on 2023 Aug 24 9:09 AM
I have got the SuccessFactors ODATA and SFAPI connection working using the offline SAML Generation method but I wanted to use the recommended SAML assertion via Azure.
I'm also following the SAP KBA 3301583 SAP SuccessFactors SAML Assertion format demonstration using MS Azure
I've got down to the testing. I can generate the JWT Token and generate a SAML assertion from MS Azure but on the third step I am stuck on the Test C Exchange token by the SAML assertion in HXM Suite.
Why do you think I am getting this error? Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID
I am also wondering about that SAP KBA and the X509 - I am using the SuccessFactors Manage OAuth2 Client Application page - in the KBA they do not explain what to do with it - are you meant to just generate this or paste in something from Azure or do you even need the X509? If so what do you do with it.
Anyway my failed call with that error is as follows (although I am using POSTMAN to do the calls).
POST https://api68sales.successfactors.com/oauth/token
header Content-Type: application/x-www-form-urlencoded
with a body text of;
company_id=abc*************&client_id=NjZkNjM0MGExMD******************* &grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer &assertion=PEFzc2VydGlvbiBJRD0iXzE0***********************
This is the company_id & client_id from the SAP SuccessFactors Admin Centre page "Manage OAuth2 Client Application"
company_id: The company ID as seen in that SAP SuccessFactors page
client_id: The API key as seen in that SAP SuccessFactors page.
grant_type: Set to "urn:ietf:params:oauth:grant-type:saml2-bearer".
assertion: Enter the Base64-encoded assertion obtained from Generating a SAML Assertion - see Step B in that KBA
Hi Souvik
I got it working. The SAP KBA is missing a few key steps! Firstly the X509 certificate public key from Azure (from the SuccessFactors enterprise app's SAML settings) needs simply to be copied into my SuccessFactors OAuth2 Client Application page - and secondly the user that is bound on that page needs an email address matching the Azure test-user I'd set up. It all seems quite obvious now.
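The token exchange described in the question (POST to /oauth/token with company_id, client_id, grant_type and assertion) failed until two things were in place: the Entra signing certificate registered on the SuccessFactors OAuth2 client, and the bound user matching the assertion subject. Both can be checked locally before the call is made. The following Python is an added example, not code from this thread, from SAP or from Microsoft: the assertion, the certificate bytes and the e-mail address are constructed placeholders, and the check only confirms that a ds:Signature element with an embedded certificate matching the registered one is present; it does not cryptographically verify the signature, which SuccessFactors does on its side.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlencode

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed placeholder certificate bytes (not a real X.509 certificate). In a real
# setup this is the signing certificate downloaded from the Entra enterprise app's SAML
# settings and pasted into Manage OAuth2 Client Application.
DEMO_CERT_B64 = base64.b64encode(b"constructed-demo-signing-certificate").decode()
REGISTERED_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n" + DEMO_CERT_B64 + "\n-----END CERTIFICATE-----\n"
)


def sample_assertion_b64(signed: bool = True, name_id: str = "api.user@example.com",
                         cert_b64: str = DEMO_CERT_B64) -> str:
    """Build a constructed, Base64-encoded SAML 2.0 assertion for offline testing."""
    signature = (
        f'<Signature xmlns="{DS_NS}"><SignedInfo/>'
        f"<SignatureValue>cGxhY2Vob2xkZXI=</SignatureValue>"
        f"<KeyInfo><X509Data><X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo>"
        f"</Signature>"
    ) if signed else ""
    xml = (
        f'<Assertion xmlns="{SAML_NS}" ID="_constructed-id" Version="2.0" '
        f'IssueInstant="2023-08-24T09:09:00Z">'
        f"<Issuer>https://placeholder-idp.example/</Issuer>{signature}"
        f"<Subject><NameID>{name_id}</NameID></Subject></Assertion>"
    )
    return base64.b64encode(xml.encode()).decode()


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 over the DER bytes of a PEM or bare-Base64 certificate, whitespace ignored."""
    body = "".join(line for line in cert_text.splitlines() if "-----" not in line)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def preflight_check(assertion_b64: str, registered_cert_pem: str, bound_user: str) -> List[str]:
    """Return a list of findings; an empty list means the assertion passes the local checks.

    Checks: root is a SAML 2.0 Assertion, a ds:Signature is present, the certificate
    embedded in its KeyInfo matches the one registered on the OAuth2 client, and the
    Subject/NameID matches the user bound to that client (the thread's second fix).
    """
    findings: List[str] = []
    root = ET.fromstring(base64.b64decode(assertion_b64))
    if root.tag != f"{{{SAML_NS}}}Assertion":
        return ["root element is not a SAML 2.0 Assertion"]

    signature = root.find(f"{{{DS_NS}}}Signature")
    if signature is None:
        findings.append("assertion carries no ds:Signature")
    else:
        cert_el = signature.find(f".//{{{DS_NS}}}X509Certificate")
        if cert_el is None or not cert_el.text:
            findings.append("signature has no X509Certificate in KeyInfo")
        elif cert_fingerprint(cert_el.text) != cert_fingerprint(registered_cert_pem):
            findings.append("signing certificate does not match the certificate "
                            "registered on the OAuth2 client application")

    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if name_id is None or not name_id.text:
        findings.append("assertion has no Subject/NameID")
    elif name_id.text.strip().lower() != bound_user.strip().lower():
        findings.append(f"NameID {name_id.text.strip()!r} differs from bound user {bound_user!r}")
    return findings


def build_token_request(company_id: str, client_id: str, assertion_b64: str) -> str:
    """Form-encode the body for POST /oauth/token; urlencode leaves no stray whitespace."""
    return urlencode({
        "company_id": company_id,
        "client_id": client_id,
        "grant_type": SAML_BEARER_GRANT,
        "assertion": assertion_b64,
    })


if __name__ == "__main__":
    assertion = sample_assertion_b64()
    print("findings:", preflight_check(assertion, REGISTERED_CERT_PEM, "api.user@example.com"))
    print(build_token_request("COMPANY_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", assertion)[:80], "...")
```

Run the preflight against the assertion Entra actually returned (the Base64 string from Step B of the KBA) and the PEM you pasted into Manage OAuth2 Client Application; a certificate-mismatch finding is the local equivalent of the "key pairs match the client ID" error in the thread.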
Hello jonny.wellard ,
This is one kind of generic error I also got during our implementation. Unfortunately I have not used Azure as 3rd Party IDP.
Based on my experience these could be the possible reasons.
Regards,
Souvik
Hi Souvik,
May I know which 3rd party IDP you have used to generate SAML assertion for SuccessFactors API?
Also, I would like to know whether SAP had released this note 3301583 - SAP SuccessFactors SAML Assertion format demonstration using MS Azure - SAP for Me based on your request. I see some of your old questions related to it.
We have Okta IDP and would like to use same for the SAML assertion generation for SuccessFactors API.
Thanks,
Venkatesh
Are you referring to Azure AD aka Microsoft Entra ID?
If so why not use SAP Cloud Identity Services as a proxy and connect that to Azure AD using the out of the box application available in Azure AD? SAP are moving everyone to use Cloud Identity Services anyway.
Hi gdunham,
I would be interested to learn how you would set this up for OAuth2 authentication as described in Authentication Using OAuth 2.0 | SAP Help Portal. We are also in the process of setting this up and if there is a better way including SAP Cloud Identity Services as a proxy I would probably prefer that way.
Jonny is referring to this KBA 3301583 - SAP SuccessFactors SAML Assertion format demonstration using MS Azure. This seems to be the recommended setup when it comes to Entra ID as 3rd party IDP currently.
Best regards,
Gerald
Hi gerald.weinmann
AFAIK you will be forced to utilise SAP Cloud Identity Services (IAS and IPS are parts of this solution) at some point in the future so might as well leverage it:
https://me.sap.com/notes/3097769/E
https://me.sap.com/notes/2791410
You will need to set up the provisioning of users from SF -> CIS first and upgrade your SuccessFactors instance. There's some great info here (also read above links):
https://www.linkedin.com/pulse/single-sign-on-sap-successfactors-vasanth-kumar-g-s
Then you can install the Azure (entra) application for SAP Cloud Platform Identity Authentication for Sign on (we're currently using SAML but will probably move to OpenID/OAuth at some point):
https://developers.sap.com/tutorials/cp-ias-azure-ad.html#4d9aadfc-1200-40aa-a889-3e8e73e74a3b
Here's how we have things set up:
Provisioning of accounts:
SuccessFactors -> Azure AD via the standard Azure AD SuccessFactors provisioning app
SuccessFactors -> Cloud Identity Services via CIS Identity Provisioning Service (IPS)
Authentication (Trusts on trusts - it does add a lot of complexity):
Client -> Azure AD -> Cloud Identity Services -> SuccessFactors
Not sure if that helps or answers your question, but hopefully something there has helped.
Cheers
Gary