Author's profile photo Souvik Sinha
      Souvik Sinha

      Thanks.. Looking for the details update/release from SAP.

       

      Regards,

      Souvik

      Author's profile photo Karthick Chandrasekaran
      Karthick Chandrasekaran

      Hello Souvik Sinha

      SAP Integration Suite (SAP Cloud Integration) supports OAuth 2.0 (grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer) which is accepted by SAP SuccessFactors OAuth 2.0 server (out of the box support from SuccessFactors connector). Please refer to this SAP blog - OAuth2 SAML Bearer/X.509 Certificate Authentication Support in SuccessFactors Connector which explains the step by step process.

      Regards,

      KC

      SAP SuccessFactors Product Advisory and Partner Success

      Author's profile photo Chris Nguyen
      Chris Nguyen

      Hi Guilherme Soliman,

      We are working with SuccessFactors on NS2 and are already dealing with some headaches because of the lack of support for SuccessFactors connector to OData/v2.

      We are getting this error.

      [LGN0030]HTTP Basic Authentication (Basic Auth) is no longer supported in OData. Please choose OAuth 2.0 to authenticate users. For more information, see https://help.sap.com/viewer/d599f15995d348a1b45ba5603e2aba9b/latest/en-US/d9a9545305004187986c866de2b66987.html.

      SFAPI connection for CompoundEmployee was not affected and we can use basic authentication.   However, is there a way to enable basic authentication for OData/v2 connections until the CPI connector changes are ready?

       

      P.S.   I responded on another post from Souvik with some details on my current work-around, but this is going to be challenging without the CPI support for OAuth2 connections.

      https://answers.sap.com/answers/13238378/view.html

      Author's profile photo Deepa Kumari
      Deepa Kumari

      Hi Chris,

       

      From SuccessFactors side, Basic Auth for ODATA API call is still supported.
      Error message looks like API specific. Would you let us know what API endpoint URL you are using?

      Author's profile photo Chris Nguyen
      Chris Nguyen

      Hi Deepa,

      Thanks for looking into this.   It was on all OData/v2 endpoints.  For example,

      https://{{domain}}/odata/v2/EmpEmployment

      After a few weeks of calls with NS2/SAP, they found a database setting to enable basic authentication yesterday.  This setting was updated for us to be able to use Basic Auth.

      NS2 stands for National Security Services, so it is a more secure cloud for SF.

      Author's profile photo Federico Bellizia
      Federico Bellizia

      I’m trying to use this option and we are blocked with this error:

      com.sap.gateway.core.ip.component.odata.exception.OsciException: while trying to invoke the method com.sap.it.rt.scc.connectivity.security.IToken.getSAMLToken(java.lang.String) of a null object loaded from local variable 'principalToken'

       

      Can you explain us how it works?

       

       

       

      We tried to fill the fields with values coming from same connection in SCP but it doesn't work.

      We need more documentation about this auth method.

       

      - Audience: www.successfactors.com
      - Client Key: <API Key>  (generated after OAuth2 credential save and viewed)
      - Token Service URL: https://api2preview.sapsf.eu:443/oauth/token  (datacenter of your SF)
      - Target System Type: SuccessFactors
      - Company ID: <your company id>

      Addition Parameters

      - SystemUser: ALS_ADMIN  (userid of your SSFF)
      - nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

       

      We removed default information because they are not present on scp connection information.

       

      Could you create a good tutorial to make it works?

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Hello Federico Bellizia

      Thanks for your question with sample and error.

      As of now, we need to use the instructions of the blog:

      https://blogs.sap.com/2018/07/30/sap-cloud-platform-integration-principal-propagation-with-successfactors-odata-v2/

      We are checking with CPI dev team if they will enhance the SF Connector in the CPI to make this simpler.

      Thank you!

      Soliman

      Author's profile photo Federico Bellizia
      Federico Bellizia

      On OData Successfactors Adapter wizard you can't choise OAuth2 authorization to discovery API.

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Hello Federico Bellizia  Thank you! I just shared this point above with the CPI dev colleagues, so they can consider in future CPI enhancements too.

      Author's profile photo Federico Bellizia
      Federico Bellizia

      Could you ask them a wizard to import OAuth2 directly from Successfactors with normal Admin Login with a listbox  and import buttom? 🙂

      On adapter we want an:  "Import authorization from Successfactors"

      Or in the cockpit as you wish.

      OT: We have about 62 requests asked to CPI Developers from Novembre 2018 (date of webUI dictature (LOL)), some of there are resolved other are open (Copy&Paste&Undo..., scheduling outside workflow)... if you want.we can discuss about them on skype, hangouts, telegram or discord.

       

       

       

      Author's profile photo Federico Bellizia
      Federico Bellizia

      Hi we are trying to check Boomi Successfactors Adapter and OAuth 2.0 from Successfactors.

      We have all information and authentication is working by Postman, question is, there is a note-tutorial to connect Boomi with Successfactors by OAuth 2 and make a simple request ?

       

      We have this error:


      Test execution of OAuth2 Example completed with errors.
      Embedded message:
      Unexpected error occurred while initializing a shape.;
      Caused by: org.xml.sax.SAXNotRecognizedException:
      Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.;
      Caused by: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.


       

      We filled all field without problem, only one is not clear for us:

      OAuth2 SAML Assertion Field: ????

      What is this field ?

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Dear Federico Bellizia

      Thanks for your question. We tried to cover all the steps needed to use OAuth in Boomi (SFAPI or OData) under the following KBA created:

      2978172 - OAUTH authentication mode in DELL boomi for SuccessFactors Connector (SuccessFactors-Partner Connector) - SAP ONE Support Launchpad

      If you still faces issues after reading the KBA and trying the same steps, please let us know.

      Thank you!

      Author's profile photo Federico Bellizia
      Federico Bellizia

      Hi Guilherme Soliman,

      I studied and used your documentation but when I try to test connection:

       

      Test execution of OAuth2 Esempio completed with errors. Embedded message: Unexpected error occurred while initializing a shape.; Caused by: org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.; Caused by: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.

       

      But when I press Import and connect with OAuth 2.0 it's working, I have list of entities and it create the Operation.

      Any advice?

      We used first method to generate it's working on Connection creation phase but when I try to use this connection on test enviornment it fault.

       

      Thank you in advance

      Federico Bellizia

       

      Author's profile photo Federico Bellizia
      Federico Bellizia

      Other info:

      Connector setting:

      Author's profile photo Federico Bellizia
      Federico Bellizia

      Import

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Hello Federico

      I did one research about the error Caused by: org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized

      and I found one old incident reported by other customer with same issue.

      The colleagues shared the following Dell Boomi link with this customer to resolve this error.

      Article: Incompatible JAR files - Boomi Community

      If you cannot bypass these errors, kindly raise one incident do LOD-SF-INT-BPI and we will check together looking your Boomi account and details.

      Thanks!

      Author's profile photo Federico Bellizia
      Federico Bellizia

      I found same article, so it's probably an external jar that now is incompatible.

      I will check on Boomi setting if there are some lib installed.

      Author's profile photo Tsutomu Wakuda
      Tsutomu Wakuda

      Hello Guilherme Soliman,

      I have one question.

      > With the 2H 2020 Release of SAP SuccessFactors application, we are announcing the sunset (planned retirement) of HTTP Basic Authentication for API calls (both SFAPI & OData).

      > As mentioned earlier, no action is required from you before 2H 2020 release. However, we encourage you to plan early for the migration. After the announcement, you have until the 2H 2022 Release to move all your custom integration from Basic Authentication to OAuth ..

      Does this also apply to basic authentication for HTTP connections?

      (Before)

      HTTP%20Connection%20for%20Basic%20authentication

      HTTP Connection for Basic authentication

      (After) Do I need to change to OAuth2 authentication after 2022 2H?

      HTTP%20Connection%20for%20OAuth2%20authentication

      HTTP Connection for OAuth2 authentication

       

      Best regards,
      Wakuda

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Dear Tsutomu Wakuda

      For Boomi developments, the recommendation from SAP is to use the SuccessFactors Partner Connector (ready to use OData and SFAPI with OAuth2) and not the HTTP client connector.

      Please adapt your custom develop integration processes before 2H year 2022, where Basic Auth will stop working for all kind of connectors.

      Best Regards

      Author's profile photo Tsutomu Wakuda
      Tsutomu Wakuda

      Dear Guilherme Soliman,

      Thank you for your reply.

      >For Boomi developments, the recommendation from SAP is to use the SuccessFactors Partner Connector (ready to use OData and SFAPI with OAuth2) and not the HTTP client connector.

      Yes. I khow. But "Date Of Birth" is not null possible with the ODATA method. This is as you can see in KBA 2641564 --How to clear the "Date Of Birth" field value by OData API.
      Therefore, clearing "Date Of Birth" by JSON method for HTTP connection.

      >Please adapt your custom develop integration processes before 2H year 2022, where Basic Auth will stop working for all kind of connectors.

      Therefore, the question is whether Basic authentication for HTTP connections will be stopped in 2H year 2022.
      I understood in your answer that Basic authentication for HTTP connections will stop at 2H year 2022.

      Best regards,
      Wakuda

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Dear Tsutomu Wakuda

      Thanks for sharing the KBA.

      Correct. HTTP connections in Boomi with Basic Auth will stop at 2H 2022.

      Since you want to use the HTTP connector to fulfill the requirement, kindly evaluate to use HTTP connector in Boomi with OAuth2. In this KBA we have a sample = 2639941 - How to use OAuth 2.0 step by step in Boomi.

      Hope this can help you!

      Best Regards

      Author's profile photo Tsutomu Wakuda
      Tsutomu Wakuda

      Dear Guilherme Soliman,

      Thank you very much!!!

      Best Regards,
      Wakuda

      Author's profile photo Mohd Faiz Hasan
      Mohd Faiz Hasan

      Hi Guilherme,

      Could you please help me with the HTTP Connector config. The KBA 2639941 is not opening for me.

      Author's profile photo Chris Paine
      Chris Paine

      Hi Guilherme Soliman ,

      I like to spend some of my time developing SAP BTP Extension application that work with SAP SuccessFactors.

      Fortunately BTP has had the connectivity service which has been using OAuth2 SAML Bearer Authentication for years. Unfortunately there isn't a locally deployable version of this service that be run when using a local development server. So we have been relying on using basic auth for building and testing our builds locally.

      Would you have some recommendations on what we could do to get around this issue?

      Thanks,

      Chris

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Dear Chris Paine

      I will extend your question to our colleague Deepak G Deshpande. He is ooo and return in few days, kindly allow some extra days to get this answered.

      Cheers

      Author's profile photo Madhu Ng
      Madhu Ng

      Hi Guilherme,

      Thanks for the detailed blog.

      We are looking at migrating our integrations to use oAuth 2.0 and following the developer guide provided. However we came across in the document that it is recommended to use a third-party Idp to generate the SAML Assertion. We do have Azure AD as our corporate Idp and have integrated Successfactors with Azure AD. But there isn't much info on how to use Azure AD or any 3rd party Idp for API calls.

      Is there any documents or guide provided for this which we can check. I have tried to get more info but reached a dead end at this point.

      Thanks,

      Madhu

      Author's profile photo Guilherme Soliman
      Guilherme Soliman
      Blog Post Author

      Dear Madhu

      Sorry but I wasn't able to find one sample of 3rd Party Idp configuring this end to end with SF OAuth too.

      Since you have Azure, I think you can start exploring this KBA and the Microsoft links inside it: 2348735 - [SSO] Single Sign On setup between Microsoft Azure and SuccessFactors - SAP ONE Support Launchpad

      I also found this other sample with Azure IAS ans SF, but use Basic Auth still = SSO between Success Factors and Azure through IAS | SAP Blogs

      Thanks!

      Author's profile photo Laura Valverde Alonso
      Laura Valverde Alonso

      *IMPORTANT ANNOUNCEMENT*
      After receiving feedback from our customers, please note the Second Half 2022 decommissioning date has been postponed until further notice.
      Please note SAP SuccessFactors still advise customers to switch to more secure methods of authentication where possible. Any updates on this topic/dates will be communicated and this blog post and on the regular channels

      Author's profile photo Javier Jodar
      Javier Jodar

      Hello Laura,

      In our case, we use OAUTH for any new integrations. However, for existing integrations, I would like to ask if a new estimated date for the migration has been provided by SAP.

      Thanks.

      Author's profile photo Laura Valverde Alonso
      Laura Valverde Alonso

      Hello Javier, the decommissioning date for Basic Authentication has been postponed indefinitely until further notice, I hope this clarifies

      Author's profile photo Stevanic Artana
      Stevanic Artana

      hi Guilherme,

      Point-to-point integration between ECP and EC still uses basic authentication. Is there any plan to update this to use OAuth?

      Regards

      Steve

      Author's profile photo Stevanic Artana
      Stevanic Artana

      I have found the answer in SAP note 3167173 which is to use mTLS.

      Hope this is useful for other people.

      Author's profile photo Poushali Bhandari
      Poushali Bhandari

      Hi Guilherme Soliman,

      I referred your blog https://blogs.sap.com/2021/07/29/how-to-use-oauth2-saml-bearer-assertion-in-sap-cloud-platform-integration-connecting-with-sap-successfactors-sfapi-soap while configuring OAuth2.

      We have 15 different API users.(To identify using which API User/Integration the SF data got updated- from last modified by API UserName). now do we need to create 15key pair with CN= 15API user? Even if we do that we cannot register same application URL(CPI Tenant URL) in SF Manage OAUTH Client Applications.

      Can you please help me to understand how to achieve the authentication as Oauth2 SAML Bearer Assertion using 15 different API Users?

      Thanks,

      Poushali Bhandari