3145716 - OAuth Token got expired --> No more Time Events are integrated from the External Terminal to SAP SuccessFactors Clock In Clock Out

Symptom

The OAuth Token got expired, and consequently, no more Time Event can be integrated from the External Terminal to SAP SuccessFactors Clock In Clock Out.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP SuccessFactors Time Tracking – Clock In Clock Out

Cause

For the employees themselves register their Clock In Clock Out in a Company, they punch their Time Events through an External Terminal.

This External Terminal need to be integrated with SAP SuccessFactors Clock In Clock Out, so on, it will store the registered Clock In Clock Outs, and use it in EC Time Sheet for the Time Valuation process, for example.

The integration between the External Terminal and SAP SuccessFactors Clock In Clock Out have its Authorization Framework based on a generated SAML Assertion and OAuth Token.

This OAuth Token is valid for 11 hours, and is then used to call the external REST API and send the time punches from the External Terminal to Clock In Clock Out.

What can happen is that since the last OAuth Token generation, at least 11 hours have passed, and so on, it got expired. As a result, no more Time Event can be integrated from the External Terminal to SAP SuccessFactors Clock In Clock Out.

Resolution

It is necessary to generate a new OAuth Token.

The requires steps to generate a new OAuth token are mentioned in the documentation guide here, but please consider the following:

1. API Key

Since the Time Events integration were working before and have stopped only now since the OAuth token got expired, mostly likely the API Key is already correctly reconfigured, but please ensure that this step is proper set as per the documentation guide previous mentioned.

Once going to “Admin Center > Manage OAuth2 Client Applications”, it can be seen.

This step creates the API Key, which is then used to the create the OAuth Token.

2. Creating OAuth Token

To create the OAuth Token, two main steps are needed:

2.1 Generate the SAML assertion

The Identity Provider (IDP) API is responsible to generate the SAML assertion, which will be used as the assertion value to generate the OAuth Token (step 2.2).

Refer to the “Description” highlighted in the below image, which has the corresponding details for the key values that are necessary to be set under request Body.

2.2 Generate the OAuth Token

The OAuth Token API generates the OAuth Token itself as a result.

Refer to the “Description” highlighted in the below image, which has the corresponding details for the key values that are necessary to be set under request Body.

3. The new OAuth Token has been generated

Use this token to call the REST API: /rest/timemanagement/timeeventprocessing/v1/TimeEvents, and so on, integrate the Time Events from the External Terminal to SAP SuccessFactors Clock In Clock Out.

Obs.: The above steps can be done using any API Client by creating/saving HTTP/HTTPs protocols and checking its response; the one showed here is just an example, as well of the "Key Values" that will be different for each SAP SuccessFactors Employee Central instance.

Keywords

OAuth Token, Token, Expired, External Terminal, SAP SuccessFactors Clock In Clock Out, Clock In Clock Out, TTR, CICO, TTR CICO, Time Tracking, API Key, SAML assertion, assertion, HTTP, POST. , KBA , LOD-SF-TTR-CIO , Clock In/ Clock Out , LOD-SF-TTR , Time Tracking , Problem

Product

SAP SuccessFactors HCM suite all versions ; SAP SuccessFactors Time Tracking all versions

Attachments

Pasted image.png