Martin Frick

[SAP & MS Teams] 5 – SAP SuccessFactors instance setup

Welcome back to the blog post series about how to create your own Microsoft Teams extension using SAP BTP and Microsoft Azure. In today’s fifth blog post I will provide you with all relevant details to configure the integration between SAP SuccessFactors and SAP Cloud Integration, in both directions.

As explained in the first blog post (click here), this sample Microsoft Teams extension for SAP SuccessFactors will allow you to create leave requests right from within Microsoft Teams. It also provides features for managers to approve or reject leave requests. As explained in the preface, this blog post series has a special focus on those customers interested in or already using the SAP Business Technology Platform and corresponding integration services.

The series will be published in multiple editions, which are structured as follows.

  1. Preface and scenario introduction (click here)
  2. Target application features (click here)
  3. Requirements and application architecture (click here)
  4. SAP BTP subaccount configuration and test users (click here)
  5. SAP SuccessFactors instance setup (this blog post)
    • Set up OAuth clients for Principal Propagation and technical API access
    • Configure the Intelligent Services Center for notification handling
  6. Set up your SAP Cloud Integration instance (click here)
  7. Get your Microsoft Azure settings ready (click here)
  8. Deploy your Microsoft Teams extension (click here)
  9. Improvement ideas and further topics (click here)

A quick reminder for your convenience – Feel free to check out the GitHub repository provided in the SAP-samples organization. Please be aware that the repository is still being updated, so make sure you’re pulling on a regular basis.

https://github.com/SAP-samples/btp-extend-workflow-cai-msteams/tree/full-scope

So, let’s get started with today’s edition and check out which steps need to be taken to establish an integration between SAP SuccessFactors and your SAP BTP integration layer, also known as SAP Cloud Integration.

SAP SuccessFactors

As this blog post series has been developed on a SAP SuccessFactors Salesdemo instance, we assume that your SAP SuccessFactors instance also contains some basic customizing and demo content. This includes, but is not limited to:

  • test users for the leave request scenario
  • a hierarchical organizational structure with employees and managers
  • approval workflows for leave request scenarios
  • available balances in the test user’s time accounts
  • the availability of Employee Central for API access
  • the access to the Intelligent Services Center

Furthermore, we assume that you’ve got administrative access to your SAP SuccessFactors instance to configure integration settings like OAuth clients, the Intelligent Services Center, roles & permissions as well as a new technical API user (if required).

Please understand that this blog post series cannot cover further details on SAP SuccessFactors configuration and customizing aside from the integration settings for this sample scenario. So, have you made sure the SAP SuccessFactors instance fulfills the above requirements? Well then let’s get started.

OAuth clients

In SAP SuccessFactors, two OAuth clients need to be configured. This allows both a fixed API user connection and a Principal Propagation connection between SAP Cloud Integration and SAP SuccessFactors.

The fixed user connection will be required for API calls, in which no user context is available to make use of Principal Propagation. This is the case when notifications need to be enriched with further SAP SuccessFactors data, before being sent to Microsoft Teams.

The Principal Propagation connection will be required for all other SAP SuccessFactors API calls from SAP Cloud Integration. As these API calls will be triggered by an active Microsoft Teams session, it allows the usage of Principal Propagation. Let’s get started with the configuration required for Principal Propagation.

Principal Propagation

First, we will configure the Principal Propagation between SAP Cloud Integration (SAP BTP environment) and SAP SuccessFactors.

1) Download your SAP BTP subaccount Private Key/Trust, to configure the OAuth client used for Principal Propagation within SAP SuccessFactors. Make sure you’re using the SAP BTP subaccount which will later host your Microsoft Teams extension application.

Download your SAP BTP subaccount trust

2) Create a new OAuth Client application in SAP SuccessFactors.

Create new OAuth Client

3) Configure your OAuth Client application.

  • Company: Your SAP SuccessFactors Company ID (pre-filled automatically)
    ➤ Please note down this value
  • Application Name: SAP BTP PP (or can be freely chosen by you)
  • Description: Can be freely chosen by you
  • Application URL: https://api.cf.<Your BTP region like eu10>.hana.ondemand.com (or can be freely chosen by you)
    ➤ The value does not influence the functionality of the scenario
  • Bind to Users: Not required / Unchecked
  • X.509 Certificate: The Private Key/Trust which you just downloaded from SAP BTP
    ➤ Hint – Open the downloaded file using a text editor like Notepad
    ➤ Important – Only copy and paste the values between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (see screenshot)

SAP SuccessFactors – OAuth Client for Principal Propagation

4) Once the OAuth Client is registered (by clicking the respective button), open the client once again by clicking on View in the client list. From the read-only details, copy and note down the API Key. You will need it in the next step.

5) Switch over to your SAP Cloud Integration tenant. Create a new OAuth2 SAML Bearer credential configuration. You can find the credential configuration in the Monitoring area of your SAP Cloud Integration tenant (Manage Security – Security Material).

Configure a new OAuth2 SAML Bearer Assertion

  • Name: SFSF_PP (or any other name of your choice)
    ➤ Please note down this value
  • Audience: www.successfactors.com
  • Client Key: API key (of the SAP SuccessFactors OAuth Client you defined)
  • Token Service URL: https://<Your SAP SuccessFactors API endpoint>/oauth/token
    ➤ Find SAP SuccessFactors API endpoints in SAP Help (click here)
    ➤ You should be able to identify your environment and numeric name by checking your SAP SuccessFactors URL. If unsure, please ask your SAP SuccessFactors admin.
    ➤ Sample: salesdemo4.successfactors.com (Environment: Salesdemo, Data center: DC4)
  • Company ID: Company field (of the SAP SuccessFactors OAuth Client you defined)
  • User ID: Principal Propagation
  • Add. Properties:
    ➤ userIdSource: email (please make sure you use email (CF) and not mail (Neo))
    ➤ nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    ➤ Hint – As you’ve learned in the previous blog posts, the mapping between the Azure Active Directory and SAP SuccessFactors users is done via their email addresses.

These settings allow you to make use of Principal Propagation between SAP Cloud Integration and SAP SuccessFactors. A sample of the credential configuration (in this case for an SAP SuccessFactors tenant in DC4) could look similar to this.

SAP Cloud Integration – Principal Propagation configuration

6) Once the configuration is finished and deployed, please note down (if not yet done) the name which you’ve given your credential configuration (in the screenshot e.g., SFSF_DC4_PP). You will need it when deploying your integration flows.

Fixed User

The fixed technical user connection will allow access to SAP SuccessFactors for scenarios in which no user context is available for Principal Propagation. The required configuration will make use of an existing blog post by my SAP colleague Deepak G Deshpande, who describes the setup in great detail (click here).

1) Follow step 1 of the provided blog post to create a Key-Pair in SAP Cloud Integration for your corresponding SAP SuccessFactors technical user and give it a descriptive name (e.g. the name of your technical user).

Important – If your technical user in SAP SuccessFactors is for example sfadmin, you need to provide sfadmin as the Common Name (CN) when creating the Key-Pair. Make sure your technical SAP SuccessFactors user has permissions to call the following OData APIs without filter limitations!

  • EmployeeTime (GET)
  • WfRequest (GET)
  • PerEmail (GET)

As described in the provided blog post, please download the certificate of the Key-Pair to your local device. You will need it when configuring the second OAuth Client within SAP SuccessFactors. Also note down the name of your Key-Pair.

2) Follow step 2 of the provided blog post to create another OAuth Client within SAP SuccessFactors, in which you store the certificate you just downloaded. Please be aware of the following hints when configuring your OAuth Client.

  • Company: Your SAP SuccessFactors Company ID (pre-filled automatically)
    ➤ Please note down this value
  • Application Name: SAP CI – Fixed User (or can be freely chosen by you)
  • Description: Can be freely chosen by you
  • Application URL: https://api.cf.<your BTP region like eu10, us20>.hana.ondemand.com (or can be freely chosen by you)
    ➤ The value does not influence the functionality of the scenario
  • Bind to Users: Not required / Unchecked
  • X.509 Certificate: The value of the Key-Pair certificate which you downloaded
    ➤ Hint – Open the downloaded file using a text editor like Notepad
    ➤ Important – Make sure you only insert the certificate value between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

Important – Don’t forget to also note down the API key of this OAuth Client. You will need it in the next step. The API key is generated, after you save your OAuth Client configuration. Just click on View in the OAuth Client overview.
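The "only copy the value between the BEGIN/END markers" step applies to both OAuth Clients (Principal Propagation and Fixed User) and can be checked with a short script before pasting. This is an added example, not part of the original post or the SAP sample repository; the function names are assumptions, and the sample PEM is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CN_OID = bytes.fromhex("0603550403")  # DER bytes of OID 2.5.4.3 (commonName)

# Constructed placeholder (NOT a real certificate): a tiny DER SEQUENCE that
# only carries CN=sfadmin, saved with Windows line endings as Notepad would.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              "MA4GA1UEAwwH\r\nc2ZhZG1pbg==\r\n"
              "-----END CERTIFICATE-----\r\n")

def extract_cert_body(pem_text):
    """Return the one-line base64 value for the X.509 Certificate field."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("file contains a private key; never paste it")
    blocks = CERT_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one certificate, found {len(blocks)}")
    body = "".join(blocks[0].split())            # strip CR/LF and spaces
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data is not a DER SEQUENCE")
    return body

def sha256_fingerprint(body):
    """Colon-separated SHA-256 of the DER bytes, for comparing both sides."""
    digest = hashlib.sha256(base64.b64decode(body)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def subject_cn(body):
    """Heuristic: last commonName in the DER (subject follows issuer).
    Handles short-form lengths only; extensions may also carry a CN."""
    der = base64.b64decode(body)
    pos = der.rfind(CN_OID)
    if pos < 0:
        return None
    length = der[pos + len(CN_OID) + 1]          # byte after the string tag
    start = pos + len(CN_OID) + 2
    return der[start:start + length].decode("utf-8", "replace")

if __name__ == "__main__":
    body = extract_cert_body(SAMPLE_PEM)
    print(body)
    print(sha256_fingerprint(body))
    print("CN matches technical user:", subject_cn(body) == "sfadmin")
```

On a real downloaded file, `openssl x509 -in <file> -noout -subject -fingerprint -sha256` prints the authoritative subject and fingerprint to compare against.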

3) Follow step 3 of the provided blog post, to create the second OAuth2 SAML Bearer credential configuration within your SAP Cloud Integration instance. A screenshot of the respective SAP Cloud Integration UI location can be found in the previous part of the current blog post.

  • Name: SFSF (or can be freely chosen by you)
  • Description: Can be freely chosen by you
  • Audience: www.successfactors.com
  • Client Key: API key (of the SAP SuccessFactors OAuth Client you defined)
  • Token Service URL: https://<Your SAP SuccessFactors API endpoint>/oauth/token
    ➤ Find SAP SuccessFactors API endpoints in SAP Help (click here)
    ➤ For more details check the previous chapter
  • Target System Type: SuccessFactors
  • Company ID: Company field (of the SAP SuccessFactors OAuth Client you defined)
  • User ID: Key Pair Common Name (CN)
  • Key-Pair Alias: Use the name of the Key-Pair which you created in step 1
    ➤ Probably similar to your technical API user name (e.g., sfadmin)

A credential configuration sample (in this case for an SAP SuccessFactors tenant in DC4) could look similar to this.

SAP Cloud Integration – Fixed User configuration

4) Once the configuration is finished and deployed (by clicking the respective button), please note down the Name which you’ve assigned to your credential configuration (in the screenshot above e.g., SFSF_DC4). You will need it when deploying your integration flows.

That’s it for the communication from SAP Cloud Integration to SAP SuccessFactors! Well done! In the next step, you will configure the notification handling between SAP SuccessFactors and SAP Cloud Integration using the Intelligent Services Center.

Intelligent Services Center

In the target application, notifications (triggered when a Leave Request is created, approved, or changed) are sent from SAP SuccessFactors to SAP Cloud Integration via SOAP messages. SAP Cloud Integration will transform and enrich the notification content before sending it to the Microsoft Teams extension application. To enable the first half of this integration between SAP SuccessFactors and SAP Cloud Integration, you have to configure the relevant settings in the Intelligent Services Center of SAP SuccessFactors.

1) Please go to the Intelligent Services Center (ISC) within your SAP SuccessFactors instance. Make sure your user has the required permissions to access the ISC.

SAP SuccessFactors – Intelligent Services Center

2) In the list of available events select the Employee Time Off event.

ISC – Event Types

3) Create a new Event Connector for this event type.

ISC – Create Event Connector

Hint – In a future release of SAP SuccessFactors, Event Connectors will not be the preferred notification approach anymore. The current solution needs to be updated to an Integration Scenario then. Integration Scenarios offer a much higher flexibility when it comes to notification requirements. For the sake of simplicity, in this sample use case the Event Connectors are sufficient.

Use a custom Event Connector

4) Configure your Event Connector settings as follows, by providing the url and client credential information of your Process Runtime Integration Service Key named successfactors (part of fourth blog post – click here).

  • Name: Microsoft Teams – Cloud Integration (or can be freely chosen by you)
  • EndPoint URL: <url>/cxf/sfsf/timeOff/processNotification (see details below)
    ➤ A sample URL could look as follows: https://teams.it-cpi001-rt.cfapps.eu20.hana.ondemand.com/cxf/sfsf/timeOff/processNotification
  • Authentication: Basic (make sure you select Basic here)
  • Username: <clientid> (see details below)
  • Password: <clientsecret> (see details below)

Hint – You’ve noted down the url and client credential information during the initial configuration of your SAP BTP subaccount when creating the Process Integration Runtime (click here).

Process Integration Runtime Service Key

Hint – The usage of the client credentials provided by the Service Key of your Process Integration Runtime, allows SAP SuccessFactors to send notifications to the processNotification endpoint. This endpoint is provided by one of the integration flows within SAP Cloud Integration (which will be deployed in one of the next blog posts). As the OAuth2 Client Credentials Grant authentication is currently not working properly (which would have been the best choice), Basic Authentication is used.

The following screenshot shows an Event Connector sample configuration.

Event Connector sample configuration

Important – If you change the endpoint of the Process Notification integration flow at a later point in time, the EndPoint URL in the Intelligent Services Center also needs to be updated!

5) Once you have finished and added the custom Event Connector, please make sure you save the new flow configuration as you can see in the following screenshot. Otherwise, your settings will be lost.

Save your changes

What’s next?

That’s it for today! Well done, you’ve successfully configured your SAP SuccessFactors instance and the relevant security settings to allow communication between SAP Cloud Integration and SAP SuccessFactors. As there is no counterpart (integration flows) on the SAP Cloud Integration side yet, in the next blog post you will deploy the required integration flows.

Stay curious!

      2 Comments
      Eleodora Lima

      Great Post! Thank you and keep the good Job!

      Martin Frick
      Blog Post Author

      Thank you 🙂 It's a pleasure!