SailPoint ISC SuccessFactors web services OAuth 2.0 SAML Bearer Assertion

My team is trying to set up a web services connector to SuccessFactors. For reasons I will not go into, we cannot rely on the out-of-the-box SuccessFactors connector.

The connection requires Authentication Type OAuth 2.0 and Grant Type SAML Bearer Assertion.

We managed to establish the connection with custom authentication and in Postman but would like to transition the authentication method to use OAuth 2.0.

I believe I’ve managed to figure out what most of the fields shall be filled out with.
However, the “SAML Request Body” is a question mark and the documentation is not sufficient:
OAuth 2.0 Authentication

If anyone has managed to configure a web services connection with OAuth 2.0 and SAML Bearer Assertion, please enlighten me how you accomplished it.

Regardless of how I configure, it always results in this:

I would recommend trying the connectivity using Postman or some other client before configuring it in ISC.
Error handling in ISC is not great.

It’s working in Postman and with custom authentication.

Hi @Viktor,

You have to use custom authentication along with an after operation rule to generate the assertion and to pass the assertion to the token URL.

  1. Custom authentication for SAML Assertion
    In the body, provide the keys and values by using Form data

    Header is Content-Type - application/x-www-form-urlencoded
    Use an after operation rule to get the response object
    Rule -
    // Map holding the assertion value for the response mapping
    Map m = new HashMap();
    m.put("assertion", assertionVal);
    processedResponseObject(m);

    In response mapping
    Schema attribute is assertion - attribute path is $rawResponseObject$

  2. Custom authentication to get token

    Header is Content-Type - application/x-www-form-urlencoded

    Provide token generation details into the body by selecting Raw type

    In response mapping read token

    Schema attribute is access_token and attribute path is access_token

For test connection and other operations use Bearer $application.access_token$

Thanks,
Siva.K

So what is the purpose of this:

If I have to resort to custom authentication?

As I mentioned, we’ve made it work with custom authentication and a WebServiceBeforeOperationRule.

I’d just much prefer to not rely on custom authentication and rule as it seems SailPoint are offering OAuth 2.0 in the Webservice connector itself.

Can anyone give an example where they’ve made it work with OAuth 2.0 and SAML Bearer Assertion in a Web Services connector?

For SuccessFactors, the headers are in form-urlencoded format, which is not supported by the direct OAuth 2.0 configuration.

I’ve managed to use raw body in Postman like this:
client_id={{client_id}}&user_id={{user_id}}&token_url=https%3A%2F%2F{{api-server}}%2Foauth%2Ftoken&private_key={{private_key}}

Do you mean that this is not supported then?

Do you have any documentation that states that this is not supported?
What Content types are supported?

You can also follow the same in SailPoint ISC as well. Keep all the required information in the Custom Authentication Operation body by selecting Raw. But make sure the header you add is application/x-www-form-urlencoded.
If you try the same by selecting OAuth 2.0, it won’t work.
I don’t have any document. But for the same issue I connected with the SailPoint support team and they mentioned the same.

Thanks,
Siva.K
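
The two form-urlencoded bodies discussed in this thread, as an added Python example (not code from any poster or from SailPoint). It shows why base64 values pasted into a raw body must be percent-encoded and how to mask them before logging. The `company_id` field, the host `api.example.com`, the function names and the sample key are assumptions or constructed values.

```python
from urllib.parse import urlencode, parse_qs

SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522
SECRET_FIELDS = {"private_key", "assertion"}

def assertion_request_body(client_id, user_id, api_server, private_key_b64):
    """Step 1: the same four fields as the Postman raw body in the thread."""
    return urlencode({
        "client_id": client_id,
        "user_id": user_id,
        "token_url": f"https://{api_server}/oauth/token",
        "private_key": private_key_b64,
    })

def token_request_body(company_id, client_id, assertion_b64):
    """Step 2: exchange the assertion for an access token.
    company_id (tenant identifier) is an assumption, not from the thread."""
    return urlencode({
        "company_id": company_id,
        "client_id": client_id,
        "grant_type": SAML2_BEARER,
        "assertion": assertion_b64,
    })

def server_view(body, field):
    """Value a form-urlencoded parser on the receiving side recovers."""
    return parse_qs(body, keep_blank_values=True)[field][0]

def redact(body):
    """Mask key material before a request body reaches logs or tickets."""
    pairs = parse_qs(body, keep_blank_values=True)
    return "&".join(
        f"{k}=" + ("<redacted>" if k in SECRET_FIELDS else v[0])
        for k, v in pairs.items()
    )

# Constructed sample values, not real credentials.
KEY = "MIIEvQ+AB/cd9w=="
encoded = assertion_request_body("CLIENT123", "sfadmin", "api.example.com", KEY)
# Pasting the base64 text unencoded into a raw body: '+' is read as a space.
naive = f"client_id=CLIENT123&user_id=sfadmin&private_key={KEY}"

if __name__ == "__main__":
    print(encoded)
    print(server_view(encoded, "private_key") == KEY)  # value survives intact
    print(server_view(naive, "private_key") == KEY)    # value is corrupted
    print(redact(encoded))
```
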


  1. Configure the Base URL and Authentication:
  • In the Connection settings, set the Base URL.
  • Choose a valid Authentication method:
    If you have an API key and secret -
    • If you have an API token, select API Token authentication.
    • If you don’t have an API token, select Custom Authentication and save the configuration with only the Base URL.
  2. Configure the HTTP Operation:
  • When testing the connection, pass the API key and secret in the request headers.
  • Set the context URL as the exact endpoint of the target URL.
  • Example:
    • Full API URL: https://api.xyz.com/users
    • Base URL: https://api.xyz.com/
    • Context URL: users
  3. Save the Changes and Test the Connection.
  • If the connection is successful, proceed with configuring the aggregation HTTP operation following the same steps.
  • Ensure attribute mapping is set according to the JSON response structure.