This blog walks through setting up the connection between SAP Datasphere and SAP SuccessFactors HXM Suite over OData, using authentication type OAuth 2.0 with grant type SAML Bearer, in the cloud.
Before getting into the specifics, let's look at some technical terms.
OAuth 2.0: OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.
OData: The Open Data Protocol (OData) is a standardized protocol for creating and consuming data APIs. The SAP SuccessFactors HXM Suite OData API is a Web Service API feature based on the OData protocol. It's intended to enable access to SAP SuccessFactors data in the system.
SAML 2.0: The Security Assertion Markup Language (SAML) version 2.0 provides a standards-based mechanism for Single Sign-On (SSO). It is needed for integrating an enterprise’s existing single sign-on (SSO) with third-party (cloud-based) service providers. The two main components of a SAML 2.0 landscape are an identity provider and a service provider. The service provider is a system entity that provides a set of Web applications with common session management, identity management, and trust management. The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. In other words, the service providers outsource the job of authenticating the user to the identity provider. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers.
Here, the following connection type, authentication type and grant type are used to make the connection.
Connection Type: SAP SuccessFactors
Authentication Type: OAuth 2.0
OAuth Grant Type: SAML Bearer
SAML Assertion: There are two options, TRUE and FALSE; I will explain both. However, if you use option “FALSE” you will get the warning message shown below in the connection, although the connection will still be established successfully.
Section 1: How to generate the X.509 certificate, API Key and Private Key, and download/upload the SuccessFactors URL certificate into Datasphere?
The first step is to create an X.509 certificate in SuccessFactors and store the private key; you will need this private key later when setting up the connection in Datasphere. You also register your client application so that API users can be authenticated using OAuth 2.0. After you register an application, you get an exclusive API key for your application to access the SAP SuccessFactors OData APIs.
So, let’s start creating the X.509 certificate.
Step 1: Log in to your SAP SuccessFactors instance as an administrator, search for oauth2 and create a new OAuth2 client in the “Manage OAuth2 Client Applications” section.
After the page opens, click on Register Client Application.
If you need help filling out the information above, see the SAP help portal below.
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/6b3c741483de4...
After filling in the above details, click on Generate X.509 Certificate.
If you need help filling out the information above, see the SAP help portal below.
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/13f815208a0f4...
After filling in the above details, click Generate.
Here you must click on Download and save the certificate.
Then click Register.
Your entry will be created as shown on the page.
After this, click on View and take note of the API Key; you will need it when creating the connection.
With the API Key above and the Private Key (contained in the downloaded certificate), you can create the connection using the option SAML Assertion: FALSE. The section on creating connections below explains how to do so using these keys.
Note: The downloaded certificate.pem has two parts (Private Key and Public Key), so copy and paste only the enclosed string of the private key, without the beginning and ending lines (-----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY-----); otherwise an error occurs.
Caution: The private key must be kept secure under all circumstances. Do not share the private key with others. If you lose the private key, you must create a new certificate.
certificate.pem looks like the example below.
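The note above is where most copy-and-paste mistakes happen, so here is an added example (my own helper, not code from SAP or from this blog) that reads a file in the layout of certificate.pem, pulls out only the enclosed string of the ENCRYPTED PRIVATE KEY block, and checks a value before it is pasted into Datasphere for the BEGIN/END lines, stray whitespace, or the public certificate being used by mistake. The PEM content is constructed from dummy bytes; it is not a real key or certificate, and the function names are my own.

```python
import base64
import binascii
import re
import textwrap

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def _pem_block(label, raw):
    """Wrap raw bytes as a PEM block with 64-character lines (used only to build the sample)."""
    body = base64.b64encode(raw).decode("ascii")
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(body, 64)) + f"\n-----END {label}-----\n"


# Constructed sample in the layout of the downloaded certificate.pem: an encrypted
# private key block followed by the certificate. The bodies are dummy bytes, not a
# real key or certificate.
SAMPLE_PEM = (
    _pem_block("ENCRYPTED PRIVATE KEY", b"constructed dummy private key bytes " * 4)
    + _pem_block("CERTIFICATE", b"constructed dummy certificate bytes " * 4)
)


def pem_blocks(pem_text):
    """Return {label: body} for every PEM block in the text (bodies keep their line breaks)."""
    return {m.group("label"): m.group("body") for m in PEM_BLOCK.finditer(pem_text)}


def extract_private_key_body(pem_text):
    """Return the private key body as the single base64 string the connection expects:
    BEGIN/END lines dropped and every line break or space removed."""
    blocks = pem_blocks(pem_text)
    if "ENCRYPTED PRIVATE KEY" not in blocks:
        raise ValueError("no ENCRYPTED PRIVATE KEY block found; the private key is only in "
                         "the file downloaded when the certificate was generated")
    body = "".join(blocks["ENCRYPTED PRIVATE KEY"].split())
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"private key body is not valid base64: {exc}") from exc
    return body


def check_pasted_secret(value, pem_text):
    """List the mistakes from the note above and from Troubleshooting Error 1 that a value
    about to be pasted into the Client Secret / SAML Assertion field may contain."""
    problems = []
    if "-----BEGIN" in value or "-----END" in value:
        problems.append("contains the BEGIN/END lines; paste only the enclosed string")
    if any(ch.isspace() for ch in value):
        problems.append("contains spaces or line breaks")
    cert_body = "".join(pem_blocks(pem_text).get("CERTIFICATE", "").split())
    if cert_body and "".join(value.split()) == cert_body:
        problems.append("this is the public certificate, not the private key")
    return problems


if __name__ == "__main__":
    secret = extract_private_key_body(SAMPLE_PEM)
    print(f"private key body: {len(secret)} base64 characters; "
          f"problems: {check_pasted_secret(secret, SAMPLE_PEM)}")
```

Run it against the real certificate.pem by replacing SAMPLE_PEM with the file contents; the returned string is what goes into the Client Secret (Section 2, Step 1) field, and check_pasted_secret() returning an empty list is the condition to look for before saving the connection.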
Step 2: This case applies when SAML Assertion: TRUE. Follow the complete process described in Step 1 and note down the private key. Here I will generate the SAML assertion without having to expose your private key to the internet.
Generating a SAML Assertion: Generate a Security Assertion Markup Language (SAML) assertion for requesting an OAuth token. This topic explains how to generate a SAML assertion using the offline tool provided by SAP SuccessFactors.
Prerequisites
You have registered your application in Manage OAuth2 Client Applications in SAP SuccessFactors and obtained the API key and private key for the application.
Why deprecation?
The warning message shown below appears when you use SAML Assertion: FALSE.
The /oauth/idp API was provided for API users to generate SAML assertions for authentication. However, this method is considered unsafe because it requires users to pass private keys through an API call. Therefore, we're deprecating this API and encouraging you to choose secure ways to generate SAML assertions.
Caution: Do not use the /oauth/idp API to generate SAML assertions. This approach is unsecure and has been deprecated.
Solution: For the complete process, follow SAP Note 3031657 - How to generate SAML assertion using SAP-provided offline tool – SuccessFactors.
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...
Step 3: The third step is to download the SSL certificate of the SuccessFactors URL and upload it into Datasphere.
You can refer to the SAP Note and blog below for this activity.
3138841 - Error when using Remote tables in SAP Datasphere
In the blog, go to the section Download Certificate:
https://blogs.sap.com/2023/04/20/connecting-sap-successfactors-and-sap-datasphere/
Section 2: How to create connections in Success Factors?
Let’s create the connection with option SAML Assertion: TRUE or FALSE.
Step 1: With Option SAML Assertion: FALSE
Log in to Datasphere -> Connections -> Search for Success Factors -> Local Connections -> Create
Connection Information
Business Name: You can give generic name as you like.
Technical Name: You can give any generic name you like; it cannot be changed later.
Description: You can describe the connection here.
Connection Details
URL: Enter the OData service provider URL of the SAP SuccessFactors service that you want to access.
Version: Displays the OData version used to implement the SAP SuccessFactors OData service.
Authentication
Authentication Type: OAuth 2.0
OAuth 2.0
Provide SAML Assertion: FALSE
OAuth Token Endpoint: Enter the Token endpoint to use to request an access token: <SAP SuccessFactors API Server>/oauth/token.
OAuth Scope: Optional.
OAuth API Endpoint: Enter the API endpoint: <SAP SuccessFactors API Server>/oauth/idp.
OAuth User ID: This user ID must exist in your SuccessFactors portal.
OAuth Company ID: Enter the SAP SuccessFactors company ID.
Note: You can find the list of SAP SuccessFactors API servers and URLs in the SAP Note and link below.
2089448 - SuccessFactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/af2b8d5437494...
Credentials (OAuth 2.0)
Client ID: API Key (generated together with the X.509 certificate, as explained in Section 1, Step 1)
Client Secret: Private Key (generated together with the X.509 certificate, as explained in Section 1, Step 1)
Click on Save
Now test the connection.
Select the Business Name or Connection Name and click on Validate. You will see the success message below.
Connection “Business Name” is valid.
- Data flows are enabled.
- Remote tables are enabled.
Step 2: With Option SAML Assertion: TRUE
Log in to Datasphere -> Connections -> Search for Success Factors -> Local Connections -> Create
OAuth 2.0
Provide SAML Assertion: TRUE
OAuth Token Endpoint: Enter the Token endpoint to use to request an access token: <SAP SuccessFactors API Server>/oauth/token.
OAuth Scope: Optional.
OAuth Company ID: Enter the SAP SuccessFactors company ID.
Credentials (OAuth 2.0)
Client ID: API Key (generated together with the X.509 certificate, as explained in Section 1, Step 1)
SAML Assertion: Private Key (as explained in Section 1, Step 2)
Now test the connection.
Select the Business Name or Connection Name and click on Validate. You will see the success message below.
Connection “Business Name” is valid.
- Data flows are enabled.
- Remote tables are enabled.
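Both connection variants end in the same token exchange: a SAML Bearer request to <SAP SuccessFactors API Server>/oauth/token. The added example below (my own code, not Datasphere's or SAP's implementation) builds that request from the Client ID (API Key), Company ID and a signed assertion, runs a preflight check that flags the deprecated /oauth/idp approach described in Section 1 (where the private key itself is sent in the request), and decodes the token endpoint reply, including the 400 "Invalid SAML assertion" body quoted under Troubleshooting, Error 2. The form field names for the /oauth/token request follow SAP's documented saml2-bearer grant; the parameter names of the deprecated request, the hostname and all credential values are placeholders I constructed, and nothing here contacts a server.

```python
import json
from urllib.parse import urlencode, urlsplit

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"


def build_token_request(api_server, api_key, company_id, saml_assertion):
    """Build the POST to <SAP SuccessFactors API Server>/oauth/token that exchanges a
    signed SAML assertion for an access token. Only the assertion is sent; the private
    key that signed it stays on the machine that ran the offline tool."""
    if not saml_assertion or any(ch.isspace() for ch in saml_assertion):
        raise ValueError("assertion must be a single base64 string without whitespace")
    return {
        "method": "POST",
        "url": api_server.rstrip("/") + "/oauth/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "company_id": company_id,
            "client_id": api_key,        # the API Key from Manage OAuth2 Client Applications
            "grant_type": SAML2_BEARER,
            "assertion": saml_assertion,
        }),
    }


def preflight(request):
    """Flag token requests that use what this blog warns against, before anything is sent."""
    parts = urlsplit(request["url"])
    findings = []
    if parts.path.endswith("/oauth/idp"):
        findings.append("uses the deprecated /oauth/idp endpoint, which takes the private key as input")
    if "private_key=" in request.get("body", ""):
        findings.append("request body carries a private key")
    if parts.scheme != "https":
        findings.append("token endpoint is not https")
    return findings


def parse_token_response(status, body):
    """Turn the token endpoint reply into a result dict; on failure keep the SuccessFactors
    errorMessage so the 400 'Invalid SAML assertion' case stays visible in logs."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"ok": True, "access_token": data["access_token"], "expires_in": data.get("expires_in")}
    return {"ok": False, "status": status, "error": data.get("errorMessage", body)}


# Constructed request in the shape of the deprecated approach, with placeholder values and
# assumed parameter names, so preflight() has something to reject. Never send a real key this way.
LEGACY_IDP_REQUEST = {
    "method": "POST",
    "url": "https://api-server.example/oauth/idp",
    "body": urlencode({"client_id": "API_KEY_PLACEHOLDER", "user_id": "USER_PLACEHOLDER",
                       "private_key": "PRIVATE_KEY_PLACEHOLDER"}),
}

# Constructed 400 reply in the format quoted under Troubleshooting, Error 2.
SAMPLE_400_BODY = '{"errorHttpCode":"400","errorMessage":"Invalid SAML assertion."}'


if __name__ == "__main__":
    req = build_token_request("https://api-server.example", "API_KEY_PLACEHOLDER",
                              "COMPANY_PLACEHOLDER", "QVNTRVJUSU9OX1BMQUNFSE9MREVS")
    print("token request:", req["url"], "preflight:", preflight(req))
    print("legacy request preflight:", preflight(LEGACY_IDP_REQUEST))
    print("sample 400 reply:", parse_token_response(400, SAMPLE_400_BODY))
```

When the Datasphere validation fails with the Error 2 message, reproducing the exchange with this builder and a freshly generated assertion from the offline tool isolates whether the assertion or the connection settings are at fault, without ever putting the private key into a request body.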
Summary:
In Section 1 above we completed the following points:
- X.509 Certificate
- Generated API Key
- Generated Private Key
- Downloaded/Uploaded the URL certificate
In Section 2 we showed how to build a connection using OAuth 2.0 with SAML Assertion: TRUE and FALSE.
Troubleshooting:
Error 1: If you are getting the error message below.
Resolution:
- Make sure that you are using the private key generated from the OAuth key in SF, and not the public key, which is the one displayed in the OAuth key configuration. The private key is shared only once, when you create the OAuth key initially.
- Make sure no extra spaces are included when you add the private key in the Datasphere system.
Error 2:
Connection "Business Name" couldn’t be established. - Data flows can't be used because of errors in the connection. - Replication flows are not supported. - Remote tables can't be used because of errors in the connection.
Data Flows: Cause: Invalid odata connection! Getting odata metadata failed because of Excpetion: org.apache.olingo.client.core.http.OAuth2Exception: Failed to fetch OAuth2 token! Token endpoint response HTTP/1.1 400 {"errorHttpCode":"400","errorMessage":"Invalid SAML assertion. For the correct SAML assertion format, see
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...."} Code:1500010
Remote Tables: Unable to connect remote source: Failed to fetch OAuth2 access token: 'HttpClient.request: OAuth2 request failed with error:
Response HTTP code: 400
Response HTTP body: {"errorHttpCode":"400","errorMessage":"
Invalid SAML assertion. For the correct SAML assertion format, see
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...."}', Code: 5921, SQL State: HY000
Correlation ID: 08e0739b-cbdc-415a-5b32-2d90e5950b49
Resolution: Follow the below link
https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...
Error 3:
Connection "Business Name or Connection_Name" is valid, but not all features are available.
- Data flows are enabled.
- Remote tables can't be used because of errors in the connection.
Remote Tables: Unable to connect remote source: SSL requested, but no trust store configured, Code: 5921, SQL State: HY000
Resolution: Follow the S-Note: 3138841 - Error when using Remote tables in SAP Datasphere
Reference Links & S-Notes:
SAP SuccessFactors Connections: https://help.sap.com/docs/SAP_DATASPHERE/be5967d099974c69b77f4549425ca4c0/39df02030d4b411487bacecf9a...
3138841 - Error when using Remote tables in SAP Datasphere
3031657 - How to generate SAML assertion using SAP-provided offline tool – SuccessFactors
2850646 - How to register for OAuth 2.0 authentication - SuccessFactors Integrations
2613670 - What are the available APIs for SuccessFactors?
2533915 - SAP SuccessFactors SSL Certificate Renewal Schedule and Public Certificate Repository
2203741 - How to download an SAP SuccessFactors or API SSL Certificate
----------------------------
Thanks for reading this article! Your feedback and suggestions are welcome.