Configuring SuccessFactors OData API authentication in Jitterbit App Builder
SuccessFactors supports the OAuth 2.0 SAML Bearer Assertion flow. This flow provides user-constrained authorization, exchanging SAML assertions for access tokens as described in the following specification:
https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23
This document covers the following tasks:
- Register App Builder as a SuccessFactors OAuth2 Client Application
- Register SuccessFactors as an App Builder security provider.
- Register the SAP OData Service data source server.
Requirements
To proceed, you will need the following:
- An existing SuccessFactors account.
- Administrator access to SuccessFactors account.
- Administrator access to App Builder.
Register App Builder as a SuccessFactors OAuth2 client application
App Builder will need to be registered within SuccessFactors as an OAuth2 Client Application. To register App Builder as an OAuth2 Client Application, you will need the following information:
Example | Notes | |
---|---|---|
Application Name | App Builder | The application name is arbitrary. If registering multiple instances of App Builder as OAuth2 Client Applications, give each a distinctive name. |
Application URL | https://example.com/App Builder/ | This is the App Builder web root. The URL must include the trailing slash. |
Common Name | example.com | This is the host name portion of the web root. |
To register App Builder as a SuccessFactors OAuth2 Client Application:
- Sign into SuccessFactors as an administrator
- Navigate to the Admin Center
- Select Company Settings → Manage OAuth 2 Client Applications
- Click the Register Client Application button
- Provide the Application Name and Application URL
- Click the Generate X.509 Certificate button
- Provide the Common Name(CN)
- Click the Generate button
- Click the Download button to save the certificate
- Click the Register button
Once registered, SuccessFactors will assign an API Key. The API Key, along with the certificate, will be needed to complete the remaining procedures.
Convert certificate
SuccessFactors generates a PEM formatted certificate; App Builder requires a base64 encoded, PKCS#12-formatted certificate. A full discussion of this topic is outside the scope of this document. However, by way of example, the OpenSSL command line utility can be used to convert a certificate from PEM to PKCS#12:
openssl pkcs12 -in certificate.pem -export -out certificate.pfx
Note that you will be prompted to provide a password. Record the password as it will be needed later.
To base64 encode the certificate:
openssl base64 -in certificate.pfx -out certificate.txt -A
For additional information regarding SuccessFactors OAuth2 Client Application certificates, consult the following document:
http://help.sap.com/saphelpiis_cloud4hr/EN/SuccessFactors_HCM_Suite_OData_API_Handbook_en.pdf
Note
At the time of writing, SuccessFactors does not generate an OpenSSL-compatibile certificate. To make the certificate compatible, open the certificate in a text editor and make the following changes:
Replace both occurrences of "ENCRYPTED PRIVATE KEY" with "PRIVATE KEY".
Insert line breaks such that no line is longer than 76 characters. Note that these must be Unix-style line breaks (line feed), not Windows- or Internet-style line breaks (line feed / carriage return pairs).
Register SuccessFactors as an App Builder security provider
To register SuccessFactors as an App Builder security provider, you will need the following information:
Example | Notes | |
---|---|---|
API Key | The API Key is assigned by SuccessFactors when registering the OAuth2 Client Application (see above). | |
Signing Certificate | The signing certificate must be a base64-encoded, PKCS#12 certificate containing the private key. The certificate may be generated manually or during the SuccessFactors OAuth2 Client Application registration process (see above). | |
Signing Certificate Password | The signing certificate password is assigned when generating the PKCS#12 formatted certificate. | |
Company ID | The SuccessFactors company identifier. | |
Instance API URL | https://api8.successfactors.com/ | SuccessFactors API URL: "Your endpoint URLs for accessing the OData APIs depend on the data center hosting your SuccessFactors instance." Refer to http://help.sap.com/saphelpiis_cloud4hr/EN/SuccessFactors_HCM_Suite_OData_API_Handbook_en.pdf for additional information. |
Note
The URL does not contain the /odata/v2 path. App Builder will append the path.
To register SuccessFactors as an App Builder security provider:
- Log into App Builder as an Administrator
- Navigate to the IDE
- Click the Security Providers button
- From the Data Source Authentication panel, click the + Data Source Authentication button
-
Provide the following:
- Name: A unique security provider name.
- Example: SuccessFactors
- Type: SuccessFactors OData
-
Priority: A unique integer between 10 and 100. Note that this value must be unique.
Example: 40
-
Click the Save button
-
Set the following properties (In the Properties panel, click the + Property button → Select the Parameter → Provide the Value → Click the Save icon):
- AuthenticationType: Saml
- CompanyID: Company ID
- ApiKey: API Key
- InstanceApiUrl: Instance API URL
- SigningCertificate: Signing Certificate
- SigningCertificatePassword: Signing Certificate Password
-
Click the Edit button in the Providers panel
- Check the Enabled option
- Click the Save button
Register the SAP OData service data source server
To register SuccessFactors as an App Builder data source server, you will need the following information:
Example | Notes | |
---|---|---|
OData Endpoint | https://api8.successfactors.com/odata/v2/ | SuccessFactors API URL: "Your endpoint URLs for accessing the OData APIs depend on the data center hosting your SuccessFactors instance." Refer to http://help.sap.com/saphelpiis_cloud4hr/EN/SuccessFactors_HCM_Suite_OData_API_Handbook_en.pdf for additional information. |
Security Provider Name | SuccessFactors | The security provider name as supplied above. |
Note
As of March 2016, the OData Endpoint appears to require a trailing slash.
To register SuccessFactors as an App Builder Data Source Server:
- Log into App Builder as an administrator
- Navigate to the IDE
- Select the Data Servers button
- In the Data Servers panel, click the + Server button
-
Provide the following:
- Name: A unique, logical server name.
- Example: SuccessFactors
- Type: SuccessFactors
-
URL:
{OData Endpoint}
Example: https://api8.successfactors.com/odata/v2
-
Example:
https://api8.successfactors.com/odata/v2
- Security Provider:
{Security Provider Name}
-
Click the Save button
Once the data source server has been registered, click the Test Connection button to ensure that everything is configured correctly. You may be prompted to sign in with Okta at this time.
Troubleshooting
A list of SuccessFactors OAuth 2.0 error responses is available from the following page:
http://help.sap.com/saphelpiis_cloud4hr/EN/SuccessFactors_HCM_Suite_OData_API_Handbook_en.pdf
The following "OAuth 2.0 Related Error Messages" appendix contains additional errors:
See the following for additional troubleshooting information:
Security provider - successfactors OData
"Either the server is unavailable or the connection information is incorrect." when testing connection
Ensure that the data source server URL ends with a trailing slash. For instance:
https://api8.successfactors.com/odata/v2/
As of March 2016, SuccessFactors requires a trailing slash.
"Accessing OData API using Basic authentication or External OAuth on non-API servers is forbidden." when testing connection
It is possible that the API endpoint has been replaced with a new endpoint. For instance, the following endpoints have been replaced:
- In November 2015, the API endpoint
https://salesdemo4.successfactors.com/
was replaced withhttps://apisalesdemo4.successfactors.com/
. - In March 2016, the API endpoint
https://hcm8preview.sapsf.com/
was replaced withhttps://api8preview.sapsf.com/
.