SAP Knowledge Base Article - Public

3532791 - H2 - 2024: How to set up OIDC so APIs can authenticate in your SuccessFactors instance

Symptom

As of the 2H24 release, SAP has introduced OIDC (OpenID Connect) support, which allows customers to authenticate their API calls through IAS.

This allows IAS to act as a central identity provider for API calls as well, which simplifies configuration for the customer.

The timeline for the availability of this feature is given in the document below:

OpenID Connect Supported for Incoming Calls to SAP SuccessFactors HCM suite with Identity Authentication

This KBA documents all the steps needed to set up this configuration if you want to use it.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.



Environment

  • SuccessFactors
  • IAS

Resolution

NOTE: Remember to save your changes after each step to make sure that all the changes you made are actually applied.

Pre-Requisites:

  1. You must have a SuccessFactors instance already integrated with IAS
  2. You must have at least one user synced to IAS correctly
  3. The user synced must have some specific RBP permissions in SuccessFactors which will be documented in the configuration steps
  4. You'll need your immutable company ID; refer to KBA 2369644 to learn how to obtain it

Configuration Steps:

Sender Application:

  1. In your IAS tenant, navigate to Applications & Resources > Applications, then click Create on the left panel. Set a display name and make sure that Protocol Type is set to OpenID Connect.



  2. Navigate to Provided APIs and make sure that "Allow all APIs for principal propagation" is checked. If it is not, check the option and save the changes.



  3. Navigate to Dependencies and click Add. Define a dependency name of your choice, select your SF application under Application, and save it.



  4. [OPTIONAL] Go to Client Authentication, scroll to Secrets, click Add, and create a client secret. Copy the ID and secret for later use.



    NOTE: This step is ONLY needed if you plan to test OIDC in an API tool such as Postman, or if SAP Support requests a test. If SAP asks you to perform this step, you may delete the secret as soon as your support case is closed.

  5. Finally, under Client Authentication, scroll up the page and copy the Client ID (same step as step 5 for client application configuration). Save it for later use.

Mapping client and sender application on SuccessFactors

The final piece of configuration is mapping the sender application in your SuccessFactors instance. To do that, follow the steps below.

  1. Make sure that your user has the below permissions:
    1. Manage Security > Manage Application Security Feature Settings
    2. Manage Security > Manage SAML SSO Settings

        
  2. Navigate to Security Center > Manage OIDC OAuth Client Application:



  3. In Manage OIDC OAuth Client Application, go to Application type and click Register. This lets you create a custom application type, which we will use to sync the sender application.



  4. Now you can map your sender application to your SuccessFactors application. This is done in the Application Map tab after you click Register. To do so, you'll need to:
    1. Add a unique name
    2. Select an application type
    3. Add the Client ID copied in step 5 of Sender Application configuration

Keywords

KBA, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, How To

Product

SAP SuccessFactors HCM Suite all versions