Authentication between SAP Cloud Integration and SAP SuccessFactors using OAuth
Basic authentication has long been the standard way for SAP Cloud Integration and SAP SuccessFactors to communicate. However, as both products move toward more secure authentication mechanisms, SAP SuccessFactors and SAP Cloud Integration have enhanced their capabilities to support OAuth-based mechanisms.
In this blog, the primary focus is on configuring connectivity between SAP SuccessFactors and SAP Cloud Integration using OAuth. For both scenarios, the steps describe in detail the necessary configurations in SAP SuccessFactors and SAP Cloud Integration.
Scenario 1: Connectivity from SAP Cloud Integration to SAP SuccessFactors
SAP Cloud Integration has enhanced the SAP SuccessFactors OData V2 outbound connector with OAuth2 SAML Bearer authentication. With the enhanced SAP SuccessFactors OData V2 outbound connector, it is possible to configure OAuth SAML Bearer in the context of an API user of the SAP SuccessFactors system. With basic authentication for SAP SuccessFactors OData services being retired, OAuth SAML Bearer authentication is the new alternative.
The steps below describe how to create an OAuth SAML Bearer credential for connectivity from SAP Cloud Integration to SAP SuccessFactors:
- Access “Keystore” through Manage Security -> Keystore under the “Monitoring” section of SAP Cloud Integration
- In the “Keystore” tab, select Create -> Key Pair
- When creating the “Key Pair”, fill in the necessary fields. The “Common Name” must be a valid user in SAP SuccessFactors.
- Download the certificate of the “Key Pair” to the local system.
- Log on to the SAP SuccessFactors instance and go to “Manage OAuth2 Client Applications”. Click “Register a new OAuth Client Application”.
- To register, fill in the fields shown and paste the downloaded certificate from the local system into the “X.509 Certificate” field; copy only the contents of the certificate between “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----”.
- After registration, an API key is generated for the application.
- Go back to the “Monitoring” section in SAP Cloud Integration. Choose Manage Security -> Security Material.
- Create an OAuth2 SAML Bearer Assertion credential.
Fill in the values for the fields:
- Name: Credential name
- Description: Appropriate description
- Audience: www.successfactors.com
- Client Key: Copy and paste the API key generated in the SAP SuccessFactors instance
- Token URL: The token URL of the SAP SuccessFactors instance
- Company ID: SAP SuccessFactors instance company ID
- User ID: Select “Key Pair Common Name(CN)”
- Key Pair Alias: Provide the SAP SuccessFactors instance API user ID used earlier in the configuration
Once deployed, the security credential is ready to be used in an iFlow.
Scenario 2: Connectivity from SAP SuccessFactors to SAP Cloud Integration
SAP SuccessFactors provides multiple ways of authenticating outbound connectivity; OAuth is one of the secure ways to handle outbound communication.
The steps below describe how to create an OAuth SAML credential in SAP SuccessFactors for connecting to SAP Cloud Integration:
- Log on to the SAP BTP cockpit. Select the appropriate account and navigate to your subaccount. On the subaccount page, navigate to Security -> OAuth.
- Under OAuth, select the “Clients” tab and click “Register New Client”.
- The detail screen is populated with an “ID”. Enter the other details as follows:
- Name and description
- Select “Subscription” as the “iflmap” node of the subaccount
- Select “Authorization Grant” as “Client Credentials”
- Enter a “Secret”. Note: this is the client secret.
- Finally, click “Save”. Make a note of the “ID” and “Secret” provided in this step. The token URL is displayed under the first tab, “Branding”; it is used in the further configuration.
- The client ID created needs appropriate authorization to invoke SAP Cloud Integration. To assign the role, go to Security -> Authorizations.
- In the screen shown, search for the user. The user is “oauth_client_<ID>”, where “ID” is the client ID generated in the previous step.
- Select the subaccount and application. Assign the appropriate role and click “Save”.
- Log on to the SAP SuccessFactors instance, go to “Security Center” and select “X509 Certificate”.
- In the screen shown, provide the following details:
- Name and description
- Certificate authority as “Self Signed”
- Enter the validity end date as per security needs
- Select an algorithm
- Enter the issued-by value
- Click “Generate and Save”
- Make a note of the “Common Name”
- Return to “Security Center” and select “OAuth Configurations”
- In the screen shown, enter:
- Name and Description
- Select OAuth type as “OAuth 2.0 with SAML Flow”
- Enter the client ID and client secret generated for SAP Cloud Integration
- Provide the token URL with “?grant_type=client_credentials” appended at the end. For example: https://oauthasservices-<consumer-account>.<landscape host name>/oauth2/api/v1/token?grant_type=client_credentials
- Provide the SAP Cloud Integration endpoint URL. This is the endpoint generated by the SAP Cloud Integration iFlow.
- Enter the issuer and select the subject name ID format as “X509 Subject Name”
- Enter the subject name matching the “Common Name” generated in the certificate
- Select the “X509 Certificate” from the dropdown
- Click “Save”. The configuration can now be used in a “Destination” to trigger the endpoint on SAP Cloud Integration.
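The two configurations above hide what actually travels on the wire. The following Python script is an added example, not code from the blog or from SAP, that shows the token requests behind both scenarios: Scenario 1 exchanges a SAML assertion signed with the Cloud Integration key pair at the SuccessFactors token URL (the OAuth 2.0 SAML Bearer grant, RFC 7522), and Scenario 2 performs the client-credentials grant against the BTP token URL with the registered client ID and secret. The HTTP transport is injected so the flows run offline against a constructed fake endpoint; the parameter names used for the SuccessFactors token endpoint (client_id, company_id, grant_type, assertion) and all host names are assumptions, not values taken from the page.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Grant type used by Scenario 1 (RFC 7522). Parameter names sent with it are an assumption.
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def pem_body(pem: str) -> str:
    """Return only the base64 between the BEGIN/END CERTIFICATE lines, which is
    what the SuccessFactors 'X.509 Certificate' field expects (Scenario 1)."""
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN CERTIFICATE")
            or not lines[-1].startswith("-----END CERTIFICATE")):
        raise ValueError("expected exactly one PEM-armoured certificate")
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # reject a mangled paste early
    return body


def oauth_client_user(client_id: str) -> str:
    """Name under which the BTP OAuth client appears in Security -> Authorizations."""
    return f"oauth_client_{client_id}"


def _require_https(url: str) -> None:
    # Assertions, client secrets and bearer tokens must never travel over plain HTTP.
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-TLS token URL: {url}")


def _parse_token(status: int, body: bytes) -> str:
    # Accept only a well-formed bearer token response (RFC 6749 section 5.1).
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("token response is not a bearer token")
    return data["access_token"]


def saml_bearer_token(transport, token_url: str, client_key: str,
                      company_id: str, signed_assertion_xml: bytes) -> str:
    """Scenario 1: exchange a SAML assertion signed with the Cloud Integration key
    pair for a SuccessFactors access token. client_key is the API key from
    'Manage OAuth2 Client Applications'. transport(url, headers, body) -> (status, body)."""
    _require_https(token_url)
    form = {
        "client_id": client_key,
        "company_id": company_id,
        "grant_type": SAML2_BEARER,
        "assertion": base64.b64encode(signed_assertion_xml).decode("ascii"),
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, body = transport(token_url, headers, urlencode(form).encode("ascii"))
    return _parse_token(status, body)


def client_credentials_token(transport, token_url: str, client_id: str, client_secret: str) -> str:
    """Scenario 2: client-credentials grant against the BTP token URL. The blog
    appends ?grant_type=client_credentials to the URL, so that is enforced here;
    the client ID/secret go in an HTTP Basic header (RFC 6749 section 2.3.1)."""
    _require_https(token_url)
    if parse_qs(urlsplit(token_url).query).get("grant_type") != ["client_credentials"]:
        raise ValueError("token URL must end with ?grant_type=client_credentials")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    status, body = transport(token_url, {"Authorization": f"Basic {basic}"}, b"")
    return _parse_token(status, body)


def bearer_header(token: str) -> dict:
    """Header the caller adds to the OData or iFlow request once it holds a token."""
    return {"Authorization": f"Bearer {token}"}


def form_fields(body: bytes) -> dict:
    """Decode a url-encoded request body (used to inspect what was actually sent)."""
    return {k: v[0] for k, v in parse_qs(body.decode("ascii")).items()}


if __name__ == "__main__":
    # Constructed stand-in for the real token endpoints so the flows run offline.
    def fake_transport(url, headers, body):
        return 200, b'{"access_token": "tok-123", "token_type": "Bearer", "expires_in": 3600}'

    tok1 = saml_bearer_token(fake_transport, "https://api.example.com/oauth/token",
                             "API-KEY", "COMPANY01", b"<saml:Assertion/>")
    tok2 = client_credentials_token(
        fake_transport,
        "https://oauthasservices-acct.example.com/oauth2/api/v1/token?grant_type=client_credentials",
        "clientid", "clientsecret")
    print(bearer_header(tok1), bearer_header(tok2))
```

The checks in the helpers are the ones worth keeping in any real client: refuse a non-TLS token URL, require the grant_type the blog tells you to append, and accept only a response that really is a bearer token, so a misconfigured credential fails at token time rather than at the OData call.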
Both SAP SuccessFactors and SAP Cloud Integration support OAuth-based authentication. In SAP Cloud Integration, OAuth SAML Bearer support with a technical user/API user makes it feasible to move from basic to OAuth authentication; in SAP SuccessFactors, using client credentials with SAML authentication is possible.