Symptom
How to check whether specific integrations have successfully migrated to OAuth 2.0 authentication and stopped using Basic Authentication ahead of the planned retirement of Basic Authentication?
(Note: this is applicable only to OData v2, so LMS entities are not included)
Environment
- SAP SuccessFactors HCM Suite
- SuccessFactors ODATA API
- SuccessFactors SFAPI
Reproducing the Issue
Trigger a Basic Authentication OData API request from a test client such as Postman or from your browser.
To trigger an OData API call from your browser, see here for the right API URL of your tenant: 2215682 - Successfactors API URLs for different Data Centers - SAP for Me
The example below is using the URL for salesdemo in DC4:
https://apisalesdemo4.successfactors.com/odata/v2/User?$top=1&$select=userId
After entering this into your browser press return to load the page.
In the resulting popup, enter your API user and company ID in the format username@company (e.g. sfapi@abcd) into the username field and enter the password of that user in the password field.
Resolution
- Assign Permissions in Manage Permissions Roles.
Ensure that the user you use to log in to SAP SuccessFactors has all permissions needed to access the OData API Audit Log. Find the relevant permission in this guide:
SAP SuccessFactors API Reference Guide (OData V2) > API Center > Enabling API Audit Logs
- Enabling the OData API Audit Log in API Center.
Follow this KBA to ensure that the OData API Audit Log is enabled: 2639894 - [1805 Feature] API Audit Log Availability - SAP for Me
- Access the OData API Audit Log to check API calls for Basic Authentication usage.
Enter “OData API Audit Log” into the action search or start it from the “Admin Center”.
Select the OData API call to investigate and click the button with the three dots:
In the resulting popup, check for the string “Authorization: Bearer” or “Authorization: Basic” in the “Request Header” section.
You can also download this information from there if you prefer.
If the string says “authorization: Bearer”, this API call is secure and already uses OAuth 2.0 (this will also be visible in the SFAPI Audit Log "Request Headers").
If the string says “authorization: Basic”, as in this screenshot (this will NOT be visible in the SFAPI Audit Log "Request Headers"):
Your API call uses Basic Authentication and should be changed.
- Get more insights about the caller of the API. The OData API Audit Log provides information about the caller of the API as well.
The following values in the Request Header can be used to analyze the consumer of the API and might provide the information needed to find the source of the call:
authorization
  Meaning / Information: Type of authentication
  How to use it: If it starts with “Basic”, the calls should be migrated to OAuth; if it says “Bearer”, the calls are secure already.
ip address
  Meaning / Information: IP address of the caller
  How to use it: The IP address might help you track down the source of the call to one of your known middleware solutions, servers or desktop computers.
user-agent
  Meaning / Information: The type of environment the call originated from
  How to use it: This information can again be used to identify the caller, being either a middleware (e.g. in the case of SAP Integration Suite this value is “SAP CPI”) or an API client, in which case it holds the corresponding client name (e.g. Postman).
x-sf-process-name
  Meaning / Information: In the case of SAP Integration Suite, the process name.
  How to use it: Use this field to find the name of the process the OData API call is coming from and change the call in SAP Integration Suite if required.
x-sf-client-tenant-id
  Meaning / Information: Relates the API call to the Tenant ID of the Subaccount.
  How to use it: Tenant ID of the subaccount running the Cloud Integration service.
x-sf-correlation-id
  Meaning / Information: Relates the API call to a message in the Cloud Integration service.
  How to use it: Use this to correlate the API call with a message ID in the Cloud Integration service. See screenshot below.
- Find the tenant the OData API is coming from.
In your SAP BTP Cockpit, use the search in the subaccount with the x-sf-client-tenant-id value to find the subaccount that is running the Cloud Integration service the API call was coming from:
- Find the log of the integration flow using the x-sf-correlation-id from the SF API Audit Log.
Enter the value of the x-sf-correlation-id in the search of the Cloud Integration service. This search is available in the “Monitor” section when selecting one of the “Monitor Message Processing” tiles.
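The check described in the steps above can be automated once the "Request Header" text of the audit-log entries has been downloaded. The Python script below is an added example and is not part of the KBA or of any SAP tool: it assumes that each audit-log entry is available as a block of "name: value" header lines, classifies every entry by its Authorization scheme (Basic or Bearer), and pulls out the caller fields listed in the table (ip address, user-agent, x-sf-process-name, x-sf-client-tenant-id, x-sf-correlation-id) so that the Basic Authentication callers can be traced back to a subaccount and integration flow. The three sample entries are constructed; the header names match the ones the KBA lists, the values are placeholders.

```python
"""Classify SuccessFactors OData API Audit Log request headers by auth scheme.

Added example, not code from the KBA. Assumes each audit-log entry's
"Request Header" section is available as a text block of "name: value"
lines. The sample entries below are constructed placeholders.
"""
from collections import Counter

# Constructed sample: three request-header blocks as they might be copied
# from the audit log. Header names are case-insensitive, which the parser
# must handle (the log shows both "authorization" and "Authorization").
SAMPLE_ENTRIES = [
    """authorization: Bearer <token redacted>
user-agent: SAP CPI
x-sf-process-name: EmployeeReplication
x-sf-client-tenant-id: 11111111-aaaa-bbbb-cccc-222222222222
x-sf-correlation-id: AF1234567890
ip address: 10.0.0.5""",
    """Authorization: Basic <credentials redacted>
user-agent: PostmanRuntime/7.32.0
ip address: 192.0.2.44""",
    """authorization: Basic <credentials redacted>
user-agent: SAP CPI
x-sf-process-name: LegacyPayrollExport
x-sf-client-tenant-id: 33333333-dddd-eeee-ffff-444444444444
x-sf-correlation-id: AF0987654321
ip address: 10.0.0.7""",
]

# The caller-identification fields the KBA table describes.
CALLER_FIELDS = ("ip address", "user-agent", "x-sf-process-name",
                 "x-sf-client-tenant-id", "x-sf-correlation-id")


def parse_headers(block):
    """Turn a 'name: value' text block into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.splitlines():
        if ":" not in line:
            continue  # skip blank or malformed lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def auth_scheme(headers):
    """Return 'basic', 'bearer' or 'none' from the Authorization header value."""
    value = headers.get("authorization", "")
    scheme = value.split(" ", 1)[0].lower() if value else ""
    return scheme if scheme in ("basic", "bearer") else "none"


def classify(entries):
    """One record per entry: the auth scheme plus the caller fields."""
    records = []
    for block in entries:
        headers = parse_headers(block)
        record = {"scheme": auth_scheme(headers)}
        for field in CALLER_FIELDS:
            record[field] = headers.get(field)  # None when the header is absent
        records.append(record)
    return records


def basic_auth_callers(entries):
    """Only the calls that still use Basic Authentication and must be migrated."""
    return [r for r in classify(entries) if r["scheme"] == "basic"]


def summary(entries):
    """Number of calls per scheme, as a quick migration-progress view."""
    return Counter(r["scheme"] for r in classify(entries))


if __name__ == "__main__":
    for r in basic_auth_callers(SAMPLE_ENTRIES):
        # A CPI caller carries process/tenant/correlation ids to follow up in
        # BTP Cockpit and Cloud Integration monitoring; a desktop client does not.
        print("Basic auth call from", r["user-agent"], "at", r["ip address"],
              "| process:", r["x-sf-process-name"],
              "| tenant:", r["x-sf-client-tenant-id"],
              "| correlation:", r["x-sf-correlation-id"])
    print(dict(summary(SAMPLE_ENTRIES)))
```

Running the script on the constructed sample reports two Basic Authentication calls (one from Postman, one from the CPI process LegacyPayrollExport) and one Bearer call. For the CPI caller, the x-sf-client-tenant-id and x-sf-correlation-id values in the record are exactly what the last two resolution steps need for the BTP Cockpit subaccount search and the Monitor Message Processing search.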
Keywords
SF Basic auth deprecation, ODATA, SFAPI, KBA, LOD-SF-INT-ODATA, OData API Framework, How To