source link: https://blogs.sap.com/2021/07/29/how-to-use-oauth2-saml-bearer-assertion-in-sap-cloud-platform-integration-connecting-with-sap-successfactors-sfapi-soap/
Posted on July 29, 2021 5 minute read

How to use OAuth2 SAML Bearer Assertion in SAP Cloud Platform Integration connecting with SAP SuccessFactors SFAPI (SOAP)

Hello SAP community,

During the 2H 2020 release of the SAP SuccessFactors application, the sunset (planned retirement) of HTTP Basic Authentication for API calls (both SFAPI & OData) was announced; you can find more details in this link.

Recently (26th July 2021) our SAP Cloud Platform engineering colleagues also enhanced the CPI SF Adapter to support OAuth2 SAML Bearer Assertion in the SFAPI (SOAP).

Please check the details in the handbook:

Objective of this blog post:

  • Share one working sample of OAuth2 + SFAPI (SOAP) with the SAP community, customers and partners.
  • New custom integration developments need to start using OAuth2 instead of HTTP Basic Authentication (username/password) to be prepared for the Basic Auth sunset/retirement.

Let’s check the steps:

1) Start with the SuccessFactors configuration side.

If you are not familiar with OAuth, please check this page Authentication Using OAuth 2.0 – SAP Help Portal

Your SF user will need two permissions. Please add these in your role:

  • General User Permission > SFAPI User Login
  • Manage Integration Tools > Manage OAuth2 Client Applications

Access the Admin center > Manage OAuth2 Client Applications

Click on the “Register Client Application” button and fill in the fields *Application Name and *Application URL.

Keep this page open (don’t save or close yet) and let’s continue with the subsequent steps.

In another browser tab, open your CPI tenant > Monitor > Manage Security > Keystore

Click on the “Create” button > Key Pair

Fill out the fields Alias, Common Name (CN) and Country/Region (C). You can keep the default values for the other fields, or change some of them if you want, such as Valid Until.

After that, click on “Create”.

After that, open the line you just created > click on Download button > Certificate.

This will generate one file with the .cer extension, stored in your browser's default download folder. In my sample the file generated was:

  • salesdemosf_key_pair_sample_blog.cer

Open this .cer file with your preferred text editor to find the certificate value.

Copy this value and paste it into the *X.509 Certificate field of the SuccessFactors browser tab that we opened initially.

Then, click on “Register”.

You will then see your entry created, and you can click on “View”.

Copy the value of the field “API Key”

2) Let’s go back to CPI to complete the steps there.

Open your CPI tenant > Monitor > Manage Security > Security Material

Click on the “Create” button > OAuth2 SAML Bearer Assertion

Fill out the fields:

  • Name: your unique name for this key/credentials
  • Grant Type: OAuth2SAMLBearerAssertion
  • Audience: www.successfactors.com
  • Client Key: the value of the API Key copied in step 1
  • Token Service URL: in my sample, the value for the DC4 salesdemo URL is https://apisalesdemo4.successfactors.com/oauth/token
  • Target System Type: SuccessFactors
  • Company ID: your SF company ID
  • User ID: Key Pair Common Name (CN)
  • Key Pair Alias: the alias you created in the earlier step (found in the Keystore); in my sample it was salesdemosf_key_pair_sample_blog

Deploy!
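
The fields above map onto the token request defined by RFC 7522 and the SuccessFactors token endpoint (`company_id`, `client_id`, `grant_type`, `assertion`), which CPI builds and signs for you. The sketch below is an added example, not code from the original post or from SAP: all values are constructed placeholders, `lint_material` and `token_request_body` are hypothetical helpers, and the host comparison is a heuristic that assumes the token service and the adapter Address share one data-center host.

```python
import base64
from urllib.parse import urlencode, urlsplit

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522

# Constructed sample values mirroring the Security Material fields of step 2.
MATERIAL = {
    "name": "SF_OAUTH_SAMPLE",                      # placeholder
    "audience": "www.successfactors.com",
    "client_key": "PLACEHOLDER_API_KEY",            # API Key from step 1
    "token_service_url": "https://apisalesdemo4.successfactors.com/oauth/token",
    "company_id": "PLACEHOLDER_COMPANY",
    "user_id": "sfapi_user",                        # placeholder, equals the key pair CN
    "key_pair_alias": "salesdemosf_key_pair_sample_blog",
}

def lint_material(m, adapter_address):
    """Return a list of configuration problems (empty list means consistent)."""
    problems = [f"empty field: {k}" for k, v in m.items() if not v.strip()]
    url = urlsplit(m["token_service_url"])
    if url.scheme != "https":
        problems.append("token service URL must use https")
    if url.path != "/oauth/token":
        problems.append("token service URL should end in /oauth/token")
    # Heuristic (assumption): token service and API live on the same host.
    if url.hostname != urlsplit(adapter_address).hostname:
        problems.append("token URL host differs from adapter Address host")
    if m["audience"] != "www.successfactors.com":
        problems.append("audience is not www.successfactors.com")
    return problems

def token_request_body(m, signed_assertion_xml):
    """Form body for the POST to the token service URL.

    signed_assertion_xml: bytes of the SAML assertion, already signed with
    the private key behind the Key Pair Alias (CPI does this internally).
    """
    return urlencode({
        "company_id": m["company_id"],
        "client_id": m["client_key"],
        "grant_type": SAML2_BEARER,
        "assertion": base64.b64encode(signed_assertion_xml).decode("ascii"),
    })
```

The private key never leaves the CPI keystore; only the certificate downloaded in step 1 is registered in SuccessFactors, which uses it to verify the assertion signature.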

3) We are ready to start using this key in CPI development.

When creating your Request Reply, select the SuccessFactors adapter type.

After the step above, select SOAP as the Message Protocol.

In the Connection > Address field, select your SF datacenter API URL.

In the Connection > Credential Name field, type the Name of the Security Material we created in step 2.

In the Processing tab, click on the “Select” button to the right of the “Entity” field.

Once the screen loads, click on the plus (“+”) button.

Then you can fill out the fields System, Authentication, Address, Address Suffix and Credential Name, like the sample below.

[Screenshot: sample values for System, Authentication, Address, Address Suffix and Credential Name]

Then click on “Connect”.

In the Entity Selection, we can type the entity we want, like the SFAPI CompoundEmployee:

After selecting your entity, your Query Editor will be ready to be used, selecting the fields you want, applying your filter criteria, etc.

[Screenshot: Query Editor]

You can click on OK (top right of the screen, not visible in the above screenshot) and deploy your CPI custom process to validate.

My CPI process was very simple and the query used was:

[Screenshot: query used in the sample CPI process]

Once the process is deployed and executed, we can see the calls reaching the SF side under Admin center > SFAPI Audit logs:

[Screenshot: SFAPI Audit log entries]

As you can see above, the calls used authorization: Bearer ********** (SFAPI and OAuth2).

That’s it, all set!

Happy implementations.

If you are interested in seeing one working sample in CPI for OAuth2 and OData, please find more details in the links below:

Conclusion:

Using the instructions in this blog post, you will be able to set up SAP Cloud Platform Integration (CPI) to connect with SuccessFactors SFAPI (SOAP) using OAuth.

I hope this blog post can help your team do the same implementation faster.

If you find this blog post helpful – please press like button 🙂

Best Regards from Brazil,

Soliman

