Deepak G Deshpande

SAP Cloud Integration – OAuth2 SAML Bearer/X.509 Certificate Authentication Support in SuccessFactors Connector

Introduction

SAP Cloud Integration version 3.36.**/5.20.**/6.12.** comes with an enhancement to the SuccessFactors OData V2 outbound connector: OAuth2 SAML Bearer/X.509 Certificate authentication.

Note: The forecasted SAP Cloud Integration customer tenant update/availability of this version is planned on or after 3rd/10th April 2021, as per the phased tenant update procedures, and is subject to change.

OAuth2 SAML Bearer/X.509 Certificate authentication is not new to the SuccessFactors OData V2 outbound connector in SAP Cloud Integration: it has already been used for principal propagation, as described in the blog https://blogs.sap.com/2018/07/30/sap-cloud-platform-integration-principal-propagation-with-successfactors-odata-v2/ . This blog describes OAuth2 SAML Bearer support in the context of a dedicated/technical user, which is provided to support the planned retirement of Basic Authentication in SAP SuccessFactors as per the plan https://help.sap.com/viewer/62b1a0b4b34c4c36869e21c8db128e49/latest/en-US/a2f874d8f3194cc5adba237d00c134ac.html.

Setup

To consume this new feature, follow the steps below.

Step 1: Creating a key pair in SAP Cloud Integration (or uploading an existing one)

Step 2: Registering an OAuth2 client in SAP SuccessFactors System

Step 3: Deploying OAuth2 SAML Bearer credentials in SAP Cloud Integration

Step 4: Designing Integration Flow with SuccessFactors OData V2 outbound connector

 

Step 1: Creating a Key Pair in SAP Cloud Integration

In this example a new key pair is created. If you already have a valid key pair, you can re-use it by uploading it instead.

In the Monitoring section of the SAP Cloud Integration Web UI, click the Keystore tile.

Keystore UI Tile

Click Create -> Key Pair.

Create Key Pair

Provide the relevant details. The value for Common Name (CN) must be the name of a user that exists in your SAP SuccessFactors instance and has the authority to invoke the SuccessFactors API through an OAuth2 token. Because an assertion signed with this key pair's private key is accepted as that user, give the user only the API permissions the integration actually needs.

Key Pair details. The CN value must be a user of the SAP SuccessFactors system

Click on Create button once finished providing details. Copy (or remember) the Alias name for further use. In this example, the alias is “samplekeypair1”.

After creation, download the certificate of the key pair. The public key in this file is used when registering the OAuth2 client in the SAP SuccessFactors system.

Download Certificate

Step 2: Registering an OAuth2 client in SAP SuccessFactors System

Log in to your SAP SuccessFactors system as administrator and create a new OAuth2 client in the ‘Manage OAuth2 Client Applications’ section.

Click on Register Client Application

Open the certificate file you downloaded in Step 1 in a text editor.

Certificate File in text editor

When creating the OAuth2 client application, provide the relevant details, copy the certificate part (the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) and paste it into the X.509 Certificate field. Click Register and take note of the API Key (it is used as the Client Key when deploying the OAuth2 SAML Bearer credentials in SAP Cloud Integration).

Click on Register button

Click on View button of your OAuth2 client application

Copy the API Key value; it is the Client Key used when deploying the OAuth2 SAML Bearer credentials in SAP Cloud Integration.

 

Step 3: Deploying OAuth2 SAML Bearer credentials

In the Monitoring section of SAP Cloud Integration, click the ‘Security Material’ UI tile, then click Create -> OAuth2 SAML Bearer Assertion. Provide the relevant details, select Key Pair Common Name (CN) as the User ID, and provide the alias of the key pair created in Step 1, in this case samplekeypair1.

Monitoring Security Material UI tile

Create – OAuth2 SAML Bearer Assertion credentials

While creating the credentials:

Name: any allowed name of your choice, ‘sampleOAuth2Alias’ in this example.

Client Key: the API Key received after registering the OAuth2 client in the SAP SuccessFactors system.

Token Service URL: the URL of the SAP SuccessFactors OAuth2 token server.

User ID: select Key Pair Common Name (CN) in the drop-down control.

Select User ID as Key Pair Common Name (CN)

Provide the Key Pair Alias, and click on Deploy

Step 4: Designing Integration Flow

In SAP Cloud Integration, create an integration flow with the SuccessFactors OData V2 outbound adapter, select OAuth2 SAML Bearer as the authentication, and provide the credential alias created in Step 3; in this example it is ‘sampleOAuth2Alias’.

 

Note: As a side remark, the Accept-Encoding GZIP option has been added in the newer SuccessFactors OData V2 connector version 1.18; it aims to reduce the time taken for HTTP communication between SAP Cloud Integration and the SAP SuccessFactors endpoint by compressing the stream over the network.

 

Querying User API/Entity as an example under Processing tab

In this Integration Flow example, I am using an HTTP sender adapter, which provides an HTTP endpoint after deployment. When that endpoint is invoked, the integration flow executes: the SuccessFactors OData V2 outbound connector fetches the OAuth2 token and then calls the SAP SuccessFactors endpoint to fetch all User records with OAuth2 SAML Bearer authentication.

Token caching is handled by the connector as well.

 

Result of invoking HTTP endpoint of Integration Flow in this example
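Several readers in the comments hit 401 errors from the token service that traced back to configuration slips (a /odata/token path instead of /oauth/token, an Audience without the www prefix, a company ID appended to the CN, a filled-in Technical User ID, a mangled certificate paste). The following pre-flight checker is an added example, not code from this blog post or from SAP; it validates the Step 1 to Step 3 values locally before deployment. The Audience constant www.successfactors.com, the assumed Technical User ID rule and the field names of SamlBearerConfig come from this post and its comments, and every sample value is constructed.

```python
"""Pre-flight check for an OAuth2 SAML Bearer setup between SAP Cloud
Integration and SAP SuccessFactors (added example, not SAP code)."""
import base64
import binascii
from dataclasses import dataclass
from urllib.parse import urlparse

SF_AUDIENCE = "www.successfactors.com"   # Audience value that worked in the comments
TOKEN_PATH = "/oauth/token"              # token service path; /odata/token is a typo


@dataclass
class SamlBearerConfig:
    """Values configured in Steps 1 to 3 (field names are this example's own)."""
    key_pair_cn: str         # Step 1: CN of the key pair = SuccessFactors username
    client_key: str          # Step 2/3: API Key of the registered OAuth2 client
    token_service_url: str   # Step 3: SuccessFactors OAuth2 token server URL
    audience: str = SF_AUDIENCE
    technical_user_id: str = ""   # Step 2: left blank for external OAuth clients


def extract_certificate_body(pem_text: str) -> str:
    """Return the base64 between the BEGIN/END CERTIFICATE markers (Step 2 paste).

    Raises ValueError when the markers are missing or the body is not a DER
    certificate, so a truncated or re-wrapped paste is caught before registration.
    """
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    if begin not in pem_text or end not in pem_text:
        raise ValueError("PEM markers not found; download the certificate again")
    body = pem_text.split(begin, 1)[1].split(end, 1)[0]
    body = "".join(body.split())              # drop line breaks and whitespace
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:             # an X.509 certificate is a DER SEQUENCE
        raise ValueError("decoded body does not look like a DER certificate")
    return body


def preflight(cfg: SamlBearerConfig) -> list[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings = []
    cn = cfg.key_pair_cn.strip()
    if not cn:
        findings.append("CN is empty; it must be the SuccessFactors username")
    elif "@" in cn:
        # 'user@C0000123456T4' fails: the company ID belongs in the Company Id field
        findings.append("CN must be the bare username, without '@companyId'")
    if not cfg.client_key.strip():
        findings.append("Client Key is empty; use the API Key of the OAuth2 client")
    url = urlparse(cfg.token_service_url)
    if url.scheme != "https":
        findings.append("Token Service URL must use https")
    if url.path.rstrip("/") != TOKEN_PATH:
        findings.append(f"Token Service URL path is '{url.path}', expected '{TOKEN_PATH}'")
    if cfg.audience != SF_AUDIENCE:
        # 'successfactors.com' alone fails with 'Unable to validate Audience'
        findings.append(f"Audience is '{cfg.audience}', expected '{SF_AUDIENCE}'")
    if cfg.technical_user_id.strip():
        findings.append("Technical User ID must be left blank for external OAuth clients")
    return findings


if __name__ == "__main__":
    # Constructed configuration reproducing the slips reported in the comments.
    bad = SamlBearerConfig(
        key_pair_cn="sfadmin@C0000123456T4", client_key="",
        token_service_url="https://sf-tenant.example.com/odata/token",
        audience="successfactors.com", technical_user_id="sfadmin")
    for finding in preflight(bad):
        print("-", finding)
```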

Next Steps

As you might have observed, the SuccessFactors OData V2 outbound connector now supports OAuth2 SAML Bearer assertion authentication for a dedicated/technical user.

As next steps, the same support will be provided in subsequent increments, for which this blog shall be updated, for:

  1. SuccessFactors SOAP outbound connector. Update: support for OAuth2 SAML Bearer/X.509 authentication has been enabled for the SuccessFactors SOAP outbound connector with SAP Cloud Integration version 5.23.**/6.15.**. See the blog post https://blogs.sap.com/2021/07/29/how-to-use-oauth2-saml-bearer-assertion-in-sap-cloud-platform-integration-connecting-with-sap-successfactors-sfapi-soap/ for details.
  2. SuccessFactors OData V2 Query Wizard and SuccessFactors SOAP Query Wizard. Update: support for OAuth2 SAML Bearer/X.509 authentication has been enabled for both wizards with SAP Cloud Integration version 5.24.**/6.16.**.

 

Summary

The support for OAuth2 SAML Bearer assertion/X.509 Certificate authentication has now been enabled for SuccessFactors OData V2 for a dedicated/technical user to support the planned retirement activities of Basic Authentication in SAP SuccessFactors. Now, the OAuth2 SAML Bearer can be used in the context of principal propagation as well as in the context of a dedicated/technical user.

46 Comments
      Souvik Sinha

      Thanks Deepak G Deshpande for sharing the upcoming most waited features for connecting to Successfactor from SAP CPI using Oauth Authentication after the announcement of retirement of basic Authentication 🙂

      Will the below features also get updated with OAuth while connecting to SuccessFactors at adapter level to generate a query?

       

      Regards,

      Souvik

      Deepak G Deshpande
      Blog Post Author

      Hi Souvik,

      Thanks for the feedback.

      What you ask about is the Query Wizard of the SuccessFactors OData V2 outbound connector, and as I mentioned in the Next Steps section of my blog, OAuth2 SAML Bearer connectivity will also be enabled there in the next release.

       

      -Thanks

      Deepak

      Vijayaprabakaran S

      Hi Deepak G Deshpande

      Much awaited one 😊.

      Thanks for the informative blog with detailed configuration info.

      Regards,

      Vijay

      Deepak G Deshpande
      Blog Post Author

      Hi Vijay,

      Thank you 🙂

       

      -Deepak

      Suman Lakkimsetty

      Hi Deepak G Deshpande

      Thanks for your blog, this helps in configuring “OAuth2 SAML Bearer authentication”; it lets me refer to the E2E steps in one place 🙂 .

      Deepak G Deshpande
      Blog Post Author

      Hi,

      Thanks for the response 🙂

       

      Thanks

      Deepak

      Ayub Ahmed

      Dear Deepak G Deshpande

      Thanks for the informative blog with detailed configuration steps.
      We followed the steps and achieved OData - OAuth SAML authentication.

      We have tried it for the SuccessFactors - Compound Employee API authentication but didn't achieve it. May I know about the SuccessFactors - Compound Employee API authentication.

      Is there any update for the SuccessFactors - Compound Employee API authentication?

      Regards,
      Ayub Ahmed.

      Deepak G Deshpande
      Blog Post Author

      Hi Ayub Ahmed,

      SuccessFactors - Compound Employee API is part of the SOAP APIs, for which we in SAP Cloud Integration, need to enable it for SuccessFactors SOAP outbound connector, as mentioned in the "Next Steps" section of my blog here.

       

      Thanks

      Deepak

      Guilherme Soliman

      Great info Deepak. Congrats!

      Piotr Tesny

      Hello Deepak,

      Looking at the publication date of your blog I happened to publish roughly at the same time a mini series of blogs under one common title, namely SAP SuccessFactors Integration with OAuth2SAMLBearerAssertion flow.

      Happy reading; best regards; Piotr;

      Yves Pittino

      Hello Deepak,

      We tried using your blog, but did not succeed. Question is also for CN (Common Name) - should we use it with company behind it? Like username@C0000123456T4 or just as username... The mandatory country (C) we have set to DE. We tried both options but got this error:

      Error Details
      com.sap.gateway.core.ip.component.odata.exception.OsciException: Error in retrieving Authorization header, cause: com.google.common.cache.CacheLoader$InvalidCacheLoadException: CacheLoader returned null for key com.sap.it.rt.adapter.odata.oauth.cache.key.SFSAMLKey@3528ff02.
      There is not much tracing info what is wrong with the definitions.
      Can you help us here - thanks in advance, Yves Pittino
      Deepak G Deshpande
      Blog Post Author

      Hi Yves,

      As mentioned in the blog, the value for Common Name (CN) should be the username that exists in your SAP SuccessFactors instance who has the access/authority to invoke the SuccessFactors API through OAuth2 token, don't append the company ID.

      For example, your SAP SuccessFactors instance may be having a username as sfadmin, you can try sfadmin as value of the CN.

       

      Thanks

      Deepak

      Sam Hepworth

      Hi Yves,

      Did you find out what caused this error?

      Thanks,

      Sam

      Yves Pittino

      Hi Sam,

      Not yet - just discovered some more info in the system trace files, but could not yet resolve the case... latest error I see in this trace is Status code:401; Reason:{"errorHttpCode":"401","errorMessage":"Unable to validate \\"Audience\\" in the SAML assertion"}|

      It was the Audience in the CPI definition of the credentials - it was missing www for www.successfactors.com

      Regards, Yves

      Shaik Imran

      Hi Yves,

      I am also facing the same error as below. Can you please let me know what is the resolution for this.

       

      Error Details

      com.sap.gateway.core.ip.component.odata.exception.OsciException: Error in retrieving Authorization header, cause: com.google.common.cache.CacheLoader$InvalidCacheLoadException: CacheLoader returned null for key com.sap.it.rt.adapter.oauth.token.core.SFSAMLKey@eb7b9f65.
      Thanks,
      Imran
      Yves Pittino

      As already mentioned for me:

      It was the Audience in the CPI definition of the credentials - it was missing www for www.successfactors.com

      Regards, Yves

      Dyanxela Almenario

      Hello Deepak,

       

      Great blog!

      One question, for the Token Service URL, is it the API endpoint with /oauth/token appended? Like this one? https://apisalesdemo4.successfactors.com/oauth/token

      If not, can you give an example?

       

      Thank you,

      Dy

      Deepak G Deshpande
      Blog Post Author

      Hi Dyanxela Almenario ,

      Yes, your example https://apisalesdemo4.successfactors.com/oauth/token is correct.

       

      Thanks

      Deepak

      Avinash Aallashetty

      Hello Deepak, Hope you could help me here. Referring to below image, though Technical User id is a Technical user still I get below error.

      could you help me to get rid of this error.

      Deepak G Deshpande
      Blog Post Author

      Hi Avinash,

      If you observe my screenshot in the blog for creating the OAuth2 client, I have left the "Technical User ID" field empty. This is something that SAP SuccessFactors has yet to consider technically.

      But as of now, please don't provide any value for Technical User ID, keep it blank.

      Hope this helps 🙂

       

      Thanks

      Deepak

      Avinash Aallashetty

      Hello Deepak, Thanks for the reply.

      There is a business requirement so I tried that option. It would be great help if you could help me to find about release time line of this feature from SF team.

      Reg, Avinash

      Deepa Kumari

      Hi Avinash Aallashetty :

      Currently, external OAUTH does not support technical user ID binding with API key. Option you see on SF UI is for internal OAUTH only.

      Guide URL: https://help.sap.com/viewer/d599f15995d348a1b45ba5603e2aba9b/2105/en-US/6b3c741483de47b290d075d798163bc1.html

      However, our Engineering colleagues are already working on this feature. If all goes well as planned, tentative date of release would be 2111.

      We also have KBA on this: https://launchpad.support.sap.com/#/notes/3046598

      Avinash Aallashetty

      Hello Deepa, Thanks for the information.

      reg, Avinash

      Kurapati Kusuma

      Hi Deepak,

      I am getting the below error when I try to use this configuration. Could you please confirm if I can use these SAML credentials with the HTTP adapter instead of the SuccessFactors OData adapter. I mean the HTTP adapter will call the SF OData V2 API URL.

      Error Details
      java.lang.IllegalArgumentException: Unexpected response code from OAuth token service 'https://api10preview.sapsf.com/oauth/token' Response code: 401 Content Type: application/json Response Body: {"errorHttpCode":"401","errorMessage":"Unable to verify the signature of the SAML assertion"}, cause: com.sap.core.connectivity.apiext.impl.authentication.assertion.oauth.OAuthServerResponseCodeException: Unexpected Token Service response code. No response body was returned by Token Service

      Regards,

      Kusuma K.

       

      Deepak G Deshpande
      Blog Post Author

      Hi Kusuma,

      The offering of X.509 certificate/OAuth2 SAML Bearer for a dedicated/technical user (as explained in the above blog post) is only supported for the SuccessFactors OData adapter, and not for the HTTP adapter.

      OAuth2 SAML Bearer authentication can still be used in the context of principal propagation for HTTP outbound adapter.

       

      Thanks

      Deepak

      Kurapati Kusuma

      Thank you Deepak for your response.

      In the HTTP adapter, the principal propagation option for authentication is disabled, I cannot choose it.

      Is there any documentation how this can be done or used in HTTP outbound adapter?

       

      Regards,

      Kusuma K.

      Deepak G Deshpande
      Blog Post Author

      Hi Kusuma,

      For principal propagation scenarios via/from SAP Cloud Integration to any cloud application, one should use OAuth2 SAML Bearer authentication with proxy type "Internet" in the connector properties UI, and for principal propagation scenarios via/from SAP Cloud Integration to an on-premise application through the cloud connector, one should use Principal Propagation authentication with proxy type "On Premise" in the connector properties UI. So, Principal Propagation authentication will be enabled for proxy type On Premise.

       

      Thanks

      Deepak

      Sudip Banerjee

      Hi Deepak,

      Many thanks for this detailed blog.

      We have a requirement to extract SuccessFactors Metadata ODATA API information (PerPerson, PerPersonal, EmpJob etc. entities) through CPI and we followed the steps you have explained here. But we are unable to select columns from these entities with OAUTH authentication, however it is working fine while we switched back to BASIC authentication. Can you please help me on this? Thanks again.

       

       

      Regards,

      Sudip Banerjee

      Deepak G Deshpande
      Blog Post Author

      Hi Sudip,

      What is the exact issue/error you are facing? Can you share more details? Or you can also raise a support ticket with all relevant information so that the team can analyse it and respond to you.

       

      Thanks

      Deepak

      Souvik Sinha

      Hi Deepak G Deshpande ,

      HTTP session reuse "On Integration Flow" is not supported when we use OAuth authentication. Should we go ahead and configure "On Exchange" HTTP session reuse for this case?

      What is your suggestion on HTTP session reuse?

       

      Regards,

      Souvik

      Deepak MP

      Hi Souvik,

      You can set session reuse to Exchange Scope.

      Regards,

      Deepak

       

      Souvik Sinha

      Thanks Deepak MP for the response.

      Regards,

      Souvik

      Marco Laurenza

      Hi Deepak MP,

      We have a large number of integrations that use the HTTP Adapter for the Upsert operation. We have to use the HTTP Adapter due to the fact that the SuccessFactors Adapter does some useless checks that the HTTP Adapter does not, for example: the seqNumber mandatory field (the HTTP Adapter doesn't give us an error, the SF Adapter does), AutoNumber fields (the HTTP Adapter doesn't give us an error, the SF Adapter does).

      We are trying to use OAuth2 SAML Bearer with HTTP Adapter, but we have the error "java.lang.IllegalArgumentException: Authorization Header not present for given expression constant{*****}".

      Is in plan to fix the HTTP Adapter or we should change all integrations done in all clients?

      Thanks in advance

      Regards
      Marco

      Deepak MP

      Hi Marco,

      Oauth SAMLbearer Assertion Authentication is used in 2 different scenarios.

      1. When passing Principal of a logged-in user to the target system refer to this blog  
      2. When the passing principal of a technical user to the target system refer to this blog

      In your case, the second use case is what you are trying to achieve.

      unfortunately, this feature is not supported in the HTTP adapter and is only supported in the Successfactors adapter.

      Regards,

      Deepak

      Gurdev Singh

      Hey Marco,

      I came across a similar situation where I had to use the HTTP adapter along with the SuccessFactors OData API. Turns out, once I had finished following the steps mentioned in this blog to generate OAuth2 credentials and configuring them on the SAP Cloud Integration end, I had to configure my HTTP adapter as follows (please see attachment).

      http_oauth2

      Hope this helps.

       

      Cheers

      Gurdev

      Vijay Konam

      Did you guys find a solution for this? We are in the same boat. The HTTP POST operation that we need to use to generate the nextPersonID is not in the OData services and we are getting 401 when we use HTTP adapter.

       

      Thanks,

      VJ

      Abby Odsinada

      Hello Deepak MP ,

      Can you confirm this is available for SF REST adapter ? (Need to query TimeEvents API of SF Time Tracking).

      I am getting an error

      If you could give some guidance on this.

      "Message processing failed.

      Processing Time: 340 ms
      Error Details
      com.google.common.cache.CacheLoader$InvalidCacheLoadException: CacheLoader returned null for key Alias : cico_oauth_dev, Audience: www.successfactors.com, Tokenservice Url: https://api10preview.sapsf.com/oauth/token, Target System: SuccessFactors, Company Id: xxxxxxxx, KayPair Alias : cico_oauth."
      Deepak MP

      Hi Abby,

      The error indicates that there was a failure in fetching the Oauth token from the Successfactors system. To figure out the exact reason for the failure you need to check the LJS logs from your tenant.

      Go to the Monitoring page and select System Logs; there, filter the names with the prefix ljs_trace. Now download the latest log files and look for more detailed error logs.

      Regards,

      Deepak

      Nancy Ho

      Hi Deepak MP,

      Thanks for your article, I am able to complete all the integration flows successfully. Question: when the Certificate expires in 2 years, how do I renew the Cert? Below is my guess. Appreciate your advice. Thx

      1. Create a new 'Key Pair', Register new client application in SF, then update OAuth2 Credential with new Client Key and Key Pair alias?
      2. somehow able to renew the Cert inside the existing 'Key Pair'?
      Deepak MP

      Hi Nancy,

      After the certificate expires you have to choose option 1. We don't have an option to renew the existing certificate.

      Regards,

      Deepak

      Subhadeep Ganguly

      Hello Deepak G Deshpande

      I have followed your blog and have configured the OAuth connection successfully.

      However, when I am trying to create the same connection with a new user, then I cannot register a new entry in SF with the same application URL.

      What needs to be done in case we want multiple users to be connected using OAuth?

      Regards,

      Subhadeep Ganguly

      Souvik Sinha

      Subhadeep Ganguly You can't use the same URL while registering multiple OAuth setups. I think the application URL is not a mandatory field. You can use alternative URLs to do the registrations for new users.

       

      Regards,

      Souvik

      Hector Pascual Haba

      Hello!

       

      I am getting the following error after finishing all the steps, I reviewed 3 to 4 times and all the steps appear to be OK.

       

      Error is thrown by the SF adapter, I am using SAML bearer authentication

       

       

      Error Details
      com.sap.gateway.core.ip.component.odata.exception.OsciException: Error in retrieving Authorization header, cause: org.apache.http.client.HttpResponseException: status code: 401, reason phrase: Authentication credentials are required. Please provide a valid username, password and company id
      Any ideas why this might be happening?
      Souvik Sinha

      Hector Pascual Haba ,

      Have you verified the Company ID and Username for the SF system you are connecting to?

      For technical API user, make sure that UserId and Username fields value should be always same in SF to avoid any issue.

       

      Regards,

      Souvik

      Hector Pascual Haba

      Dear Souvik Sinha ,

       

      Thanks for the quick reply. Yes, I double checked this and it's correct apparently. Any other thing that could be causing this?

       

      Company ID is correct, username is also correct.

       

      I am a bit unsure about which Country/Region to specify while creating the key pair, I am placing 'EU' but not sure if this would be causing the error?

       

      BR

      Hector Pascual Haba

      Hello,

       

      I found the solution, it was a wrong token URL causing everything, I was using /odata/token instead of /oauth/token.

       

      Thanks!