Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
divyamary
Product and Topic Expert
Product and Topic Expert
7,282
SAP SuccessFactors Employee Central OData APIs provides two types of authentications:-

  • Basic Authentication

  • OAuth 2.0 Authentication.


Using OAuth authentication, users can securely consume Employee central OData API using a registered OAuth client id and valid OAuth token. This concept can then be extended to provide single sign on features while consuming the SAP SuccessFactors Employee Central OData APIs.

SAP SuccessFactors Connectivity  policy templates available in SAP API Business Hub facilitates easy and secure consumption of SAP SuccessFactors APIs. In this blog, the usage of SAP SuccessFactors Connectivity policy templates for User Management from SAP SuccessFactors is covered in detailed.

Pre Requisites



  1. SAP Cloud Platform API Management ( ref link for trial access)

  2. SAP SuccessFactors tenant


Registration of OAuth Client in SAP SuccessFactors


In the blog How to initiate an OAuth connection to SuccessFactors Employee central the concept of OAuth has been explained by Arijit Das along with the detailed steps for setting up OAuth in SAP SuccessFactors.

  • Logon to SAP SuccessFactors and go to Admin Center




  • Search for OAuth in Tools and then select Manage OAuth2 Client Applications




  • Click on Register Client application to register a new OAuth client




 

  • Enter an application name, application URL ( any dummy URL can be provided here).

  • Click on Generate X.509 Certificate to generate a certificate signed by SAP SuccessFactors.

  • Click on Register to register OAuth client.




 

 

  • After registration, an OAuth key is generated. Generated X509 certificate and API Key would be required while applying the SAP SuccessFactors Connectivity policy template to SAP SuccessFactors OData APIs.


 



Discover and Copy SAP SuccessFactors Connectivity policy template


From SAP Cloud Platform API Management, all the APIs and policy templates available in SAP API Business Hub can be discovered via the Discover tab.

  • Logon to your SAP Cloud Platform, API Management account (say https://account.hanatrial.ondemand.com/cockpit).

  • Navigate to the Services tab, search for API Management service tile and click to open SAP API Management service.




 

  • Click on the link Access API Portal to open API Portal.




  • Navigate to the Discover from the hamburger icon




 

  • SAP API Business Hub is integrated into SAP Cloud Platform API Management and therefore all the APIs and Policy templates available in SAP API Business Hub can be easily discovered and consumed in SAP Cloud Platform API Management.

  • Navigate to the All tab, search and select SuccessFactors Connectivity.




 

  • Navigate to the Artifacts tab and select SuccessFactors_OAuth2SAMLAssertion policy template.




 

  • Click on Copy to copy the SAP SuccessFactors Connectivity policy template into SAP Cloud Platform API Management tenant.




 

  • Copied metadata cache policy templates would be available under POLICY TEMPLATES tab of Develop view.




 

Apply SAP SuccessFactors Connectivity policy template to SAP SuccessFactors Employee Central OData APIs


In the blog series Discover, Consume and Manage SAP SuccessFactors APIs the detailed steps to access the User Management OData API and the management of the User Management API via SAP Cloud Platform API Management is covered. In this section steps to apply SAP SuccessFactors connectivity cache to the PLTUserManagement  API Proxy is covered in detail.

  • Click on APIs tab and select PLTUserManagement SAP SuccessFactors OData API.




  • Click on Policies to navigate to the Policy designer view.




 

  • Click on Edit to switch to the editable mode.




 

  • Select Apply from the Policy Template.




 

  • Select the newly copied SuccessFactors_OAuth2SAMLAssertion template from Apply Template dialog.




 

  • Select the config.js file Scripts region and enter details like your SAP SuccessFactors user Id, OAuth Client Id or API Key which was generated during OAuth client registration steps, SAP SuccessFactors company id, X509 Certificate generated during OAuth client registrations.




 



 

  • From the Target endpoint preflow, select the policy getSAMLAssertion and in HTTPTargetConnection->URL provide your SAP SuccessFactors data centers.




 



 

  • Select the policy getOAuthAccessToken and in HTTPTargetConnection->URL provide your SAP SuccessFactors data centers.




 



 

  • Click on Update to save changes in the policy designer.




 

  • Click on Save to apply the changes to the PLTUserManagement API Proxy.




 

Finally testing the flow



  • Select the RESOURCES tab and click on GET operation view all Users from SAP SuccessFactors.




 

  • This would open up the Test Console. Click on Url Params and then user $top value to limit the number of user records returned by SAP SuccessFactors OData API and Click on Send.




 



 

Further Reads



  • API Security Best Practices blog series.

  • Monitor and Analytics blog.

  • Enchanced developer experience blog.


For more blogs on SAP Cloud Platform API Management visit us at SAP Community

 
9 Comments
VL1
Active Contributor
0 Kudos
Divya - Very good blog. Very helpful Information.

 
divyamary
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Vinay,

Thanks a lot for the kind words.

Best Regards,

Divya
sandeep
Explorer
0 Kudos
Hi Divya,

 

I am trying to follow the instruction and set up connectivity to the SuccessFactors but i am getting an error “Unable to copy Policy template SuccessFactors_OAuth2SAMLAssertion”  in the API portal and i am not able to figure out as to what’s the issue; would it be possible for you to recommend probable cause or let me know what might be the issue/missed step/missed configuration
divyamary
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Sandeep,

No configuration is required for copying policy templates from SAP API Business Hub into SAP Cloud Platform API Management tenant.  Try to refresh the page ( in case session might have expired resulting in this error) and copying the template once more.

If you continue to face issue, kindly raise an incident on component OPU-API-OD-OPS so that our DevOps can provide the corrective action.

Thanks and Best Regards,

Divya
sandeep
Explorer
0 Kudos
i just did raise a issue  on OPU-API but let me see if i can change to OPU-API-OD-OP
Former Member
0 Kudos
 

Hi Divya,

Thank you for sharing, it’s amazing blog.

I am curious to know that would this mandate all calls to SF EC APIs to go through this proxy? It would be great to have your insights on this.

Moreover, I have few scenarios where I have heavy OData calls to EC APIs from groovy script using HttpURLConnection. What would be an ideal way to manage this?

 

Best regards,

Harsh B.
divyamary
Product and Topic Expert
Product and Topic Expert
0 Kudos
Hi Harsh,

Thanks for the kind words and feedback.

There are benefits of using SAP Cloud Platform API Management to manage your APIs. These benefits are the following :-

  • Applying API Security Best Practices  ( details available in blog series) .

  • Getting insights into API usage ( details available in blog) .

  • Sharing your APIs with your partner/customers and enabling Omni channel access.

  • ...


If you have similar use cases then using SAP Cloud Platform API Management would be a good fit.

Thanks and Best Regards,

Divya
SinhaSouvik
Participant
Hello,  divya.mary and shilpa.vij and sriprasadshivaramabhat ,

 

Connecting to SuccessFactors API from API Management policy  "SuccessFactors_OAuth2SAMLAssertion"

I have checked the current policy and found that It is still calling SuccessFactors idp endpoint, which is not recommended as per latest implementation guide right.

Is there  any plan to change the policy in near future ?


 

Regards,

Souvik
former_member440061
Participant
Hi divya.mary

I have same query as Souvik.

Now that /oath/Idp is being deprecated, we are looking for an alternate way to get the saml response for authenticating to SuccessFactors. Do you have any suggestions, please?