Adding your SAP SucessFactors credentials to Oomnitza

Best practice
For the integration with Oomnitza, create a dedicated user account.

Prerequisites

SAP SuccessFactors uses OAuth 2.0 authentication and requires you to complete the following steps before you add your credentials to Oomnitza:

1. Create an X.509 Certificate.
2. Register your OAuth app.
3. Obtain a SAML assertion.
4. Obtain your SAP SucessFactors CompanyID.
5. Obtain your SAP API Server URL.

Create an X.509 Certificate

You can generate a self-signed X.509 certificate (recommended) by following the steps in SAP API Documentation: Creating a Self-Signed X.509 Certificate. When your self-signed certificate is generated, proceed to Register your OAuth app.

If you are unable to create a self-signed certificate, you can generate an X.509 certificate using SAP SuccessFactors. To generate an X.509 certificate using SAP SuccessFactors complete the following steps:

1. Log into your instance as an administrator.
2. Go to Admin Center>API Center>OAuth Configuration for OData. You can also access the tool by searching Manage OAuth2 Client Applications in the Action Search.
3. Click Register Client Application.
4. Click Generate X.509. Do not exit the screen, as you will need to register your OAuth app in the next steps.

The private key is available to you in the generated certificate. You must save the private key before you register your OAuth app.

Warning
The private key must be kept secure under all circumstances. Do not share the private key with others. If you lose the private key, you can create a new one.

For further information, refer to the SAP API Documentation: Creating an X.509 Certificate in SAP SuccessFactors.

Next steps

Supply your X.509 certificate to generate your OAuth API key.

Register your OAuth app

1. If you have completed the previous step, your X.509 certificate is already populated. Enter the mandatory information. Otherwise, if you have generated a self-signed certificate, navigate to Admin Center>API Center>OAuth Configuration for OData>Register Client Application. Enter the mandatory information including the X.509 certificate. 
2. For the Application URL, enter the following https://generic-oauth2-proxy.oomnitza.com/oauth2/redirect_url
3. Click Register to complete your registration. 

Once the application is registered the public API Key (also known as the Client ID) is displayed. This will be required in later steps for authentication.

For further information, refer to the following links:

• SAP API Documentation: Registering Your OAuth2 Client Application
• SAP Blog: How to use OAuth2 SAML Bearer Assertion

Next steps

Generate a SAML assertion file with your private and public API keys.

Obtain a SAML assertion

You can obtain a SAML assertion from your trusted IdP (recommended) or using the offline SAML generator provided by SAP SuccessFactors. To obtain a SAML assertion using the offline SAML generator complete the following steps:

1. Install Apache Maven in your local environment. Apache Maven is required to run the commands to generate SAML assertions in this task. For more information, see Installing Apache Maven.
2. Download the SAML generator tool from 3031657  and extract the files to your local directory.
3. Go to the SAMLAssertionGen directory, open the SAMLAssertion.properties file with a text editor, and enter the following values:
   • Token URL: The recipient URL from where the access token is to be generated. This is the OAuth API endpoint of your SAP SuccessFactors API server. For example, if your API Server is located in Virginia, your API Server URL with OAuth endpoint would be :https://api8.successfactors.com/oauth/token
   • Client ID: The public API key you obtained in Register your OAuth app.
     
   • UserName: The SAP SuccessFactors username used to access the APIs.
     
   • Private Key: The X.509 private key that you obtained in Creating an X.509 Certificate.
   • Expire in days: The expiration days of the SAML assertion. The default value is set to 10000.
4. Save the changes
5. Open a command-line tool and go to the SAMLAssertionGen directory. Run the following command: mvn compile exec:java -Dexec.args="SAMLAssertion.properties" 
6. Once completed, the SAML assertion is generated. Copy this and store it securely in your local drive.

Figure: The SAMLAssertion.properties file

For further information, refer to the following links:

• SAP API Documentation: Generating a SAML Assertion
• SAP Blog: SAP SuccessFactors SAML Assertion format demonstration using SAP Provided offline tool
• SAP Help Portal: List of API Servers URLs.

Obtain your Company ID

You can find your Company ID in the profile dropdown. Go to Show version information and look for the Company ID field. For additional information, refer to SAP Knowledge Base: How to find the SucessFactors Company ID.

Obtain your API Server URL

You can find a list of API Server URLs for your location on the SAP Help Portal.

Next steps

Add your Company ID, API Server URL (Token URL), Client ID (Public Key), and SAML Assertion to Oomnitza.

Adding your SAP credentials

To stream SAP SuccessFactors data into Oomnitza, and the credentials that you obtained to Oomnitza:

1. In Oomnitza, click Configuration > Security > Credentials.
2. Click Add new credential (+).
3. Search for the integration, and then click the forward arrow > to select the integration. 
4. Enter your client credentials and any other additional information.
5. Click Authenticate. You are prompted to log in to authorize your request.
6. Click CREATE.

1. Add the information details.
2. Click the AUTHORIZATION tab.
3. Ensure that OAuth 2.0 is selected as the Authorization type.
4. Ensure that SAP SucessFactors is selected from the SaaS list.
5. Enter the OAuth credentials.
6. Click Authenticate.
7. Click Create.