[{ALLOW view All}]
[{ALLOW edit Markus}]
[{TableOfContents }]
!!Connecting SAP SuccessFactors Using an OAuth 2.0 Client (OA2CS)
Follow \\
SIMG > ABAP Platform > Application Server > Basis Services > Communication Interfaces \\
> OAuth 2.0 Client Implementation for SAP SuccessFactors Integration
The default implementation allows only a connection to ONE SuccessFactors instance.\\
Then you can use the existing objects.
This ones decribes how to create custom objects for multiple instances.
!certificates / communication
1. Configure Proxy Settings\\
x.SICF > F8 > Menu > Client > Proxy Settings \\
* > HTTPS Protocol = <host>:<port> SKIPPED !!!\\
* > Global Settings > Set Active SKIPPED !!!
!OAuth configuration
* OAuth profile type, SM30 > OA2C_TYPES (used as filter in the BAdI)
* OAuth profile, default "SUCCESSFACTORS", use SE80 > Create > Others > OAuth 2.0 Client Profile (t.OA2C_PROFILES, see below to add en entry in that table!)
* Provider type, default "SuccessFactors", x.CLB2_PTYPE (SM30 > CLB2V_PTYPE)
* Application ID, default "DEFAULT", x.CLB2_APPLI
* Application Server Assignment, default "DEFAULT", SM34 > CLB2VC_APPLI_PLATF <= here we have the OAuth App ID and the companyId
* Collaboration: Communication Server Settings, SM30 > CLB2V_PLATF
* Server Communication, default "SuccessFactors", SM34 > CLB2VC_PLATF (SM30 > CLB2V_PLATF), make sure to fill also the "Authentication Methods" like USER
* Server, default "SuccessFactors", SM34 > CLB2VC_PLATF_DEF
* Application Settings" for each instance with SM30 > CLB2V_APPL_DATA
* Parameters for each instance with SM30 > CLB2V_APPL_EXT, here we have company_id
x. OA2C_CONFIG (t.oa2c_client)
{{{
<sf_host>/oauth/token
form, header, current, SAML
www.successfactors.com
998}}}
!Modifications
Whenever you choose to create SAML a new STRUST is created:
"SSF OAuth2 Client Identity Provider - Signature"
{{{
" Create entry with r.ZMDW_TEST, the new applic need to be assigned to the type via SM30 > CLB2V_PTYPE
FORM create_sf_application.
DATA: ls_app TYPE ssfapplic,
ls_appt type SSFAPPLICT,
lv_new_app_name TYPE string.
delete from ssfapplic where applic = 'OA_CD'.
delete from ssfapplict where applic = 'OA_CD'.
lv_new_app_name = 'OACD'.
SELECT SINGLE * FROM ssfapplic INTO ls_app WHERE applic = 'OA2CS'.
ls_app-applic = lv_new_app_name.
MODIFY ssfapplic FROM ls_app.
WRITE: / |modified { lv_new_app_name }, rc={ sy-subrc }|.
SELECT SINGLE * FROM SSFAPPLICT INTO ls_appt WHERE sprsl = 'E' and applic = 'OA2CS'.
ls_appt-applic = lv_new_app_name.
ls_appt-descript = |OAuth2 Client Identity Provider - { lv_new_app_name }|.
MODIFY SSFAPPLICT FROM ls_appt.
WRITE: / |modified { lv_new_app_name }, rc={ sy-subrc }|.
ENDFORM.
}}}
Add SFF ID specific parameters with
* x.SSFA (t.SSFAPPLIC) or SM30 > VSSFARGS (x.SIMG > Multi Bank Connectivity Connector > Maintain SSF Application Parameters)
Note: use always same case to avoid mixing up at all artifacts:
Profile, Type, Application ID, Service Provider Type, SSF ID, Server
{{{
CL_OA2C_SPECIFICS_DEFAULT
CL_OA2C_CONFIG_EXT_DEFAULT
BAdI Definition: OA2C_SPECIFICS_BADI_DEF
BAdI Implementation: SMI_OA2C_SPEC_SFSF_BIZX
Filter Value: SUCCESSFACTORS
Implementation Class: CL_SMI_OA2C_SPEC_SFSF => copied to ZCL_SMI_OA2C_SPEC_SFSF_CD
=> exchange all references from class CL_SMI_OA2C_CONFIG_SFSF to ZCL_SMI_OA2C_CONFIG_SFSF_CD
=> edit method IF_OA2C_SPECIFICS~GET_CONFIG_EXTENSION (replace R_CONFIG_EXTENSION name)
SE18 > BAdI OA2C_SPECIFICS_BADI_DEF
> Right-Click > Create implementation > ei.Z_SMI_OA2C_SPEC_SFSF_BIZX_CD
> bi.Z_SMI_OA2C_SPEC_SFSF_CD
> assign class from above and add filter
Enh. Spot OA2C_CONFIG_EXTENSION
Enh. Impl. SMI_OA2C_CONFIG_SFSF
BAdI Def OA2C_CONFIG_EXTENSION_BADI_DEF
BAdi Impl. SMI_OA2C_CONFIG_SFSF_BIZX
Filter Value: SUCCESSFACTORS
Implementation Class: CL_SMI_OA2C_CONFIG_SFSF => copied to ZCL_SMI_OA2C_CONFIG_SFSF_CD
=> update attributes GC_APPLICATION and GC_SMI_SP_SFSF
SE18 > es.OA2C_CONFIG_EXTENSION
> Right-Click > Create implementation > ei.Z_SMI_OA2C_CONFIG_SFSF_CD
> bi.Z_SMI_OA2C_CONFIG_SFSF_BIZX_CD
> assign class from above and add filter
}}}
! Connection Test
* r.OA2C_GENERIC_ACCESS
* r.RCLB2_DEMO_GENERIC
{{{
Choose your Service Provider Type and Application ID
Request Method: HTTP Get (GET)
Manually Entered Endpoint
Endpoint: /odata/v2/FODivision/
Authentication Context: User Context (USER)
}}}
! Successfactors auth endpoints
The first is not secure anymore and should not be used anymore.
{{{
/oauth/idp
parameters:
client_id
user_id
private_key
token_url
use_email
use_username <=== true
/oauth/token
parameters:
company_id
client_id
grant_type
assertion
new_token <=== true
}}}
!Trace
/usr/sap/DMD/D11/work/dev_w* (work process traces) => search for "OA2C"
!!Issues
!Enable SAML button
OA2C_CONFIG > reenable/toggle "SAML 2.0 Disabled" is creating a new certificate at STRUST "SSF OAuth2 Client Identity Provider - Signature", but not if just edited- Then you need to copy the STRUST certificate to SF again!.
!400 "Invalid SAML assertion. For the correct SAML assertion format.."
* x.OA2C_CONFIG press button "Delete SAML 2.0 Settings" Then reenable SAML 2.0 by pressing the toggle button "SAML 2.0 Disabled".
* to use username from DMD use 998 in OA2C_CONFIG and add the userId as alias to your SAP user
!401 "Client authentication failed (e.g., unknown client, no client authentication included, ...)"
* Wrong certificate between STRUST and SF
!401 "Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID."
* wrong certificate in SF OAuth => use the one from STRUST "SSF OAuth2 Client Identity Provider - Signature"
!401 Unable to authenticate the client (Login failed - invalid user)
see [https://me.sap.com/notes/2668018/E]
* Test: CL_OA2C_SAML20_ASSERTION->BUILD_NAME_ID() > at line 25 es_saml20_name_id-_value = sy-uname. > replace with userId
* the SF login expects the userId though you configured and pass the username
!SAML 2.0 for OAuth 2.0 client is disabled.
* visible at exception in CL_OA2C_CLIENT->IF_OAUTH2_CLIENT~EXECUTE_SAML20_FLOW() line 174
* OA2C_CONFIG > reenable/toggle with "SAML 2.0 Disabled"
!No implementation exists for BAdI CLB2_OAUTH2_IMPL
* Enhancement Implementation SMI_OAUTH2_AUTH_MAP > Add filter