SAP Knowledge Base Article - Public

3462403 - SuccessFactors OData API: OAuth 2.0 Authentication

Symptom

In this document we will demonstrate how to retrieve an OAuth Access Token to successfully authenticate against the OData API of a SuccessFactors 

   

The steps in this KBA can and should be used to test and validate that OAuth 2.0 authentication is working correctly in SuccessFactors before it is configured in the client system.

These steps can also be used to troubleshoot existing OAuth configurations in more detail.

Please Note:

  • This document will not cover the steps for generating the SAML assertion, as there are multiple ways to do this and the approach varies with each customer's IT landscape.

  

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HCM Suite

  • OAuth 2.0
  • OData API

Resolution

Below is a high-level overview of the OAuth Authentication process in SAP SuccessFactors:

1) Register your client application in SAP SuccessFactors to obtain an API key.

   

2) Obtain a SAML assertion from your trusted IdP (recommended; for example, SAP Cloud Identity Services - Identity Authentication) or use the sample code to generate one.

  • Once Step 1 is completed, use the details from Step 1 (e.g. the API key and/or private key) to generate the SAML assertion.

    Please Note:
    • Generating the SAML assertion can be done in multiple ways and varies with each customer's IT landscape, so the exact procedure depends on your specific setup.

      Please refer to the See Also section of this KBA for some examples.

  • DO NOT USE the /oauth/idp API to generate SAML assertions. This approach is insecure and has been deprecated. For more information, see the Related Information.

    Reference: Generating a SAML Assertion

   

3) Pass your SAML assertion and API key (in the client_id field) along with other information to generate an OAuth token.

  • HTTP Method: POST
    URI: https://<API-Server>/oauth/token
    Authentication: No Auth (no Basic or Bearer header is sent; the SAML assertion in the request body is the credential)
    Headers:

    Content-Type: application/x-www-form-urlencoded

    Request Body

    Enter the following values in x-www-form-urlencoded format:

    • company_id: Required. Your company ID.

    • client_id: Required. The API key generated in Registering Your OAuth2 Client Application.

    • grant_type: Required. Set the value to "urn:ietf:params:oauth:grant-type:saml2-bearer".

    • assertion: Required. Enter the Base64-encoded assertion obtained from Generating a SAML Assertion.

    • new_token: (Optional) If you have already requested an access token with the same SAML assertion and that token has not expired yet, the request returns the same token by default, with its remaining lifetime in seconds indicated in the expires_in field. Set new_token=true to force the server to issue a new access token valid for 24 hours.
     
    What this looks like in practice from a REST client is shown in the attached screenshots:

    • HTTP Method, URI & Authentication: (screenshot)

    • Headers: (screenshot)

    • Request Body: (screenshot)

  • The response to this request contains the OAuth Bearer token (the access_token together with its expires_in lifetime) and is presented as shown in the attached screenshot.
    Reference: Requesting an Access Token

4) Use the generated token to call APIs.

  • Now we can query the SuccessFactors API using this token:

    In this step, choose "Bearer Token" as the authentication method in the REST client and enter the token returned in the response of the previous step. The client then sends it on every request as the header Authorization: Bearer <access_token>.

  

5) (Optional) Check whether your access token has expired. The expires_in value returned with the token is its remaining lifetime in seconds, so a client should treat the token as expired once that time has elapsed rather than waiting for a rejected API call.

  
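The whole flow of steps 3 to 5, as an added example written for this KBA in Python using only the standard library; it is not SAP's code and does not appear in the original article. The API server host, company ID and API key are assumed sample values, and the SAML assertion is a constructed, unsigned placeholder with the right encoding shape only (a real assertion must be issued and signed by your IdP, as in the KBAs under See Also). A constructed opener stands in for the live /oauth/token endpoint so the flow runs offline; pass the default urllib.request.urlopen as `opener` to run it against a tenant.

```python
"""Added example (not SAP's code): build the /oauth/token request of step 3,
parse the token response, track expiry (step 5) and send the token as a Bearer
token on an OData call (step 4). The assertion is a CONSTRUCTED, unsigned
placeholder; host, company ID and API key are ASSUMED sample values."""
import base64
import io
import json
import time
import urllib.parse
import urllib.request

API_SERVER = "api4.successfactors.com"  # ASSUMED sample API server host
TOKEN_URL = f"https://{API_SERVER}/oauth/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# CONSTRUCTED placeholder with the shape of a Base64-encoded assertion; a real
# one is signed and comes from your IdP or the SAP offline tool.
SAMPLE_ASSERTION = base64.b64encode(
    b'<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    b'ID="_sample"><saml2:Issuer>sample-issuer</saml2:Issuer></saml2:Assertion>'
).decode("ascii")


def check_assertion(assertion_b64):
    """Reject an assertion that is not Base64 or does not decode to SAML XML.
    This catches sending the raw XML, or a URL-/double-encoded string."""
    try:
        raw = base64.b64decode(assertion_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("assertion is not valid Base64") from exc
    if not raw.lstrip().startswith(b"<") or b"Assertion" not in raw:
        raise ValueError("assertion does not decode to a SAML assertion")
    return raw


def build_token_request(company_id, client_id, assertion_b64, new_token=False):
    """Step 3: POST a form-encoded body to /oauth/token. No Authorization
    header is sent; the API key goes in client_id and the assertion is the
    credential."""
    check_assertion(assertion_b64)
    form = {"company_id": company_id, "client_id": client_id,
            "grant_type": GRANT_TYPE, "assertion": assertion_b64}
    if new_token:
        form["new_token"] = "true"  # force a fresh 24h token instead of the cached one
    return urllib.request.Request(
        TOKEN_URL, data=urllib.parse.urlencode(form).encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def form_fields(req):
    """Decode the form body of a request built above (for inspection/tests)."""
    return dict(urllib.parse.parse_qsl(req.data.decode("ascii")))


def parse_token_response(body, now=None):
    """expires_in is the remaining lifetime in seconds (shorter when the server
    returns a cached token), so convert it to an absolute expiry immediately."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError(f"token request failed: {data}")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "token_type": data.get("token_type", "Bearer"),
            "expires_at": now + int(data["expires_in"])}


def is_expired(token, now=None, skew=60):
    """Step 5: expire `skew` seconds early so a call begun just before expiry does not 401."""
    now = time.time() if now is None else now
    return now + skew >= token["expires_at"]


def build_odata_request(path, token):
    """Step 4: the token travels in the Authorization header as a Bearer token."""
    return urllib.request.Request(
        f"https://{API_SERVER}/odata/v2/{path}", method="GET",
        headers={"Authorization": "Bearer " + token["access_token"],
                 "Accept": "application/json"})


def get_access_token(company_id, client_id, assertion_b64, new_token=False,
                     opener=urllib.request.urlopen):
    """Send the token request; `opener` is injectable for offline use."""
    req = build_token_request(company_id, client_id, assertion_b64, new_token)
    with opener(req) as resp:
        return parse_token_response(resp.read())


def constructed_token_response(req):
    """Offline stand-in for urlopen: a CONSTRUCTED response in the documented shape."""
    return io.BytesIO(
        b'{"access_token":"sample-token","token_type":"Bearer","expires_in":86399}')


if __name__ == "__main__":
    tok = get_access_token("SFCPART000", "sample-api-key", SAMPLE_ASSERTION,
                           opener=constructed_token_response)
    odata = build_odata_request("User?$top=1", tok)
    print(odata.full_url, odata.get_header("Authorization"), "expired:", is_expired(tok))
```

Run stand-alone, it prints the OData URL and the Authorization header it would send. The check_assertion step is there because a raw-XML or double-encoded assertion is a frequent reason the token request is rejected, and it is cheaper to catch locally than to read the server's error; the 60-second skew in is_expired avoids a token that expires while a long OData query is in flight.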

We strongly recommend that these steps be performed before implementing OAuth in a client system, as they let you validate that OAuth is set up and functioning correctly.

In the event of issues, running through these steps should also help to isolate the problem.

See Also

3429585 - How to generate SAML assertion in Identity Authentication(IAS) and use it to request OAuth token from SuccessFactors

3031657 - How to generate SAML assertion using SAP-provided offline tool - SAP SuccessFactors

3301583 - SAP SuccessFactors SAML Assertion format demonstration using MS Azure

Keywords

odata, api, oauth, authentication, token, bearer, access_token, assertion, client_id, grant_type, saml, KBA, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, How To

Product

SAP SuccessFactors HCM suite all versions

Attachments

Pasted image.png
Pasted image.png
Pasted image.png
Pasted image.png
Pasted image.png