SuccessFactors Employee Central to SAP Cloud Platform Integration (CPI) using OAuth Authentication
Here, I have explained how to connect from SuccessFactors Employee Central to SAP Cloud Platform Integration which is an inbound to SAP Cloud Platform Integration using OAuth 2.0 with SAML OAuth Type.
In this blog, I have taken an example of employee push replication which is a standard package iflow for employee master data replication that triggers immediately from Employee Central to SAP ERP HCM using SAP Cloud Platform Integration as the middleware, regardless of when the next regular replication is scheduled.
I have provided the step by step description on what all configurations required from SAP Cloud Platform Integration (CPI) and SuccessFactors Employee Central side to trigger employee push replication to CPI using OAuth authentication.
Configurations in CPI:
- First create OAuth client id under Security in SAP Cloud platform cockpit.
CPI Cockpit configurations
ID: Keep same as name.
Subscription: Choose the one ending with iflmap.
Secret: Keep a password.
- Provide role ESBMessaging.send to client id:
In cockpit go to subscriptions -> iflmap application ->Roles->click on Assign
Add user id as “oauth_client_<client id> (client id is the one which is created in step 1) .
Configurations in SuccessFactors Employee Central:
- In integration center for push replication event below is the destination setting using OAuth authentication type:
2. Provide below details for OAuth configuration:
- Configuration name: Any name of your choice.
- OAuth Type: OAuth 2.0 with SAML Flow.
- Get Client ID and Client secret from CPI cockpit as explained in CPI configuration.
- Token URL: Get it from CPI cockpit, Security->OAuth->OAuth Setting->Token endpoint URL and add “?grant_type=client_credentials” towards end.
e.g. – https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token?grant_type=client_credentials
- Token Method: Post
- Audience: Push replication endpoint URL which you get from CPI.
- Recipient: Same as Token URL
- Issuer: successfactors.com
- Subject Name id: Any email id
- Subject Name ID Format: X509 Subject Name
- X509 Key: Create X509 certificate with CN as *.successfactors.com
So, whenever there is any hire/rehire/termination event or any other configured event is created for any employee then push replication is triggered to CPI using OAuth authentication.
In this blog I demonstrated on how to connect from SuccessFactors integration center job to SAP Cloud Platform Integration without using basic authentication (User Id/Password). I have explained in detail on what all information for OAuth authentication is required from SAP CPI cockpit side and explained on what all details has to be provided in SuccessFactors Integration Center job for successful OAuth authentication from SuccessFactors to CPI.
OAuth Client Credentials Grant (SAP help document related to OAuth Credential)
Hi rupalita patnaik ,
Thanks for the detailed article.
I am trying to replicate same steps in my trial account.
Please help with step 1 in configuration in CPI, Under security I can see Users, Role collection, roles and trust configurations. How do I create OAuth client id under Security in SAP Cloud platform cockpit?
This is visible in the Neo factory accounts. Using Integration Suite trial account, you can directly go to Services->Instances and create a key which contains client id and secret key. Please check the screen shot attached.
You can also refer to the blog: https://blogs.sap.com/2020/10/01/oauth-setup-for-cloud-integration-in-cloud-foundry-environment/