SAP Knowledge Base Article - Public

3012376 - SuccessFactors SFAPI/ODATA/REST API call connectivity verification to validate compatibility with SAP network changes

Symptom

• SAP SuccessFactors will roll out network changes across all Datacenters. This would affect SFAPI/ODATA/REST API endpoints across all datacenters.
• Customers currently restricting access of these API endpoints via an IP-based “allow list” will need to transition the allow list to domain-based allow list described later in this document.
• The test steps described in KBA are to verify that the customer is already able to access the edge servers to ensure that when these API endpoints are transitioned to edge servers, the customer’s usage of these APIs will continue to work seamlessly. 
• List of complete API endpoint URLs can be found in KBA:  2605498 

Timeline:

  • Friday, August 27, 2021: Customers complete switch from IP address to domain name
  • To be decided: Change will be effective in all Non-Production environments
  • To be decided: Change will be effective in all Production environments

NOTE: Once change implementation date has been decided, customers will be notified and KBA  will be updated.

Environment

  • SAP SuccessFactors HXM Suite
    • SAP SuccessFactors SFAPI
    • SAP SuccessFactors ODATA API

Reproducing the Issue

Description:

  1. Overview of IP Restriction and typical uses:
  • API endpoint IP address has been added to allowlist IPs/Domains - restricting user access to the internet via a list of “Allowed” IPs/Domains in client network.
    • IP allowlist not compatible with network changes

IP allowlist is a common practice used by IT departments to allow outbound Internet traffic to trusted endpoints. IP allowlist can occur at several different points on a customer’s network, but the most common place is the firewall.

  • Please follow the following steps to Identify if IP allowlist is enabled on your corporate network and API endpoint's IP address has been enabled
  • Contact your Corporate IT team to check the use of IP allowlist feature and to confirm if API endpoint's IP address has been allowed.

More Detail:

There could be 2 possibilities of accessing SuccessFactors API endpoint for Integration purpose:

Case 1:

Client from where you are triggering connectivity to API endpoints (documented in KBA 2605498 ) is hosted in your corporate network.

Test Step: Click on the connectivity validation URL below from you corporate network.

NOTE:

You can select URL from above based on your SAP SuccessFactors domain. Example: If SF company ID is hosted in DC4, then your API endpoint domain would be "successfactors.com".
Hence, URL you can use to test is "https://test.successfactors.com/domain/validation.html"


Result:

If you get the following message “Testing is successful.”, your Connectivity test is successful and verified for compatibility with network changes. Please see the  screenshot below.



Case 2:

You are triggering SuccessFactors' API call from client which is hosted in  3rd party application's network and this 3rd party application does not have browser available to validate links shared above.

Test Step: In such case, 3rd party application needs to test the connectivity to API endpoint URL using CURL command as explained below:

Here is the steps using Curl to test URLs.

  1. Open terminal of the server where  Client has been hosted and  type below curl command to validate test URLs:

Result:

If you get the following message “Testing is successful” in the bottom of the response, your Connectivity test is successful and verified for compatibility with network changes.

NOTE: You can select URL from above based on your SAP SuccessFactors domain. Example: If SF company ID is hosted in DC4, then your API endpoint domain would be "successfactors.com".
Hence, URL you can use to test is "https://test.successfactors.com/domain/validation.html"

NOTE: CURL test is also applicable for customer's own network/DC where browser is not installed/available for testing

 

Resolution

As mentioned above, if you are receiving message “Testing is successful!”, your Connectivity test is successful and verified for compatibility with network changes. Hence, no further action would be required. You are all set for the change.

If you are unable to get the above message while testing ,please follow the instructions in the solution section to resolve this issue:

  1. Contact your corporate IT department to disable IP Restrictions
  2. Enable Domain based allowlist (example: successfactors.com) instead of the Specific IP. Domains that needs to be added to allowlist :
  • successfactors.com
  • sapsf.com
  • successfactors.eu
  • sapsf.eu
  • sapsf.cn

If you continue to experience connectivity issues, please contact SuccessFactors customer support for further assistance.

Frequently asked Question

Has Changes been implemented already by SAP?

  • No. This is only an announcement to notify all customers. The implementation date will be included in customer communication email.

Who would be impacted by this?

  • Customers who are using SuccessFactors API endpoint based on datacenter documented in KBA 2605498 need to evaluate the impact.
  • As highlighted above, if IP address has been allowed by your IT team, you should perform test as per guidance above. If there is no IP address for API endpoint has been added to allow list by your IT team then no action is required by you.

What kind of API call get impacted?

  • Any SFAPI/ODATA API call which are being triggered using API endpoint documented in KBA 2605498 would get impacted.

Would CompoundEmployee API call be impacted too?

  • Yes. CompoundEmployee API uses SOAP protocol same as SFAPI and it uses API endpoint documented in KBA 2605498 .

How do I know list of  API entities for which impact needs to be analyzed?

  • API call triggered from any client for entities found under "Admin Center->SFAPI Data Dictionary" or "Admin Center-> ODATA API data Dictionary"  would get impacted. Hence API endpoint documented in KBA 2605498 needs to be checked and test guideline needs to be followed t confirm the impact.

Would this also impact LMS or Onboarding API calls?

  • No. LMS and Onboarding APIs uses different API endpoint URL which would not get impacted by this change.

Have more questions?

Post your open queries on Community Blog or Partner community Blog where SAP experts would answer your queries directly.

Keywords

KBA , LOD-SF-INT-ODATA , OData API Framework , Problem

Product

SAP SuccessFactors HCM suite all versions

Attachments

Pasted image.png