Inhaltsverzeichnis
- Connecting SAP SuccessFactors Using an OAuth 2.0 Client (OA2CS)
- certificates / communication
- OAuth configuration
- Modifications
- Connection Test
- Successfactors auth endpoints
- Trace
- Issues
- Enable SAML button
- 400 "Invalid SAML assertion. For the correct SAML assertion format.."
- 401 "Client authentication failed (e.g., unknown client, no client authentication included, ...)"
- 401 "Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID."
- 401 Unable to authenticate the client (Login failed - invalid user)
- SAML 2.0 for OAuth 2.0 client is disabled.
- No implementation exists for BAdI CLB2_OAUTH2_IMPL
Connecting SAP SuccessFactors Using an OAuth 2.0 Client (OA2CS)#
Follow
SIMG > ABAP Platform > Application Server > Basis Services > Communication Interfaces
> OAuth 2.0 Client Implementation for SAP SuccessFactors Integration
The default implementation allows only a connection to ONE SuccessFactors instance.
Then you can use the existing objects.
This ones decribes how to create custom objects for multiple instances.
certificates / communication#
1. Configure Proxy Settingsx.SICF > F8 > Menu > Client > Proxy Settings
- > HTTPS Protocol = <host>:<port> SKIPPED !!!
- > Global Settings > Set Active SKIPPED !!!
OAuth configuration#
- OAuth profile type, SM30 > OA2C_TYPES (used as filter in the BAdI)
- OAuth profile, default "SUCCESSFACTORS", use SE80 > Create > Others > OAuth 2.0 Client Profile (t.OA2C_PROFILES, see below to add en entry in that table!)
- Provider type, default "SuccessFactors", x.CLB2_PTYPE (SM30 > CLB2V_PTYPE)
- Application ID, default "DEFAULT", x.CLB2_APPLI
- Application Server Assignment, default "DEFAULT", SM34 > CLB2VC_APPLI_PLATF <= here we have the OAuth App ID and the companyId
- Collaboration: Communication Server Settings, SM30 > CLB2V_PLATF
- Server Communication, default "SuccessFactors", SM34 > CLB2VC_PLATF (SM30 > CLB2V_PLATF), make sure to fill also the "Authentication Methods" like USER
- Server, default "SuccessFactors", SM34 > CLB2VC_PLATF_DEF
- Application Settings" for each instance with SM30 > CLB2V_APPL_DATA
- Parameters for each instance with SM30 > CLB2V_APPL_EXT, here we have company_id
x. OA2C_CONFIG (t.oa2c_client)
<sf_host>/oauth/token form, header, current, SAML www.successfactors.com 998
Modifications#
Whenever you choose to create SAML a new STRUST is created: "SSF OAuth2 Client Identity Provider - Signature"
" Create entry with r.ZMDW_TEST, the new applic need to be assigned to the type via SM30 > CLB2V_PTYPE
FORM create_sf_application.
DATA: ls_app TYPE ssfapplic,
ls_appt type SSFAPPLICT,
lv_new_app_name TYPE string.
delete from ssfapplic where applic = 'OA_CD'.
delete from ssfapplict where applic = 'OA_CD'.
lv_new_app_name = 'OACD'.
SELECT SINGLE * FROM ssfapplic INTO ls_app WHERE applic = 'OA2CS'.
ls_app-applic = lv_new_app_name.
MODIFY ssfapplic FROM ls_app.
WRITE: / |modified { lv_new_app_name }, rc={ sy-subrc }|.
SELECT SINGLE * FROM SSFAPPLICT INTO ls_appt WHERE sprsl = 'E' and applic = 'OA2CS'.
ls_appt-applic = lv_new_app_name.
ls_appt-descript = |OAuth2 Client Identity Provider - { lv_new_app_name }|.
MODIFY SSFAPPLICT FROM ls_appt.
WRITE: / |modified { lv_new_app_name }, rc={ sy-subrc }|.
ENDFORM.
Add SFF ID specific parameters with
- x.SSFA (t.SSFAPPLIC) or SM30 > VSSFARGS (x.SIMG > Multi Bank Connectivity Connector > Maintain SSF Application Parameters)
Note: use always same case to avoid mixing up at all artifacts: Profile, Type, Application ID, Service Provider Type, SSF ID, Server
CL_OA2C_SPECIFICS_DEFAULT CL_OA2C_CONFIG_EXT_DEFAULT BAdI Definition: OA2C_SPECIFICS_BADI_DEF BAdI Implementation: SMI_OA2C_SPEC_SFSF_BIZX Filter Value: SUCCESSFACTORS Implementation Class: CL_SMI_OA2C_SPEC_SFSF => copied to ZCL_SMI_OA2C_SPEC_SFSF_CD => exchange all references from class CL_SMI_OA2C_CONFIG_SFSF to ZCL_SMI_OA2C_CONFIG_SFSF_CD => edit method IF_OA2C_SPECIFICS~GET_CONFIG_EXTENSION (replace R_CONFIG_EXTENSION name) SE18 > BAdI OA2C_SPECIFICS_BADI_DEF > Right-Click > Create implementation > ei.Z_SMI_OA2C_SPEC_SFSF_BIZX_CD > bi.Z_SMI_OA2C_SPEC_SFSF_CD > assign class from above and add filter ENh. Spot OA2C_CONFIG_EXTENSION Enh. Impl. SMI_OA2C_CONFIG_SFSF BAdI Def OA2C_CONFIG_EXTENSION_BADI_DEF BAdi Impl. SMI_OA2C_CONFIG_SFSF_BIZX Filter Value: SUCCESSFACTORS Implementation Class: CL_SMI_OA2C_CONFIG_SFSF => copied to ZCL_SMI_OA2C_CONFIG_SFSF_CD => update attributes GC_APPLICATION and GC_SMI_SP_SFSF SE18 > BAdI OA2C_CONFIG_EXTENSION_BADI_DEF > Right-Click > Create implementation > ei.Z_SMI_OA2C_CONFIG_SFSF_CD > bi.Z_SMI_OA2C_CONFIG_SFSF_BIZX_CD > assign class from above and add filter
Connection Test#
- r.OA2C_GENERIC_ACCESS
- r.RCLB2_DEMO_GENERIC
Choose your Service Provider Type and Application ID Request Method: HTTP Get (GET) Manually Entered Endpoint Endpoint: /odata/v2/FODivision/ Authentication Context: User Context (USER)
Successfactors auth endpoints#
The first is not secure anymore and should not be used anymore.
/oauth/idp parameters: client_id user_id private_key token_url use_email use_username <=== true /oauth/token parameters: company_id client_id grant_type assertion new_token <=== true
Trace#
/usr/sap/DMD/D11/work/dev_w* (work process traces) => search for "OA2C"Issues#
Enable SAML button#
OA2C_CONFIG > reenable/toggle "SAML 2.0 Disabled" is creating a new certificate at STRUST "SSF OAuth2 Client Identity Provider - Signature", but not if just edited- Then you need to copy the STRUST certificate to SF again!.400 "Invalid SAML assertion. For the correct SAML assertion format.."#
- x.OA2C_CONFIG press button "Delete SAML 2.0 Settings" Then reenable SAML 2.0 by pressing the toggle button "SAML 2.0 Disabled".
- to use username from DMD use 998 in OA2C_CONFIG and add the userId as alias to your SAP user
401 "Client authentication failed (e.g., unknown client, no client authentication included, ...)"#
- Wrong certificate between STRUST and SF
401 "Unable to verify the signature of the SAML assertion. Please ensure that the assertion has a signature and the key pairs match the client ID."#
- wrong certificate in SF OAuth => use the one from STRUST "SSF OAuth2 Client Identity Provider - Signature"
401 Unable to authenticate the client (Login failed - invalid user)#
see https://me.sap.com/notes/2668018/E
- Test: CL_OA2C_SAML20_ASSERTION->BUILD_NAME_ID() > at line 25 es_saml20_name_id-_value = sy-uname. > replace with userId
- the SF login expects the userId though you configured and pass the username
SAML 2.0 for OAuth 2.0 client is disabled.#
- visible at exception in CL_OA2C_CLIENT->IF_OAUTH2_CLIENT~EXECUTE_SAML20_FLOW() line 174
- OA2C_CONFIG > reenable/toggle with "SAML 2.0 Disabled"
No implementation exists for BAdI CLB2_OAUTH2_IMPL#
- Enhancement Implementation SMI_OAUTH2_AUTH_MAP > Add filter
No Copyright