3031657 - How to generate SAML assertion using SAP-provided offline tool - SuccessFactors

You wish to learn how to generate a SAML assertion for SAP SuccessFactors SFAPI/ODATA API using an SAP provided offline tool.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

SAP SuccessFactors HXM Suite

STEP 1: DOWNLOADING MAVEN FILE

• Download the file from Downloading Apache Maven and unzip it to your local drive.
  In the example below, the folder has been extracted to the C drive:
  
  

STEP 2: VALIDATING JAVA JDK COMPATIBILITY AND MAINTAINING ENVIRONMENT VARIABLES

1. At your computer: Click on File Explorer > This PC (right button) > Properties > Advanced System Settings > Environment Variables;
2. At System Variables, ensure JAVA_HOME variable is set and points to the path of your JDK installation;
3. At User Variables, click on new and set the path of the "bin" folder (from your JDK installation folders) to the variable "PATH" as shown below:
   
   

STEP 3: VALIDATING JDK INSTALLATION

• Go to Command Prompt and execute the command below:
  echo %JAVA_HOME%
  
  

STEP 4: VALIDATING MAVEN INSTALLATION

1. Open the "bin" folder (from your JDK installation folders) and copy its path (e.g. C:\apache-maven-3.6.3\bin)
2. Go to Command Prompt and navigate to the above directory:
   
   
   
   
3. Execute the command below:
   mvn -v
   
   
   
   This means Maven installation is successful. Now we are good to proceed with generating SAML assertion using SAP provided offline tool.

STEP 5: GENERATING SAML ASSERTION

1. Go to attachment section of this KBA and download the zip file;
2. Extract folder from zip file to your local drive;
3. Go to the folder and open "SAMLAssertion.properties" file;
   
   
   
   
   
   
4. Fill the data there:

• clientId: API Key which you received while registering the client in SF
• userName: API Username
• privateKey: X509 private key
• expireInDays/expireInMinutes: SAML assertions usually expires in 5-10 minutes. Anyway, you must set it according your business requirements
  
  See the sample file below:
  
  
  
  5. Save the file and close;
  
  6. Open a new Command Prompt window and go to the directory where folder was extracted:
  
  
  
  7. Execute the command below:
  mvn compile exec:java -Dexec.args="SAMLAssertion.properties"
  
  
  
  8. Once completed, it would generate SAML assertion. Copy this and store it securely in your local drive.
  
  

IMPORTANT NOTES:

• The codebase for generating SAML Assertion provided in the SAP KBA (Sample coding) can be run and compiled on Java 8 too. If you are facing JAVA errors or exceptions performing this KBA, you may need to update your Java JDK version or install SapMachine JDK from https://sap.github.io/SapMachine/#download (newest version). 

• With the 2H 2022 Release we changed the expireInDays field in SAMLAssertion.properties to expireInMinutes so customers can set expire period based on their needs for the generated SAML Assertion. The default value for expireInMinutes is 10 minutes, customers can set any valid values for it.

• We supported use userId to generate SAML Assertion. And userName will only be considered when userId is null/empty (in other words, if you want to use userId, you must make sure that value for userId field is valid and correct; If we want to use userName, we must make sure that userId’s value is null/empty and userName’s value is valid and correct).

• The above scenario will not work for more than one API user. The reason for this is that SAML properties are used in preparing the SAML assertion, thus a single SAML assertion cannot be devised for more than one user at a time (i.e., more than one SAML property file would have to be maintained and generated).

• Any software coding and/or code snippets are examples. If you use any examples to help generate a SAML Assertion that will be used in a production environment, you are solely responsible for ensuring the security of such a SAML Assertion. SAP does not warrant the correctness and completeness of the example code and such code is delivered “AS-IS”. SAP shall not be liable for errors or damages caused by the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

• This KBA is for demonstration purposes and developers' know-how only. 

• Software Vendors who want to re-use the sample code in their platform, need to check the code with their security team and legal team (for 3rd party licensing) and then re-use it accordingly.

Boomi connectors - Generating a SAML Assertion

Oauth, Odata, API, Maven, JDK , KBA , LOD-SF-INT-ODATA , OData API Framework , How To