Configure OAuth 2.0 with SAML for SAP SuccessFactors

Early Access release

SAP SuccessFactors is retiring Basic Authentication for API access. To maintain your integration and improve security, you must transition to the OAuth 2.0 with SAML flow.

This flow uses a unique Okta signing certificate to authenticate API requests, eliminating the need to manage static administrator passwords.

Before you begin

• You have an SAP SuccessFactors tenant with administrative privileges.
• You've enabled the feature flag:

  In the Admin Console, go to Settings > Features, and in the Early access section, enable the SuccessFactors OAuth feature.

Register Okta as an OAuth client in SAP SuccessFactors

Register an Okta public certificate in SAP SuccessFactors to generate an API key.

1. In the Admin Console, go to Applications > Applications and select your SAP SuccessFactors app.
2. On the Provisioning tab, select Settings > Integration.
3. Locate the Signing Certificate, and click Download or Copy.
4. Sign in to SAP SuccessFactors Admin Center.
5. Search for and open Manage OAuth2 Client Applications.
6. Click Register Client Application.
7. Enter the Application Name and Application URL including the unique app instance ID. (for example, https://<your-org>.okta.com/admin/app/successfactors/instance/<instance-id>).
8. In the X.509 Certificate box, paste the certificate you downloaded earlier.
9. Click Register.
10. Locate the app in the Manage OAuth2 Client Applications list, and click View.
11. Copy the API Key and store it somewhere safely.

Configure OAuth in Okta

1. In the Admin Console, go to Provisioning tab of your SAP SuccessFactors app and click Edit.
2. In the Client Id box, paste the API Key you copied from SAP SuccessFactors.
3. Click Test API Credentials.
4. After the success message appears, click Save.