SAP Knowledge Base Article - Public

3666719 - Migration of Technical Users from Basic Authentication to OIDC

Symptom

With the upcoming deprecation of API basic authentication (WNV), all customers still using basic authentication for API calls into SuccessFactors should migrate to OIDC-based API authentication.

Types of API Integration

  • Principal Propagation: On behalf of a named user. It is essential to securely transfer the context of the named user from the sender to the receiver.
  • Technical Access: Access on behalf of the calling client/application (sender), typically using a predefined technical user embedded in SuccessFactors' code, or a designated API-only user.

Note: Based on usage statistics, the majority of API basic authentication use is for the technical access case. If your calling client/application (sender) supports the OIDC protocol, it is highly recommended to migrate to OIDC with IAS as the authentication provider for SuccessFactors API endpoints.

Environment

  • SuccessFactors
  • IAS
  • OIDC

Resolution

To migrate technical access, follow the steps below:

  1. Define your sender application as an OIDC app in IAS
    Refer to steps 1 through 8 on this help page.

  2. Define dependency from your sender's IAS app towards SuccessFactors' IAS app
    Refer to steps 9 through 13 on this help page.

    • On step 11, be sure to select the sf_technical_access option to enable technical access integration.
  3. Register your sender application in SuccessFactors for OIDC-based API integration
    Refer to steps 14 through 20 on this help page.

    • On step 19, check the "Bind to user" checkbox, then enter the user ID that you are currently using for integration with your sender application.
  4. Testing OIDC Technical Access

    • Create a client ID and client secret for testing
    • Get an ID token using the client ID and client secret
    • Get an access token with the ID token from the prior step
    • Call an SF API endpoint with the access token from the prior step
      Note: If you are not certain how to test the configuration, please refer to KBA 3532791.
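
The three test calls of step 4, chained in one script, as an added example (not SAP's code and not taken from the linked help page). The endpoint URLs, environment variable names, grant types and form parameter names are assumptions; take the real values from the help page or KBA 3532791, which may require additional parameters.

```python
import json
import os
import urllib.parse
import urllib.request

# Placeholders (assumptions): take the real endpoints from the help page / KBA 3532791.
IAS_TOKEN_URL = "https://IAS-TENANT.example/oauth2/token"
SF_TOKEN_URL = "https://SF-API-HOST.example/oauth/token"
SF_API_URL = "https://SF-API-HOST.example/odata/v2/User?$top=1"

def http(url, form=None, headers=None):
    """POST `form` (GET when form is None) and return the parsed JSON body."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def check_technical_access(client_id, client_secret, send=http):
    """Run the three calls of step 4 in order; raise at the first one that fails."""
    # Get the id token from IAS with the test client id and secret.
    ias = send(IAS_TOKEN_URL, {"grant_type": "client_credentials",  # assumed grant type
                               "client_id": client_id,
                               "client_secret": client_secret})
    id_token = ias.get("id_token")
    if not id_token:
        raise RuntimeError("IAS returned no id token: recheck the IAS app and its dependency")
    # Exchange the id token for a SuccessFactors access token.
    sf = send(SF_TOKEN_URL, {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
                             "assertion": id_token})  # assumed RFC 7523 exchange
    access_token = sf.get("access_token")
    if not access_token:
        raise RuntimeError("No access token: recheck the SuccessFactors registration and bound user")
    # Call the API with the access token only; no user password is sent.
    return send(SF_API_URL, None, {"Authorization": "Bearer " + access_token,
                                   "Accept": "application/json"})

if __name__ == "__main__":
    # Secrets come from the environment so they stay out of the script and shell history.
    result = check_technical_access(os.environ["SF_TEST_CLIENT_ID"],
                                    os.environ["SF_TEST_CLIENT_SECRET"])
    print("API call succeeded; top-level keys:", list(result))
```

The script never prints the tokens or the secret; keep it that way when adapting it, and delete the test client secret in IAS once testing is done.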

Below are the only known exceptions regarding migration of technical users from basic authentication to OIDC:
  1. IAS/IPS: If you are currently using IPSADMIN or a similar API-only technical user for integration between SF and IAS/IPS, you should migrate to X.509/mTLS certificate authentication. For details, please refer to this blog.
  2. EC Payroll: You should migrate to X.509/mTLS certificate authentication when calling the SF API. Please follow the steps on this help page, and be sure to follow the instructions under "Connect with X.509 Certificate", not "Connect with User ID and Password".

Keywords

KBA, LOD-SF-INT-ODATA-OAU, ODATA OAUTH Authentication, How To

Product

SAP SuccessFactors HCM Suite all versions