Skip to Content
Technical Articles
Author's profile photo Gerald Reinhard

Introducing SAP SuccessFactors API Calls using OAuth 2.0 with SAML

Background on API Security

In the meantime everybody should know that security is one of the most important aspects when it comes to run software in the cloud and that security is never something which is “done”. It’s a constant process of adjusting the existing security concepts to newest attack vectors and apply state of the art responses to those. This is even more true for integrations and API based communication.

In 2021 a set of new and more secure authentications mechanisms have been released for SAP SuccessFactors OData and SOAP APIs as well as for the corresponding SAP Integration Suite and Boomi connectors. The new authentication mechanism is oAuth2.0 with SAML Bearer Assertion.

Why is oAuth2 with SAML more secure than the existing Basic Authentication used so far? There are two major answers to this questions:

  1. SAML Assertions as well as the Access Tokens have a short living validity, hence even if they are exposed they can not be used at all or not for long.
  2. If a secure connector is used, like the SuccessFactors Connector in SAP Integration Suite, there is no point in time where any person would have access to the secret (private key) used to generate the SAML assertion.

Both are not true for Basic Authentication when API users and passwords are being used. Passwords are long living and everybody who knows it can access the system. The same is true for the visibility of the password. In order to configure it in a connector, at least one person has to enter it and is aware of it.

What can you do to make APIs calls more secure?

For a more secure communication oAuth with SAML Bearer Assertion was introduced in SAP SuccessFactors and in the SAP Integration Suite Connector for OData and SOAP APIs. While the two blogs linked before are describing this step by step for SAP Integration Suite, you can find here an example flow and the video below. They demonstrate the configuration in SAP Integration Suite and SAP SuccessFactors.

In addition you will also find there a postman collection demonstrating the oAuth flow in case you do have to call the SAP SuccessFactors APIs from your own code not using SAP Integration Suite. This postman collection is making use of the oauth/idp call which shall not be used in a productive setup but is just used for demonstration reasons to simplify the overall setup. To make this secure in your own code you have to replace this oauth/idp call and generate the SAML assertion by yourself or with the help of a third party SAML generation tool. It is up to you to establish a secure communication to such a tool and to store securely the private keys for signing the SAML assertion.  See also this blog and the documentation one to get more insights into how to use a java example program offered by SAP to generate a SAML assertion using opensaml.

Using the above resources helps customers and partners to improve the overall security of integrations running on SAP Integrations Suite when accessing SAP SuccessFactors APIs. Migrating existing integrations from Basic Authentication to oAuth2 based flows should be part of every integration project. Similar additional security measure can be applied to SFTP servers (using certificates instead of user and passwords) and custom code or 3rd party middleware, e.g. Boomi.

You want to learn more? Listen here to our webinar and subscribe for more information!

In case you are a SAP partner or customer you can listen to myself and Karthick Chandrasekaran in this webinar to get more information about the migration from Basic Authentication to OAuth 2.0. Slides are available here.

We will share more information in future with our customers and partners through webinars and this customer community blog. As always you can ask your integration related questions in our customer or partner community for “APIs and integrations”.





Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Bhaskar Joardar
      Bhaskar Joardar

      Great explanation on how to allow OAuth authentication in SF. Can you please share a video on how to use SAML assertion in postman to connect the SF APIs from client's point of view. A code snippet on connecting the SF API with SAML assertion from .Net or Python will also help.

      Author's profile photo Gerald Reinhard
      Gerald Reinhard
      Blog Post Author

      Hi Joardar,

      after the initial configuring the oAuth client registration  in SuccessFactors (see also video above for CPI as client) the runtime flow has three steps:

      1. Generating a SAML assertion (Best Practice for SAML Offline generator and local keystore with SAP SuccessFactors | SAP Blogs  a Java example how to do this you find in this blog).
      2. Exchanging the SAML assertion for an Access Token in postman (How to initiate an OAuth connection to SuccessFactors Employee Central? | SAP Blogs)
      3. Calling the API with the Access Token in postman (same blog as above)

      It is important to notice the the SAML assertion has to be generated by the client or a trusted Identity Provider. The public key of this trusted identity provider has to be uploaded into the oAuth client registration at the beginning. It is up to the consumer to ensure that this trusted identity provider is handling the private key in a secure way.

      Two important notes:

      • Do not use the oauth/idp call for SuccessFactors in production to get a SAML assertion. This approach is not secure and should never be used. We will disable this call in future.
      • In case you generate you own SAML assertion ensure that this happens on a server in a secure environment. Doing this on the client would be a severe security risk and would expose the private key.

      Best regards


      PS: I don't have Python examples but found a few pages like this one: SAP SuccessFactors SAML Authentication in Python | News | MTR Design (

      Author's profile photo Pieter Janssens
      Pieter Janssens

      Hi myself

      You might be interested in the cli utility I created, which could help the community a lot (spoiler alert: it solves the Postman compatibility issue in the post /oauth/ipd era). Read more in the blog post:

      Testing SAP SuccessFactors’ API’s: sf-oauth utility to automate the generation of SAML Assertions with support for Postman | SAP Blogs

      Best regards,


      Author's profile photo Ambika Potharaju
      Ambika Potharaju

      Hi Gerald,

      Our third party vendor is not able to support Oauth2 with SAML assertion. Kindly advise without SAML Assertion how to implement Oauth2 to receive the data from Vendor using REST API call Background Check Result portlet update.

      Thank you!

      Author's profile photo Gerald Reinhard
      Gerald Reinhard
      Blog Post Author

      Hi Ambika,

      if you use a third party tool for integration which is not supporting oAuth2 with SAML or mTLS, see this blog, than your third party vendor has to offer this authentication to allow a secure communication without additional effort on your side. If he doesn't your only options are:

      • Switch to a tool which supports oAuth2 with SAML or mTLS, e.g. SAP Integration Suite or
      • Stick to unsecure authentications such as basic authentication or
      • Create a bridge between that vendor and SuccessFactors APIs which support an secure authentication supported by that tool and use either oAuth2 with SAML or mTLS with SF inside this bridge. For such a bridge someone can use again SAP Integration Suite - Cloud Integration or API Management but also a simple application running on BTP which exposes an endpoint.

      Best regards