Symptom
The deprecation of the OAuth IdP API /oauth/idp was announced in the 2H 2022 Release.
The /oauth/idp API was provided for API users to generate SAML assertions for authentication. However, this method is considered unsafe because it requires users to pass private keys through an API call. Therefore, we're deprecating this API and encouraging you to choose secure ways to generate SAML assertions.
Environment
SAP SuccessFactors OData API
SAP SuccessFactors Compound Employee API
Resolution
Effective immediately, new customers will not be able to use this API to generate SAML assertions. Existing usage will also be stopped on the deletion date.
For more information, please see the See Also section below.
FAQ:
1) How do I know if my company is using the "/oauth/idp" endpoint?
There are no logs on the SuccessFactors side that would help confirm this. All SAP standard integration processes that connect to SuccessFactors either already do not use "/oauth/idp" or are being enhanced to stop using it. For the other integration processes that connect to the SuccessFactors API (the ones that are not delivered by SAP), you will have to check internally with the people in your company who are responsible for those integrations and confirm whether "/oauth/idp" is being used.
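One way to carry out the internal check described above is to search your own integration scripts, configuration and exported packages for references to the endpoint. The following Python script is an added example, not SAP code; the directory layout, file names, the zip export format and the `<api-server>` host are assumptions, and the sample files are constructed.

```python
import io, re, tempfile, zipfile
from pathlib import Path
from urllib.parse import unquote

MAX_BYTES = 5_000_000  # skip very large files (assumed limit)
# Deprecated path only; siblings such as /oauth/token must not match.
ENDPOINT = re.compile(r"/oauth/idp(?![A-Za-z0-9_-])", re.IGNORECASE)

def scan_text(name, text):
    """Return (name, line_no, line) for each line referencing the endpoint."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        # unquote() also catches percent-encoded forms such as %2Foauth%2Fidp
        if ENDPOINT.search(line) or ENDPOINT.search(unquote(line)):
            hits.append((name, no, line.strip()))
    return hits

def scan_bytes(name, data, depth=0):
    """Scan one blob; recurse into zip archives (assumed export format)."""
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_BYTES:
                    hits += scan_bytes(f"{name}!{info.filename}", zf.read(info), depth + 1)
        return hits
    return scan_text(name, data.decode("utf-8", errors="replace"))

def scan_tree(root):
    """Scan every file under root, reporting paths relative to root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.stat().st_size <= MAX_BYTES:
            hits += scan_bytes(path.relative_to(root).as_posix(), path.read_bytes())
    return hits

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "jobs").mkdir()
        (root / "jobs/sync.sh").write_text('curl "https://<api-server>/oauth/idp"\n')
        (root / "jobs/token.py").write_text('URL = "https://<api-server>/oauth/token"\n')
        with zipfile.ZipFile(root / "export.zip", "w") as zf:
            zf.writestr("src/call.groovy", 'def u = "x"\ndef p = "%2Foauth%2Fidp"\n')
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo(): print(*hit, sep=": ")
```

Point `scan_tree()` at a checkout of your integration code. Paths assembled at runtime from separate strings will not be found by a text search, so a clean result still needs confirmation from the integration owners.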
2) What are the alternatives to "/oauth/idp"?
The "/oauth/idp" endpoint was used to generate a SAML assertion, so the alternatives are other ways of generating one:
- SAP IAS (refer to KBA 3429585 - How to generate SAML assertion for SuccessFactors using Identity Authentication Services (IAS)?).
- SAP offline tool (example in KBA 3031657 - SAP SuccessFactors SAML Assertion format demonstration using SAP Provided offline tool).
- Any other third-party IdP (MS Azure, for example). It is up to your company to determine which third-party Identity Provider (IdP) would be the most suitable for your scenario; Microsoft Azure is merely provided as an example.
See Also
WNV: Deprecation of OAuth IdP API /oauth/idp
Generating a SAML Assertion
Guide: SAP SuccessFactors HXM Suite OData API: Developer Guide (V4)
KBA 3146449 OAuth Authentication: Frequently Asked Questions (FAQ)
KBA 3031657 SAP SuccessFactors SAML Assertion format demonstration using SAP Provided offline tool
Keywords
/oauth/idp, idp, oauth, deprecation, SAML, SAML assertion, security, API-23511, OAuth IdP API, KBA, LOD-SF-INT, Integrations, LOD-SF-INT-ODATA, OData API Framework, LOD-SF-INT-API, API & Adhoc API Framework, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, LOD-SF-INT-CE, Compound Employee API, Product Enhancement