Introducing SAP SuccessFactors API Calls using OAuth 2.0 with SAML
Background on API Security
By now everybody should know that security is one of the most important aspects of running software in the cloud, and that security is never something which is "done". It is a constant process of adjusting the existing security concepts to the newest attack vectors and applying state-of-the-art responses to them. This is even more true for integrations and API-based communication.
In 2021 a set of new and more secure authentication mechanisms was released for the SAP SuccessFactors OData and SOAP APIs as well as for the corresponding SAP Integration Suite and Boomi connectors. The new authentication mechanism is OAuth 2.0 with SAML Bearer Assertion.
Why is OAuth 2.0 with SAML more secure than the Basic Authentication used so far? There are two major answers to this question:
- SAML assertions as well as access tokens have a short validity period, so even if one is exposed it cannot be used at all, or not for long.
- If a secure connector is used, such as the SuccessFactors connector in SAP Integration Suite, there is no point in time at which any person has access to the secret (the private key) used to generate the SAML assertion.
Neither is true for Basic Authentication with API users and passwords. Passwords are long-lived, and everybody who knows one can access the system. The same applies to the visibility of the password: to configure it in a connector, at least one person has to enter it and is therefore aware of it.
What can you do to make APIs calls more secure?
For a more secure communication, OAuth 2.0 with SAML Bearer Assertion was introduced in SAP SuccessFactors and in the SAP Integration Suite connector for OData and SOAP APIs. While the two blogs linked before describe this step by step for SAP Integration Suite, you can find here an example flow and the video below. They demonstrate the configuration in SAP Integration Suite and SAP SuccessFactors.
In addition you will also find there a Postman collection demonstrating the OAuth flow, in case you have to call the SAP SuccessFactors APIs from your own code without using SAP Integration Suite. This Postman collection makes use of the oauth/idp call, which must not be used in a productive setup; it is used only for demonstration purposes to simplify the overall setup. To make this secure in your own code you have to replace the oauth/idp call and generate the SAML assertion yourself, or with the help of a third-party SAML generation tool. It is up to you to establish a secure communication channel to such a tool and to store the private keys used for signing the SAML assertion securely. See also this blog and the documentation on help.sap.com to get more insight into how to use the Java example program offered by SAP to generate a SAML assertion using OpenSAML.
Using the above resources helps customers and partners to improve the overall security of integrations running on SAP Integration Suite when accessing SAP SuccessFactors APIs. Migrating existing integrations from Basic Authentication to OAuth 2.0 based flows should be part of every integration project. Similar additional security measures can be applied to SFTP servers (using certificates instead of user and password) and to custom code or third-party middleware, e.g. Boomi.
You want to learn more? Listen here to our webinar and subscribe for more information!
In case you are an SAP partner or customer, you can listen to myself and Karthick Chandrasekaran in this webinar to get more information about the migration from Basic Authentication to OAuth 2.0. Slides are available here.
We will share more information in future with our customers and partners through webinars and this customer community blog. As always you can ask your integration related questions in our customer or partner community for “APIs and integrations”.
Great explanation on how to allow OAuth authentication in SF. Can you please share a video on how to use SAML assertion in postman to connect the SF APIs from client's point of view. A code snippet on connecting the SF API with SAML assertion from .Net or Python will also help.
After the initial configuration of the OAuth client registration in SuccessFactors (see also the video above for CPI as client), the runtime flow has three steps:
It is important to note that the SAML assertion has to be generated by the client or by a trusted Identity Provider. The public key of this trusted Identity Provider has to be uploaded into the OAuth client registration at the beginning. It is up to the consumer to ensure that this trusted Identity Provider handles the private key in a secure way.
Two important notes:
PS: I don't have Python examples but found a few pages like this one: SAP SuccessFactors SAML Authentication in Python | News | MTR Design (mtr-design.com)
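As an added illustration of the runtime flow described in the blog body and in the reply above (example code written for this page, not SAP's own code, not the Postman collection and not the Java/OpenSAML program mentioned), the following Python sketches what a client has to do once the oauth/idp helper is removed: build a short-lived SAML 2.0 bearer assertion, form the token request for `/oauth/token`, and cache the returned access token until shortly before it expires. It also shows the checks the token endpoint applies to the validity window and audience, which is why a leaked assertion is of little use after a few minutes. The XML signature is deliberately left out: a real client must sign the assertion (for example with OpenSAML, as the page describes) using the private key whose public key was registered in the OAuth client. Issuer, user, audience, company id and client id values are constructed placeholders; the exact attribute set SuccessFactors expects inside the assertion is not reproduced here, and the request body follows the standard SAML bearer grant (`grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer`, base64-encoded assertion), which is assumed rather than copied from SAP documentation.

```python
import base64
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
ET.register_namespace("saml2", SAML_NS)


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_iso(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer, subject_user, audience, token_url, now,
                    validity=timedelta(minutes=10)):
    """Step 1: build a short-lived SAML 2.0 bearer assertion (unsigned skeleton).
    A production client must add an XML-DSig <Signature> over this element with
    the private key registered for the OAuth client; that step is omitted here."""
    expiry = now + validity
    root = ET.Element(_tag("Assertion"), {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _iso(now)})
    ET.SubElement(root, _tag("Issuer")).text = issuer
    subject = ET.SubElement(root, _tag("Subject"))
    ET.SubElement(subject, _tag("NameID")).text = subject_user
    conf = ET.SubElement(subject, _tag("SubjectConfirmation"), {"Method": BEARER})
    ET.SubElement(conf, _tag("SubjectConfirmationData"),
                  {"NotOnOrAfter": _iso(expiry), "Recipient": token_url})
    cond = ET.SubElement(root, _tag("Conditions"),
                         {"NotBefore": _iso(now), "NotOnOrAfter": _iso(expiry)})
    restriction = ET.SubElement(cond, _tag("AudienceRestriction"))
    ET.SubElement(restriction, _tag("Audience")).text = audience
    return ET.tostring(root, encoding="unicode")


def check_assertion(xml_text, expected_audience, now, clock_skew=timedelta(seconds=30)):
    """The checks a token endpoint applies before issuing a token (signature
    verification omitted): validity window, audience, bearer confirmation.
    Returns (ok, reason)."""
    root = ET.fromstring(xml_text)
    cond = root.find(_tag("Conditions"))
    if cond is None:
        return False, "no Conditions"
    not_before = _parse_iso(cond.get("NotBefore"))
    not_on_or_after = _parse_iso(cond.get("NotOnOrAfter"))
    if now + clock_skew < not_before:
        return False, "assertion not yet valid"
    if now - clock_skew >= not_on_or_after:
        return False, "assertion expired"
    audiences = [a.text for a in cond.iter(_tag("Audience"))]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    confirmation = root.find(f"{_tag('Subject')}/{_tag('SubjectConfirmation')}")
    if confirmation is None or confirmation.get("Method") != BEARER:
        return False, "not a bearer assertion"
    return True, "ok"


def token_request_body(client_id, company_id, assertion_xml):
    """Step 2: form-encoded body for POST https://<api-server>/oauth/token.
    The request is not sent here; the assertion is base64-encoded as the SAML
    bearer grant expects (assumed layout, see lead-in)."""
    return urlencode({
        "client_id": client_id,
        "company_id": company_id,
        "grant_type": GRANT_TYPE,
        "assertion": base64.b64encode(assertion_xml.encode()).decode(),
    })


class TokenCache:
    """Step 3: reuse the access token and request a new one shortly before
    expires_in elapses, so a fresh assertion is only built when needed."""

    def __init__(self, refresh_margin=timedelta(seconds=60)):
        self.token = None
        self.expires_at = None
        self.margin = refresh_margin

    def store(self, token_response, now):
        self.token = token_response["access_token"]
        self.expires_at = now + timedelta(seconds=int(token_response["expires_in"]))

    def needs_refresh(self, now):
        return self.token is None or now >= self.expires_at - self.margin


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    assertion = build_assertion("example-issuer", "api_user", "example-audience",
                                "https://api.example.invalid/oauth/token", now)
    print(check_assertion(assertion, "example-audience", now))
    print(token_request_body("example-client-id", "EXAMPLECOMPANY", assertion)[:80], "...")
```

The ten-minute window in `build_assertion` and the `needs_refresh` margin are the two knobs that realise the "short-lived" argument from the blog: an intercepted assertion is rejected by `check_assertion` once `NotOnOrAfter` has passed, and the client never has to hold a long-lived secret in the request path, only the signing key, which stays wherever the assertion is generated.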
You might be interested in the CLI utility I created, which could help the community a lot (spoiler alert: it solves the Postman compatibility issue in the post-/oauth/idp era). Read more in the blog post:
Testing SAP SuccessFactors’ API’s: sf-oauth utility to automate the generation of SAML Assertions with support for Postman | SAP Blogs
Our third-party vendor is not able to support OAuth2 with SAML assertion. Kindly advise how to implement OAuth2 without SAML assertion to receive the data from the vendor using a REST API call for the Background Check Result portlet update.
If you use a third-party tool for integration which does not support OAuth2 with SAML or mTLS (see this blog https://blogs.sap.com/2023/03/08/mtls-integration-with-sap-successfactors-and-sap-btp/), then your third-party vendor has to offer this authentication to allow a secure communication without additional effort on your side. If they don't, your only options are: