Configuring OAuth 2.0 with SAML Bearer in SAP Process Orchestration SFSF adapter
SAP SuccessFactors announced some time ago the sunset of HTTP Basic Authentication for API calls. The sunset, originally planned for 2H 2022, has been postponed until further notice. Nevertheless, the SAP Process Orchestration SFSF adapter was enhanced to support the OAuth 2.0 with SAML Bearer Assertion flow for both the OData API and SFAPI (see SAP Note 3111868 for details). In this blog we are going to see how to configure an SAP Process Orchestration SFSF channel with OAuth 2.0.
Before configuring the SFSF channel, you must register an OAuth client application in SAP SuccessFactors. The registration requires a public/private key pair for the client, whose public certificate is imported into SAP SuccessFactors. There are various ways to generate the key pair: using a trusted certificate authority, using a third-party tool to create a self-signed certificate, or generating the key pair directly in SAP SuccessFactors. The last option is not recommended, because the private key then has to be downloaded from SAP SuccessFactors instead of being created and kept on the system that will sign with it. We’ll see how to generate the key pair directly on the SAP Process Orchestration system and how to import the certificate into SAP SuccessFactors.
Generate the client key pair in SAP Process Orchestration
To generate public and private key in SAP Process Orchestration, open NetWeaver Administrator and navigate to Configuration – Security – Certificates and Keys.
1. (Optional) Add a new keystore view to hold the private key
2. Select the keystore view and press the “Create” button
3. Type a name for the entry and select the option “Store Certificate”
4. Fill in the Subject properties
5. (Optional) Select a signing key pair
6. Review the information and press “Finish”
7. Select the generated certificate and press “Export Entry”
8. Set the export format to Base64 X.509
9. Download the certificate to a file
Register the OAuth client in SAP SuccessFactors
1. Log on to SAP SuccessFactors Admin Center and open “Manage OAuth2 Client Applications”
2. Press “Register Client Application”
3. Enter the OAuth client details
Note: The Application URL is the unique URL of the page the client would show to the end user. It is only relevant for three-legged OAuth, which isn’t currently supported, so the value is not used by the SAML Bearer flow.
4. Open the downloaded certificate file (Step 9 above) with a text editor and copy everything between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines, i.e. the Base64 body without the header and footer lines
5. Paste the copied content in the “X.509 Certificate” field on the OAuth client registration screen and press “Register”
6. Press the “View” button to view the registered OAuth client
7. Copy the API Key, which is used as the Client ID in the channel
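As an added example (not part of the original post), here is a small Python helper for step 4 of the registration. It takes the exported Base64 X.509 file, strips the BEGIN/END lines and the line breaks (Windows CRLF endings included), refuses anything that is not a certificate, in particular a private key exported by mistake, which must never be pasted into SAP SuccessFactors, and checks that the remaining body still decodes to DER. The PEM text in the block is constructed around a 5-byte DER dummy and is not a real certificate.

```python
"""Prepare the exported Base64 X.509 certificate for the SF registration form.

Added example, not part of the original post or SAP's tooling. The
"X.509 Certificate" field takes only the Base64 body, i.e. the lines
between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
"""
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: CRLF line endings, a blank line, and a body that is
# just a 5-byte DER SEQUENCE (30 03 02 01 01). Not a real certificate.
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MAMC\r\n"
    "AQE=\r\n"
    "\r\n"
    "-----END CERTIFICATE-----\r\n"
)


def certificate_body(pem_text):
    """Return the Base64 body of a PEM certificate as a single line.

    Raises ValueError if the input is not a certificate (e.g. a PRIVATE KEY
    block), is truncated, or does not decode to DER (first byte 0x30 = SEQUENCE).
    """
    lines = [ln.strip() for ln in pem_text.replace("\r\n", "\n").splitlines()]
    lines = [ln for ln in lines if ln]          # drop blank lines
    if not lines or lines[0] != BEGIN:
        # Catches "-----BEGIN PRIVATE KEY-----" and similar: never register a key.
        raise ValueError(f"not a PEM certificate, first line is {lines[:1]}")
    if lines[-1] != END:
        raise ValueError("truncated PEM file: END CERTIFICATE line missing")
    body = "".join(lines[1:-1])
    der = base64.b64decode(body, validate=True)  # rejects stray characters
    if not der or der[0] != 0x30:
        raise ValueError("body does not decode to a DER SEQUENCE")
    return body


if __name__ == "__main__":
    # Paste this single line into the "X.509 Certificate" field.
    print(certificate_body(CONSTRUCTED_PEM))
```

With a real export, read the file with `open(path).read()` and pass the text to `certificate_body`; the private-key check matters because the NetWeaver Administrator export dialog can also export the key entry itself.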
Configuring the SFSF channel
Open the SFSF channel configuration and set the Authentication Method to “OAuth 2.0”
Fill in the properties:
- Company – your SAP SuccessFactors Company ID (sent as company_id in the Access Token request)
- Username – the SAP SuccessFactors user on whose behalf the API calls are made (used as Subject/NameID in the SAML Assertion); the access token carries this user's permissions, so use a dedicated API user with only the permissions the integration needs
- Client ID – the API Key generated during OAuth client registration (Step 7) (sent as client_id in the Access Token request and as the api_key Attribute in the SAML Assertion)
- SAML Issuer – the value written to the Issuer element of the SAML Assertion
- SAML Issuer Key Store – the key store view that holds the OAuth client private key
- SAML Issuer Key Alias – the OAuth client private key entry, i.e. the key whose certificate was registered in SAP SuccessFactors (used to sign the SAML Assertion)
Note: If you are changing the authentication method of an existing channel from Basic Authentication to OAuth 2.0, the username and company will be pre-filled.
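To make the property mapping concrete, the following added Python example (not SAP adapter code) shows what the channel does with these values: it builds the SAML 2.0 bearer assertion (Username as NameID, Client ID as the api_key attribute, SAML Issuer as Issuer), wraps it into the token request (Company as company_id, Client ID as client_id, grant type saml2-bearer) and parses the token response. Assumed, not taken from the post: the token endpoint path /oauth/token on the API host and the audience value www.successfactors.com. The enveloped XML Signature that the adapter applies with the SAML Issuer Key Alias key is not implemented here; the `signer` parameter is where it belongs, and without it the assertion is unsigned and would be rejected. The token response at the bottom is constructed.

```python
"""What the SFSF channel does with the OAuth 2.0 properties: build a SAML 2.0
bearer assertion and exchange it for an access token.

Added example, not SAP adapter code. Assumptions: token endpoint is
https://<API host>/oauth/token, audience is www.successfactors.com, layout
follows the SAML 2.0 bearer profile. The XML-DSig signature is NOT
implemented; pass a signer callable or treat the output as unsigned.
"""
import base64
import json
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"
AUDIENCE = "www.successfactors.com"   # assumed audience value
ET.register_namespace("saml2", SAML_NS)


def _tag(name):
    return f"{{{SAML_NS}}}{name}"


def _ts(t):
    """SAML timestamps: UTC ISO 8601 with a trailing Z, no fractions."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(username, client_id, issuer, token_url, now=None, lifetime_s=300):
    """Unsigned assertion. Channel property -> element:
    Username -> Subject/NameID, Client ID -> api_key attribute, SAML Issuer -> Issuer.
    Recipient is the token endpoint that consumes the assertion. Keep the validity
    window short: a leaked bearer assertion is replayable until NotOnOrAfter."""
    now = now or datetime.now(timezone.utc)
    not_after = now + timedelta(seconds=lifetime_s)
    a = ET.Element(_tag("Assertion"), {"ID": "_" + uuid.uuid4().hex,
                                       "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, _tag("Issuer")).text = issuer
    subj = ET.SubElement(a, _tag("Subject"))
    ET.SubElement(subj, _tag("NameID"),
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = username
    conf = ET.SubElement(subj, _tag("SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, _tag("SubjectConfirmationData"),
                  NotOnOrAfter=_ts(not_after), Recipient=token_url)
    cond = ET.SubElement(a, _tag("Conditions"), NotBefore=_ts(now), NotOnOrAfter=_ts(not_after))
    ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = AUDIENCE
    attr = ET.SubElement(ET.SubElement(a, _tag("AttributeStatement")), _tag("Attribute"), Name="api_key")
    ET.SubElement(attr, _tag("AttributeValue")).text = client_id
    return ET.tostring(a, encoding="unicode")


def token_request(company, client_id, assertion_xml, signer=None):
    """Form fields POSTed to the token endpoint. Company -> company_id,
    Client ID -> client_id (the same API Key also sits inside the assertion)."""
    if signer is not None:                 # XML-DSig step, supplied by the caller
        assertion_xml = signer(assertion_xml)
    return {"company_id": company, "client_id": client_id, "grant_type": GRANT_TYPE,
            "assertion": base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")}


def assertion_fields(b64_assertion):
    """Decode a request's assertion back into the values the channel properties set
    (handy when the endpoint answers invalid_grant and you need to see what was sent)."""
    ns = {"s": SAML_NS}
    root = ET.fromstring(base64.b64decode(b64_assertion))
    return {
        "issuer": root.findtext("s:Issuer", namespaces=ns),
        "name_id": root.findtext("s:Subject/s:NameID", namespaces=ns),
        "api_key": root.findtext("s:AttributeStatement/s:Attribute[@Name='api_key']/s:AttributeValue",
                                 namespaces=ns),
        "recipient": root.find("s:Subject/s:SubjectConfirmation/s:SubjectConfirmationData", ns).get("Recipient"),
        "not_on_or_after": root.find("s:Conditions", ns).get("NotOnOrAfter"),
    }


def parse_token_response(body):
    """Return (access_token, expires_in); raise on an OAuth error body."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type in response")
    return data["access_token"], int(data["expires_in"])


if __name__ == "__main__":
    req = token_request("ACME", "api-key-from-step-7", build_assertion(
        "po_api_user", "api-key-from-step-7", "www.successfactors.com",
        "https://api.example.com/oauth/token"))
    print(urlencode(req)[:100] + "...")      # POST body (assertion unsigned here)
    print(assertion_fields(req["assertion"]))
    # constructed sample response, not a real token
    print(parse_token_response('{"access_token":"eyJ...","token_type":"Bearer","expires_in":86400}'))
```

Two details worth keeping in mind when the token endpoint returns invalid_grant: the api_key attribute and client_id must both be the API Key from the registration, and the NameID must be a user that exists in the company given as company_id.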
In this blog we saw how to generate a private key and certificate in SAP Process Orchestration for use in the OAuth 2.0 with SAML Assertion flow. Then we saw how to register an OAuth2 client application in SAP SuccessFactors. Finally, having completed these prerequisites, we configured an SAP Process Orchestration SFSF channel using OAuth 2.0 with SAML Assertions as the authentication method.
Feel free to ask any questions or share your feedback in the comments. Follow SAP Process Integration and SAP Process Orchestration tags for updates.