SAP Knowledge Base Article - Public

3138533 - How to use SuccessFactors API Audit Log to determine authentication methods used in your environment

Symptom

How to check whether specific integrations have successfully migrated to OAuth 2.0 authentication and stopped using Basic Authentication ahead of the planned retirement of Basic Authentication?
(Note: this is applicable only to OData v2, so LMS entities are not included.)

Environment

  • SAP SuccessFactors HCM Suite
    • SuccessFactors ODATA API
    • SuccessFactors SFAPI

Reproducing the Issue

Trigger a Basic Authentication OData API request from a test client such as Postman or from your browser.

To trigger an OData API call from your browser, see here for the right API URL of your tenant: 2215682 - Successfactors API URLs for different Data Centers - SAP for Me

The example below uses the URL for salesdemo in DC4:

https://apisalesdemo4.successfactors.com/odata/v2/User?$top=1&$select=userId

After entering this into your browser, press return to load the page.

In the resulting popup, enter your API user and company ID in the format username@company (e.g. sfapi@abcd) into the username field and enter the password of that user in the password field.


Resolution

  1. Assign Permissions in Manage Permission Roles.
    Ensure that the user you use to log in to SAP SuccessFactors has all permissions needed to access the OData API Audit Log. Find the relevant permission in this guide:

    SAP SuccessFactors API Reference Guide (OData V2) > API Center > Enabling API Audit Logs

  2. Enable the OData API Audit Log in API Center.
    Follow this KBA to ensure that the OData API Audit Log is enabled: 2639894 - [1805 Feature] API Audit Log Availability - SAP for Me

  3. Access the OData API Audit Log to check API calls for Basic Authentication usage.
    Enter “OData API Audit Log” into the action search or start it from the “Admin Center”.

    Select the OData API call to investigate and click on the button with the three dots:

    In the resulting popup, check for the string “Authorization: Bearer” or “Authorization: Basic” in the “Request Header” section.
    You can also download this information from here.

    If the string says “authorization: Bearer”, this API call is secure and already uses OAuth 2.0 (this is also visible in the SFAPI Audit Log "Request Headers").

    If the string says “authorization: Basic”, as in this screenshot (this will NOT be visible in the SFAPI Audit Log "Request Headers"), your API call uses Basic Authentication and should be changed.

  4. Get more insights about the caller of the API. The OData API Audit Log also provides information about the caller of the API.

    The following values in the Request Header can be used to analyze the consumer of the API and may provide the information needed to find the source of the call:

    Field Name | Meaning / Information | How to use it?
    authorization | Type of authentication | If it starts with “Basic”, the calls should be migrated to OAuth; if it says “Bearer”, the calls are already secure.
    ip address | IP address of the caller | The IP address might help you track down the source of the call to one of your known middleware solutions, servers or desktop computers.
    user-agent | The type of environment the call originated from | This can again be used to identify the caller, whether a middleware (e.g. in case of SAP Integration Suite this value is “SAP CPI”) or an API client (the corresponding client name, e.g. Postman).
    x-sf-process-name | In case of SAP Integration Suite, the process name. | Use this field to find the name of the process the OData API call is coming from and change the call in SAP Integration Suite if required.
    x-sf-client-tenant-id | Relates the API call to the Tenant ID of the subaccount. | Tenant ID of the subaccount running the Cloud Integration service.
    x-sf-correlation-id | Relates the API call to a message in the Cloud Integration service. | Use this to correlate the API call with a message ID in the Cloud Integration service. See screenshot below.
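    As an added example (not part of this KBA and not SAP code), the following Python script classifies exported “Request Header” text by authentication scheme and groups the calls still using Basic Authentication by caller, using the fields from the table above. It assumes each audit-log entry was exported as one name: value header per line and that ip address appears among those lines; the sample entries are constructed and their IPs and IDs are placeholders.

```python
"""Classify SuccessFactors OData API Audit Log "Request Header" text by auth
scheme and list callers still on Basic Authentication. Added example, not SAP
code: assumes each entry was exported as one 'name: value' header per line."""
from collections import defaultdict

# Fields from the KBA table that identify a Cloud Integration caller
TRACE_FIELDS = ("x-sf-process-name", "x-sf-client-tenant-id", "x-sf-correlation-id")


def parse_headers(block):
    """Parse 'name: value' lines into a dict; header names are case-insensitive."""
    headers = {}
    for line in block.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def auth_scheme(headers):
    """Return 'Basic', 'Bearer' or 'None'; the credential value itself is never kept."""
    scheme = headers.get("authorization", "").split(" ", 1)[0].lower()
    return {"basic": "Basic", "bearer": "Bearer"}.get(scheme, "None")


def scheme_counts(blocks):
    """Entries per authentication scheme, a quick view of migration progress."""
    counts = defaultdict(int)
    for block in blocks:
        counts[auth_scheme(parse_headers(block))] += 1
    return dict(counts)


def basic_auth_callers(blocks):
    """Group Basic-auth entries by (ip address, user-agent), keeping the x-sf-*
    values needed to find the iFlow in the Cloud Integration monitor."""
    report = defaultdict(list)
    for block in blocks:
        h = parse_headers(block)
        if auth_scheme(h) != "Basic":
            continue
        key = (h.get("ip address", "?"), h.get("user-agent", "?"))
        report[key].append({f: h.get(f, "") for f in TRACE_FIELDS})
    return dict(report)


SAMPLE_ENTRIES = [  # constructed sample data; IPs and IDs are placeholders
    "authorization: Basic <credential omitted>\nip address: 203.0.113.10\n"
    "user-agent: SAP CPI\nx-sf-process-name: Employee_Replication\n"
    "x-sf-client-tenant-id: <tenant-id>\nx-sf-correlation-id: <message-id>",
    "Authorization: Bearer <token omitted>\nip address: 203.0.113.10\nuser-agent: SAP CPI",
    "authorization: Basic <credential omitted>\nip address: 198.51.100.7\n"
    "user-agent: PostmanRuntime/7.32.3",
]
```

    Running scheme_counts and basic_auth_callers over a full export gives the count of calls still on Basic Authentication and, per caller, the x-sf-process-name, x-sf-client-tenant-id and x-sf-correlation-id values to use in steps 5 and 6.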

  5. Find the tenant the OData API call is coming from.
    In your SAP BTP Cockpit, use the search in the subaccount with the x-sf-client-tenant-id value to find the subaccount running the Cloud Integration service the API call came from:

  6. Find the log of the integration flow using the x-sf-correlation-id from the SF API Audit Log.
    Enter the value of the x-sf-correlation-id in the search of the Cloud Integration service. This search is available in the “Monitor” section when selecting one of the “Monitor Message Processing” tiles.

Keywords

SF Basic auth deprecation, ODATA, SFAPI, KBA, LOD-SF-INT-ODATA, OData API Framework, How To

Product

SAP SuccessFactors HCM Suite all versions