Symptom
In our efforts to keep our customers on the most modern landscape, SAP is performing a datacenter migration to the GCP platform, which will affect DC23 customers.
As a result of this migration, customers are required to perform a series of steps to ensure a smooth transition.
This KBA addresses the activities that need to be done so that you can correctly configure Ask HR on your mobile devices after the migration.
Resolution
- Generate an OAuth X509 Key in SAP SuccessFactors
- Create Trust Configuration: Security > Trust Configuration
- New SAML Trust Configuration with metadata sample as below:
- refer to the landscape domain as ${SF_DOMAIN}
- refer to sf company id as ${SF_COMPANY_ID}
- refer to the name of OAuth X509 Key as ${S1_ALIAS}
- refer to the value of OAuth X509 Key as ${S1_CERTIFICATE}
- Choose Parse
- Provide a name <name> for the trust configuration and choose Save
Metadata Sample Code:
- Create an Askhr Saas reuse service instance in the consumer subaccount
- Subscribe to "Ask HR saas reuse service" on the Services > Service Marketplace page.
- Create an OAuth2 client with the name "mobile" for the Askhr Saas reuse service
- Get the clientid and clientsecret from the view page of "mobile"
- Creating Outbound OAuth Configuration in SAP SuccessFactors
- Log on to the SAP SuccessFactors system and go to the Security Center.
- Click the Outbound OAuth Configurations tile.
- Click Add to create a new outbound OAuth configuration.
- The Configuration Name field is set to ECSCMobileApp.
- The OAuth Type field is defaulted to OAuth 2.0 with SAML Flow.
- In the Client ID field, paste the value of the ID field of the OAuth client that you have in the SAP Business Technology Platform cockpit.
- In the Client Secret field, enter the value of the Secret field of the OAuth client that you have created previously in the SAP Business Technology Platform cockpit.
- In the Token URL field, paste the value of the Token URL from the Token Endpoint field in the SAP Business Technology Platform Security OAuth Branding OAuth URLs.
- In the cockpit, navigate to the overview page of subaccount. For details, see Navigate in the Cockpit. Here, you can see the landscape domain, subaccount ID, and subdomain. Below, we refer to the landscape domain as ${LANDSCAPE_DOMAIN}, to the subaccount ID as ${SUBACCOUNT_ID} and to the subdomain as ${SUBDOMAIN}.
- In your browser, call https://${SUBDOMAIN}.authentication.${LANDSCAPE_DOMAIN}/saml/metadata and download the XML file. Within the XML file you can find the structure shown below.
- In your browser, call https://${S1_SUBDOMAIN}.authentication.${S1_LANDSCAPE_DOMAIN}/saml/metadata and download the XML file. Within the XML file you can find the following structure.
Note: The value for ${S1_LANDSCAPE_DOMAIN} must contain the main landscape only. For example, if the landscape is cf.us10-001.hana.ondemand.com, the URL would look like this: https://${S1_SUBDOMAIN}.authentication.us10.hana.ondemand.com/saml/metadata.
Sample Code:
Below, we refer to the value of <Location> as Token URL.
- In the Token Method field, select POST.
- In the Audience field, refer to the value of entityID as audience
- In the Recipient field, enter the same value as the one in the Token URL field.
- In the Issuer field, copy and paste the same value as the entityID field of the trusted configuration you created in the SAP Business Technology Platform cockpit
- In the X509 Keys, select the OAuth X509 key you created.
- Choose Save
- Configure Destination Settings in Security Center.
- Use the URL of the provider as the Endpoint URL.
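The metadata steps above (building the /saml/metadata URL, then reading the Token URL, Audience and Recipient values from the downloaded XML), as an added Python example that is not part of the SAP article or SAP's own code. The sample metadata and the example-sub subdomain are constructed; two points are assumptions: that the Token URL is the Location of the AssertionConsumerService with the URI binding, and that the main landscape is obtained by dropping a leading "cf." and a "-NNN" suffix, generalised from the note's single example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
URI_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:URI"  # assumed marker of the token endpoint

# Constructed sample metadata, not output from a real tenant.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="example-sub.constructed-entity">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-sub.authentication.us10.hana.ondemand.com/saml/SSO"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="https://example-sub.authentication.us10.hana.ondemand.com/oauth/token"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def metadata_url(subdomain, landscape_domain):
    """Metadata URL with the landscape reduced to its main part (cf.us10-001 -> us10)."""
    labels = landscape_domain.strip().lower().split(".")
    if labels[0] == "cf" and len(labels) > 1:    # drop the "cf." prefix
        labels = labels[1:]
    labels[0] = re.sub(r"-\d+$", "", labels[0])  # drop an extension suffix such as "-001"
    return f"https://{subdomain}.authentication.{'.'.join(labels)}/saml/metadata"

def outbound_oauth_fields(metadata_xml, expected_host):
    """Return the Token URL, Audience and Recipient values described in the steps."""
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not carry a DTD")  # refuse entity-expansion input
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    urls = [e.get("Location") for e in root.iter(MD + "AssertionConsumerService")
            if e.get("Binding") == URI_BINDING]
    if len(urls) != 1:
        raise ValueError(f"expected one URI-binding endpoint, found {len(urls)}")
    parts = urlsplit(urls[0])
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError("Token URL is not https on the host the metadata was fetched from")
    # Per the steps: Audience is the entityID, Recipient equals the Token URL.
    return {"Token URL": urls[0], "Audience": root.get("entityID"), "Recipient": urls[0]}

if __name__ == "__main__":
    url = metadata_url("example-sub", "cf.us10-001.hana.ondemand.com")
    print(url)
    print(outbound_oauth_fields(SAMPLE_METADATA, urlsplit(url).hostname))
```

Passing the host of the metadata URL as expected_host makes the check fail if the XML names a token endpoint on a different host than the one it was downloaded from.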
Keywords
KBA , LOD-SF-INT-AHR , Ask HR - Employee Central Service Center (ECSC) , How To
Product
SAP SuccessFactors HCM Suite all versions
SAP Knowledge Base Article - Public