How to use OAuth2 SAML Bearer Assertion to Integrate SFSF Applications With SAP PO/ CPI

Hello SAPiens,

SAP has announced to sunset the use of HTTP Basic Authentication for APIs (SFAPI and OData).

New feature of Oauth2.0 will be provided for SFSF Adapters of SAP PO 7.5 SP23+ and SAP CPI/CI.

In this document, I will demonstrate the step required to generate OData API Application with OAuth2.0 authentication and later stage this blog will be updated with SAP PO 7.5 and SAP CPI communication channel configuration step.

Successfactors Steps :-

Create Interface User ID in provisioning e.g. SFADMIN

Login to Successfactors –> Admin Center –> Tools –> Manage Permission Group –> Create New –> Give Group name and in People Pool select user created in previous step e.g. SFADMIN

Admin Center –> Tools –> Manage Permission Roles –> User needs to have admin access rights to Odata API (Under Manage Integration Tools) –> click Done

Now grant this role to the group which was crated in earlier step –>

Select target population and done

After creating permission group and role, time to register OAuth2.0 Client.

Search for manager OAuth2.0 Client Applications in search bar –> click on Register Client Application

Fill the mandatory details and click on generate X.509 Certificate

Download generated certificate and then click on Register

Once application is registered it shows API Key value. This will be used in later steps for authentication.

Now to generate SAML Assertion, we will use postman.

Required details are :-

URL can be found from the shared references document, based on your data centers select the URL.

Client ID = API Key; user_id = user created in first step of blog; token_url = <as per data center>/oauth/token; private_key = can be found in downloaded certificate from previous step

If call is successful, it gives response in base64 coded format. Any online tool can be used to decode and read it.

Now we can request for token, below are the required details –

grant_type = urn:ietf:params:oauth:grant-type:saml2-bearer

Postman trigger result will give access token –

Access can be validated using URL in postman –> https://salesdemo.successfactors.eu/oauth/validate

Headers :- Authorization Bearer eyJ0b2tlbkNvbnRxxxxxxxxxxx <Bearer [Access_Token]]>

Expiry can be noted down.

Using token, Odata access Odata resources can be accessed –

Error Faced:-

errorHttpCode: 401

errorMessage: Unable to validate \”Recipient\” in the SAML assertion

Solution :-

2240462 – SAML Token Assertion for ODATA API call to SF fails with an error: Unable to validate \”Recipient\” in the SAML

I will update this blog as soon as possible with the SAP PO and SAP CPI configurations.

***Happy Learning***

– Rashmi

References :-

2215682 – Successfactors API URLs for different Data Centers

2089448 – Successfactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs

https://blogs.sap.com/2017/03/05/how-to-initiate-an-oauth-connection-to-successfactors-employee-central/

3061465 – Support for OAuth in SFSF adapter in SAP Process Orchestration (PO)

https://blogs.sap.com/2020/10/08/2h-2020-announcement-planned-retirement-of-http-basic-authentication-sfapi-odata-api/

2850646 – How to register for OAuth 2.0 authentication – SuccessFactors Integrations

3111868 – New Feature: Support for OAuth 2.0 with SAML Assertions in SFSF adapter