SAP Knowledge Base Article - Public

2850646 - How to register for OAuth 2.0 authentication - SuccessFactors Integrations


How to register and create the configuration for OData API with OAuth 2.0 authentication?

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.


SAP SuccessFactors HCM Suite OData API


OAuth 2.0 lets all users log in regardless of whether they are SSO users. If you are planning to use OAuth 2.0 for authentication, you will first need to register your OAuth client, and set up the permissions required for this registration. Then you can register your OAuth client application. After registering an OAuth client, any user of the registered client can connect to SuccessFactors HCM Suite using this method.


RBP System:

From the admin menu Manage Permission Roles, select the role to which you want to add the permission. As a best practice, create a role named "API Administrator". Under the Manage Integration Tools link, select the Manage OAuth2 Client Applications checkbox.

After you have done this, you will see a link, Manage OAuth2 Client Applications under the Company Settings category in the new admin tools, and under Integration Tools in the older administration tools interface.

User-based system:

From the Admin Menu click on Manage Security -> Administrative Privileges. For the user you are logged in as, look under Integration Tools and check the box under Access to OAuth 2 Management.

After you have done this, you will see a link under Integration Tools where you can register your OAuth client.

Registering an OAuth Client Application

To register an OAuth client application, log into your application instance with an administrator account. From the Admin menu, click on Manage OAuth2 Client Applications -> Register New Client Application.

You can use tools such as OpenSSL to create a self-signed X.509 certificate. For more information, please refer to:

Find the field definitions below:

Field Description

The name of your company. This value is pre-filled based on the instance of the company currently logged in.

Application Name

A unique name of your OAuth client.

Description (optional)

An optional description of your application.

Application URL

A unique URL of the page that the client wants to display to the end user. The page might contain more information about the client application. This is needed for 3-legged OAuth; however, it is not currently supported.

X.509 Certificate

The certificate corresponding to the private and public key used in the OAuth 2.0 authentication process. In this flow, the SuccessFactors HCM Suite system will need the public key (the certificate) and the client application will have the private key. To register a client application, you will need to install the public key (aka certificate) in SuccessFactors HCM Suite. If you supply that certificate, you must use the RSA-SHA1 signature type for authenticating. As an optional feature, you can generate a public and private key pair with the Generate X.509 Certificate button. If you do this, you must download the private key (or key pair) and install it into your client application.

* We do not recommend generating the X.509 certificate in API Center and downloading the private key. This method is less secure, as downloading the private key increases the risk of exposing it. The private key must be kept secure under all circumstances. This method should only be used if the client is unable to generate an X.509 certificate through the button below.

Generate X.509 Certificate Button

A button that generates an X.509 certificate if the customer doesn't have one already. When clicked, a dialog box is displayed, in which the customer can enter the following information and then click "Generate" to generate a self-signed certificate:

  • Issued By: Value set to SuccessFactors
  • Common Name: The name or IP address for which the certificate is valid.
  • Organization (optional): The entity to which the certificate is issued.
  • Organization Unit (optional): The organization unit of the entity to which the certificate is issued.
  • Locality (optional): Name of Locality of the entity to which the certificate is issued.
  • State/Province (optional): Name of State or Province of the entity to which the certificate is issued.
  • Country (optional): Name of Country of the entity to which the certificate is issued.
  • Validity: The number of days for which you want the X.509 certificate to be valid.

If you have generated the X.509 Certificate through the button, you must download the certificate (which includes the private key) before you finish registering your Client Application. Only the public key is available for viewing when the client is registered. If you lose the private key you will need to register the Client Application again. The private key (Client Secret) is necessary to make token requests.
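As an alternative to the Generate X.509 Certificate button, the key pair can be created on the client host with OpenSSL so that the private key is never downloaded. The script below is an added example, not part of the SAP article; the directory, the file names private.pem and certificate.pem, the common name, the 2048-bit key size and the helper function names are all assumptions.

```shell
#!/usr/bin/env bash
# Added example: create the OAuth client key pair locally with OpenSSL.
# Directory, file names, CN and key size are assumptions, not SAP values.

# make_oauth_cert DIR COMMON_NAME DAYS
# Writes DIR/private.pem (RSA key, mode 600) and DIR/certificate.pem
# (self-signed X.509 certificate to paste into the registration form).
make_oauth_cert() {
    local dir=$1 cn=$2 days=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Restrictive umask in a subshell: the key is never created world-readable.
    (
        umask 077
        # -nodes leaves the key unencrypted on disk, so file mode is the
        # only protection; move it into a secret store afterwards.
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
            -keyout "$dir/private.pem" -out "$dir/certificate.pem" \
            -days "$days" -subj "/CN=$cn" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/private.pem"
}

# key_matches_cert KEY CERT
# Succeeds only if CERT carries the public half of KEY. Run this before
# registering, so a mismatched pair does not surface later as failed
# token requests.
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# cert_valid_for_days CERT DAYS
# Succeeds if CERT is still valid DAYS from now (useful as a rotation alarm).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage (values are placeholders):
#   make_oauth_cert ./sf-oauth "my-odata-client" 365
#   key_matches_cert ./sf-oauth/private.pem ./sf-oauth/certificate.pem
#   cert_valid_for_days ./sf-oauth/certificate.pem 30 || echo "rotate soon"
```

Only certificate.pem goes into the X.509 Certificate field; private.pem stays with the client application.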


Finally, click on Register to finish your Client Application registration. Then click on View; your API key (Client ID) will be available.

See Also

SAP SuccessFactors HXM Suite OData API: Developer Guide (V2)


KBA , LOD-SF-INT , Integrations , LOD-SF-INT-ODATA-OAU , ODATA OAUTH Authentication , How To


SAP SuccessFactors HXM Suite all versions