Skip to Content
Technical Articles
Author's profile photo Rashmi Joshi

How to use OAuth2 SAML Bearer Assertion to Integrate SFSF Applications With SAP PO/ CPI

Hello SAPiens,

SAP has announced to sunset the use of HTTP Basic Authentication for APIs (SFAPI and OData).

New feature of Oauth2.0 will be provided for SFSF Adapters of SAP PO 7.5 SP23+ and SAP CPI/CI.

In this document, I will demonstrate the step required to generate OData API Application with OAuth2.0 authentication and later stage this blog will be updated with SAP PO 7.5 and SAP CPI communication channel configuration step.

Successfactors Steps :-

Create Interface User ID in provisioning e.g. SFADMIN

Login to Successfactors –> Admin Center –> Tools –> Manage Permission Group –> Create New –> Give Group name and in People Pool select user created in previous step e.g. SFADMIN


Admin Center –> Tools –> Manage Permission Roles –> User needs to have admin access rights to Odata API (Under Manage Integration Tools) –> click Done

Now grant this role to the group which was crated in earlier step –>


Select target population and done


After creating permission group and role, time to register OAuth2.0 Client.

Search for manager OAuth2.0 Client Applications in search bar –> click on Register Client Application

Fill the mandatory details and click on generate X.509 Certificate

Download generated certificate and then click on Register

Once application is registered it shows API Key value. This will be used in later steps for authentication.

Now to generate SAML Assertion, we will use postman.

Required details are :-

URL can be found from the shared references document, based on your data centers select the URL.

Client ID = API Key; user_id = user created in first step of blog; token_url = <as per data center>/oauth/token; private_key = can be found in downloaded certificate from previous step

If call is successful, it gives response in base64 coded format. Any online tool can be used to decode and read it.

Now we can request for token, below are the required details –

grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer

Postman trigger result will give access token –

Access can be validated using URL in postman –>

Headers :- Authorization Bearer eyJ0b2tlbkNvbnRxxxxxxxxxxx <Bearer [Access_Token]]>

Expiry can be noted down.

Using token, Odata access Odata resources can be accessed –


Error Faced:-

errorHttpCode: 401

errorMessage: Unable to validate \”Recipient\” in the SAML assertion

Solution :-

2240462 – SAML Token Assertion for ODATA API call to SF fails with an error: Unable to validate \”Recipient\” in the SAML

I will update this blog as soon as possible with the SAP PO and SAP CPI configurations.

***Happy Learning***

– Rashmi

References :-

2215682 – Successfactors API URLs for different Data Centers

2089448 – Successfactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs

3061465 – Support for OAuth in SFSF adapter in SAP Process Orchestration (PO)

2850646 – How to register for OAuth 2.0 authentication – SuccessFactors Integrations

3111868 – New Feature: Support for OAuth 2.0 with SAML Assertions in SFSF adapter


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Avinash Paul
      Avinash Paul

      Thank You for the great info

      Waiting for the CPI Configuration Blog

      Author's profile photo Amrish Patel
      Amrish Patel

      Rashmi Joshi

      Thanks for your information.

      Author's profile photo Kevin Hu
      Kevin Hu

      Hi Rashmi, I think as a best practice of security, you should try generating the key pair from CPI side, instead of SF side. There are a few blogs such as this one, which is describing the similar scenario

      Author's profile photo Kris Chau
      Kris Chau

      Hello Kevin,

      Thanks for sharing the blog.

      Rashmi's blog might be relevant for cases when third party is directly trying to access the SuccessFactors APIs (without any middleware in between).



      Author's profile photo Tilo Sönnichsen
      Tilo Sönnichsen

      how about that statement?

      Do not use the /oauth/idp API to generate SAML assertions. This approach is unsecure and has been deprecated. For more information, see the Related Information section.


      appreciate any suggestion in context of this great blog. Thanks.