Symptom
- You are making API calls (SFAPI/OData) with the API user's credentials (Basic Authentication) but receive an Unauthorized (401) error.
- Your SuccessFactors (SF) instance is Single Sign-On (SSO) enabled without the IAS/IPS feature.
Environment
SAP SuccessFactors HXM Suite
Reproducing the Issue
- Enable SSO in your SF instance.
- Try to make an API call.
Cause
In an API call where the API user has SSO as its login method, the SF system credentials are not validated.
Resolution
The API user's login method needs to be PWD (Basic Authentication).
One possible solution is to enable the Partial SSO feature. The Partial Organization SSO (Single Sign-On) feature allows an organization to specify that some users authenticate (log in) through SSO while others authenticate through the username/password login page.
This feature is opt-in and is enabled by Customer Support or Partners. Refer to the KBA 2088837 to see how to implement it.
Alternatively:
- Via API, you can try to upsert the field <password> in the User entity for the API user.
- OR create a new user with PWD and a password through import (Admin Center > Import Employee Data).
Note: When the SF instance is SSO enabled, Basic Authentication should be used only by users who need administrative access for system-to-system data integration.
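The following is an added example, not part of the original KBA: a check over a user export that flags accounts whose login method conflicts with the cause and the note above. The column names (userId, username, loginMethod), the sample rows and the allowlist of integration accounts are constructed assumptions.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not SAP's format.
SAMPLE_EXPORT = """userId,username,loginMethod
1001,jdoe,SSO
1002,asmith,sso
9001,API_INTEGRATION,PWD
1003,bwayne,PWD
9002,API_PAYROLL,SSO
1004,ckent,
"""

# Hypothetical allowlist of approved system-to-system integration accounts.
APPROVED_API_USERS = {"API_INTEGRATION", "API_PAYROLL"}


def audit_login_methods(export_text, approved):
    """Compare each user's login method with the integration allowlist."""
    findings = {
        "unexpected_pwd": [],   # password login outside the allowlist
        "api_user_on_sso": [],  # integration user whose Basic Auth call gets 401
        "unknown_method": [],   # blank or unrecognised value, needs review
    }
    for row in csv.DictReader(io.StringIO(export_text)):
        username = (row.get("username") or "").strip()
        method = (row.get("loginMethod") or "").strip().upper()
        if method not in ("SSO", "PWD"):
            findings["unknown_method"].append(username)
        elif method == "PWD" and username not in approved:
            # Interactive user who can bypass SSO through the password page.
            findings["unexpected_pwd"].append(username)
        elif method == "SSO" and username in approved:
            # The situation this KBA describes: credentials are not validated.
            findings["api_user_on_sso"].append(username)
    return findings


if __name__ == "__main__":
    for category, users in audit_login_methods(SAMPLE_EXPORT, APPROVED_API_USERS).items():
        print(f"{category}: {', '.join(users) or 'none'}")
```
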
See Also
KBA 2088837 - [SSO] Partial Organization Single Sign-On - BizX Platform
KBA 2693822 - Error message '401: Unauthorized'
Keywords
auth, validation, authorization, not, allow, allowed, cannot, be used, API, user, call, login method, pwd , KBA , LOD-SF-INT-API , API & Adhoc API Framework , LOD-SF-INT , Integrations , LOD-SF-INT-ODATA , OData API Framework , Problem