Authentication between SAP Cloud Integration and SAP SuccessFactors using OAuth
Basic authentication has long been the way SAP Cloud Integration and SAP SuccessFactors communicate. As both products move to more secure authentication mechanisms, SAP SuccessFactors and SAP Cloud Integration now support OAuth-based authentication.
This blog focuses on configuring connectivity between SAP SuccessFactors and SAP Cloud Integration using OAuth. For each of the two scenarios, the steps describe in detail the necessary configuration in SAP SuccessFactors and in SAP Cloud Integration.
Scenario 1: Connectivity from SAP Cloud Integration to SAP SuccessFactors
SAP Cloud Integration has enhanced the SAP SuccessFactors OData V2 outbound connector with OAuth2 SAML Bearer authentication. With the enhanced connector, OAuth SAML Bearer can be configured in the context of an API user of the SAP SuccessFactors system. With basic authentication for SAP SuccessFactors OData services being retired, OAuth SAML Bearer authentication is the new alternative.
The steps below create an OAuth SAML Bearer credential for connectivity from SAP Cloud Integration to SAP SuccessFactors:
- Access “Keystore” via Manage Security -> Keystore in the “Monitoring” section of SAP Cloud Integration.
- In the “Keystore” tab, select Create -> Key Pair.
- Fill in the fields needed to create the “Key Pair”. The “Common Name” must be a valid user in SAP SuccessFactors.
- Download the certificate of the “Key Pair” to the local system.
- Log on to the SAP SuccessFactors instance and go to “Manage OAuth2 Client Applications”. Click “Register a new OAuth Client Application”.
- Fill in the fields shown and paste the downloaded certificate into the X.509 Certificate field: copy only the content between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.
- After registration, an API key is generated for the application.
- Go back to the “Monitoring” section of SAP Cloud Integration and choose Manage Security -> Security Material.
- Create an OAuth2 SAML Bearer Assertion credential and fill in the fields:
  - Name: credential name
  - Description: appropriate description
  - Audience: www.successfactors.com
  - Client Key: copy and paste the API key generated in the SAP SuccessFactors instance
  - Token URL: the token URL of the SAP SuccessFactors instance
  - Company ID: the SAP SuccessFactors instance company ID
  - User ID: select “Key Pair Common Name (CN)”
  - Key Pair Alias: the alias of the key pair created earlier, i.e. the SAP SuccessFactors API user ID used in that configuration
Once deployed, the security credential is ready to be used in an iFlow.
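To show what the credential configured above actually does at runtime, here is an added example (not code from the blog or from SAP) that builds the token request the OAuth2 SAML Bearer Assertion flow sends to the SuccessFactors token endpoint and parses the reply. The token URL is derived as base API URL plus /oauth/token, as discussed in the comments; the form parameter names follow SAP's public documentation for /oauth/token and are assumptions to verify against your instance.

```python
# Added example, not code from the blog or from SAP: what the Cloud Integration
# "OAuth2 SAML Bearer Assertion" credential does when it trades a signed SAML
# assertion for a SuccessFactors access token. Form parameter names follow SAP's
# public /oauth/token documentation; treat them as assumptions to verify.
import base64
import json
import urllib.parse
import urllib.request

SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
AUDIENCE = "www.successfactors.com"  # the Audience field of the credential


def build_token_url(base_api_url):
    """Token URL = base API URL of the instance + '/oauth/token'."""
    return base_api_url.rstrip("/") + "/oauth/token"


def build_token_request(base_api_url, client_key, company_id, user_id, saml_assertion_xml):
    """Return (token_url, form dict) for the SAML bearer exchange.

    client_key - API key issued when the OAuth client was registered in SuccessFactors
    company_id - SuccessFactors company ID
    user_id    - API user; must equal the Common Name (CN) of the signing key pair
    saml_assertion_xml - assertion signed with that key pair (built by the caller)
    """
    if AUDIENCE not in saml_assertion_xml:  # the assertion must name this audience
        raise ValueError("assertion audience must be %s" % AUDIENCE)
    form = {
        "client_id": client_key,
        "user_id": user_id,
        "grant_type": SAML_BEARER_GRANT,
        "company_id": company_id,
        "assertion": base64.b64encode(saml_assertion_xml.encode("utf-8")).decode("ascii"),
    }
    return build_token_url(base_api_url), form


def parse_token_response(body):
    """Pick the access token and its lifetime out of the endpoint's JSON reply."""
    data = json.loads(body)
    if "access_token" not in data:  # error replies carry no token; fail loudly
        raise ValueError("no access_token in reply: %r" % data)
    return {"access_token": data["access_token"], "expires_in": int(data.get("expires_in", 0))}


def fetch_token(base_api_url, client_key, company_id, user_id, saml_assertion_xml):
    """Network call (not exercised offline): POST the form and parse the reply."""
    url, form = build_token_request(base_api_url, client_key, company_id, user_id, saml_assertion_xml)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode("utf-8"),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())
```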
Scenario 2: Connectivity from SAP SuccessFactors to SAP Cloud Integration
SAP SuccessFactors provides multiple authentication options for outbound connectivity; OAuth is one of the secure ones.
The steps below create an OAuth SAML credential in SAP SuccessFactors for connecting to SAP Cloud Integration:
- Log on to the SAP BTP cockpit. Select the appropriate global account and navigate to your subaccount. On the subaccount page, navigate to Security -> OAuth.
- Under OAuth, select the “Clients” tab and click “Register New Client”.
- A detail screen then appears with a generated “ID”. Enter the other details as follows:
  - Name and description
  - Subscription: the “iflmap” node of the subaccount
  - Authorization Grant: “Client Credentials”
  - Secret: enter a value. Note: this is the client secret.
- Finally, click “Save”. Make a note of the “ID” and “Secret” from this step. The token URL is displayed under the first tab, “Branding”; it is needed in the later configuration.
- The client ID just created needs the appropriate authorization to invoke SAP Cloud Integration. To assign the role, go to Security -> Authorizations.
- On the Authorizations screen, search for the user. The user is “oauth_client_<ID>”, where “ID” is the client ID generated in the previous step.
- Select the subaccount and application, assign the appropriate role and hit “Save”.
- Log on to the SAP SuccessFactors instance, go to “Security Center” and select “X509 Certificate”.
- On the screen shown, provide the following details:
  - Name and description
  - Certificate authority: “Self Signed”
  - Validity end date: as per security needs
  - Algorithm: select one
  - Issued by: enter a value
  - Click “Generate and Save”
  - Make a note of the “Common Name”
- Return to “Security Center” and select “oAuth Configurations”.
- On the screen shown, enter:
  - Name and description
  - OAuth type: “OAuth 2.0 with SAML Flow”
  - The client ID and client secret generated on the SAP Cloud Integration side
  - Token URL: the token URL with “?grant_type=client_credentials” appended. For example: https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token?grant_type=client_credentials
  - The SAP Cloud Integration endpoint URL, i.e. the endpoint generated by the SAP Cloud Integration iFlow
  - Issuer, and subject name ID format “X509 Subject Name”
  - Subject name: the same value as the “Common Name” generated for the certificate
  - X509 Certificate: select it from the dropdown
- Click “Save”. The configuration can now be used in a “Destination” to trigger the endpoint on SAP Cloud Integration.
Both SAP SuccessFactors and SAP Cloud Integration support OAuth-based authentication. In SAP Cloud Integration, OAuth SAML Bearer support with a technical user/API user makes it feasible to move from basic to OAuth authentication, while in SAP SuccessFactors the client credentials SAML authentication can be used.
Thanks Mithun for the detail.
We are trying to establish the connection but are getting an error.
In Scenario 1:
In the SF Admin console, can "Application url" be anything?
I used a similar URL as the token URL in the Security Material section while creating the credentials: https://xxxx.successfactors.xx/oauth/token. Is this correct?
When trying to connect to SF from CPI (processing tab), I get the error "Failed to connect to system".
Token URL for the instance would be the base API url plus "/oauth/token". Below is an example:
Base API URL of the instance: https://apisalesdemo.successfactors.com
Token path : /oauth/token
Token URL: https://apisalesdemo.successfactors.com/oauth/token
This URL would need to be configured. Hope this helps!
Yes, I mentioned the token URL in a similar fashion.
Cred in Secure parameter
But I am still getting the "Failed to connect to system" error.
SF Connector in iFlow
Please let me know if I am making a mistake.
Also note that I am trying it from a CF tenant.
Make sure that the client key that you have used is the key generated from the SAP SuccessFactors instance once you register your oAuth application. And the "Key Pair Alias" that you are using, i.e. "successfactorsoauth" in this case, should be a valid user that exists in SAP SuccessFactors which should have authorization to invoke APIs. If the user is not valid on SAP SuccessFactors then you will see the issue.
Thanks for correcting me.
I gave a valid API user ID as CN while creating the key pair and also mentioned the same API user ID in the security parameter.
But I am still getting the same error 'Failed to Connect to system'.
in Application URL, in "Manage OAuth2 Client Applications" in SuccessFactors, you should put your CPI tenant URL, like this: https://your_CPI_URL.com
In Token Service URL, you should put the API endpoint like this:
Is the Application URL like https://xxxxx.it-cpi00x-rt.cfapps.euxx.hana.ondemand.com?
What is the API endpoint?
Is adding /oauth/token to the CPI URL correct?
But Mithun mentioned using the SF instance API detail in the Token URL, like https://apisalesdemo.successfactors.com/oauth/token. A bit confused here.
In Application URL you don't have to add oauth/token, you have only to put your CPI url as you have done before.
In Token URL you have to add "oauth/token" to your API endpoint.
So, it is like this:
Tried the same but still not able to connect.
Here is the Key pair generated with Valid API user as CN.
oAuth key settings from SF. Certificate detail is from key pair.
and Security parameter entry. Keypair Alias with same API Username.
Still getting the error
When you create the key pair in SAP CPI -> Manage Security -> Keystore, inside field "Common Name (CN)", have you used a SuccessFactors user?
Yes. I used an SF user in CPI only.
Yes, it's a good blog.
Can we do it with an SF trial account user ID and password?
Yes, it's possible.
Hi thanks for your tutorial,
I tried it from my Trial Account to the Preview System. I followed all passages, and when I do an OData request to SuccessFactors I receive this error:
com.sap.gateway.core.ip.component.odata.exception.OsciException: while trying to invoke the method com.sap.it.nm.types.security.CredentialTraits.getTagsAsMap() of a null object loaded from local variable 'credentialTraits', cause: java.lang.NullPointerException: while trying to invoke the method com.sap.it.nm.types.security.CredentialTraits.getTagsAsMap() of a null object loaded from local variable 'credentialTraits'
Is there something wrong I did?
This seems to be configuration issue. The oAuth credential configured on the iflow is "successfactorsoauth " where as the credential name that is deployed is "successfactorsoAuth". Once this is corrected it should work as expected.
I started all process again from scratch and now it works, probably case sensitive key is the problem: thx for advice.
This is not the problem, I already tried many times; now the trial environment (like every Monday) is half down, but I can configure it and show the same result.
That's very strange
Can we connect multiple users from CPI to SuccessFactors using one OAuth connection?