3031657 - How to generate SAML assertions using SAP-provided Offline tool

This KBA aims to cover how to generate SAML assertions using the SAP-provided Offline tool, when integrating with SuccessFactors APIs.

This KBA is intended for demonstration purposes and developer reference.
Software vendors must review and approve the code with their security and legal teams, particularly regarding third-party licensing, before reuse.
SAP is not liable for issues unless caused by gross negligence or willful misconduct.
If you use this code to generate SAML Assertions in a production environment, you are fully responsible for securing those assertions.
All sample code is provided "AS-IS" without warranty.

For production scenarios, the preferred method is to use a corporate Identity Provider (IdP) such as:
- SAP Identity Authentication Services (IAS)
- A trusted third-party IdP
Refer to your corporate IdP's documentation for setup and configuration guidance.
Reference: Generating a SAML Assertion chapter from OData API guide.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

SAP SuccessFactors HXM Suite

Download the file from Downloading Apache Maven and unzip it to your local drive.
In the example below, the folder has been extracted to the C drive:

At your computer: Click on File Explorer > This PC (right button) > Properties > Advanced System Settings > Environment Variables;
At System Variables, ensure JAVA_HOME variable is set and points to the path of your JDK installation;
At User Variables, click on new and set the path of the "bin" folder (from your JDK installation folders) to the variable "PATH" as shown below:

NOTE: The sample SAML Assertion code in this SAP KBA is compatible with Java 8. If you encounter Java-related errors, update your JDK or install the latest SapMachine JDK.

Go to Command Prompt and execute the command: echo %JAVA_HOME%
If it prints the folder path of the JDK installation, it means the installation was successful:

Open the Command Prompt and execute the command: mvn -v

This means Maven installation is successful. Now we are good to proceed with generating SAML assertion using the Offline tool.

Go to attachment section of this KBA and download the zip file;
Extract folder from zip file to your local drive;
Go to the folder and open "SAMLAssertion.properties" file;
Fill the data there:
- tokenUrl: API server endpoint from guide page List of SAP SuccessFactors API Servers with "/oauth/token" in the end.
- clientId: API Key which you received while registering the client in SF.
- userId OR userName (choose one to fill and left the other empty):
  - The userId expects the User ID of the API/integration user
  - The userName expects the username of the API/integration user
    NOTE: This solution does not support multiple API users simultaneously. A different user requires a separate SAML assertion and property file.
- privateKey: X.509 private key.
- expireInMinutes: Set it according your business requirements. SAML assertions usually expires in 5-10 minutes.
See the sample file below:
Save the file and close;
Open a new Command Prompt;
Execute the command: "cd C:\SAMLAssertionGen-master" (the directory where folder was extracted):
Execute the command: mvn compile exec:java -Dexec.args="SAMLAssertion.properties"
Once completed, it would generate SAML assertion. Copy this and store it securely in your local drive.

Oauth, Odata, API, Maven, JDK, saml , KBA , LOD-SF-INT-ODATA-OAU , ODATA OAUTH Authentication , How To

SAP SuccessFactors HCM Suite all versions

Pasted image.png
SAMLAssertionGen-master (1).zip
2a3b0381c33562d88319352f05013130
5a3bcf41c33562d88319352f050131e1
a23b0381c33562d88319352f05013182
d23bcf41c33562d88319352f050131f6

3031657 - How to generate SAML assertions using SAP-provided Offline tool - SAP SuccessFactors