cancel
Showing results for 
Search instead for 
Did you mean: 

SuccessFactors OAuth Authentication (without CPI) - Generating SAML Assertion - using 3rd Party Idp

sinhasouvik
Participant
0 Kudos

Hello Expert,

I am working for a client where few 3rd party application want to connect our SuccessFactors API directly(without CPI).

To authenticate SF API's using OAuth first step is to get the SAML Assertion. I understood from the our help document that there are couple of approach to generate the SAML Assertion.

1. Using third-party IdP (Recommended)

2. Using offline SAML generator tool. (for this approach we have SAP Note: 3031657)

In our landscape we have Azure Active Directory, I need some help guide to generate SAML Assertion using this type of 3rd party identity provider(Like: Azure AD etc.)

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...

Regards,

Souvik

Accepted Solutions (1)

Accepted Solutions (1)

sinhasouvik
Participant
0 Kudos

Hello All,

Please find the latest SAP KBA, it demonstrate the step by step process to Generate SAP SuccessFactors SAML Assertion using MS Azure as 3rd Party IDP.

SAP SuccessFactors SAML Assertion format demonstration using MS Azure

Regards,

Souvik

former_member183909
Active Participant
0 Kudos

Hi Souvik,

I have got the SuccessFactors ODATA and SFAPI connection working using the offline SAML Generation method but I wanted to use the recommended SAML assertion via Azure.

I'm also following the SAP KBA 3301583

SAP SuccessFactors SAML Assertion format demonstration using MS Azure

I've got down to the testing. I can generate the JWT Token and generate a SAML assertion from MS Azure but on the third step I am stuck on the Test C Exchange token by the SAML assertion in HXM Suite.

Why do you think I am getting this error ? Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID

I am also wondering about that SAP KBA and the X509 - I am using the SuccessFactors Manage OAuth2 Client Application page - in the KBA they do not explain what to do with it - are you meant to just generate this or paste in something from Azure or do you even need the X509? If so what do you do with it.

Anyway my failed call with that error is as follows (although I am using POSTMAN do to the calls).

POST https://api68sales.successfactors.com/oauth/token

header Content-Type: application/x-www-form-urlencoded

with a body text of;

company_id=abc*************&client_id=NjZkNjM0MGExMD******************* &grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer &assertion=PEFzc2VydGlvbiBJRD0iXzE0***********************

This is the company_id & client_id from the SAP SuccessFactors Admin Centre page "Manage OAuth2 Client Application"

  • company_id: The company ID as seen in that SAP SuccessFactors page
  • client_id: The API key as seen in that SAP SuccessFactors page.
  • grant_type: Set to "urn:ietf:params:oauth:grant-type:saml2-bearer".
  • assertion: Enter the Base64-encoded assertion obtained from Generating a SAML Assertion - see Step B in that KBA
0 Kudos

Do you have same instructions for other identity providers ?

Thank you

Answers (2)

Answers (2)

rajkumar_thakur
Discoverer
0 Kudos

Hi Souvik,

Any solution found on this query, if yes, please share some insight here.

Thanks,

Raj Kumar

sinhasouvik
Participant
0 Kudos

Hello Rajkumar,

Check the answer from PDC. If this helps you.

https://groups.community.sap.com/t5/api-integration/successfactors-oauth-authentication-generating-s...

Regards,

Souvik

rajkumar_thakur
Discoverer
0 Kudos

Hi Souvik ,

Thanks for your quick turnaround. Unfortunately it looks like I don't have permission to view the details shared in link.

It will be helpful if you can share details on my mail or if you can share some different link.

Thanks,

Raj Kumar

nlgro023
Active Contributor
0 Kudos

Did you try the steps of this blog (it's a bit more in depth than the manual is)?
How to use Postman to call SuccessFactors API using OAuth authentication method and SAP Offline SAML...

sinhasouvik
Participant
0 Kudos

Hello jasper.de.groot ,

This is an alternate approach as per SAP, same has been mentioned in the Option 2 in my question. I am looking for solution of recommended approach option 1.

Regards,

Souvik