Set up the SuccessFactors spoke v4.x.x

Release version: Xanadu

Updated August 1, 2024

9 minutes to read

Integrate the ServiceNow instance with your SuccessFactors instance using OAuth client application and API key.

Before you begin

Request Integration Hub subscription
Activate the SuccessFactors spoke
Enable these system properties:
- glide.pf.rest.response_payload_max_size: The maximum value is, 10240.
- com.snc.process_flow.reporting.serialized.val_size_limit: The maximum value is, 16384.
- com.glide.transform.json.max-partial-length: The maximum value is, 65536.
Role required: admin

Note:

This procedure is applicable if you are setting up the SuccessFactors spoke v4.9.1 for the first time. If you are using an earlier version of the SuccessFactors spoke, see Migrate to SuccessFactors spoke v4.9.1 for the migration procedure.

For more information about setting up the spoke, see SAP SuccessFactors Spoke - OAuth Setup & Migration - Pre-Tokyo, Tokyo and beyond in ServiceNow Community.

Register OAuth client application in SuccessFactors

Enable client certificate authentication for the outbound communication by generating the keystore.jks and keystore.cer files.

Before you begin

Generate a valid JKS certificate. For information about creating a JKS certificate, see Creating Java Keystore(JKS) with Private Key and Certificate Chain in SAP Help Portal, or, do the steps.
1. Use the command openssl genrsa -out private.key 2048 to generate the private.key file.
2. Use the private.key to create x.509 certificate (.cer file) that contains your public key.
  Use the command openssl req -new -x509 -key private.key -out publickey.cer -days 365
Convert the public and private key to a .p12 file.
Use the command to do the above step openssl pkcs12 -export -in publickey.cer -inkey private.key -out successfactors.p12 -name "<provide custom name>".
Convert the .p12 file to .jks
Use the command to do the above step keytool -importkeystore -srckeystore successfactors.p12 -srcstoretype pkcs12 -destkeystore successfactors.jks.
Role required: admin.

Procedure

Log in to the SuccessFactors account as an admin.
Navigate to Admin Centre and click Company Settings.
Click Manage OAuth2 Client Applications.
Click Register Client Application.
Provide the required details on the form.
In the X.509 Certificate field, provide contents of the cert.pem file (public key) without the headers.
Click Submit.
API Key is generated and displayed. Copy and record the value for later use.

Upload the JKS certificate in your ServiceNow instance

Enable client certificate authentication for the outbound communication by uploading the JKS certificate in your ServiceNow instance.

Before you begin

Role required: admin

Procedure

Log in to your ServiceNow instance as an admin.
Upload the JKS certificate to your ServiceNow instance.
For instructions to upload the JKS certificate, see Upload a certificate to an instance .

Register SuccessFactors as an OAuth provider

Use the API key generated during the client application configuration to register the application as an OAuth provider.

Before you begin

Role required: admin

Procedure

In your ServiceNow instance, navigate to System OAuth > Application Registry.
Click New.

In the form, fill in these fields.


Field	Description
Name	Unique name to identify the certificate. For example, `SuccessFactors SAML`.
Client ID	Value of the API key you had copied after registering the OAuth client application in SuccessFactors.
Client Secret	Note: Client secret is not needed to register the application as an OAuth provider. You can provide any value for this field.
OAuth API Script	Name of the OAuth API script. Search for `OAuthUtilSuccessFactors` and select it from the list.
Default Grant Type	Default grant type used to establish the token. Select SAML2 Bearer.
Token URL	SuccessFactors OAuth server endpoint URL that includes the Company ID in this format: `https://<SuccessFactors_Instance_Name>/oauth/token?company_id=<Company_ID>`. For example, `https://example.successfactors.eu/oauth/token?company_id=SFCPART123456`.

Click Submit.

Create the SAML2 assertion producer record

Create a SAML2 assertion record to generate the SAML2 assertion and exchange the assertion for the access tokens with the provider.

Before you begin

Role required: admin

Procedure

Create a SAML2 assertion producer record in your ServiceNow instance.

Navigate to All > System OAuth > SAML2 Assertion Producers.
Click New.

On the form, fill these values.


Field	Description
Name	Unique name to identify the SAML2 assertion producer record. For example, `Successfactor SAML OAuth`.
Issuer	Unique identifier for the assertion issuing entity. Provide the ServiceNow instance URL.
Subject NameID	User name to log in to the SuccessFactors instance. For example, `sfadmin`.
Audience	Intended audience for the assertion. Enter the value, `www.successfactors.com`.
Recipient	Intended recipient for the assertion. Enter URL in this format, `https://<SuccessFactors-Instance-Name>/oauth/token`.

Right-click the form header and click Save.
Under the SAML2 Assertion Keystores tab, click New.

On the form, fill these values.


Field	Description
Name	Unique name to identify the SAML2 assertion keystore record. For example, `sap_successfactor`.
Signing Key Alias	Alias of key entry stored in the Keystore used to sign the assertion. For example, `1`.
Signing Key Password	Password of the key entry stored in the keystore used to sign the assertion.
Signing Keystore	Required X.509 certificate record. Select the X.509 certificate record that you had earlier created. For more information, see Upload the JKS certificate in your ServiceNow instance.

Click Submit.
Navigate to All > System OAuth > SAML2 Assertion Producers.
Open the SAML2 assertion producer record that you had created.
For example, Successfactor SAML OAuth.
Under the SAML2 Assertion Attributes tab, click New.

On the form, fill these values.


Field	Description
Name	Name to identify the SAML2 assertion attribute record. Enter `api_key`.
Type	Type of the Value field. Select String.
Value	API key generated after the OAuth client application is created in SuccessFactors.

Click Submit.

Associate the SAML2 assertion producer with the application registry record.
1. Navigate to System OAuth > Application Registry.
2. Open the application registry record that you had created.
  For example, SuccessFactors OAuth Reg. For more information about creating the application registry, see Register SuccessFactors as an OAuth provider.
3. Under the OAuth Entity Profiles tab, open the default OAuth entity profile record.
  For example, Successfactor SAML default_profile.
4. For the Assertion Producer field, select the SAML2 assertion producer record you had created.
  For example, Successfactor SAML OAuth.
5. Click Update.

Create Credential record for the OData API

Create Credential record for the OData APIs in SuccessFactors. The SuccessFactors spoke connection and credential alias uses these credentials to authorize actions using the OData API.

Before you begin

Role required: admin.

Procedure

Navigate to All > Connections & Credentials > Credentials.
Click New.
The system displays the message What type of Credentials would you like to create?.
Select OAuth 2.0 Credentials.
An empty OAuth 2.0 Credentials form is displayed.

On the form, fill these values.


Field	Value required
Name	Name to uniquely identify the record. For example, enter `SAML_SuccessFactors_OData_Cred`.
OAuth Entity Profile	OAuth entity profile record that is associated with the OAuth application registry you had created. For example, `Successfactor SAML default_profile`. For more information about creating the application registry, see Register SuccessFactors as an OAuth provider.
Active	Option to actively use the credential record.
Order	Order to apply this credential. For example, enter `100`.

Click Submit.

Result

The credential record to authorize actions using the OData API is created.

Create Credential record for the SOAP API

Create Credential record for the SOAP APIs in SuccessFactors. The SuccessFactors spoke connection and credential alias uses these credentials to authorize actions using the SOAP APIs.

Before you begin

Role required: admin.

Procedure

Navigate to All > Connections & Credentials > Credentials.
Click New.
The system displays the message What type of Credentials would you like to create?.
Select OAuth 2.0 Credentials.
An empty OAuth 2.0 Credentials form is displayed.

On the form, fill these values.


Field	Value required
Name	Name to uniquely identify the record. For example, enter `SAML_SuccessFactors_SOAP_Cred`.
OAuth Entity Profile	OAuth entity profile record associated with the OAuth application registry you had created. For example, `Successfactor SAML default_profile`. For more information about creating the application registry, see Register SuccessFactors as an OAuth provider.
Active	Option to actively use the credential record.
Order	Order to apply this credential. For example, enter `100`.

Click Submit.

Result

The credential record to authorize actions using the SOAP API is created.

Create Connection record for the OData API

Create a Connection record for the OData API in SuccessFactors. The SuccessFactors spoke connection and credential alias uses these connections to perform actions in SuccessFactors.

Before you begin

Role required: admin.

Procedure

Navigate to All > Connections & Credentials > Connection & Credential Aliases.
Open for the record for SuccessFactors OData.
For example, SuccessFactors_OData.
From the Connections tab, click New.
The system displays an empty HTTP(s) Connection form.

On the form, fill these values.

Table 1. HTTP(s) Connection form
Field	Description
Name	Name to uniquely identify the record. For example, `SAML_SuccessFactors_OData_Conn`.
Credential	Credential record you created for the REST API. For example, `SAML_SuccessFactors_OData_Cred`.
Connection URL	SuccessFactors service root URL in this format: `https://<SuccessFactors_Instance_Name>/odata/v2`. For example, `https://example.successfactors.eu/odata/v2`. Note: If you are using an SAP Cloud account, see List of SAP SuccessFactors API Servers in SAP Help Portal to select the correct endpoint that is needed to target the API server.
Active	Option to actively use the connection record.

Click Submit.

Result

The connection record for the REST API in SuccessFactors is created.

Create Connection record for the SOAP API

Create a Connection record for the SOAP API in SuccessFactors. The SuccessFactors spoke connection and credential alias uses these connections to perform actions in SuccessFactors.

Before you begin

Role required: admin.

Procedure

Navigate to All > Connections & Credentials > Connection & Credential Aliases.
Open for the record for SuccessFactors SOAP API.
For example, SuccessFactors_Comp_Emp.
From the Connections tab, click New.
The system displays an empty HTTP(s) Connection form.

On the form, fill these values.

Table 2. HTTP(s) Connection form
Field	Description
Name	Name to uniquely identify the record. For example, `SAML_SuccessFactors_SOAP_Conn`.
Credential	Credential record you created for the SOAP API. For example, `SAML_SuccessFactors_SOAP_Cred`.
Connection URL	SuccessFactors connection URL. For example, `https://<SuccessFactors_Instance_Name>/sfapi/v1/soap`. For example, `https://example.successfactors.eu/sfapi/v1/soap`. Note: If you are using an SAP Cloud account, see List of SAP SuccessFactors API Servers in SAP Help Portal to select the correct endpoint that is needed to target the API server.
Active	Option to actively use the connection record.

In the Attributes tab, provide these fields.


Field	Description
Company Id	Immutable Company ID of your SuccessFactors instance.
Flow Timeout (seconds)	Maximum time in seconds up to which data can be received from SuccessFactors during the flow execution. If the time taken to retrieve data from SuccessFactors exceeds the timeout duration, the flow or subflow is cancelled. Default value is, `30`.

Click Submit.

Result

The connection record for the SOAP API in SuccessFactors is created.

Synchronize data between SuccessFactors and ServiceNow

Customise the sample flows as per your requirement to synchronize data between your SuccessFactors and ServiceNow instances.

Todo entity

The SuccessFactors spoke provides sample flows to synchronize data bi-directionally for the todo entity. The sample flow, Run SuccessFactors Integration Flow can customised to retrieve data from SuccessFactors, while the Create Todo and Update Todo flows creates or updates the todo records in SuccessFactors when events occur in ServiceNow. While customising the sample flows, ensure that you provide appropriate triggers to retrieve and save future updates using transform maps.

Other default entities

For these entities, the sample flow, Run SuccessFactors Integration Flow, can be customised to retrieve data from SuccessFactors:

Department
Location
Job Profile
Workers Profile
Effective Workers Profile
Job History Including Secondary Assignments

To create or update records in SuccessFactors for these entities when events occur in ServiceNow:

Create flows or subflows as per your choice or customise the sample flows and subflows.
Use Metadata Retrieval and Record Management actions in your flows.
Ensure that you provide appropriate triggers to retrieve and save future updates using transform maps.

Other SuccessFactors entities

Depending on the SuccessFactors permissions and configurations, you can also synchronize data of other entities as per your requirement.