Skip to content

SAP SuccessFactors API Integration Connection

SAP SuccessFactors provides a cloud-based Human Capital Management (HCM) solutions for employers. In addition to the Data Extract method offered by Hire2Retire, we have implemented an API based approach to facilitate integration between SAP SuccessFactors and Directory Services. API integration is user-friendly and allows for scheduled data retrieval, enabling daily or interval-based pulls of employee data reports.

Create a Connection

The API integration of SAP SuccessFactors uses OAuth2.0 mechanism for authentication. SuccessFactors requires the following keys to authenticate its clients using this mechanism:

  • Environment - A dropdown field which contains all the list of API-server provided by SuccessFactors. Users can identify their environment by examining the SuccessFactors URL of the page. For instance, in the URL, the required environment is 'Sales Demo 8'.

  • Company ID - The Company ID is a short string of characters that identifies each SAP SuccessFactors system.

  • User ID - This is the user id of the active account.

  • API Key - An API Key is generated and assigned to the user application when the user registers it for OAuth2.0 authentication. It is provided on the SAP SuccessFactors portal when a user registers a new OAuth client application using OData API. One can view the API key by choosing 'View' on the registered application list.

  • Private Key - This is the Private key value copied from X.509 certificate.

Connection page

Figure 1. SAP SuccessFactors API Connection Set Up page - Create Connection

Registering Client Application using OAuth2 on SAP SuccessFactors

  • Log into your instance as an administrator.

    Admin Account

  • Then, select 'API Center' under 'Company Settings'.

    API Center

  • Go to Admin Center API Center OAuth Configuration for OData and choose Register Client Application. You can also access the tool by searching Manage OAuth2 Client Applications in Action Search.


  • On the new OAuth client registration screen, enter the following:

    Enter Required Fields

    • Company - The name of your company. This value is prefilled based on the instance of the company currently logged in.

    • Application name - (Required) A unique name of your OAuth client.

    • Description - (Optional) A description of your application.

    • Application URL - (Required) A unique URL of the page that the client wants to display to the end user.

    • Blind to Users - (Optional) You can enable this option to restrict the access of the application to specific users including business users and technical users.

    • User IDs - (Required if you enabled the Bind to User option) Enter the user IDs separated by comma.

    • X.509 Certificate - (Required) The certificate corresponding to the private and public key used in the OAuth 2.0 authentication process. In this flow, SAP SuccessFactors require the public key and the client application has the private key. To register a client application, you must install the public key in SAP SuccessFactors. You can obtain a certificate from a service provider, or generate a self-signed certificate using a third-party tool. If neither option is available, you can also generate an X.509 certificate in SAP SuccessFactors by entering a common name of the user.

    Generate Certificate Enter Required Fields for Certificate

  • Choose Register to complete your registration.

After you’ve successfully registered your client application for OAuth2 authentication, An API key is generated and assigned to your application. You can view the API key by choosing View on the registered application list and use it for authentication.

Permissions Required

The user must have the following permissions:

  • Employee export and User search permission is required to fetch employee data.
  • Import employee data permission is required for writeback feature.

To grant the permissions, please follow these steps:

  • Go to the Admin Center and find the "Manage Permission Groups" section.

    Manage Permissions Groups

  • If you don't have an existing permission group, create a new one. Then, select the same user used for API integration within that group.

    Permissions Group Assignment

  • Once you've created the permission group, go to the "Manage Permission Roles" section.

    Manage Permissions Roles

  • Create a new role, provide role name and description.

    Permissions Role Page

  • Choose the appropriate permissions:

    • User Search : Locate General User under the User Permissions section and enable the User Search permission.
      User Search Permission

    • Employee Export: Locate Manager User within the Administrator Permissions section and enable the Employee Export permission.
      Employee Export Permission

    • Import Employee Data (For Writeback feature only) : Locate 'Employee Central Import Settings' in the Administrator Permissions section, and then enable the 'Import Employee Data' permission.
      Import Employee Data Permission

  • Now grant this role to user. Search for the permission group having the particular user.

    • For Employees other than Learning and Onboarding employees.
      Grant Permission Roles
    • For Learning and Onboarding employees.
      Grant Permission Roles for Onboarding Users
  • Save the changes.
    Final Draft


Once you have successfully configured the connections, you can continue with the Design section to configure the rest of the workflow following these steps in order.

  1. HR Data Definition
  2. Lifecycle Business Rules
  3. Employment Status
  4. HR to AD Profile Map
  5. Organizational Unit Assignment - Only defined in on-premise Active Directory
  6. Security Group Assignment
  7. Distribution List Assignment


Once your workflow has been setup, you can optionally setup notifications and archival for your workflow.

Otherwise, you can proceed to deploy and test it on the Hire2Retire platform, see Deploy and Test Flow