SAP Knowledge Base Article - Public

2516614 - OData API Basic Authentication Configuration (1708 new feature)

Symptom

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

This KBA is a how-to on the new feature released in 1708.

This feature is located under "Admin Center" in SuccessFactors.

Environment

  • SAP SuccessFactors HXM Suite
  • OData API

Resolution

1. When "Always" is enabled, basic authentication can be used to access the system from any IP address. The IP addresses in the text box should not take any effect.

2. When "Never" is enabled, basic authentication cannot be used to access the system from any IP address. The IP addresses in the text box should not take any effect.

  • The error message should look like this: Basic authentication for ODATA API is disabled for company XXX

3. When "Restrict access to below IPs" is enabled, only the IP addresses set in the text box can use basic authentication to access the system.

  • IP addresses in the text box should be separated by a comma or Enter. That means one complete address starts with a space/comma and ends with a space/comma.

  • Extra spacing before and after an IP address should be trimmed.

4. Basic Authentication Configuration [A] VS IP Restriction in "Password & Login Policy Settings" [B]

  • When Basic Authorization is used, the system should first check "Basic Authentication Configuration", then check "Password & Login Policy Settings".
  • When the login IP is in A but not in B, it should give this error: Authentication failed. Attempted login from unauthorized ip: xxx to company id: xxx by username: admin(status code = 8)
  • When the login IP is in B but not in A, it should give this error: This client IP is disabled for ODATA API basic authentication for company xxx
  • When the login IP is neither in A nor in B, it should give this error: This client IP is disabled for ODATA API basic authentication for company xxx
  • When the login IP is in both A and B, the login should succeed.
  • When a non-Basic Authorization method is used, the system should only check "Password & Login Policy Settings" (only external OAuth will check it). That means external OAuth and internal OAuth logins should not be affected by Basic Authentication Configuration.

5. Basic Authentication VS OData API Access Permission VS OData API Feature

  • The system first checks whether the OData API feature is enabled, then checks the IP setting in Basic Authentication, and finally checks whether the user has the OData API Admin Access Permission.

Please keep in mind the below limit when putting too many IPs in the restriction:

There is a 4000-character threshold set in the definition of the "Restrict access to below IPs" input box, meaning after reaching this limit, you will not be able to add other IPs.
This is a hard-coded limit, therefore cannot be exceeded or lifted on an individual basis.

As a workaround, please remove old/unnecessary IPs from the list or use wildcard character * where possible to merge a few and/or a range of IPs and free up some space for the new ones.
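
The check order from sections 1 to 4 and the list rules above can be modelled as follows. This is an added example, not SAP code: the function names are hypothetical, the sample addresses are constructed, list B is assumed to use the same list format as A, and `*` is assumed to stand for any run of digits and dots.

```python
import re

MAX_LIST_CHARS = 4000  # input-box limit stated in this KBA

def parse_ip_list(text):
    """Split on commas or whitespace (including Enter) and trim each entry."""
    if len(text) > MAX_LIST_CHARS:
        raise ValueError("IP list exceeds the 4000-character limit")
    return [entry for entry in re.split(r"[,\s]+", text.strip()) if entry]

def ip_matches(ip, patterns):
    """True if ip equals an entry or matches one containing '*'."""
    for pattern in patterns:
        # Assumption: '*' matches any run of digits and dots.
        regex = re.escape(pattern).replace(r"\*", r"[0-9.]*")
        if re.fullmatch(regex, ip):
            return True
    return False

def basic_auth_decision(mode, list_a, list_b, ip, company="xxx", user="admin"):
    """Model of the Basic Authorization check order described in this KBA.

    mode   -- 'always', 'never' or 'restrict' (Basic Authentication Configuration, A)
    list_a -- raw text of the "Restrict access to below IPs" box
    list_b -- raw text of the IP restriction in Password & Login Policy Settings (B)
    Returns (allowed, error_message).
    """
    if mode == "never":
        return (False, "Basic authentication for ODATA API is disabled "
                       f"for company {company}")
    # With 'always', the text box has no effect, so only 'restrict' consults A.
    if mode == "restrict" and not ip_matches(ip, parse_ip_list(list_a)):
        return (False, "This client IP is disabled for ODATA API basic "
                       f"authentication for company {company}")
    # A passed, so B is checked second.
    if not ip_matches(ip, parse_ip_list(list_b)):
        return (False, "Authentication failed. Attempted login from "
                       f"unauthorized ip: {ip} to company id: {company} "
                       f"by username: {user}(status code = 8)")
    return (True, "")

# Constructed sample lists (documentation address ranges).
LIST_A = "  192.0.2.10 ,\n198.51.100.* "
LIST_B = "192.0.2.10\n203.0.113.5"
```

Running the four A/B combinations through `basic_auth_decision("restrict", LIST_A, LIST_B, ip)` shows why an address that is only in B never reaches the status code 8 error: it is rejected at A first.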

See Also

Restricting OData API Access through Basic Authentication | SAP Help Portal

Keywords

  • OData API Basic Authentication Configuration
  • 1708 new release feature in API
  • Admin Center
  • Admin Centre
  • IP
  • IP restriction
  • limit
KBA, odata api basic authentication configura, LOD-SF-INT-ODATA, OData API Framework, LOD-SF-INT, Integrations, LOD-SF-INT-API, API & Adhoc API Framework, How To

Product

SAP SuccessFactors HCM Core 1708