Testing SAP SuccessFactors’ API’s: sf-oauth utility to automate the generation of SAML Assertions with support for Postman

SuccessFactors consultants and developers are often using the /oauth/idp endpoint the generate the assertion and consequently use the assertion in an additional request to obtain an access token.

This endpoint is now deprecated and will be removed in the near future. It’s good to point out that although Postman supports many flavours of OAuth, it does not support the OAuth 2.0 SAML bearer assertion flow that is used by SAP SuccessFactors HXM Suite.

Let’s look at some alternatives:

• Use basic authentication
  • should not even be considered as an option
• Use an offline assertion generator
  • cumbersome to switch between instances/identities
• Swap out Postman for to a different API testing tool, like Insomnia for which there exists a plugin developed by Eder Torres de Souza
  • might a big ask to step away from a tool that is already familiar for many

I decided to find and eventually develop a solution that could work for Postman and in general help me to manage the required SAML assertion keys.

Let me introduce you to ‘sf-oauth‘ 🪄

It’s a cross-platform cli utility featuring:

• Generate a new key pair
• Check certificate validity
• Generate assertion (and validate)
• Run a local web service to generate an assertion and provide access tokens
• Integrate with a Postman OAuth flow to obtain an access token
  • Indirect: Automatically opening your browser to enter a user ID and returning to Postman
  • Direct: when a userId is provided in the request to the local web service, a valid access token is immediately returned to Postman

To get going, please take a look at the documentation on the homepage: sf-oauth (npmjs.com)

Here is a sneak peak on how effortless your API testing will become in Postman using this utility: