Set up Microsoft Entra ID using SAP SuccessFactors (preview)

[This article is prerelease documentation and is subject to change.]

This guide walks you through how to set up Microsoft Entra ID using the SAP SuccessFactors authentication method in the SAP OData connector for Power Platform. The goal is to enable token-based Single Sign-On (SSO) between Microsoft Entra ID and SAP SuccessFactors.

Prerequisites

Tip

Consider using an API Management solution to govern and secure your SAP APIs. For more information, see Set up Microsoft Entra ID, Azure API Management, and SAP for SSO from SAP OData connector and the SAP Community blog post Perform SAP Principal Propagation with Microsoft Entra ID for SAP SuccessFactors.

Named values

This section lists named values to make the examples easier to follow. These values are reused throughout the article and referenced in later sections. When following the examples in this article, be sure to replace the named values with your own values.

| Name | Sample value | Description |
|---|---|---|
| SuccessFactors token URL | https://\<api-server name\>/oauth/token | SuccessFactors SAML token Recipient field |
| Service Provider Client ID | API key | SuccessFactors OAuth API key |
| OData Base URI | https://\<odata-sf name\>/odata/v2 | SuccessFactors OData base URI |
| Microsoft Entra Resource URL (Application ID URI) | api://33135bc6-be6a-4cdc-9c96-af918e367425 | A unique string that identifies the SAML service provider |
| Company ID | SFSALES012345 | SuccessFactors Company ID |

Important

The named values detailed in this guide are essential for setting up SSO. Ensure your values match your specific SuccessFactors and Microsoft Entra ID configurations.

High-level overview

You can enable users to access SAP SuccessFactors securely through Power Platform by using single sign-on (SSO) and OAuth. The process involves:

  1. Adding an enterprise application in Microsoft Entra ID.
  2. Creating an OAuth 2.0 client application in SAP SuccessFactors.
  3. Establishing trust between Microsoft Entra ID and SAP SuccessFactors by using SAML.
  4. Mapping users from Microsoft Entra ID to SAP SuccessFactors to enable seamless SSO.

In short, you configure the apps on both sides, establish trust, match users, and enable token-based access for API integrations.

Step 1: Set up SAP SuccessFactors as a Microsoft Entra ID enterprise application

  1. Create Microsoft Entra ID enterprise application:

    1. Sign in to the Azure portal, search for and select Microsoft Entra ID.
    2. In the left navigation pane, expand Manage > Enterprise applications.
    3. Select New application.
    4. Search for and select SAP SuccessFactors from the gallery.
    5. Enter a name for the application and select Create.
  2. Configure Basic SAML Configuration:

    1. Go to the Single sign-on section and select SAML as the sign-on method.
    2. Identifier (Entity ID): Set to api://\<enterprise app ID\> (for example, api://33135bc6-be6a-4cdc-9c96-af918e367425). Save this value as Microsoft Entra Resource URL (Application ID URI) in the named values table.
    3. Reply URL: Use the SuccessFactors SAML token Recipient field (for example, https://\<api-server name\>/oauth/token).
    4. Sign-On URL: Recommended format: https://<your-sf-url>/sf/start?company=CompanyID&logonMethod=SSO. If unsure, confirm the correct server URL with your SuccessFactors IT admin.
    5. Select Save.
  3. Confirm the correct attribute is set:

    1. Go to the Attributes & Claims section.
    2. Select Edit.
    3. Confirm that Claim name Unique User Identifier (Name ID) is set to user.userprincipalname [nameid="{email address}"].
  4. Download the certificates:

    1. Go to the SAML Certificates section.

    2. Select the download link for:

      • Certificate (Base64).
  5. Add users and groups:

    1. Go to the Users and groups section.
    2. Select Add users/group.
    3. Select Users and groups.
    4. Search for and select ALL Company, and then select Assign.

Step 2: Create an OAuth 2.0 client application in SuccessFactors

  1. Sign in to the SuccessFactors Web UI by using an admin account.

  2. Go to Manage OAuth2 Client Applications.

  3. Select Register Client Application.

  4. Fill in the required fields:

    1. Company: Auto-populates. Copy the value and save it as the Company ID in the Named values table.
    2. Application Name: Enter any descriptive name.
    3. Description: Enter any descriptive text.
    4. API Key: Auto-populates. Copy the value and save it as the Service Provider Client ID in the Named values table.
    5. Application URL: Update this value with the Microsoft Entra Resource URL (Application ID URI) from the Named values table.
    6. X.509 Certificate: Open the certificate you downloaded in step one by using a text editor (for example, Visual Studio Code). Copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and paste it.
  5. Select Save.
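
Before pasting into the X.509 Certificate field, it helps to confirm that the downloaded file holds exactly one certificate and no key material. The following Python check is an added example, not part of the original article; the function name `certificate_body` and the sample bytes are assumptions constructed for illustration (the sample is not a real certificate).

```python
import base64
import binascii
import hashlib
import re

# Matches any PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed stand-in bytes (NOT a real certificate): a DER SEQUENCE header
# followed by filler, wrapped in PEM armor the way a Base64 download is.
SAMPLE_DER = b"\x30\x82\x00\x40" + bytes(range(64))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def certificate_body(pem_text):
    """Return (body, sha256_hex) for a file holding exactly one certificate.

    body is the text between the BEGIN/END markers, ready to paste.
    sha256_hex is the SHA-256 of the decoded bytes, for a change record.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("file contains a private key; do not paste or share it")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected one CERTIFICATE block, found {labels}")
    body = blocks[0][1]
    try:
        # validate=True rejects stray characters picked up while copying.
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not clean Base64: {exc}") from exc
    if not der.startswith(b"\x30"):  # light structural check only
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return body, hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    body, fingerprint = certificate_body(SAMPLE_PEM)
    print(body)
    print("SHA-256 of DER:", fingerprint)
```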

Step 3: Create or update a user in SuccessFactors to map to a Microsoft Entra user

Ensure the Unique User Identifier claim for the Microsoft Entra ID user is an exact one-to-one match with their SuccessFactors user alias.

To learn how to configure SSO in SuccessFactors, see Configure SuccessFactors SSO.
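
Because the match must be exact and one-to-one, it is worth auditing both user lists before testing the connection. The following Python check is an added example, not part of the original article; it assumes you have exported the Microsoft Entra Name ID values and the SuccessFactors user aliases as two plain lists, and the function name `audit_mapping` and all sample users are constructed for illustration.

```python
from collections import Counter

# Constructed sample exports (not real users).
ENTRA_NAME_IDS = [
    "ana.diaz@contoso.example",
    "Bo.Li@contoso.example",     # differs from the SuccessFactors alias by case
    "cy.roe@contoso.example",    # has no SuccessFactors alias at all
    "ana.diaz@contoso.example",  # same Name ID exported twice
]
SF_ALIASES = [
    "ana.diaz@contoso.example",
    "bo.li@contoso.example",
    "dee.fox@contoso.example",   # no Entra user maps to this alias
]


def audit_mapping(entra_name_ids, sf_aliases):
    """Classify Entra Name IDs against SuccessFactors aliases (exact match)."""
    def fold(value):
        return value.strip().casefold()

    sf_exact = set(sf_aliases)
    sf_by_fold = {}
    for alias in sf_aliases:
        sf_by_fold.setdefault(fold(alias), set()).add(alias)

    counts = Counter(entra_name_ids)
    report = {"ok": [], "near_miss": {}, "missing": []}
    # The same Name ID on two Entra users breaks the one-to-one requirement.
    report["duplicates"] = sorted(v for v, n in counts.items() if n > 1)
    # Aliases that differ only by case or padding are easy to mis-map.
    report["ambiguous_sf"] = sorted(
        sorted(group) for group in sf_by_fold.values() if len(group) > 1
    )
    for name_id in sorted(counts):
        if name_id in sf_exact:
            report["ok"].append(name_id)
        elif fold(name_id) in sf_by_fold:
            # Looks right to a human, but is not an exact match.
            report["near_miss"][name_id] = sorted(sf_by_fold[fold(name_id)])
        else:
            report["missing"].append(name_id)
    report["unused_sf"] = sorted(sf_exact - set(report["ok"]))
    return report


if __name__ == "__main__":
    for key, value in audit_mapping(ENTRA_NAME_IDS, SF_ALIASES).items():
        print(f"{key}: {value}")
```

Anything reported under `near_miss`, `missing`, `duplicates` or `ambiguous_sf` should be resolved before the connection test in Step 6.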

Step 4: Update Microsoft Entra ID enterprise application

  1. Search for and select Microsoft Entra ID.

  2. In the left navigation pane, expand Manage > Enterprise applications.

  3. Locate and select the enterprise application you created in step one.

    1. Go to Manage > Single sign-on.
    2. Go to Attributes & Claims, and then select Edit.
    3. Select Add new claim, and configure it as follows:
      • Name: api_key
      • Source: Attribute
      • Source attribute: Paste the Service Provider Client ID from the Named values table.

Step 5: Configure Microsoft Entra ID app registrations

  1. Search for and select Microsoft Entra ID.

  2. In the left navigation pane, go to Manage > App Registrations.

  3. Under the All applications tab, locate and select the application you created in step one.

    1. Go to Manage > Expose an API. Under Application ID URI, select Add, and enter the Microsoft Entra Resource URL (Application ID URI) from the Named values table.
    2. Under Authorized client applications, select Add a client application.
    3. Enter the Client ID for SAP OData connector: 6bee4d13-fd19-43de-b82c-4b6401d174c3.
    4. From the Authorized scopes list, select the existing scope.
    5. Select Add application.

Step 6: Test the connection

  1. Open Power Automate in your browser.
  2. Create a new manual-trigger type flow.
  3. Add an SAP OData action.
  4. Select Microsoft Entra ID using SuccessFactors as the connection.
  5. Fill in the required parameters from the Named values table.
  6. Choose an Entity from the dropdown to test.
  7. Save your flow.
  8. Run your flow to test the connection.
  9. Verify the run history for successful authentication and data retrieval.

Tip

  • If the test fails, verify your connection parameters and ensure you completed all previous configuration steps correctly.
  • If the Entity dropdown doesn't populate, recheck your connection parameters, the OAuth 2.0 app configuration in SuccessFactors, and the enterprise app configuration.