Skip to Content
Technical Articles
Author's profile photo Sriprasad S Bhat

SuccessFactors Integration For Beginners – Connecting With OAuth

Introduction:

Recently SuccessFactors released Note # 2970369 stating its going to sunset Basic Authentication ( starting from 2022 ) for API usage.Below blog will show how we can connect using existing OAuth2 authentication method to fetch the data from SuccessFactors using SAP Integration Suite.

Disclaimer:

This blog is just to explain technically how OAuth based authentication can be achieved in SAP CPI for SuccessFactors Based integrations. SAP may release any further update to existing adapter to ease out connectivity which would make the below approach much easier.

Whats the issue with existing SuccessFactors – OData Adapter of SAP CPI:

SuccessFactors OData V2 adapter have OAuth SAML based authentication supported but it doesnt suffice to achieve the end to end scenario of authentication process to get the data from SuccessFactors OData V2 ( Refer Limitation KBA-2986720 ) using SAP CPI.

We will create a small demo to see how we can leverage HTTP and OData adapter to achive the same.

Current Process to get the data from SuccessFactors Employee Central using OAuth ( using Postman ).

 

SuccessFactors Settings:

Navigate to Admin Center->Manage OAuth2 Client Applications-> Register

Fill the mandatory details as shown below.

 

Click on Generate X.509 certificate and fill out the details as shown below and then “Generate

 

Once you click on Generate Screen Automatically goes back to previous one giving option to download the Private Keys and Certificates. 

Download the .pem file. It contains private key and certificate. (Can be seen in notepad++).Take a copy of private key to be used further in our integrations.

 

Save the configuration to capture API key associated with your OAuth Application for further usage in your integration.

SAP Integration Service Settings:

Login in to your SAP CPI tenant and create a new iflow with below design.

If you are very much new to SAP CPI then follow below Tutorial to get familiarized with.

Developer Tutorial – SAP CPI

Block 1:

Its main Integration Process and configure like below.

Step a:

Add Content Modifier and add all your parameters ( like you want to control logging ).Its optional for you in above design.

Step b:

Add Process Call to make a call to Local Integration Process – GetSAMLAssertion ( covered in Block – 2 )

Step c:

Add Process Call to make a call to Local Integration Process – GetAuthToken( covered in Block – 3 )

Step d:

Add Process Call to make a call to Local Integration Process – GetUserData( covered in Block – 4 )

Block 2:

Local Integration Process which is used to get SAML Assertion from SuccessFactors.

Step a:

Add Content Modifier with below details in Body section. Refer the above OAuth Application for all the details.

client_id=<client_id>&user_id=<technicaluser>&token_url=https://apisalesdemo4.successfactors.com/outh/token&private_key=<private_key>

Step b:

Add Request-Reply with HTTP receiver adapter with configuration ( API server depends on your SF instance ).

Step c:

Add Script to log the assertion code ( just for your reference ).

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;

def Message processData(Message message) {

	def body = message.getBody(java.lang.String) as String;
	def messageLog = messageLogFactory.getMessageLog(message);	
        messageLog.addAttachmentAsString("SAML_Assertion:", body, "text/xml");
        return message;
}

Block 3:

Local Integration Process for getting Bearer Token from SuccessFactors .

Step a:

Add Content Modifier with below details.

Message Header should have constant with below value.

Name Value
Content-Type application/x-www-form-urlencoded

Body section of your content modifier should have below values ( replaced with your SuccessFactors details like company id and client id ).

company_id=<COMPANY_ID>&client_id=<CLIENT_ID>&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=${in.body}

Step b:

Add HTTP receiver adapter to get the Bearer Token from SuccessFactors.

Step c:

Add Script step to parse the bearer token and set it as header for subsequent call.

import groovy.json.*;
import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;
def Message processData(Message message) {
    //Body 
       def body = message.getBody(String.class);
       def jsonSlurper = new JsonSlurper()
       def list = jsonSlurper.parseText(body)
       def token="Bearer "+list.access_token.toString();
       //Headers 
       def map = message.getHeaders();
       message.setHeader("Authorization", token);
      
       return message;
}

Step d:

Optional Script step to log your payload.

Block 4:

Locat Integration Process call to get User data from SuccessFactors.

Step a:

Add a  Request-Reply step to make OData call to get User data from SuccessFactors with below configuration.

Step b:

Log your payload to see the user details from SuccessFactors.

 

Deploy your IFlow to see end to end result.

 

Hope this helps to understand step by step details to achieve the connectivity.

Regards,

Sriprasad Shivaram Bhat

Assigned Tags

      16 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Hari Sonnenahalli
      Hari Sonnenahalli

      Very nice blog. I hope SAP will further ease out the connectivity.

      Author's profile photo Syambabu Allu
      Syambabu Allu

      Easy to understand and Thanks for sharing in detailed on new connectivity approache in SuccessFactors.

       

      Thank you,

      Syam

      Author's profile photo Souvik Sinha
      Souvik Sinha

      Thanks Sriprasad Shivaram Bhat for sharing the step by step details of Oauth Authentication to Successfactor using existing functionality.

      Does SAP has road map to upgrade the Successfactor Odata standard adapter to accept the same or enhance functionality of oauth?

       

      Regards,

      Souvik

      Author's profile photo Sriprasad Shivaram Bhat
      Sriprasad Shivaram Bhat
      Blog Post Author

      Hello Souvik,

      It should be available over the time but not sure about exact time frame of release.

      Regards,

      Sriprasad Shivaram Bhat

      Author's profile photo Souvik Sinha
      Souvik Sinha

      That's great !!! will look forward to the announcement.

       

      Regards,

      Souvik

      Author's profile photo Antonio Ferreira Vicente
      Antonio Ferreira Vicente

      Very important and Clear for beginners. Thank you, Bhat !!

      Author's profile photo Vivek Jain
      Vivek Jain

      Hi Sriprasad,

       

      I have successfully got the Assertion through POSTMAN as well as CPI. But , while getting Token I am getting '401' error (in both CPI as well as POSTMAN). Please advise .

       

       

      Thanks and Regards,

      Vivek Jain

      Author's profile photo Vivek Jain
      Vivek Jain

      Hi Sriprasad,

       

      PFA the error from CPI.

       

      Thanks and Regards,

      Vivek Jain

      Author's profile photo Sriprasad Shivaram Bhat
      Sriprasad Shivaram Bhat
      Blog Post Author

      Hello Vivek,

      Could you please share screenshot of the OAUTH details screen and also the user you are using is having all the required access ( API user ).

      Regards,

      Sriprasad Shivaram Bhat

      Author's profile photo Jayasuryavathi Tadikonda
      Jayasuryavathi Tadikonda

      Hi Sriprasad,

       

      Thank you for the informative blog.

      I'm able to test the OAuth SAML Bearer Assertion through Postman successfully.

      We have an Artifact type OAuth SAML Bearer Assertion in SAP CPI Security material. I tried to use the Artifact in the CPI flow. But the flow failed with the below error.

      com.sap.gateway.core.ip.component.odata.exception.OsciException: while trying to invoke the method com.sap.it.rt.scc.connectivity.security.IToken.getSAMLToken(java.lang.String) of a null object loaded from local variable 'principalToken', cause: java.lang.NullPointerException: while trying to invoke the method com.sap.it.rt.scc.connectivity.security.IToken.getSAMLToken(java.lang.String) of a null object loaded from local variable 'principalToken'

      I want to understand that-  Is the process explained in the blog is different from the SAP CPI Artifact OAuth2 SAML Bearer Assertion (SuccessFactors)?

       

      Thank you.

       

      Regards,

      Jaya

      Author's profile photo Sriprasad Shivaram Bhat
      Sriprasad Shivaram Bhat
      Blog Post Author

      Hello Jaya,

      Appreciate if you go through the complete blog reason for above issue is mentioned in couple of KBAs.

      Regards,

      Sripraad Shivaram Bhat

      Author's profile photo Terry Eisenmenger
      Terry Eisenmenger

      Thank you for this we have some who are just getting their feet in the water on integrations and this will certainly help jump start them.

      Author's profile photo Piotr Tesny
      Piotr Tesny

      Hello Sriprasad Shivaram Bhat,

      I have bookmarked your blog when I was doing research on OAuth2SAMLBearerAssertion flow with different LOB applications.

      I do really appreciate the clarity of the solution you describe that leverages the SFSF OAuth client idp endpoint to generate the saml bearer assertion. (On a side note your blog is also a quite nice introduction into CPI part of Integration Suite).

      Long story short.

      As a result of my own research I had come up with the following blog post that describes other ways to implement OAuth2SAMLBearerAssertion with SuccessFactors (both with SAP BTP and without BTP tie-in), namely SAP SuccessFactors Integration with OAuth2SAMLBearerAssertion flow.

      kind regards

      Piotr

       

      Author's profile photo Prasenjit Sarkar
      Prasenjit Sarkar

      Hey Sriprasad,

      Firstly thanks for the blog, I tried it and it worked well.

      What is SAP's guidance on instance refreshes and creating a back up of the OAuth clients created in lower Dev and QA systems? Is there a way to download a back up so that the same certificate and Key can be added back?

      Regards

      Prasenjit

      Author's profile photo Naresh Dasika
      Naresh Dasika

      Hello Sriprasad,

      Any update on the "OAuth" mode availability in SFSF sender adapter on SAP PO and SAP CPI?

      Per KBA note-3061465 - Support for OAUTH in SFSF adapter in SAP Process Orchestration (PO), this should be available by the end of 2021

      This Info is required for preparation of the changes, testing and timelines etc. from customer side

      Regards,

      Naresh

       

      Author's profile photo Sriprasad S Bhat
      Sriprasad S Bhat
      Blog Post Author

      Hello Naresh,

      OAuth is already available in SAP CPI sender & receiver SFSF Adapter.

      https://blogs.sap.com/2021/03/26/sap-cloud-integration-oauth2-saml-bearer-x.509-certificate-authentication-support-in-successfactors-connector/

      Regards,

      Sriprasad Shivaram Bhat