
SuccessFactors OAuth Authentication via Azure SAML Assertion. Unable to verify the signature

former_member183909
Active Participant

I have got the SuccessFactors ODATA and SFAPI connection working using the offline SAML Generation method but I wanted to use the recommended SAML assertion via Azure.

I'm also following the SAP KBA 3301583 SAP SuccessFactors SAML Assertion format demonstration using MS Azure

I've got down to the testing. I can generate the JWT Token and generate a SAML assertion from MS Azure but on the third step I am stuck on the Test C Exchange token by the SAML assertion in HXM Suite.

Why do you think I am getting this error? Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID

I am also wondering about that SAP KBA and the X509 - I am using the SuccessFactors Manage OAuth2 Client Application page - in the KBA they do not explain what to do with it - are you meant to just generate this or paste in something from Azure or do you even need the X509? If so what do you do with it.

Anyway, my failed call with that error is as follows (although I am using POSTMAN to do the calls).

POST https://api68sales.successfactors.com/oauth/token

header Content-Type: application/x-www-form-urlencoded

with a body text of:

company_id=abc*************&client_id=NjZkNjM0MGExMD*******************&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=PEFzc2VydGlvbiBJRD0iXzE0***********************

This is the company_id & client_id from the SAP SuccessFactors Admin Centre page "Manage OAuth2 Client Application"

company_id: The company ID as seen in that SAP SuccessFactors page

client_id: The API key as seen in that SAP SuccessFactors page.

grant_type: Set to "urn:ietf:params:oauth:grant-type:saml2-bearer".

assertion: Enter the Base64-encoded assertion obtained from Generating a SAML Assertion - see Step B in that KBA
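The token exchange described in the post, as an added Python example (not code from the thread or from SAP): it builds the form-encoded body for the saml2-bearer grant, lets you round-trip the assertion parameter to confirm it really is Base64 of the `<Assertion>` XML, and normalises the token endpoint's answer. The endpoint URL and grant type are the ones quoted above; the company and client IDs are placeholders, and the assertion XML used in the demo is constructed.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and grant type exactly as quoted in the post above.
TOKEN_URL = "https://api68sales.successfactors.com/oauth/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def build_token_request(company_id, client_id, assertion_xml):
    """Build the headers and x-www-form-urlencoded body for the saml2-bearer exchange.

    assertion_xml is the raw <Assertion> XML from the IdP; SuccessFactors expects it
    Base64-encoded in the 'assertion' parameter. urlencode() percent-encodes the
    '+', '/' and '=' characters of the Base64 text, which matters: a bare '+' in a
    form-urlencoded body is decoded as a space and silently corrupts the assertion.
    """
    assertion_b64 = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    body = urllib.parse.urlencode({
        "company_id": company_id,
        "client_id": client_id,
        "grant_type": GRANT_TYPE,
        "assertion": assertion_b64,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def decode_assertion_param(body):
    """Round-trip check: pull 'assertion' back out of the body and decode it to XML."""
    params = dict(urllib.parse.parse_qsl(body, keep_blank_values=True))
    return base64.b64decode(params["assertion"]).decode("utf-8")


def parse_token_response(status, text):
    """Normalise the HTTP outcome into a dict with an 'ok' flag.

    Success is HTTP 200 with a JSON access_token. Any other body is kept verbatim
    under 'error_description' when it is not JSON, so the server's message (such as
    the signature-verification error quoted in the post) is not lost.
    """
    try:
        payload = json.loads(text)
        if not isinstance(payload, dict):
            payload = {"error_description": text}
    except ValueError:
        payload = {"error_description": text}
    ok = status == 200 and "access_token" in payload
    return {"ok": ok, "status": status, **payload}


def exchange_token(url, headers, body):
    """POST the request (network call) and return parse_token_response() of the result."""
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return parse_token_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed placeholders: take the real values from "Manage OAuth2 Client Application"
    # and the assertion from the IdP (Step B of the KBA).
    headers, body = build_token_request("COMPANY_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                                        '<Assertion ID="_placeholder"/>')
    print(body[:80] + "...")
    print(decode_assertion_param(body))
    # print(exchange_token(TOKEN_URL, headers, body))  # uncomment to perform the real call
```

A quick sanity check on the body quoted in the post: its assertion parameter starts with `PEFzc2VydGlvbiBJRD0iXzE0`, which is the Base64 of `<Assertion ID="_14`, so the encoding step itself is right and the rejection has to come from the signature or the registered key, not from the request format.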

Accepted Solutions (1)

former_member183909
Active Participant

Hi Souvik

I got it working. The SAP KBA is missing a few key steps! Firstly, the X509 certificate public key from Azure (from the SuccessFactors enterprise app's SAML settings) needs simply to be copied into my SuccessFactors OAuth2 Client Application page, and secondly the user that is bound on that page needs an email address matching the Azure test user I'd set up. It all seems quite obvious now.

NilotpalM
Explorer
0 Kudos

This was really helpful. Thanks for posting the resolution. I was stuck with the same issue for a while.

MG3
Contributor
0 Kudos

Thanks for this, Jonny. Helped us resolve the same issue.

Answers (2)

sinhasouvik
Participant

Hello jonny.wellard ,

This is one kind of generic error I also got during our implementation. Unfortunately I have not used Azure as 3rd Party IDP.

Based on my experience, these could be the possible reasons.

  • The SignatureValue attribute in the SAML assertion should be the signature made with the certificate which you registered in the SF OAuth client registration transaction.
  • The X509Certificate attribute in the SAML assertion should have linkage with the certificate which you have registered in the SF OAuth client registration transaction.
  • In the SAML configuration, the unique user identifier format has to be "unspecified".

Regards,

Souvik
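The three causes listed in this answer, plus the certificate-copy and matching-email points from the accepted solution, can be checked on the assertion before it is ever sent. The following is an added Python example (not from the thread or from SAP): it decodes the Base64 assertion, confirms an enveloped `ds:Signature` with a `SignatureValue` and an `X509Certificate` is present, compares that certificate's SHA-256 fingerprint with the certificate registered on the "Manage OAuth2 Client Application" page, checks that the NameID Format is `unspecified`, and reports the NameID value so it can be compared with the email of the bound user. It does not cryptographically verify the XML-DSig itself (that needs an XML signature library); the sample assertion and both certificates are constructed placeholders, not real Azure output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def cert_fingerprint(cert_b64):
    """SHA-256 over the DER bytes of a Base64 (PEM body) certificate; whitespace tolerated."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def inspect_assertion(assertion_b64, registered_cert_b64):
    """Structural pre-flight checks on a Base64 SAML assertion. Returns a report dict."""
    root = ET.fromstring(base64.b64decode(assertion_b64))
    # Accept either a bare <Assertion> or a <Response> that wraps one.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find("saml:Assertion", NS)
    report = {"has_signature": False, "cert_fingerprint": None,
              "name_id": None, "name_id_format": None, "problems": []}
    if assertion is None:
        report["problems"].append("no saml:Assertion element found")
        return report

    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        report["problems"].append("Assertion carries no ds:Signature (enveloped signature missing)")
    else:
        report["has_signature"] = True
        if not sig.findtext("ds:SignatureValue", default="", namespaces=NS).strip():
            report["problems"].append("ds:SignatureValue is empty")
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        if not cert.strip():
            report["problems"].append("no ds:X509Certificate in KeyInfo, so the signature cannot be linked to the registered key")
        else:
            report["cert_fingerprint"] = cert_fingerprint(cert)
            if report["cert_fingerprint"] != cert_fingerprint(registered_cert_b64):
                report["problems"].append("X509Certificate in assertion does not match the certificate registered for the OAuth2 client")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        report["problems"].append("no saml:Subject/saml:NameID")
    else:
        report["name_id"] = (name_id.text or "").strip()
        report["name_id_format"] = name_id.get("Format")
        if report["name_id_format"] != UNSPECIFIED:
            report["problems"].append("NameID Format is %r, expected %s" % (report["name_id_format"], UNSPECIFIED))
    return report


# Constructed sample data: these are NOT real certificates or a real Azure assertion.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-cert-bytes-not-a-real-certificate").decode()
WRONG_CERT_B64 = base64.b64encode(b"a-different-constructed-certificate").decode()
SAMPLE_ASSERTION_XML = f"""<Assertion ID="_constructed" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Issuer>https://sts.windows.net/constructed-tenant/</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo/>
    <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">test.user@example.com</NameID>
  </Subject>
</Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION_XML.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(inspect_assertion(SAMPLE_ASSERTION_B64, SAMPLE_CERT_B64))   # no problems
    print(inspect_assertion(SAMPLE_ASSERTION_B64, WRONG_CERT_B64))    # fingerprint mismatch
```

Feed it the real assertion from the IdP and the Base64 body of the certificate you pasted into the OAuth2 client registration; an empty `problems` list plus a `name_id` equal to the bound user's email is the state in which the exchange should succeed, and each non-empty entry maps directly to one of the causes above.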

Venky999
Explorer
0 Kudos

Hi Souvik,

May I know which 3rd party IDP you have used to generate the SAML assertion for the SuccessFactors API?

Also, I would like to know whether SAP released this note 3301583 - SAP SuccessFactors SAML Assertion format demonstration using MS Azure - SAP for Me based on your request. I see some of your old questions related to it.

We have Okta IDP and would like to use the same for the SAML assertion generation for the SuccessFactors API.

Thanks,

Venkatesh

sinhasouvik
Participant
0 Kudos

I have used SAG APIGW as 3rd Party IDP. They have internal SAML generation framework.

Okta is also fine. Concept will be same for all IDPs.

Regards,

Souvik

gdunham
Explorer
0 Kudos

Are you referring to Azure AD aka Microsoft Entra ID?

If so why not use SAP Cloud Identity Services as a proxy and connect that to Azure AD using the out of the box application available in Azure AD? SAP are moving everyone to use Cloud Identity Services anyway.

Gerald_Weinmann
Discoverer
0 Kudos

Hi gdunham,

I would be interested to learn how you would set this up for OAuth2 authentication as described in Authentication Using OAuth 2.0 | SAP Help Portal. We are also in the process of setting this up and if there is a better way including SAP Cloud Identity Services as a proxy I would probably prefer that way.

Jonny is referring to this KBA 3301583 - SAP SuccessFactors SAML Assertion format demonstration using MS Azure. This seems to be the recommended setup when it comes to Entra ID as 3rd party IDP currently.

Best regards,

Gerald

gdunham
Explorer
0 Kudos

Hi gerald.weinmann

AFAIK you will be forced to utilise SAP Cloud Identity Services (IAS and IPS are parts of this solution) at some point in the future so might as well leverage it:

https://me.sap.com/notes/3097769/E

https://groups.community.sap.com/t5/product-and-customer-updates/migration-to-sap-cloud-identity-aut...

https://me.sap.com/notes/2791410

You will need to set up the provisioning of users from SF -> CIS first and upgrade your SuccessFactors instance. There's some great info here (also read the above links):

https://www.linkedin.com/pulse/single-sign-on-sap-successfactors-vasanth-kumar-g-s

Then you can install the Azure (entra) application for SAP Cloud Platform Identity Authentication for Sign on (we're currently using SAML but will probably move to OpenID/OAuth at some point):

https://developers.sap.com/tutorials/cp-ias-azure-ad.html#4d9aadfc-1200-40aa-a889-3e8e73e74a3b

Here's how we have things set up:

Provisioning of accounts:

SuccessFactors -> Azure AD via the standard Azure AD SuccessFactors provisioning app

SuccessFactors -> Cloud Identity Services via CIS Identity Provisioning Service (IPS)

Authentication (Trusts on trusts - it does add a lot of complexity):

Client -> Azure AD -> Cloud Identity Services -> SuccessFactors

Not sure if that helps or answers your question, but hopefully something there has helped.

Cheers

Gary