SAP Knowledge Base Article - Public

2850646 - How to register for OAuth 2.0 authentication - SuccessFactors Integrations


How to register and create the configuration for OData API OAuth authentication?


  • SuccessFactors
    • Integrations
      • OData API


OAuth 2.0 lets all users log in regardless of whether they are SSO users. If you are planning to use OAuth 2.0 for authentication, you will first need to register your OAuth client, and set up the permissions required for this registration. Then you can register your OAuth client application.


RBP System:

From the admin menu Manage Permission Roles, select the desired role for which you want to add the permission. As a best practice, create role named "API Administrator". Under the Manage Integration Tools link, select the Manage OAuth2 Client Applications checkbox.

After you have done this, you will see a link, Manage OAuth2 Client Applications under the Company Settings category in the new admin tools, and under Integration Tools in the older administration tools interface.

User-based system:

From the Admin Menu click on Manage Security -> Administrative Privileges. For the user you are logged in as, look under Integration Tools and check the box under Access to OAuth 2 Management.

After you have done this, you will see a link under Integration Tools to where you can register your OAuth client.

Registering the OAuth Client Application

To register an OAuth client, log into your application instance with an administrator account. From the Admin menu, click on Manage OAuth2 Client Applications -> Register New Client Application. After you register an OAuth client, any user of the registered client can connect to SuccessFactors HCM Suite using this method.

Find the fields definitions:

Field Description


The name of your company. This value is pre-filled based on the instance of the company currently logged in.

Application Name

 A unique name of your OAuth client.

Description (optional)


 An optional description of your application.

Application URL


 A unique URL of the page that the client wants to display to the end-user. The page might contain more information about the client application. This is needed for 3-legged OAuth, however it is not currently supported.

X.509 Certificate


 The certificate corresponding to the private and public key used in the OAuth 2.0 authentication process. In this flow, the SuccessFactors HCM Suite system will need the public key (the certificate) and the client application will have the private key. To register a client application, you will need to install the public key (aka certificate) in SuccessFactors HCM Suite. If you supply that certificate, you must use the RSA-SHA1 signature type for authenticating. As an optional feature, you can generate a public and private key pair with the Generate X.509 CertLʥcate button. If you do this, you must download the private key (or key pair) and install it into your client application.

Generate X.509 Certificate Button

 A button that generates an X.509 certificate if the customer doesn't have one already. When clicked, a dialog box is displayed, in which the customer can enter the following information then click "Generate" to generate a selfsigned certificate:

  • Issued By : Value set to SuccessFactors
  • Common Name: The name or IP address for which the certificate is valid.
  • Organization (optional): The entity to which the certificate is issued.
  • Organization Unit (optional): The organization unit of the entity to which the certificate is issued.
  • Locality (optional): Name of Locality of the entity to which the certificate is issued.
  • State/Province (optional): Name of State or Province of the entity to which the certificate is issued.
  • Country (optional): Name of Country of the entity to which the certificate is issued.
  • Validity: The number of days for which you want the X.509 certificate to be valid.

* We do not recommend generating the X-509 certificate in API Center and downloading the private key. This method is less secure as downloading the private key will increase the risk of exposing it. This method should only be used if the client is unable to generate an X-509 certificate. The private key must be kept secure under all circumstances. Do not share the private key with others.

If you have generated the X-509 Certificate, you must download the private key to use it in your client application to make token requests. The system saves the public key. You will need to regenerate the private key if you lose it.

You will need to save the private key before you register you client. Only the public key is available for viewing when the client is registered. You will have the API key and private key available to you in the generated certificate.

Note: The system do not store who added the tokens. You can see only the Date Added.

See Also

For more information, please check the OData API Developer Guide

KBAs related to this topic:

2800150 - How to test OAuth authentication via Postman - SuccessFactors Integrations

2639941 - How to use OAuth 2.0 step by step in Boomi

2511864 - Validity of the keypair generated via Successfactors for the OAuth

2840298 - What is the use of the Application URL to create the bearer token - SuccessFactors Integrations

2668018 - Error message: "Unable to authenticate the client (Login failed - invalid user)" for Oauth Authentication


How to; enable OAuth; Authentication; OAuth 2.0 configuration; Client Application; OData API; Bearer Token. , KBA , LOD-SF-INT , Integrations , LOD-SF-INT-ODATA , OData API Framework , How To


SAP SuccessFactors HXM Suite all versions