Skip to Content
Technical Articles

2H 2020 announcement: Planned Retirement of HTTP Basic Authentication (SFAPI/ODATA API)

Hello SAP community,

With the 2H 2020 Release of SAP SuccessFactors application, we are announcing the sunset (planned retirement) of HTTP Basic Authentication for API calls (both SFAPI & OData).

Objective:

Share the information with customers and partners, so new custom development integrations can already starting use OAuth instead of HTTP Basic Authentication (username/password).

 

Key Dates for Replacement

  • End of Development Phase: As of the 2H 2020 release, no enhancement will be made for HTTP Basic Authentication.

  • End of Maintenance: By 2H 2021, we’ll stop the maintenance for HTTP Basic Authentication.

  • Replacement Date: By 2H 2022, you’ll no longer be able to use HTTP Basic Authentication to access APIs.

Migrating to OAuth

We recommend that you use OAuth to authenticate API users for better security.

For more information, see the Authentication Using OAuth 2.0 topic under SAP SuccessFactors HXM Suite OData API: Developer Guide.

Please check out more details like overview, Frequently asked questions FAQ in the Customer Community blog or the Partner Delivery Community blog.

The SAP SuccessFactors support and engineering team will be answering questions in these communities above.

 

NOTE: Existing customers consuming APIs prior to 1H 2021 release will be able to use Basic Authentication for SFAPI & OData API till 2H 2022. However, post 2H 2022, basic auth would no longer be supported. However, new customers who are going to start consuming SFAPI or OData API post 1H 2022 release, can only use OAuth for SFAPI and OData API calls.

 

 

Conclusion:

This blog post shared the announcement and the right channels to get more information.

Thank you!

17 Comments
You must be Logged on to comment or reply to a post.
  • Thank you for the great blog post.

    Is this change limited to SuccessFactors’ API or sooner or later other solutions’ API will be changed  in the same way?

  • Great news,  since 2010 OAuth is growing every years, Successfactors API Access leaks this authentication and we asked a lot of time.

    Now question is, how about old implementation of Integrations, we must to migrate all them on new version of CPI because Eclipse version is unsupported?

    Thank you

  • Hi Guilherme Soliman ,

    Currently all outbound integration(with Timer event) from Success factor EC to 3rd party, there is only option to use Basic Authentication in standard Success factor Odata adapter in SAP CPI.

    We can’t use OAuth SAML Bearer assertion there because it is only working with Principal Propagation.

    Is there any plan add any other authentication type in SAP CPI standard adapter like Oauth Client Credential etc. rather than only OAuth SAML Bearer assertion??

     

    Also I have checked the updated Odata API developer guide found that for Integration Purpose Basic Auth is the good option. So basic authentication will be there for Integration purpose?

    Regards,

    Souvik

    /
    • Dear Souvik Sinha

      Thanks for your message.

      During this release 2nd Half year 2020, only this announcement was made. All the CPI standard packages delivered by SAP from EC to 3rd party integration will be adapted and published before the replacement date (2nd Half of year 2022).

      If you are using standard packages in CPI you do not need to be worried now. CPI standard packages upgrades will be avaliable in future and prior the replacement date.

      If you are using custom developed artifacts in CPI or Boomi, please evaluate to migrate to OAuth during these 2 next years.

      Soliman

      • Thanks Guilherme Soliman for the update.

        Currently only OAuth SAML Bearer assertion authentication is supported in standard Successfactor Odata api adapter in CPI other than basic Auth. It will not cover all type of scenario like if the integration is starting with Time based Event and sending data to 3rd party etc.

        My concern is whether is SAP is going to release any other OAuth authentication type like Oauth Client credential etc for Employee Central?

         

        Regards,

        Souvik

        • Hello Souvik Sinha

          Thank you! Your question was more clear to me now. The SAP engineering will provide changes in CPI and Boomi to consider OAuth in all places we used to have Basic Auth. We still do not have the timelines for these planned changes, as soon we know, we will publish in the frequently asked questions FAQ under Customer Community blog or the Partner Delivery Community blog.

          I hope this could help you 🙂

          Best Regards

          • Hi Guilherme Soliman,

            We are working with SuccessFactors on NS2 and are already dealing with some headaches because of the lack of support for SuccessFactors connector to OData/v2.

            We are getting this error.

            [LGN0030]HTTP Basic Authentication (Basic Auth) is no longer supported in OData. Please choose OAuth 2.0 to authenticate users. For more information, see https://help.sap.com/viewer/d599f15995d348a1b45ba5603e2aba9b/latest/en-US/d9a9545305004187986c866de2b66987.html.

            SFAPI connection for CompoundEmployee was not affected and we can use basic authentication.   However, is there a way to enable basic authentication for OData/v2 connections until the CPI connector changes are ready?

             

            P.S.   I responded on another post from Souvik with some details on my current work-around, but this is going to be challenging without the CPI support for OAuth2 connections.

            https://answers.sap.com/answers/13238378/view.html

          • Hi Chris,

             

            From SuccessFactors side, Basic Auth for ODATA API call is still supported.
            Error message looks like API specific. Would you let us know what API endpoint URL you are using?

          • Hi Deepa,

            Thanks for looking into this.   It was on all OData/v2 endpoints.  For example,

            https://{{domain}}/odata/v2/EmpEmployment

            After a few weeks of calls with NS2/SAP, they found a database setting to enable basic authentication yesterday.  This setting was updated for us to be able to use Basic Auth.

            NS2 stands for National Security Services, so it is a more secure cloud for SF.

      • I’m trying to use this option and we are blocked with this error:

        com.sap.gateway.core.ip.component.odata.exception.OsciException: while trying to invoke the method com.sap.it.rt.scc.connectivity.security.IToken.getSAMLToken(java.lang.String) of a null object loaded from local variable 'principalToken'

         

        Can you explain us how it works?

         

         

         

        We tried to fill the fields with values coming from same connection in SCP but it doesn't work.

        We need more documentation about this auth method.

         

        - Audience: www.successfactors.com
        - Client Key: <API Key>  (generated after OAuth2 credential save and viewed)
        - Token Service URL: https://api2preview.sapsf.eu:443/oauth/token  (datacenter of your SF)
        - Target System Type: SuccessFactors
        - Company ID: <your company id>

        Addition Parameters

        - SystemUser: ALS_ADMIN  (userid of your SSFF)
        - nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

         

        We removed default information because they are not present on scp connection information.

         

        Could you create a good tutorial to make it works?

        • Hello Federico Bellizia

          Thanks for your question with sample and error.

          As of now, we need to use the instructions of the blog:

          https://blogs.sap.com/2018/07/30/sap-cloud-platform-integration-principal-propagation-with-successfactors-odata-v2/

          We are checking with CPI dev team if they will enhance the SF Connector in the CPI to make this simpler.

          Thank you!

          Soliman

          • /
          • Could you ask them a wizard to import OAuth2 directly from Successfactors with normal Admin Login with a listbox  and import buttom? 🙂

            On adapter we want an:  "Import authorization from Successfactors"

            Or in the cockpit as you wish.

            OT: We have about 62 requests asked to CPI Developers from Novembre 2018 (date of webUI dictature (LOL)), some of there are resolved other are open (Copy&Paste&Undo..., scheduling outside workflow)... if you want.we can discuss about them on skype, hangouts, telegram or discord.