Integrating with SAP SuccessFactors

  • Release version: Washingtondc
  • Updated August 1, 2024
  • Integrating your Software Asset Management application with the SAP SuccessFactors application enables you to track your software subscriptions and to reclaim unused licenses.

    Important:
    You must request and install the following applications from ServiceNow Store:
    • SaaS License Management
    • SuccessFactors Spoke
    • Software Asset Management integration with SuccessFactors
    Important:
    Minimize security risks and protect information by granting access only to the necessary user or API permissions.
    Table 1. Minimal user permissions
    Process | Required user role in the SAP SuccessFactors application | Authentication scopes
    Download subscriptions | admin | None
    Pull user activity | admin | None
    Reclaim subscription | admin | None

    Set up basic authentication for SAP SuccessFactors

    Set up basic authentication to enable access to the SAP SuccessFactors API.

    Before you begin

    SAP SuccessFactors Role required: admin

    Procedure

    1. Log in to the SAP SuccessFactors instance using your admin credentials.
    2. On the page header of your instance, select Home > Admin Center.
    3. Create a group to assign API access permissions to.
      Tip:
      Include only non-admin users in this group, as admin users automatically have access to the SuccessFactors API.
      1. In the Tool Search field of the Admin Center, search for and select Manage Permission Groups.
      2. On the Permission Group dialog box, enter a name for the permission group in the Group Name field.
      3. In the Choose Group Members section, specify the users or user groups that you want to include in this permission group by adding them to a People Pool.

        People Pools allow you to specify the sets of users or user groups that you want to include or exclude for a permission group. You can either include all users and user groups in a single People Pool or group them into different People Pools. For example, you can create different People Pools for each department or office location within your organization.

        To add users or user groups to a People Pool, select an identification category, such as Username, and then enter each user or user group in the corresponding text box. Each entry must be separated by a comma.

        You can apply multiple identification categories to a single People Pool by clicking Add another category. You can also add additional People Pools by clicking Add another People Pool.

      4. Optional: In the Exclude these people from the group section, specify the users or user groups that you want to exclude from this permission group by adding them to a People Pool.

        To add users or user groups to a People Pool, select an identification category, such as Username, and then enter each user or user group in the corresponding text box. Each entry must be separated by a comma.

        You can apply multiple identification categories to a single People Pool by clicking Add another category. You can also add additional People Pools by clicking Add another People Pool.

      5. Select Done.
    4. Configure API access permissions for your group.
      1. In the Tool Search field of the Admin Center, search for and select Manage Permission Roles.
      2. Select Create New.
      3. On the Permission Role Detail form, enter a name for the permission role in the Role Name field.
      4. Optional: Enter a description for the permission role in the Description field.
      5. Under Permission settings, select Permission....
      6. In the Permission settings dialog box, select Manage Integration Tools from the left navigation pane.
      7. Select the Allow Admin to Access OData API through Basic Authentication check box.
      8. Select Employee Central API from the left navigation pane.
      9. Select the Employee Central HRIS OData API (editable) check box.
      10. Select Done.
        The dialog box closes and you return to the Permission Role Detail form.
      11. Under the Grant this role to... tab, select Add... to search for and select the permission groups that you created in step 4.
        Adding this permission group allows the associated users and user groups to access the APIs that are enabled in this permission role.
      12. Select Save Changes.

    Create an SAP SuccessFactors connection

    Create a connection between your SAP SuccessFactors OData API and your ServiceNow instance.

    Before you begin

    ServiceNow Role required: admin

    Procedure

    1. From your ServiceNow instance, navigate to Process Automation > Flow Designer.
      The Flow Designer launches in a new tab.
    2. Select the Connections tab.
    3. Select View Details for your SuccessFactors_OData connection.
    4. From the list of available connections, search for and select SuccessFactors_OData.
    5. Select Configure.
    6. In the Configure Connection dialog box, fill in the fields.
      Table 2. Configure Connection dialog box
      Field Description
      Connection Name Name of the SuccessFactors_OData connection.
      Connection URL OData API URL of your SAP SuccessFactors instance.
      User name Username for your SAP SuccessFactors admin account. Enter the same username that you used to log in to your SAP SuccessFactors instance in Set up basic authentication for SAP SuccessFactors.
      Password Password for your SAP SuccessFactors admin account. Enter the same password that you used to log in to your SAP SuccessFactors instance in Set up basic authentication for SAP SuccessFactors.
    7. Select Configure Connection.

    Register OAuth application in SuccessFactors

    Enable client certificate authentication for the outbound communication from SAP Master Data service by generating the keystore.jks and keystore.cer files.

    Before you begin

    Role required: admin

    Procedure

    1. Create a JKS certificate by using any one of the following methods:
      • Follow the steps in the Creating Java Keystore(JKS) with Private Key and Certificate Chain topic on the SAP Help Portal.
      • Install Java JDK 8 and OpenSSL, and execute the following commands in the terminal:
        1. openssl genrsa -out private.key 2048

          The private.key file is generated.

        2. openssl rsa -in private.key -pubout -out public.key

          The public key is extracted from the key pair and written to the public.key file.

        3. openssl req -new -x509 -key private.key -out publickey.cer -days 365

          Enter details of the Distinguished Name (DN). The publickey.cer file is generated.

        4. openssl pkcs12 -export -in publickey.cer -inkey private.key -out successfactors.p12 -name "successfactors"

          You’re prompted for a password. The successfactors.p12 file is generated using the private and public key created in step a and step b.

        5. keytool -importkeystore -srckeystore successfactors.p12 -srcstoretype pkcs12 -destkeystore successfactors.jks

          You’re prompted for the destination and source file password. The successfactors.jks file is created using the successfactors.p12 file created in step c.

        Note:
        Confirm that you enter the same passwords in steps c and d. For example, if you enter the password as 123456 in step c, you must enter 123456 as password in step d too.
    2. Log in to the SuccessFactors account as an admin.
    3. Navigate to Admin Center and select Company Settings.
    4. Select Manage OAuth2 Client Applications.
    5. Select Register Client Application.
    6. In the X.509 Certificate field, provide the contents of the publickey.cer file (public key) without the headers.
    7. Select Submit.

    Result

    The API Key is generated and displayed.

    What to do next

    Copy the API key generated and record the value for later use.
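
The key, certificate and keystore steps above as one non-interactive script, added here as an example (not ServiceNow or SAP code). It also prints the certificate body without headers for the X.509 Certificate field; the KS_PASS variable, the CN value and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not ServiceNow or SAP code.
# Assumptions: KS_PASS environment variable, the CN value, function names.
set -eu

ALIAS=successfactors   # must match "Signing Key Alias" in the ServiceNow keystore record

build_keystore() {
    : "${KS_PASS:?export KS_PASS with the keystore password first}"
    export KS_PASS     # openssl and keytool read the password from the environment
    umask 077          # private.key, .p12 and .jks are readable by the owner only

    openssl genrsa -out private.key 2048
    # -subj supplies the Distinguished Name without prompting (CN is a placeholder).
    openssl req -new -x509 -key private.key -out publickey.cer -days 365 \
        -subj "/CN=servicenow-successfactors-integration"
    # The same password protects both stores and never appears on the command line.
    openssl pkcs12 -export -in publickey.cer -inkey private.key \
        -out successfactors.p12 -name "$ALIAS" -passout env:KS_PASS
    # JDK 9 and later default to PKCS12, so the JKS type is requested explicitly.
    keytool -importkeystore -noprompt \
        -srckeystore successfactors.p12 -srcstoretype pkcs12 \
        -srcstorepass:env KS_PASS \
        -destkeystore successfactors.jks -deststoretype jks \
        -deststorepass:env KS_PASS
    # Fails if the alias is missing from the finished keystore.
    keytool -list -keystore successfactors.jks -storepass:env KS_PASS \
        -alias "$ALIAS" >/dev/null
}

# cert_body FILE: print the base64 body of a PEM certificate without the
# BEGIN/END lines. Anything that contains a private key, or that is not exactly
# one certificate, is refused so that only the public certificate is pasted.
cert_body() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    if [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$1")" != 1 ]; then
        echo "refusing: $1 is not a single PEM certificate" >&2
        return 1
    fi
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        grep -v '^-----' | tr -d '\r'
}

case "${1:-}" in
    build) build_keystore ;;
    body)  cert_body "${2:-publickey.cer}" ;;
    *)     echo "usage: $0 build | body [publickey.cer]" >&2 ;;
esac
```

Run it with `build` to create the files, then with `body` to print the text for the X.509 Certificate field.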

    Upload the JKS certificate in your ServiceNow instance

    Enable client certificate authentication for the outbound communication by uploading the JKS certificate in your ServiceNow instance.

    Before you begin

    Role required: admin

    Procedure

    1. Log in to your ServiceNow instance as an admin.
    2. Upload the JKS certificate to your ServiceNow instance.
      For instructions to upload the JKS certificate, see Upload a certificate to an instance.

    Register SuccessFactors as an OAuth provider

    Use the API key generated during the client application configuration to register the application as an OAuth provider.

    Before you begin

    Change the application scope to SuccessFactors spoke.

    Role required: admin

    Procedure

    1. In your ServiceNow instance, navigate to System OAuth > Application Registry.
    2. Select New.
    3. In the form, fill in these fields.
      Field Description
      Name Unique name to identify the certificate. For example, SuccessFactors SAML.
      Client ID Value of the API key you had copied after registering the OAuth client application in SuccessFactors.
      Client Secret
      Note:
      Client secret isn’t needed to register the application as an OAuth provider. You can provide any value for this field.
      Default Grant Type Default grant type used to establish the token. Select SAML2 Bearer.
      Token URL SuccessFactors OAuth server endpoint URL that includes the Company ID in this format: https://<SuccessFactors_Instance_Name>/oauth/token?company_id=<Company_ID>. For example, https://example.successfactors.eu/oauth/token?company_id=SFCPART123456.
    4. Select Submit.

    Create the SAML2 assertion producer record

    Create a SAML2 assertion record to generate the SAML2 assertion and exchange the assertion for the access tokens with the provider.

    Before you begin

    Change the application scope to SuccessFactors spoke.

    Role required: admin

    Procedure

    1. Create a SAML2 assertion producer record in your instance.
      1. Navigate to All > System OAuth > SAML2 Assertion Producers.
      2. Click New.
      3. On the form, fill in these values.
        Field Description
        Name Unique name to identify the SAML2 assertion producer record. For example, Successfactor SAML OAuth.
        Issuer Unique identifier for the assertion issuing entity. Provide the ServiceNow instance URL.
        Subject NameID User name to log in to the SuccessFactors instance. For example, sfadmin.
        Audience Intended audience for the assertion. Enter the value, www.successfactors.com.
        Recipient Intended recipient for the assertion. Enter URL in this format, https://<SuccessFactors-Instance-Name>/oauth/token.
      4. Right-click the form header and click Save.
      5. Under the SAML2 Assertion Keystores tab, click New.
      6. On the form, fill in these values.
        Field Description
        Name Unique name to identify the SAML2 assertion keystore record. For example, successfactors.
        Signing Key Alias Alias of key entry stored in the Keystore used to sign the assertion. For example, successfactors.
        Signing Key Password Password of the key entry stored in the keystore used to sign the assertion.
        Signing Keystore Required X.509 certificate record. Select the X.509 certificate record that you had earlier created. For more information, see Upload the JKS certificate in your ServiceNow instance.
      7. Click Submit.
      8. Navigate to All > System OAuth > SAML2 Assertion Producers.
      9. Open the SAML2 assertion producer record that you had created.
        For example, Successfactor SAML OAuth.
      10. Under the SAML2 Assertion Attributes tab, click New.
      11. On the form, fill in these values.
        Field Description
        Name Name to identify the SAML2 assertion attribute record. Enter api_key.
        Type Type of the Value field. Select String.
        Value API key generated after the OAuth client application is created in SuccessFactors.
      12. Click Submit.
    2. Associate the SAML2 assertion producer with the application registry record.
      1. Navigate to System OAuth > Application Registry.
      2. Open the application registry record that you had created.
        For example, SuccessFactors OAuth Reg. For more information about creating the application registry, see Register SuccessFactors as an OAuth provider.
      3. Under the OAuth Entity Profiles tab, open the default OAuth entity profile record.
        For example, Successfactor SAML default_profile.
      4. For the Assertion Producer field, select the SAML2 assertion producer record you had created.
        For example, Successfactor SAML OAuth.
      5. Click Update.
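
A pre-flight consistency check for the values entered in the Application Registry and SAML2 Assertion Producer forms, added here as an example (not ServiceNow code). The rules come from the formats shown in the tables above; the function name and argument order are assumptions, and the API key is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not ServiceNow code. Function name and argument order are
# assumptions; the expected formats are the ones given in the form tables.

# check_sf_oauth TOKEN_URL RECIPIENT AUDIENCE CLIENT_ID API_KEY_ATTRIBUTE
# Prints one FAIL line per problem and returns the number of problems.
check_sf_oauth() {
    token_url=$1; recipient=$2; audience=$3; client_id=$4; api_key=$5
    problems=0
    fail() { printf 'FAIL: %s\n' "$1"; problems=$((problems + 1)); }

    # Token URL: https://<instance>/oauth/token?company_id=<Company_ID>
    case "$token_url" in
        https://?*/oauth/token[?]company_id=?*) ;;
        *) fail "Token URL must be https://<instance>/oauth/token?company_id=<id>" ;;
    esac

    # Recipient: the same endpoint on the same instance, with no query string.
    [ "$recipient" = "${token_url%%[?]*}" ] ||
        fail "Recipient must be the Token URL without the company_id query"

    # Audience is the fixed value given for this integration.
    [ "$audience" = "www.successfactors.com" ] ||
        fail "Audience must be www.successfactors.com"

    # The api_key assertion attribute carries the same API key as the Client ID.
    if [ -z "$client_id" ] || [ "$client_id" != "$api_key" ]; then
        fail "api_key attribute must equal the Client ID (SuccessFactors API key)"
    fi
    return "$problems"
}

# Constructed sample values; the instance and company ID are the page's examples.
check_sf_oauth \
    "https://example.successfactors.eu/oauth/token?company_id=SFCPART123456" \
    "https://example.successfactors.eu/oauth/token" \
    "www.successfactors.com" "CONSTRUCTED_API_KEY" "CONSTRUCTED_API_KEY" &&
    echo "configuration is consistent"
```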

    Create credential record for the OData API

    Create a connection record for the OData API in SuccessFactors. The SuccessFactors spoke connection and credential alias uses these connections to perform actions in SuccessFactors.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to All > Connections & Credentials > Credentials.
    2. Click New.
      The system displays the message What type of Credentials would you like to create?.
    3. Select OAuth 2.0 Credentials.
      An empty OAuth 2.0 Credentials form is displayed.
    4. On the form, fill in these values.
      Field Value required
      Name Name to uniquely identify the record. For example, enter SAML_SuccessFactors_OData_Cred.
      OAuth Entity Profile OAuth entity profile record that is associated with the OAuth application registry you had created. For example, Successfactor SAML default_profile.

      For more information about creating the application registry, see Register SuccessFactors as an OAuth provider.

      Active Option to actively use the credential record.
      Order Order to apply this credential. For example, enter 100.
    5. Click Submit.

    Result

    The credential record to authorize actions using the OData API is created.

    Create connection record for the OData API

    Create a connection record for the OData API in SuccessFactors. The SuccessFactors spoke connection and credential alias uses these connections to perform actions in SuccessFactors.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to All > Connections & Credentials > Connection & Credential Aliases.
    2. Open the record for SuccessFactors OData.
      For example, SuccessFactors_OData.
    3. From the Connections tab, click New.
      The system displays an empty HTTP(s) Connection form.
    4. On the form, fill in these values.
      Table 3. HTTP(s) Connection form
      Field Description
      Name Name to uniquely identify the record. For example, SAML_SuccessFactors_OData_Conn.
      Credential Credential record you created for the OData API. For example, SAML_SuccessFactors_OData_Cred.
      Connection URL SuccessFactors service root URL in this format: https://<SuccessFactors_Instance_Name>/odata/v2. For example, https://apisalesdemo2.successfactors.eu/odata/v2.
      Active Option to actively use the connection record.
    5. Click Submit.

    Result

    The connection record for the OData API in SuccessFactors is created.

    Create an SAP SuccessFactors integration profile

    Create an SAP SuccessFactors integration profile to track software subscriptions and optimize licensing for your SAP SuccessFactors applications.

    Before you begin

    The Software Asset Management - SaaS License Management plugin (sn_sam_saas_int) must be installed from the ServiceNow Store.

    Change the application scope to Global.

    ServiceNow Role required: sam_integrator or admin

    About this task

    If you are using Software Asset Workspace, the option to create the SuccessFactors integration profile in Core UI is inactive.

    Procedure

    1. Navigate to the integration profile.
      Interface Action
      Core UI
      1. Navigate to All > Software Asset > SaaS License > Direct Integration Profiles.
      2. Select New.
      3. Select SuccessFactors Integration Profile.
      Software Asset Workspace
      1. Navigate to License operations > User Subscriptions > Direct integration profiles.
      2. Select New.
      3. Select SuccessFactors from the drop-down list.
      4. Select Continue.
    2. On the form, fill in the fields.
      Table 4. Integration Profile form
      Field Value
      Display Name Name of the integration profile. For example, SuccessFactors Integration.
      Connection & Credential Connection and credential alias for SAP SuccessFactors. This field populates automatically.
      Status Status of the integration profile.
      • If you have not published the integration profile, this field is automatically set to Draft.
      • If you have already published the integration profile, this field is automatically set to Published.
      Profile Type Type of integration profile. This field is automatically set to SuccessFactors Subscription.
    3. On the Download Subscription Subflow tab, verify that the Subflow field is set to SuccessFactors Download Subscriptions Subflow.
    4. On the Calculate Activity Subflow tab, verify that the Subflow field is set to SuccessFactors Update User Activity Subflow.
    5. On the Reclaim Subscription Subflow tab, verify that the Subflow field is set to SuccessFactors Reclaim Subscription Subflow.
    6. Select Save.
      Your ServiceNow instance creates a draft integration profile. The integration profile uses the SuccessFactors Download Subscriptions, SuccessFactors Update User Activity, and SuccessFactors Reclaim Subscription subflows to retrieve user data from the SAP SuccessFactors application.
    7. Generate and add the SAP SuccessFactors user login report to your integration profile.
      This report is required for retrieving the last activity date of your SAP SuccessFactors users. You must generate and add the latest version of this report every time you want to update the last activity date of your SAP SuccessFactors users in the Software Subscriptions [samp_sw_subscription] table.
      1. Log in to your SAP SuccessFactors instance using the admin credentials.
      2. On the page header of your instance, select Home > Admin Center.
      3. On the page header of the Admin Center, select Reporting.
      4. Select New to create a report.
      5. When prompted to select the type of report that you want to create, select Report - Table > Select.
      6. Under How would you like your data to be structured?, select Single Domain.
      7. Under What data would you like to start with?, select Login Data.
      8. Click Select.
        The Creating Login Data report page opens.
      9. On the General Info tab, fill in the fields.
        Table 5. General Info tab
        Field Description
        Domain Domain from which you are retrieving data. This field is automatically set to Login Data.
        Report Name Name of the report.
        Description Description of the report.
        Report Priority Priority of the report.
        Remove Styling Deselect this check box.
      10. On the People tab, select Refine criteria.
      11. In the Define Team dialog box, fill in the fields.
        Table 6. Define Team dialog box
        Field Description
        Team Manager Manager of the team for which you want to create this report. Select Logged In User.
        Team Reporting Type Type of report that you want to create for the team. Select Other Filters. When you select this report type, you can define report scopes to filter the user groups that you want to include in the report. See step 14 for more details.
        Include inactive users Option to include all inactive team members in the report. Leave this option unselected.
      12. Select OK.
        The dialog box closes and you return to the People tab.
      13. Optional: In the Define Report Scope section of the People tab, select the Division, Department, and Location report scopes to define filter criteria for the user groups that you want to include in the report.
        By default, all filter criteria for these report scopes are enabled.
      14. On the Columns tab, click + Select Columns to specify the data columns that you want to include in the report.
        You can sort, group, or rearrange the columns as needed.
      15. Select the Last Login and User Sys ID check boxes so that the first column is Last Login and the second column is User Sys ID on the report.
      16. Optional: On the Configuration tab, specify whether you want your data columns to display data in either the date only or the date and time format.
        For each applicable data column, select either Date (date only) or Timestamp (date and time). After you select the format for each data column, select OK.
      17. On the Filters tab, select filters to refine the data that is displayed on the report.
      18. Select Refine Criteria > Employee Login Detail > Last Login.
        A pop-up displays with Define last login filter.
      19. Select By Rule > Add rule tab.
      20. From the drop-down list, select the Greater than option.
      21. Enter the date from when you want to generate the report.
        You must select a date not older than a couple of weeks to keep the file size within allowed limits.
      22. Select Done after you select the filters.
      23. Select Generate.
      24. In the Download section of the generated report, select Excel to export the report as an Excel file.
        Note:
        The Excel file must not be greater than 5 MB.
      25. Return to your ServiceNow instance and navigate to SaaS License > Administration > Direct Integration Profiles.
      26. Select your SAP SuccessFactors integration profile.
      27. On the Integration Profile form header, select the Manage Attachments icon.
      28. In the Attachments dialog box, select Choose file to locate and select your user login report.
      29. After the report uploads successfully, close the dialog box to return to the integration profile form.
    8. After the form reloads, select Publish.
    9. In the Publish Confirmation dialog box, select OK.
      Note:

      By default, the activity job runs every hour and deletes the file attached to the integration profile as part of the clean-up. If the file isn't found, the activity job fails, indicating that there is no new attachment. The job failure has no impact on the last activity data that was already updated.

      If you plan to attach the file once every day or once a week, you can update the run time of the SAM - Refresh Success Factors Activity scheduled job accordingly. You can also run this job on demand whenever you attach a file.

      You must attach a file every time for the job to run because SAP SuccessFactors does not have an API for activity data pull.

    What to do next

    After the integration connects, your ServiceNow instance automatically creates software models, reclamation rules, and software subscriptions that are refreshed daily.

    If you want to set up multiple integration profiles with unique connections, create child aliases to manage different configurations and settings for each integration profile. For more information, see Create a child alias to set up multiple integration profiles.

    Review all automatically generated reclamation rules to reclaim user subscriptions. For more information, see Review a software reclamation rule.

    Create software entitlements for the automatically generated software models to track used software against owned software.
    Reconciliation also runs on your subscriptions as a scheduled job or on-demand. You can view your reconciliation results in the License Workbench (Software Asset Management classic application) or the License usage view (Software Asset Workspace). Use these results to determine your license compliance position and to remediate any non-compliance.