Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
ashwani1
Explorer
This blog will assist you in setting up the connection between SAP Datasphere and SAP SuccessFactors HXM Suite using OData, Authentication type OAuth2 and Grant type SAML Bearer on cloud.

Before getting into the specifics, let's look at some technical terms.

OAuth 2.0: OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

OData: The Open Data Protocol (OData) is a standardized protocol for creating and consuming data APIs. The SAP SuccessFactors HXM Suite OData API is a Web Service API feature based on the OData protocol. It's intended to enable access to SAP SuccessFactors data in the system.

SAML 2.0: The Security Assertion Markup Language (SAML) version 2.0 provides a standards-based mechanism for Single Sign-On (SSO). It is needed for integrating an enterprise’s existing single sign-on (SSO) with third-party (cloud based) service providers. The two main components of a SAML 2.0 landscape are an identity provider and a service provider. The service provider is a system entity that provide a set of Web applications with a common session management, identity management, and trust management. The identity provider is a system entity that manages identity information for principals and provides authentication services to other trusted service providers. In other words, the service providers outsource the job of authenticating the user to the identity provider. The identity provider maintains the list of service providers where the user is logged in and passes on logout requests to those service providers.


Here, the following connection type and grant type have been used for making connections.

Connection Type: SAP SuccessFactors

Authentication Type: OAuth 2.0

OAuth Grant Type: SAML Bearer

SAML Assertion: There are two options True and False, here I will explain you both the options. However if you use option “FALSE” you will get the below warning message in the connection, although your connection will be successfully established.

Section 1: How to generate X.509 certificate, API Key, Private Key and Download/Upload SuccessFactors url into Datasphere?


The first step is to create an X.509 certificate from SuccessFactors and store the private key; you will need to utilize this private key later on when setting up a connection in the Datasphere. And register your client application so that you can authenticate API users using OAuth2. After you register an application, you’ll get an exclusive API key for your application to access SAP SuccessFactors OData APIs.

So, let’s start creating X.509 certificate.

Step 1: Login into your SAP SuccessFactors url instance as administrator and then search for oauth2 and create a new OAuth2 Client in “Manage OAuth2 Client Applications” section.


After opening page, Click on Register Client Application



If you need help filling out the information above, see the SAP help portal below.

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/6b3c741483de4...


After filling above details, click on Generate X.509 Certificate


If you need help filling out the information above, see the SAP help portal below.

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/13f815208a0f4...



After filling above details, click Generate.


Here you must click on Download and save the certificate.


And then click Register

Your entry will be created as shown on the page.


After this, you just click on View and take a note of API Key this will require you to while creating the connection.


From the above API Key and Private Key (In the downloaded certificate), you can create the connection using option SAML Assertion: FALSE, The section on creating connections below will explain how to do so using these keys.

Note: In the downloaded certificate.pem there will be two part (Private Key & Public Key), so you need to copy and paste (from private key) only the enclosed string without the beginning and ending lines (-----BEGIN ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY-----), otherwise an error occurs.

Caution: The private key must be kept secure under all circumstances. Do not share the private key with others. If you lose the private key, you must create a new certificate.

Certificate.pem looks like as below.


 

Step 2: In this case will use when SAML Assertion: TRUE. Follow the complete process as mentioned in step 1 and note down the private key. Here I will generate the other key without having to expose your private key to the internet.

Generating a SAML Assertion: Generate a Security Assertion Markup Language (SAML) assertion for requesting an OAuth token. This topic explains how to generate a SAML assertion using the offline tool provided by SAP SuccessFactors.

Prerequisites

You’ve registered your application in Manage OAuth2 Client Applications in the SAP SuccessFactors and obtained the API key and Private key for the application.

Why Deprecation ?

Warning message when you use SAML Assertion: FALSE as shown below.



The /oauth/idp API was provided for API users to generate SAML assertions for authentication. However, this method is considered unsafe because it requires users to pass private keys through an API call. Therefore, we're deprecating this API and encouraging to choose secure ways to generate SAML assertions.

Caution: Do not use the /oauth/idp API to generate SAML assertions. This approach is unsecure and has been deprecated.

Solution: For complete process follow the S-Note 3031657 - How to generate SAML assertion using SAP-provided offline tool – SuccessFactors.

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...

 

Step 3: The third step would be download the url certificate from the SuccessFactors and upload the certificate into Datasphere.

You can refer the SAP S-Note and blog for this activity.

3138841 - Error when using Remote tables in SAP Datasphere

In Blog: Goto the section Download Certificate

https://blogs.sap.com/2023/04/20/connecting-sap-successfactors-and-sap-datasphere/




 

Section 2: How to create connections in Success Factors?


Let’s create the connection with option SAML Assertion: TRUE or FALSE

Step 1: With Option SAML Assertion: FALSE

Login into Datasphere -> Connections -> Search for Success Factors -> Local Connections -> Create


Connection Information 
Business Name:  You can give generic name as you like.

Technical Name: You can give generic name as you like, later you will not be able to change.

Description: You can mention about connection details here.

Connection Details 
URL:  Enter the OData service provider URL of the SAP SuccessFactors service that you want to access.
Version: Displays the OData version used to implement the SAP SuccessFactors OData service.

Authentication 
Authentication Type: OAuth 2.0



OAuth 2.0

Provide SAML Assertion: FALSE

OAuth Token Endpoint: Enter the Token endpoint to use to request an access token: <SAP SuccessFactors API Server>/oauth/token.

OAuth Scope: Optional.

OAuth API Endpoint: Enter the API endpoint: <SAP SuccessFactors API Server>/oauth/idp.

OAuth User ID: This user ID should be existed in your SuccessFactors portal.

OAuth Company ID: Enter the SAP SuccessFactors company ID.

Note: SAP SuccessFactors API Server you can find List of SAP SuccessFactors API Servers & URL from below s-note and link.

2089448 - SuccessFactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs

https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/af2b8d5437494...

 

Credentials (OAuth 2.0)

Client ID: API Key (Which was generated while X.509 certificate as explained in Section 1 & Step 1)

Client Secret: Private Key (Which was generated while X.509 certificate as explained in Section 1 & Step 1)

Click on Save

Now test the connection.

Select Business Name or Connection Name and click on Validate. You will see the below success message.

Connection


Business Name” is valid.


- Data flows are enabled.


- Remote tables are enabled.


 

Step 2: With Option SAML Assertion: TRUE

Login into Datasphere -> Connections -> Search for Success Factors -> Local Connections -> Create



OAuth 2.0

Provide SAML Assertion: TRUE

OAuth Token Endpoint: Enter the Token endpoint to use to request an access token: <SAP SuccessFactors API Server>/oauth/token.

OAuth Scope: Optional.

OAuth Company ID: Enter the SAP SuccessFactors company ID.

Credentials (OAuth 2.0)

Client ID: API Key (Which was generated while X.509 certificate as explained in Section 1 & Step 1)

SAML Assertion: Private Key (Which was generated while X.509 certificate as explained in Section 1 & Step 2)

Now test the connection.

Select Business Name or Connection Name and click on Validate. You will see the below success message.

Connection


Business Name” is valid.


- Data flows are enabled.


- Remote tables are enabled.







 

Summary:


In the above Section 1 we have completed following points.

  1. X.509 Certificate

  2. Generated API Key

  3. Generated Private Key

  4. Downloaded/Uploaded the url certificate


 

In the Section 2 we have completed how to build a connection using OAuth 2.0 and SAML Assertion: TRUE and FALSE.




 

Troubleshooting:


Error 1: If you are getting below error message.


Resolution:

- Make sure that you are using the Private key generated from the OAuth key in SF, and not the public key that it's the one displaying in the OAuth Key config. The private key is only shared once, which is when you create the OAuth Key initially.

- Make sure no extra spaces are included when you add the private key in the Data Sphere system.

 

Error 2:

Connection "Business Name" couldn’t be established. - Data flows can't be used because of errors in the connection. - Replication flows are not supported. - Remote tables can't be used because of errors in the connection.

Data Flows: Cause: Invalid odata connection! Getting odata metadata failed because of Excpetion: org.apache.olingo.client.core.http.OAuth2Exception: Failed to fetch OAuth2 token! Token endpoint response HTTP/1.1 400 {"errorHttpCode":"400","errorMessage":"Invalid SAML assertion. For the correct SAML assertion format, see https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...."} Code:1500010
Remote Tables: Unable to connect remote source: Failed to fetch OAuth2 access token: 'HttpClient.request: OAuth2 request failed with error:
Response HTTP code: 400
Response HTTP body: {"errorHttpCode":"400","errorMessage":"Invalid SAML assertion. For the correct SAML assertion format, see https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...."}', Code: 5921, SQL State: HY000

Correlation ID: 08e0739b-cbdc-415a-5b32-2d90e5950b49

Resolution:  Follow the below link https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/4e27e8f6ae274...

 

Error 3:

Connection "Business Name or Connection_Name" is valid, but not all features are available.

- Data flows are enabled.

- Remote tables can't be used because of errors in the connection.

Remote Tables: Unable to connect remote source: SSL requested, but no trust store configured, Code: 5921, SQL State: HY000

 

Resolution:  Follow the S-Note: 3138841 - Error when using Remote tables in SAP Datasphere




 

References Link & S-Notes:


SAP SuccessFactors Connections: https://help.sap.com/docs/SAP_DATASPHERE/be5967d099974c69b77f4549425ca4c0/39df02030d4b411487bacecf9a...

3138841 - Error when using Remote tables in SAP Datasphere

3031657 - How to generate SAML assertion using SAP-provided offline tool – SuccessFactors

2850646 - How to register for OAuth 2.0 authentication - SuccessFactors Integrations

2613670 - What are the available APIs for SuccessFactors?

2533915 - SAP SuccessFactors SSL Certificate Renewal Schedule and Public Certificate Repository

2203741 - How to download an SAP SuccessFactors or API SSL Certificate

----------------------------

Thanks for reading this article! Your feedback and suggestions are welcome.
2 Comments
Labels in this area