The Definitive Guide to Connecting SAP SuccessFactors with SAP Datasphere

Last week one of my customers wanted to set up a connection between SAP SuccessFactors and SAP Datasphere. There was a connector in SAP Datasphere that they read about, and it should be easy enough to make the connection, right? After reading countless blogs and SAP notes we got it working in the end, and I want to keep you from the struggle that we went through. So, want to connect your SAP SuccessFactors to SAP Datasphere? Let me help you in this blog.

There are a few steps to get the connection between SAP SuccessFactors and SAP Datasphere up and running. Overall these are the steps that you need to take:

1) Create an API user in SAP SuccessFactors

2) Make sure that your user has the correct authorizations

3) Create a Client Application in SAP SuccessFactors for SAP Datasphere

4) Download the SSL certificate of the SAP SuccessFactors tenant

5) Create a SAML Assertion

6) Set up the connection in SAP Datasphere

I don’t recommend skipping any of the steps, since there are quite a few small nitty-gritty things that you need to do or note down to get this working. Let’s start with step 1.

Create a user in SAP SuccessFactors with the correct authorizations

The first thing to do is to set up a user in SAP SuccessFactors that will be used as an API user. This step felt a bit strange to me, as this is not normally how you would expect a user to be set up, but it worked. We can basically follow this SAP Note: 2956021 https://userapps.support.sap.com/sap/support/knowledge/en/2956021

What is described in that SAP Note is that you first have to create a new user through the Import Employee Data tool. Here are the steps that you need to follow (directly copied from the Guided Answer):

1) Go to Admin Center > “Import Employee Data” tool.

2) Select the action “Download Template”.

3) Choose “Basic Import” as the entity.

4) Click on “Generate Template” to download the CSV file that will be used as the import file.

5) Provide the required fields in the CSV file (refer to the KBA 2267907 – Employee Import/Export file: supported standard-elements fields).

6) Go back to “Import Employee Data” tool and select the action as “Import Data”.

7) Select the entity as “Basic Import” and choose the CSV file you built previously.

8) Click on the “Validate Import File Data” button before actually importing it to confirm if there’s not any problems with the file.

9) After that, click on “Import” to effectively import the data.

Now that we have created an API user, we have to look up the UserID for this user in SuccessFactors. I think this was one of the most confusing steps. Normally you would think that the username or the user's e-mail address would represent the UserID, but after trying a lot of times I found out it is actually this number that you are looking for:

Write that ID down somewhere, because we will need it later. Also make sure that this new user has the correct authorizations to be able to see data (I am not going to burn my hands on authorizations 😉). 

Make sure that your user has the correct authorizations

To be able to execute the next step you need to make sure that your user has the rights to create an OAuth client.

Create a Client Application

We will now create our Client Application in SuccessFactors. For this we have to go to the API Center (search for it in the search bar) and then this button should be available to you if you followed the previous steps correctly:

In the Manage OAuth2 Client Applications we can register a new client application by clicking on this button:

Fill in the required fields and fill in the URL of your Datasphere tenant.

After you have done this, click on Generate X.509 Certificate and Download that Certificate. Last step is to click Register to create the Client application. Now the API Key should be visible:

Please copy and paste that somewhere, we are going to need that!

Get the SSL Certificate for your SuccessFactors tenant

Last thing we need to do in SuccessFactors is to download the certificate of your SuccessFactors tenant. For this you click on the lock icon left of the URL (based on Chrome / Brave Browser).

Then click on the “Certificate is Valid” button, which opens a new window:

And now you can Export the Certificate of your tenant:

After you have done that, we can finally close the SuccessFactors website and move on to the next step in the process.

Prepare for the creation of a SAML Assertion

To create a SAML Assertion we can follow this SAP Note: https://me.sap.com/notes/3031657. Please follow the first 4 steps yourself, and then you can pick up again with this blog. Please also download the attachment to the SAP note and then return to me 😊.

So, welcome back.

Okay, let’s extract the contents of the attachment in a simple to find directory on your hard drive. Please open this file in Notepad (or Notepad++, or whatever text editor you like to use).

Now for the first part of the information we need to visit this SAP site: https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/af2b8d5437494b12be88fe374eba75b6.html

On this site you can find what the API server for your tenant is. You can filter the table like below, in our case the location of the data center for our SuccessFactors tenant is in Frankfurt.

There are two types of API servers. The preview version is for your development / test environments of SuccessFactors and the production one is for your production tenant. Please copy the URL of the API Server and paste it here.

For the Client ID, we can use the API key that we copied earlier in the Client Registration process.

The userID we will fill with the ID of the API User that we created in Step 1. This should be a numeric ID. The privateKey we can get from the download that we made of the X.509 certificate.

And lastly change the value of expireInMinutes to something large, like 6000000.

Creating the SAML Assertion

Now that we have done all that, please open a command prompt window and go to the folder where you have extracted the SAMLAssertion.properties file. You can change folders by using cd <folder>. When you are in that folder, execute this statement:

mvn compile exec:java -Dexec.args="SAMLAssertion.properties"

And now some sort of wizardry happens, and something gets created. When it is done we need to copy the content after “The generated Signed SAML Assertion is:”
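To see what the copied value actually asserts before pasting it anywhere, the following added example (not part of the original blog or of SAP's generator) decodes it and reports the user it speaks for, the token endpoint it is addressed to, and how long it stays valid. It assumes the value is the Base64-encoded XML of a standard SAML 2.0 assertion; the sample assertion, user ID and host name are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
FMT = "%Y-%m-%dT%H:%M:%SZ"

def _instant(text):
    """Parse a SAML UTC instant, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else FMT
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def inspect_assertion(b64_text, now=None):
    """Report who the assertion speaks for, where it is accepted and until when."""
    now = now or datetime.now(timezone.utc)
    # The copied value may wrap over several console lines; drop the whitespace.
    root = ET.fromstring(base64.b64decode("".join(b64_text.split()), validate=True))
    if root.tag != SAML + "Assertion":
        raise ValueError("decoded value is not a SAML 2.0 assertion")
    cond = root.find(SAML + "Conditions")
    if cond is None or not cond.get("NotOnOrAfter"):
        raise ValueError("assertion carries no Conditions/@NotOnOrAfter")
    confirm = root.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    not_after = _instant(cond.get("NotOnOrAfter"))
    return {
        "subject": root.findtext(f"{SAML}Subject/{SAML}NameID"),
        "recipient": None if confirm is None else confirm.get("Recipient"),
        "not_on_or_after": not_after,
        "expired": now >= not_after,
        "days_left": max((not_after - now).days, 0),
    }

def constructed_sample(minutes, issued=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Constructed, unsigned stand-in for the generator output (all values made up)."""
    end = (issued + timedelta(minutes=minutes)).strftime(FMT)
    xml = (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        '<saml2:Subject><saml2:NameID>10001234</saml2:NameID>'
        '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml2:SubjectConfirmationData NotOnOrAfter="{end}" '
        'Recipient="https://api.example.invalid/oauth/token"/>'
        '</saml2:SubjectConfirmation></saml2:Subject>'
        f'<saml2:Conditions NotBefore="{issued.strftime(FMT)}" NotOnOrAfter="{end}"/>'
        '</saml2:Assertion>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for key, value in inspect_assertion(constructed_sample(6000000)).items():
        print(f"{key}: {value}")
```

With expireInMinutes at 6000000 the assertion is accepted for roughly 11 years, and anyone holding it can obtain tokens as the API user for that whole period, so store it like a password and keep the API user's permissions narrow.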

And finally, we can get to SAP Datasphere

We can finally return to our favourite tool: SAP Datasphere. First we will upload the SSL certificate to our DSP tenant. Go to System -> Configuration -> Security and click the + button at SSL/TLS Certificates

Browse to wherever you placed the SSL certificate export and click upload:

The certificate should now be available in SAP Datasphere, and as a result we will not run into any SSL issues when creating the connection.

Setting up the connection

We have arrived at the last step hopefully. Go to Connections and choose the space where the connection should be in. Click on the + button and click on create a connection.

Look for the standard SuccessFactors connection:

Now we are going to use the separate pieces of the puzzle to fill in this connection screen. We start with the URL. This should be the same URL as looked up earlier in the SAML Assertion step, but now it ends with /odata/v2.

Leave the Authentication Type on OAuth 2.0, and fill the OAuth Token Endpoint with the same URL as used in the SAML Assertion (should be ending with /oauth/token). The OAuth Company ID is the Company ID used in SAP SuccessFactors. You can find it somewhere in the URL of your tenant. See the screenshot below (it should be the value under the black rectangle):

For the Client ID we can use the API key that we generated earlier. And the SAML Assertion is the part that you have created via the command prompt screen. Overall, it should look something like this:

Click Next, give the connection a name and business description and click the button to create the connection. We can now use the Validate button to check if the connection is working. If you see this after you have clicked the Validate button, then you are all set to start building the datasets for your business!
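If Validate fails, it helps to know what the connection fields amount to on the wire. This added example (not part of the original blog or of SAP's tooling) checks the two URLs against the rules above and builds, without sending it, the OAuth 2.0 SAML bearer token request (RFC 7522) that these values feed. The `company_id` and `client_id` form parameter names are assumed from the SuccessFactors OAuth API; the host name and values are constructed.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

SAML_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type

def check_endpoints(odata_url, token_url):
    """Raise ValueError unless both URLs are https, on one host, with the expected paths."""
    odata, token = urlsplit(odata_url), urlsplit(token_url)
    if odata.scheme != "https" or token.scheme != "https":
        raise ValueError("both endpoints must use https")
    if odata.hostname != token.hostname:
        raise ValueError("OData URL and token endpoint point at different API servers")
    if not odata.path.rstrip("/").endswith("/odata/v2"):
        raise ValueError("OData URL must end with /odata/v2")
    if not token.path.rstrip("/").endswith("/oauth/token"):
        raise ValueError("token endpoint must end with /oauth/token")

def build_token_request(odata_url, token_url, company_id, client_id, assertion):
    """Build (without sending) the POST that trades the assertion for an access token."""
    check_endpoints(odata_url, token_url)
    form = {"company_id": company_id, "client_id": client_id, "assertion": assertion}
    for name, value in form.items():
        # Values pasted from a console or a notes file often pick up blanks or newlines.
        if not value or value != value.strip():
            raise ValueError(f"{name} is empty or has stray whitespace from copy and paste")
    form["grant_type"] = SAML_BEARER
    return Request(token_url, data=urlencode(form).encode("ascii"), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

if __name__ == "__main__":
    # Constructed values; replace them with the ones collected in the earlier steps.
    req = build_token_request(
        "https://api.example.invalid/odata/v2",
        "https://api.example.invalid/oauth/token",
        "COMPANY1", "constructed-api-key", "QUJD")
    # Print the destination and the field names only, never the assertion itself.
    print(req.get_method(), req.full_url)
    print(sorted(part.split("=")[0] for part in req.data.decode().split("&")))
```

Passing the returned request to `urllib.request.urlopen` performs the exchange against your own tenant; a JSON response containing an access token means the API key, Company ID, user ID and assertion all line up.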

Conclusion

Connecting SAP SuccessFactors to SAP Datasphere may seem complex, but hopefully, this guide has helped you get the connection up and running smoothly. A big thanks to everyone who contributed blogs and insights on this topic, as they provided crucial pieces to complete the puzzle of this integration.

Tim Koster