Gerald Reinhard

Introducing SAP SuccessFactors API Calls using OAuth 2.0 with SAML

Background on API Security

By now everybody should know that security is one of the most important aspects of running software in the cloud, and that security is never “done”. It is a constant process of adjusting existing security concepts to the newest attack vectors and applying state-of-the-art responses to them. This is even more true for integrations and API-based communication.

In 2021 a set of new, more secure authentication mechanisms was released for the SAP SuccessFactors OData and SOAP APIs as well as for the corresponding SAP Integration Suite and Boomi connectors. The new authentication mechanism is OAuth 2.0 with SAML Bearer Assertion.

Why is OAuth 2.0 with SAML more secure than the Basic Authentication used so far? There are two major answers to this question:

  1. SAML assertions as well as the access tokens are short-lived, hence even if they are exposed they cannot be used at all, or not for long.
  2. If a secure connector is used, like the SuccessFactors connector in SAP Integration Suite, there is no point in time at which any person has access to the secret (private key) used to generate the SAML assertion.

Neither is true for Basic Authentication with API users and passwords. Passwords are long-lived, and everybody who knows one can access the system. The same applies to the visibility of the password: in order to configure it in a connector, at least one person has to enter it and therefore knows it.

What can you do to make APIs calls more secure?

For more secure communication, OAuth with SAML Bearer Assertion was introduced in SAP SuccessFactors and in the SAP Integration Suite connector for OData and SOAP APIs. While the two blogs linked above describe this step by step for SAP Integration Suite, you can find here an example flow and the video below; they demonstrate the configuration in SAP Integration Suite and SAP SuccessFactors.

In addition you will also find there a Postman collection demonstrating the OAuth flow, in case you have to call the SAP SuccessFactors APIs from your own code without SAP Integration Suite. This Postman collection makes use of the oauth/idp call, which must not be used in a productive setup and is only used here for demonstration purposes to simplify the overall setup. To make this secure in your own code you have to replace the oauth/idp call and generate the SAML assertion yourself or with the help of a third-party SAML generation tool. It is up to you to establish a secure communication channel to such a tool and to store the private keys for signing the SAML assertion securely. See also this blog and the documentation on help.sap.com for more insight into how to use the Java example program offered by SAP to generate a SAML assertion using OpenSAML.

Using the above resources helps customers and partners improve the overall security of integrations running on SAP Integration Suite when accessing SAP SuccessFactors APIs. Migrating existing integrations from Basic Authentication to OAuth 2.0-based flows should be part of every integration project. Similar additional security measures can be applied to SFTP servers (using certificates instead of user names and passwords) and to custom code or third-party middleware, e.g. Boomi.

Want to learn more? Listen to our webinar here and subscribe for more information!

If you are an SAP partner or customer you can listen to me and Karthick Chandrasekaran in this webinar for more information about the migration from Basic Authentication to OAuth 2.0. Slides are available here.

We will share more information in future with our customers and partners through webinars and this customer community blog. As always, you can ask your integration-related questions in our customer or partner community for “APIs and integrations”.

      2 Comments
      Bhaskar Joardar

      Great explanation on how to allow OAuth authentication in SF. Can you please share a video on how to use SAML assertion in postman to connect the SF APIs from client's point of view. A code snippet on connecting the SF API with SAML assertion from .Net or Python will also help.

      Gerald Reinhard
      Blog Post Author

      Hi Joardar,

      after the initial configuration of the oAuth client registration in SuccessFactors (see also the video above for CPI as client), the runtime flow has three steps:

      1. Generating a SAML assertion (a Java example of how to do this can be found in the blog "Best Practice for SAML Offline generator and local keystore with SAP SuccessFactors" on SAP Blogs).
      2. Exchanging the SAML assertion for an Access Token in postman (see the blog "How to initiate an OAuth connection to SuccessFactors Employee Central?" on SAP Blogs).
      3. Calling the API with the Access Token in postman (same blog as above).

      It is important to notice that the SAML assertion has to be generated by the client or a trusted Identity Provider. The public key of this trusted identity provider has to be uploaded into the oAuth client registration at the beginning. It is up to the consumer to ensure that this trusted identity provider is handling the private key in a secure way.

      Two important notes:

      • Do not use the oauth/idp call for SuccessFactors in production to get a SAML assertion. This approach is not secure and should never be used. We will disable this call in future.
      • In case you generate your own SAML assertion, ensure that this happens on a server in a secure environment. Doing this on the client would be a severe security risk and would expose the private key.

      Best regards

      Gerald

      PS: I don't have Python examples but found a few pages like this one: SAP SuccessFactors SAML Authentication in Python | News | MTR Design (mtr-design.com)
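The three runtime steps from the reply above (obtain a SAML assertion from a trusted signer, exchange it for an access token, call the API with that token), together with the short-lived-credential argument from the post body, as an added Python example. This is editorial example code, not SAP's code, not the Postman collection and not from any of the linked blogs. It assumes the token endpoint takes the form fields `grant_type`, `client_id`, `company_id` and `assertion` and answers with JSON carrying `access_token`, `token_type` and `expires_in`; verify these against the SuccessFactors documentation for your release. The signing service and the token endpoint are constructed stand-ins so the flow runs offline. The client refuses assertions whose validity window is longer than a local policy allows, caches the access token until shortly before it expires, and only asks the signer for a fresh assertion when a new exchange is needed, so the signing key stays on the signer and never reaches the client.

```python
# Added example (not SAP's code): SAML bearer token exchange with a policy check
# on the assertion's validity window and a refresh-before-expiry token cache.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522

def assertion_window(assertion_xml: str) -> Tuple[datetime, datetime]:
    """Read NotBefore / NotOnOrAfter from the assertion's <Conditions> element."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion lacks a complete Conditions element")
    to_dt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return to_dt(cond.get("NotBefore")), to_dt(cond.get("NotOnOrAfter"))

def policy_violation(assertion_xml: str, now: datetime,
                     max_lifetime: timedelta = timedelta(minutes=10)) -> Optional[str]:
    """Reason the assertion must not be sent, or None; caps lifetime (point 1 of the post)."""
    not_before, not_on_or_after = assertion_window(assertion_xml)
    if not_on_or_after - not_before > max_lifetime:
        return "lifetime exceeds policy"
    if not not_before <= now < not_on_or_after:
        return "not valid at this time"
    return None

class SamlBearerTokenClient:
    """Steps 2 and 3: exchange the assertion for an access token, cache it, present it
    as a bearer token. The private key never enters this class (fetch_assertion = signer)."""

    def __init__(self, token_url: str, client_id: str, company_id: str,
                 fetch_assertion: Callable[[], str],
                 post: Callable[[str, Dict[str, str]], Dict[str, str]],
                 refresh_margin: timedelta = timedelta(seconds=60)) -> None:
        self.token_url, self.client_id, self.company_id = token_url, client_id, company_id
        self.fetch_assertion, self.post, self.refresh_margin = fetch_assertion, post, refresh_margin
        self._token: Optional[str] = None
        self._expires_at: Optional[datetime] = None

    def _exchange(self, now: datetime) -> str:
        assertion_xml = self.fetch_assertion()
        reason = policy_violation(assertion_xml, now)
        if reason:
            raise ValueError(f"refusing to send assertion: {reason}")
        form = {  # field names as documented for the SuccessFactors token endpoint (assumption)
            "grant_type": SAML_BEARER_GRANT,
            "client_id": self.client_id,
            "company_id": self.company_id,
            "assertion": base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii"),
        }
        resp = self.post(self.token_url, form)
        if resp.get("token_type", "").lower() != "bearer" or "access_token" not in resp:
            raise RuntimeError("unexpected token response")
        self._token = resp["access_token"]
        self._expires_at = now + timedelta(seconds=int(resp["expires_in"]))
        return self._token

    def auth_header(self, now: Optional[datetime] = None) -> Dict[str, str]:
        """Authorization header for the API call; re-exchanges when the token is about to expire."""
        now = now or datetime.now(timezone.utc)
        if not (self._token and self._expires_at and now + self.refresh_margin < self._expires_at):
            self._exchange(now)
        return {"Authorization": f"Bearer {self._token}"}

# Constructed stand-ins so the flow runs without a tenant -------------------------
def make_demo_assertion(not_before: datetime, lifetime: timedelta) -> str:
    """Unsigned assertion skeleton; a real signing service adds the XML signature."""
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<saml2:Assertion xmlns:saml2="{SAML_NS}" Version="2.0" ID="_demo">'
            f'<saml2:Issuer>demo-signing-service</saml2:Issuer>'
            f'<saml2:Conditions NotBefore="{fmt(not_before)}" '
            f'NotOnOrAfter="{fmt(not_before + lifetime)}"/></saml2:Assertion>')

class FakeTokenEndpoint:
    """Counts exchanges and returns a fresh 30-minute bearer token each time."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, url: str, form: Dict[str, str]) -> Dict[str, str]:
        ET.fromstring(base64.b64decode(form["assertion"]))  # must at least be well-formed XML
        self.calls += 1
        return {"access_token": f"demo-token-{self.calls}", "token_type": "Bearer", "expires_in": "1800"}

def demo() -> Tuple[str, str, str, int]:
    """Returns (first header, header 10 min later, header 35 min later, exchanges made)."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = [t0]  # simulated wall clock shared with the fake signer
    endpoint = FakeTokenEndpoint()
    client = SamlBearerTokenClient(
        "https://api-server.example/oauth/token", "DEMO_CLIENT_ID", "DEMOCOMPANY",
        fetch_assertion=lambda: make_demo_assertion(clock[0], timedelta(minutes=5)),
        post=endpoint)
    first = client.auth_header(clock[0])["Authorization"]                     # exchange 1
    cached = client.auth_header(t0 + timedelta(minutes=10))["Authorization"]  # still valid
    clock[0] = t0 + timedelta(minutes=35)
    renewed = client.auth_header(clock[0])["Authorization"]                   # expired: exchange 2
    return first, cached, renewed, endpoint.calls
```

Run `demo()` to see two exchanges for three API calls: the second call reuses the cached token, the third happens after the 30-minute token has expired and triggers a fresh assertion and exchange. To talk to a real tenant, replace `FakeTokenEndpoint` with a function that POSTs the form to the tenant's token URL over TLS and returns the parsed JSON, and replace the `fetch_assertion` lambda with a call to your server-side signing service; the policy check and caching stay unchanged.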