Using OAuth Client with SAML Bearer Assertion Authentication

Context

To be able to make calls to the SAP SuccessFactors OData APIs with user propagation, you need to create a destination with SAML Bearer Assertion authentication in the SAP BTP cockpit on a subaccount level. You also need to create an OAuth client in the SAP SuccessFactors system.

Procedure

  1. Download the X509 Certificate in SAP BTP.

  2. Create an OAuth Client in SAP SuccessFactors.

  3. Create an HTTP Destination Using SAML 2.0 Bearer Assertion Authentication.

  4. Consume the Destination.

Related Information

SAP Authorization and Trust Management Service in the Cloud Foundry Environment

Consuming the Destination Service (Cloud Foundry Environment)

Download the X509 Certificate in SAP BTP

Procedure

  1. In the SAP BTP cockpit, navigate to your extension subaccount in the Cloud Foundry environment.

  2. Choose Connectivity > Destinations.

  3. Choose Download Trust to get the certificate for this subaccount and save it on your local file system.

  4. Open the certificate in a text editor and copy the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Create an OAuth Client in SAP SuccessFactors

Procedure

  1. In the SAP SuccessFactors system, go to Admin Center and search for OAuth. Choose Manage OAuth2 Client Applications from the search results.

  2. Choose Register Client Application.

  3. In the Application Name field, enter a descriptive name of your choice for the client.

  4. In the Application URL field, enter the URL of the extension application.

  5. In the X.509 Certificate field, paste the content between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- that you copied in step 4 of Download the X509 Certificate in SAP BTP.

  6. Choose Register to save the OAuth client.

Create an HTTP Destination Using SAML 2.0 Bearer Assertion Authentication

You create an HTTP destination to be able to make calls to the SAP SuccessFactors HXM Suite OData APIs using SAML 2.0 Bearer Assertion authentication.

Procedure

  1. In the SAP BTP cockpit, navigate to your extension subaccount in the Cloud Foundry environment.

  2. Choose Connectivity > Destinations.

  3. Choose New Destination and fill in the following properties:

    | Property | Value |
    | --- | --- |
    | Name | Enter a name for the destination. For example, sap_hcmcloud_core_odata. |
    | Type | HTTP |
    | URL | Enter the URL of the SAP SuccessFactors OData API you want to consume. For a list of the API Endpoint URLs for the SAP SuccessFactors environments, see About HXM Suite OData APIs. |
    | Proxy Type | Internet |
    | Authentication | OAuth2SAMLBearerAssertion |
    | Audience | www.successfactors.com |
    | AuthnContextClassRef | urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession |
    | Client Key | Enter the API Key of the OAuth client you created in SAP SuccessFactors. |
    | Token Service URL | Enter the API Endpoint URL for the SAP SuccessFactors instance followed by /oauth/token. For example, https://apisalesdemo2.successfactors.eu/oauth/token. For a list of the API Endpoint URLs for the SAP SuccessFactors environments, see About HXM Suite OData APIs. |

  4. In the Additional Properties, choose New Property to define the following properties:

    | Property | Value |
    | --- | --- |
    | apiKey | Enter the API Key of the OAuth client you created in SAP SuccessFactors. |
    | SystemUser | The technical user for OData access with SAML 2.0 Bearer Assertion authentication. Specify a value for this setting only if you want to configure OData access with a technical user. |
    | companyId | The ID of your SAP SuccessFactors company. |
    | nameIdFormat | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified if the user ID will be propagated to the SAP SuccessFactors application, or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress if the user email will be propagated to SAP SuccessFactors. |

  5. (Optional) If you are using SAP Business Application Studio to develop your application, you have to specify another set of additional properties. See What is SAP Business Application Studio.

    In the Additional Properties, choose New Property to define the following properties related to the SAP Business Application Studio:

    | Property | Value |
    | --- | --- |
    | WebIDEUsage | Specify this property with value odata_gen to consume an OData service in your application. |
    | WebIDEEnabled | If your application does not run on Cloud Foundry, you have to establish a connection to an external system by setting this property to true. |
    | HTML5.DynamicDestination | If your application does not run on Cloud Foundry, you have to establish a connection to an external system by setting this property to true. |
    | product.name | SAP SuccessFactors. The type of the SAP System for which you create this HTTP destination. |

  6. Save the changes.
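A lint for the destination settings from steps 3 and 4, added here as an example and not part of SAP's tooling or the original page. The property key names follow the destination properties-file spelling and are assumptions (the page shows only the cockpit field labels), the https check is an added hardening rule, and the API key and company ID in the sample are placeholders.

```python
from urllib.parse import urlsplit
# Values the page prescribes. Key names use the destination properties-file
# spelling, an assumption: the page shows only the cockpit field labels.
FIXED = {
    "Type": "HTTP", "ProxyType": "Internet",
    "Authentication": "OAuth2SAMLBearerAssertion", "audience": "www.successfactors.com",
    "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
}
NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:"

def parse_properties(text):
    """Parse key=value lines, skipping # comments and lines without '='."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def lint_destination(props):
    """Return findings; an empty list means the settings match the page."""
    out = [f"{k} must be {v!r}" for k, v in FIXED.items() if props.get(k) != v]
    api, token = (urlsplit(props.get(k, "")) for k in ("URL", "tokenServiceURL"))
    if api.scheme != "https" or token.scheme != "https":
        out.append("URL and tokenServiceURL must use https")  # added hardening check
    if token.path != "/oauth/token":
        out.append("tokenServiceURL must end with /oauth/token")
    if api.hostname != token.hostname:
        out.append("tokenServiceURL host differs from URL host")
    if not props.get("clientKey") or props.get("clientKey") != props.get("apiKey"):
        out.append("clientKey and apiKey must both hold the API Key")
    if not props.get("companyId"):
        out.append("companyId is missing")
    if props.get("nameIdFormat") not in (NAMEID + "unspecified", NAMEID + "emailAddress"):
        out.append("nameIdFormat is not one of the two allowed URNs")
    return out

# Constructed sample; the API key and company ID are placeholders.
SAMPLE = """\
Name=sap_hcmcloud_core_odata
Type=HTTP
URL=https://apisalesdemo2.successfactors.eu
ProxyType=Internet
Authentication=OAuth2SAMLBearerAssertion
audience=www.successfactors.com
authnContextClassRef=urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
clientKey=EXAMPLE_API_KEY
tokenServiceURL=https://apisalesdemo2.successfactors.eu/oauth/token
apiKey=EXAMPLE_API_KEY
companyId=EXAMPLE_COMPANY
nameIdFormat=urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
"""
```

Calling lint_destination(parse_properties(SAMPLE)) returns an empty list; a token service URL on a different host or a mismatched apiKey each produce a finding.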

Consume the Destination

Context

To consume the destination you have created, you use the Destination service. You can either consume the Destination service directly, or configure the application router to consume it.