Symptom
This document demonstrates how to retrieve an OAuth access token and use it to authenticate against the SAP SuccessFactors OData API.
The steps in this KBA can and should be used to test and validate that OAuth 2.0 authentication is working correctly in SuccessFactors before it is configured in the client system.
These steps can also be used to troubleshoot, in more detail, existing OAuth configurations that have already been set up.
Please Note:
- This document will not cover the steps on generating the SAML Assertion as there are multiple ways this step can be done and can vary depending on each customer's IT landscape
Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.
Environment
SAP SuccessFactors HCM Suite
- OAuth 2.0
- OData API
Resolution
Below is a high-level overview of the OAuth Authentication process in SAP SuccessFactors:
1) Register your client application in SAP SuccessFactors to obtain an API key.
- In this step we create / register the OAuth configuration in SuccessFactors under Manage OAuth 2.0 Client Applications.
Reference: Registering Your OAuth2 Client Application
2) Obtain a SAML assertion from your trusted IdP (recommended, for example, SAP Cloud Identity Services - Identity Authentication) or use the sample code to generate one.
- Once Step 1 is completed, you can use the details from Step 1 to generate the SAML assertion (e.g. API Key and / or Private Key)
Please Note:
- Generating the SAML assertion can be done in multiple ways and can vary depending on each customer's IT landscape, so this will depend on your specific setup.
Please refer to the See Also section of this KBA for some examples.
- DO NOT USE the /oauth/idp API to generate SAML assertions. This approach is insecure and has been deprecated. For more information, see the Related Information.
Reference: Generating a SAML Assertion
3) Pass your SAML assertion and API key (in the client_id field) along with other information to generate an OAuth token.
- HTTP Method: POST
- URI: https://<API-Server>/oauth/token
- Authentication: No Auth
- Headers: Content-Type: application/x-www-form-urlencoded
- Request Body: Enter the following values in x-www-form-urlencoded format:
- company_id: Required. Your company ID.
- client_id: Required. API key generated in Registering Your OAuth2 Client Application.
- grant_type: Required. Set the value to "urn:ietf:params:oauth:grant-type:saml2-bearer".
- assertion: Required. Enter the Base64-encoded assertion obtained from Generating a SAML Assertion.
- new_token: (Optional) If you have already requested an access token with the same SAML assertion and the token hasn't expired yet, your request returns the same token by default with the remaining time indicated in the expire_in field. You can use parameter new_token=true to force the server to generate a new access token valid for 24 hours.
What this looks like in practice from a REST Client is shown below:
- HTTP Method, URI & Authentication:
- Headers:
- Request Body:
- The response to this request will contain the OAuth Bearer Token and is presented as shown below:
Reference: Requesting an Access Token
4) Use the generated token to call APIs.
- Now we can query the SuccessFactors API using this token:
In this step you choose "Bearer Token" as the authentication method and enter the token returned in the response of the previous step.
5) (Optional) Check whether your access token has expired or not.
- Similar to the previous step, you can use the same authentication method and token to check how much time is left before the current token expires:
Reference: Viewing the Validity of an Access Token
We strongly recommend running through these steps before implementing OAuth in a client system, as this lets you validate that OAuth is set up and functioning correctly.
In the event of issues, running through these steps should also help isolate the problem.
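As an added example (not SAP's code and not part of the original KBA), the Python below runs a preflight check on the Base64-encoded assertion from step 2 and builds, without sending, the step 3 POST to /oauth/token. The function names, host, company ID and API key are placeholders, and the assertion checks are this example's own sanity checks based on standard SAML 2.0, not SuccessFactors' server-side validation.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

def check_assertion(assertion_b64, now=None):
    """Return a list of problems found in a Base64-encoded SAML assertion."""
    now = now or datetime.now(timezone.utc)
    try:
        root = ET.fromstring(base64.b64decode(assertion_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return [f"assertion is not Base64-encoded XML: {exc}"]
    problems = []
    if root.tag != f"{{{SAML_NS}}}Assertion":
        problems.append(f"root element is {root.tag}, expected a SAML 2.0 Assertion")
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    expiry = cond.get("NotOnOrAfter") if cond is not None else None
    if expiry is None:
        problems.append("no Conditions/NotOnOrAfter attribute")
    elif datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        problems.append(f"assertion expired at {expiry}")
    return problems

def build_token_request(api_server, company_id, client_id, assertion_b64, new_token=False):
    """Build (without sending) the POST to /oauth/token described in step 3."""
    fields = {"company_id": company_id, "client_id": client_id,
              "grant_type": GRANT_TYPE, "assertion": assertion_b64}
    if new_token:
        fields["new_token"] = "true"
    # urlencode percent-encodes the '+', '/' and '=' characters of Base64;
    # pasting the raw assertion into a form body turns '+' into a space.
    return urllib.request.Request(
        f"https://{api_server}/oauth/token",
        data=urllib.parse.urlencode(fields).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

# Constructed sample assertion (unsigned, placeholder values) for an offline run.
SAMPLE_XML = (
    f'<saml2:Assertion xmlns:saml2="{SAML_NS}" ID="_constructed" Version="2.0">'
    '<saml2:Conditions NotOnOrAfter="2020-01-01T00:10:00Z"/></saml2:Assertion>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
```

If check_assertion returns an empty list, pass the request to urllib.request.urlopen; the access token in the response is a credential and should be kept out of logs and tickets.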
See Also
3429585 - How to generate SAML assertion in Identity Authentication(IAS) and use it to request OAuth token from SuccessFactors
3031657 - How to generate SAML assertion using SAP-provided offline tool - SAP SuccessFactors
3301583 - SAP SuccessFactors SAML Assertion format demonstration using MS Azure
Keywords
odata, api, oauth, authentication, token, bearer, access_token, assertion, client_id, grant_type, saml, KBA, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, How To