Symptom
As of the 2H24 release, SAP has introduced OIDC (OpenID Connect) support, which allows customers to authenticate their API calls through IAS.
This allows IAS to act as a central identity provider for API calls as well, which makes configuration easier for the customer.
This KBA points you to the relevant documentation for configuring your application.
At the end of this KBA we also provide some test scripts so you can test locally using Postman or another API tool.
"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."
Environment
SAP SuccessFactors HCM Suite
Resolution
NOTE: Remember to save your changes after each step to make sure that all the changes you have made are actually applied.
Pre-Requisites:
- You must have a SuccessFactors instance already integrated with IAS
- You must have at least one user synced to IAS correctly
- The user synced must have some specific RBP permissions in SuccessFactors which will be documented in the configuration steps
Configuration steps:
The configuration steps are explained in detail in the guide section: Register Your Own Application to Communicate with SAP SuccessFactors HCM Suite with OpenID Connect
Testing your configuration:
After you perform the configuration, it is important to test the API calls to validate that everything was set up correctly.
Note: the test steps below are only possible if you have created a client ID and secret in your OIDC setup. Although this is an optional step for the application itself to work, it is mandatory for the test documented below.
If you need to create a client secret, refer to "(Optional) To test your OIDC configuration using an API tool such as Postman, or if requested by Technical Support, you can create a client secret:" in the referenced guide.
- Authenticate in your IAS tenant via API. This step requires the following:
  - client_id
  - client_secret
  - username (this is a username that exists in your SFSF tenant and is also synced to IAS)
  - password (this is your IAS user password)
  - Example CURL:
    curl --request POST \
      --url '<<your_IAS_tenant>>/oauth2/token' \
      --header 'Accept: application/json' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'client_id=<<oidc_client_ID>>' \
      --data 'client_secret=<<oidc_client_secret>>' \
      --data 'username=<<ias_username>>' \
      --data 'password=<<ias_username_password>>' \
      --data 'grant_type=password'
  - Result: This API call will generate an access_token. Copy it and use it in the next API call.
- Request the SFSF SAML token from your IAS, which will be used to connect to SFSF. For this step you need the following:
  - client_id
  - client_secret
  - grant_type
  - assertion: this is the token generated by the previous call
  - resource: append (at the end of the resource value) the dependency name that you created in step 10 of the reference guide
  - Example CURL:
    curl --request POST \
      --url '<<your_IAS_tenant>>/oauth2/token' \
      --header 'Accept: application/json' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'client_id=<<oidc_client_ID>>' \
      --data 'client_secret=<<oidc_client_secret>>' \
      --data 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
      --data 'assertion=<<access_token_from_previous_step>>' \
      --data 'resource=urn:sap:identity:application:provider:name:<<your_dependency_name>>'
  - Result: This API call will generate the access_token which is accepted in SFSF and will authenticate you.
- Test an API call on SuccessFactors: In this step you complete the connection and retrieve a single user from your instance to prove that the authentication worked.
  - Authorization: must be the value Bearer <<access_token_generated_on_previous_step>>
  - Example CURL:
    curl --request GET \
      --url '<<your_sfsf_api_url>>/odata/v2/User?%24top=1&%24format=json' \
      --header 'Authorization: Bearer <<access_token_generated_on_previous_step>>'
  - Result: This API call should complete with a 200 response code and 1 user returned.
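The three test calls above chained into one script, as an added example that is not part of the original KBA. It form-encodes every value (so a password containing characters such as & or + is sent intact), reads credentials from environment variables whose names are assumed here rather than from the command line, and reports the OAuth error field when a token request fails.

```python
import json, os
import urllib.error, urllib.parse, urllib.request

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
RESOURCE_PREFIX = "urn:sap:identity:application:provider:name:"

def password_grant_body(client_id, client_secret, username, password):
    """Form body for the first call: the user authenticates against IAS."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id,
        "client_secret": client_secret, "username": username,
        "password": password})

def jwt_bearer_body(client_id, client_secret, assertion, dependency_name):
    """Form body for the second call: exchange the IAS token for the SFSF one."""
    return urllib.parse.urlencode({
        "grant_type": JWT_BEARER, "client_id": client_id,
        "client_secret": client_secret, "assertion": assertion,
        "resource": RESOURCE_PREFIX + dependency_name})

def extract_access_token(response_text):
    """Return access_token, or raise naming the OAuth error if it is absent."""
    data = json.loads(response_text)
    if "access_token" not in data:
        raise ValueError("token request failed: %s" % data.get("error", "unknown"))
    return data["access_token"]

def post_form(url, body):
    req = urllib.request.Request(url, data=body.encode(), headers={
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()  # 4xx bodies carry the OAuth error JSON

if __name__ == "__main__":
    env = os.environ  # assumed variable names; keeps secrets out of shell history
    token_url = env["IAS_TENANT_URL"] + "/oauth2/token"
    cid, sec = env["OIDC_CLIENT_ID"], env["OIDC_CLIENT_SECRET"]
    ias_token = extract_access_token(post_form(token_url, password_grant_body(
        cid, sec, env["IAS_USERNAME"], env["IAS_PASSWORD"])))
    sfsf_token = extract_access_token(post_form(token_url, jwt_bearer_body(
        cid, sec, ias_token, env["IAS_DEPENDENCY_NAME"])))
    req = urllib.request.Request(
        env["SFSF_API_URL"] + "/odata/v2/User?%24top=1&%24format=json",
        headers={"Authorization": "Bearer " + sfsf_token})
    print(urllib.request.urlopen(req).status)  # 200 when the flow worked
```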
Keywords
How to, authenticate, authentication, oauth, oidc, openid, open id, connect, connection, SuccessFactors, SF, IAS, Identity Authentication Service, KBA, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, How To
SAP Knowledge Base Article - Public