How to use OAuth2 SAML Bearer Assertion to Integrate SFSF Applications With SAP PO/ CPI
SAP has announced to sunset the use of HTTP Basic Authentication for APIs (SFAPI and OData).
New feature of Oauth2.0 will be provided for SFSF Adapters of SAP PO 7.5 SP23+ and SAP CPI/CI.
In this document, I will demonstrate the step required to generate OData API Application with OAuth2.0 authentication and later stage this blog will be updated with SAP PO 7.5 and SAP CPI communication channel configuration step.
Successfactors Steps :-
Create Interface User ID in provisioning e.g. SFADMIN
Login to Successfactors –> Admin Center –> Tools –> Manage Permission Group –> Create New –> Give Group name and in People Pool select user created in previous step e.g. SFADMIN
Admin Center –> Tools –> Manage Permission Roles –> User needs to have admin access rights to Odata API (Under Manage Integration Tools) –> click Done
Now grant this role to the group which was crated in earlier step –>
Select target population and done
After creating permission group and role, time to register OAuth2.0 Client.
Search for manager OAuth2.0 Client Applications in search bar –> click on Register Client Application
Fill the mandatory details and click on generate X.509 Certificate
Download generated certificate and then click on Register
Once application is registered it shows API Key value. This will be used in later steps for authentication.
Now to generate SAML Assertion, we will use postman.
Required details are :-
URL can be found from the shared references document, based on your data centers select the URL.
Client ID = API Key; user_id = user created in first step of blog; token_url = <as per data center>/oauth/token; private_key = can be found in downloaded certificate from previous step
If call is successful, it gives response in base64 coded format. Any online tool can be used to decode and read it.
Now we can request for token, below are the required details –
grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer
Postman trigger result will give access token –
Access can be validated using URL in postman –> https://salesdemo.successfactors.eu/oauth/validate
Headers :- Authorization Bearer eyJ0b2tlbkNvbnRxxxxxxxxxxx <Bearer [Access_Token]]>
Expiry can be noted down.
Using token, Odata access Odata resources can be accessed –
errorMessage: Unable to validate \”Recipient\” in the SAML assertion
2240462 – SAML Token Assertion for ODATA API call to SF fails with an error: Unable to validate \”Recipient\” in the SAML
I will update this blog as soon as possible with the SAP PO and SAP CPI configurations.
2215682 – Successfactors API URLs for different Data Centers
2089448 – Successfactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs
3061465 – Support for OAuth in SFSF adapter in SAP Process Orchestration (PO)
2850646 – How to register for OAuth 2.0 authentication – SuccessFactors Integrations
3111868 – New Feature: Support for OAuth 2.0 with SAML Assertions in SFSF adapter