[{ALLOW view All}]
[{ALLOW edit Markus}]
[{TableOfContents }]

!!Connecting SAP SuccessFactors Using an OAuth 2.0 Client (OA2CS)
Follow \\
SIMG > ABAP Platform > Application Server > Basis Services > Communication Interfaces \\
> OAuth 2.0 Client Implementation for SAP SuccessFactors Integration

The default implementation allows a connection to only ONE SuccessFactors instance.\\
In that case you can use the existing objects. This page describes how to create custom objects for multiple instances.

!certificates / communication
1. Configure Proxy Settings\\
x.SICF > F8 > Menu > Client > Proxy Settings \\
* > HTTPS Protocol = <host>:<port> SKIPPED !!!\\
* > Global Settings > Set Active SKIPPED !!!

!OAuth configuration
* OAuth profile, default "SUCCESSFACTORS", use SE80 > Create > Others > OAuth 2.0 Client Profile (t.OA2C_PROFILES)
* Application ID, default "DEFAULT", x.CLB2_APPLI
* Provider type, default "SuccessFactors", x.CLB2_PTYPE (SM30 > CLB2V_PTYPE)
* Application Server Assignment, default "DEFAULT", SM34 > CLB2VC_APPLI_PLATF <= here we have the OAuth App ID and the companyId
* Server Communication, default "SuccessFactors", SM34 > CLB2VC_PLATF (SM30 > CLB2V_PLATF), make sure to also fill the "Authentication Methods" like USER
* Server, default "SuccessFactors", SM34 > CLB2VC_PLATF_DEF
* "Application Settings" for each instance with SM30 > CLB2V_APPL_DATA
* Parameters for each instance with SM30 > CLB2V_APPL_EXT, here we have company_id

x.OA2C_CONFIG (t.oa2c_client)
{{{
<sf_host>/oauth/token
form, header, current, SAML
www.successfactors.com
998
}}}

!Modifications
Whenever you choose to create SAML, a new STRUST entry is created: "SSF OAuth2 Client Identity Provider - Signature" (x.SSFA) \\
table SSFAPPLIC <==== \\
> Create entry with r.ZMDW_TEST

Note: always use the same case for all artifacts to avoid mix-ups: Profile, Type, Application ID, Service Provider Type, SSF ID, Server

{{{
CL_OA2C_SPECIFICS_DEFAULT
CL_OA2C_CONFIG_EXT_DEFAULT

BADI Definition: OA2C_SPECIFICS_BADI_DEF
BADI Implementation: SMI_OA2C_SPEC_SFSF_BIZX
Filter Value: SUCCESSFACTORS
Implementation Class: CL_SMI_OA2C_SPEC_SFSF
=> copied to ZCL_SMI_OA2C_SPEC_SFSF_CD
=> exchange all references from class CL_SMI_OA2C_CONFIG_SFSF to ZCL_SMI_OA2C_CONFIG_SFSF_CD
=> edit method IF_OA2C_SPECIFICS~GET_CONFIG_EXTENSION (replace R_CONFIG_EXTENSION name)

BADI Definition: OA2C_CONFIG_EXTENSION_BADI_DEF
BAdI Implementation: SMI_OA2C_CONFIG_SFSF_BIZX
Filter Value: SUCCESSFACTORS
Implementation Class: CL_SMI_OA2C_CONFIG_SFSF
=> copied to ZCL_SMI_OA2C_CONFIG_SFSF_CD
=> update attributes GC_APPLICATION and GC_SMI_SP_SFSF

SE18 > BAdI OA2C_CONFIG_EXTENSION_BADI_DEF > Right-Click > Create implementation
> ei.Z_SMI_OA2C_SPEC_SFSF_BIZX_CD
> bi.Z_SMI_OA2C_SPEC_SFSF_CD
> assign class from above and add filter

SE18 > BAdI OA2C_SPECIFICS_BADI_DEF > Right-Click > Create implementation
> ei.Z_SMI_OA2C_CONFIG_SFSF_CD
> bi.Z_SMI_OA2C_CONFIG_SFSF_BIZX_CD
> assign class from above and add filter
}}}

!Connection Test
* r.OA2C_GENERIC_ACCESS
* r.RCLB2_DEMO_GENERIC
{{{
Choose your Service Provider Type and Application ID
Request Method: HTTP Get (GET)
Manually Entered Endpoint
Endpoint: /odata/v2/FODivision/
Authentication Context: User Context (USER)
}}}

!SuccessFactors auth endpoints
The first is no longer secure and should no longer be used.
{{{
/oauth/idp
parameters:
  client_id
  user_id
  private_key
  token_url
  use_email
  use_username <=== true

/oauth/token
parameters:
  company_id
  client_id
  grant_type
  assertion
  new_token <=== true
}}}

!Trace
/usr/sap/DMD/D11/work/dev_w* (work process traces) => search for "OA2C"

!!Issues

!Enable SAML button
OA2C_CONFIG > re-enabling/toggling "SAML 2.0 Disabled" creates a new certificate at STRUST "SSF OAuth2 Client Identity Provider - Signature", but not if the configuration is just edited. You then need to copy the STRUST certificate to SF again!

!400 "Invalid SAML assertion. For the correct SAML assertion format.."
* x.OA2C_CONFIG: press the button "Delete SAML 2.0 Settings", then re-enable SAML 2.0 by pressing the toggle button "SAML 2.0 Disabled".
* to use the username from DMD, use 998 in OA2C_CONFIG and add the userId as an alias to your SAP user

!401 "Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID."
* wrong certificate in SF OAuth => use the one from STRUST "SSF OAuth2 Client Identity Provider - Signature"

!401 Unable to authenticate the client (Login failed - invalid user)
see [https://me.sap.com/notes/2668018/E]
* Test: CL_OA2C_SAML20_ASSERTION->BUILD_NAME_ID() > at line 25 es_saml20_name_id-_value = sy-uname. > replace with userId
* the SF login expects the userId even though you configured and pass the username

!SAML 2.0 for OAuth 2.0 client is disabled.
* visible at exception in CL_OA2C_CLIENT->IF_OAUTH2_CLIENT~EXECUTE_SAML20_FLOW() line 174
* OA2C_CONFIG > re-enable/toggle with "SAML 2.0 Disabled"
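
The two 401 cases listed under Issues can be narrowed down offline by decoding the value sent in the `assertion` parameter and looking at its NameID and signature element. This is an added example, not part of the original notes or SAP code; it assumes the assertion is base64 (standard or URL-safe) encoded SAML 2.0 XML, and the sample assertion, the user name `MARKUS` and the userId `100042` are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def decode_assertion(b64_assertion: str) -> ET.Element:
    """Decode the value of the `assertion` form parameter into an XML element."""
    # Accept standard and URL-safe base64, with or without padding.
    data = b64_assertion.strip().replace("-", "+").replace("_", "/")
    data += "=" * (-len(data) % 4)
    return ET.fromstring(base64.b64decode(data))

def check_assertion(b64_assertion: str, expected_user_id: str) -> list[str]:
    """Return findings that correspond to the 401 errors listed under Issues."""
    root = decode_assertion(b64_assertion)
    findings = []
    # Presence check only: this does not verify the signature, so a wrong
    # certificate uploaded to SF (key pair mismatch) is not detected here.
    if root.find("ds:Signature", NS) is None:
        findings.append("no ds:Signature element: expect 401 'Unable to verify the signature'")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    value = (name_id.text or "").strip() if name_id is not None else ""
    if not value:
        findings.append("no Subject/NameID: no user is passed to SF")
    elif value != expected_user_id:
        findings.append(f"NameID is {value!r}, not the SF userId {expected_user_id!r}: "
                        "expect 401 'Login failed - invalid user'")
    return findings

def sample_assertion(name_id: str, signed: bool) -> str:
    # Constructed sample (hypothetical values); the signature body is left empty on purpose.
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    xml = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
           f"{sig}<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
           "</saml:Assertion>")
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    # NameID carries the SAP user name (sy-uname) instead of the SF userId, and no signature.
    for finding in check_assertion(sample_assertion("MARKUS", signed=False), "100042"):
        print(finding)
```
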