SAP SuccessFactors setup guide
This guide describes the steps to integrate the Open Content Network (OCN) provider SoSafe into the SAP SuccessFactors Learning Management System (LMS). The guide covers the necessary preparations, configurations, and the connection to SAP Identity Authentication Service (IAS) and SuccessFactors (BizX). Note that while we have worked hard to make this document as thorough as possible, your personal SAP SuccessFactors implementation might require you to deviate from this guide.Y ou may thus need an SAP SF expert (internal or third-party partner) for assistance with this. Any costs or arrangements for your SAP SF configuration are handled directly between you and your chosen partner.
1. Overview
These will be the key steps:
Preparation and information gathering
Creating roles and permission groups in BizX:
OCN_ADMINS
OCN_API_USERS
Creating the following users in BizX:
SOSAFE_OCN_ADMIN
SOSAFE_OCN_API_USER
Creating roles in LMS
Creating administrators in LMS
OCN_ADMINS are used to log in to BizX and LMS. They are LMS administrators. This access is used in development and testing environments to perform and verify integration. In production, this account can be omitted. OCN_API_USERS are used for accessing the OCN and BizX APIs.
1.1 Preparation and information gathering
Before starting the integration, the following information about your system is required:
System overview: Existing SuccessFactors modules and their configuration
Is Employee Central (EC) used?
User synchronization: Check whether LMS is directly synchronized with BizX or if all LMS-relevant permissions are assigned only within LMS. If permissions are configured exclusively in LMS, the OCNADMIN can be created as an "empty" user in BizX without roles (CSV import).
Authentication mechanisms: Review of OAuth2 and IAS configuration
1.2 Different setups of user provisioning and SSO implementation
There are various ways user provisioning can be implemented in your environment. It can affect the usernames used in Single Sign-On (SSO) and where the application obtains its token from and must be registered as an OAuth application. This guide assumes that SuccessFactors (BizX) is always the leading system, and that the external application is registered there as an OAuth2 application. There may be other scenarios where the token must be obtained from Cloud Identity Service or EntraID.

1.3 Checking user synchronization in the Integration Center

2. Configuration of SuccessFactors (BizX)
Process overview:
Create permission groups
Create permission roles
Create users
Register OAuth2 client application
2.1 Creating users
Importing users via CSV
Creating the CSV template
Log in to BizX as an administrator and navigate to Admin Center → Employee Export.
Select the Export Template button. The other two buttons, Export User Fil and Export External 360 Raters, are not used.
Pay attention to possible settings and adjust them according to your operating system and CSV editor (Excel, OpenOffice, Numbers), as special characters (such as umlauts) may not display correctly otherwise.
Open the exported csv-template and add the following users:
Status | USERID | USERNAME | FIRSTNAME | LASTNAME | MANAGER | HR | DEFAULT_LOCALE |
---|---|---|---|---|---|---|---|
active | SOSAFE_API_USER | SOSAFE_API_USER | SOSAFE | API_USER (TU) or (TA) | NO_MANAGER | NO_HR | en_US (or de_DE) |
active | SOSAFE_OCN_ADMIN | SOSAFE_OCN_ADMIN | SOSAFE | OCN_ADMIN | NO_MANAGER | NO_HR | en_US (or de_DE) |
Save the file and export it as a CSV file.
Navigate to BizX → Admin Center → Import Employee Data
Select Import Data under Select the action you want to perform
Choose Basic Import under Select an Entity
Select the previously exported CSV file under Choose File
Adjust File Encoding and File Locale to match the export settings.
Select Validate Import File Data at the bottom of the page. Adjust the CSV file until the validation is successful.
Finally, click Import.
Verify that the two users were created:
Verify that the users are synchronized from BizX to the LMS:
Open Integration Center and click on My Integrations.
Depending on the synchronization interval, the job may need to be run manually.
Afterwards, check the LMS admin area to confirm that users were created successfully.
Manually creating users in BizX
Manually create OCN admin user in BizX
First Name:
SOSAFE
Last Name:
OCN-ADMIN
Assign Permissions: OCN_Integration_Admin_Role
Manually create API user in BizX
Username:
SOSAFE_API_USER
Assign Role:
SOSAFE_API_USER_ROLE
Setting a Password for the added users
A password is not required for SOSAFE_API_USER
because API calls use OAuth2 authentication with SAML Bearer Assertion. For SOSAFE_OCN_ADMIN
, a password is only set in BizX if NO identity provider (IAS / EntraID) is used.
Setting password in BizX

Please note that for SSO users, the new password entered here only impacts basic authentication and token-based SSO. To reset passwords for SSO users, go to the identity provider administrator panel.

Sretting password in IAS
Open IAS (Example: https://a0w8gjlxv.accounts.cloud.sap/admin)
Navigate to Identity Provisioning → Source Systems
Select Jobs → Read Job → Run now
Verify that the users were synchronized
Two users should be synchronized
Go to User Management and search for
SOSAFE_OCN_ADMIN
Select Authentication
Set an initial password for
SOSAFE_OCN_ADMIN
The user can now log in to SuccessFactors (BizX) and access Learning Administration.
2.2 Creating permission groups
Search for Manage Permission Groups

OCN_Admins

Create the following group:
Group name:
OCN_ADMINS
Contains User:
SOSAFE_OCN_ADMIN
Assigned Role:
OCN_Integration_Admin_Role

NOTE: The “Granted Permissions Roles” shown in the screenshot will be added later through the “Manage Permissions Roles” step.
Add the imported user to the appropriate permission group:
OCN-ADMINS
for administratorsOCN-API-USERS
for API Users


OCN_API_USERS

Create the following group:
Group name:
OCN_API_USERS
Contains User:
SOSAFE_API_USER
Assigned Role:
OCN_API_USER_ROLE
2.3 Creating permission roles
Search for Manage Permission Roles

OCN Integration Admin Role
Create the following role:
Name:
OCN_Integration_Admin_Role
Permissions
Learning → Enable Learning Access Permission
Administrator Permissions → Enable Learning Admin Access Permission




Add Role Assignment for OCN_ADMIN_USER_ROLE
Click on Add Role Assignment
Add basic information
Choose from Groups, followed by Select Group


Add group
OCN_ADMINS
Define Target Population
SFSF (BizX) API User Role
Create the following role:
Name:
OCN_API_USER_ROLE
API Access Permissions
Recommended minimum permissions for
OCN-API-USER
User Permissions
Learning
Learning Access Permission
Options menu (only works if set to use RBP in provisioning)
Administrator Permissions
Manage Learning
Learning Admin Access Permission




Add Role Assignment for OCN_API_USER_ROLE
Add Role Assignment
Basic Information
Grant Access to

Select Group
OCN_API_USERS
2.4 Adding OAuth2 Client Application
Navigate to Admin Center → Manage OAuth2 Client Applications
Create application:
OCN SOSAFE
Bind to User
SOSAFE_API_USER
undSOSAFE_OCN_ADMIN
Generate and upload X.509 certificate:
openssl req -nodes -x509 -sha256 -newkey rsa:2048 -keyout private.pem -out public.pem -days 3650

3. Configuration of the Learning Management System (LMS)
3.1 Basic configuration
Completion status
ONLINE_COMPLETED
: completedONLINE_EXAM_PASSED
: passed
ItemType / ComponentType
ONLINE
: Online training without an examONLINE_EXAM
: Online training with an exam
Define labels
label.u.SOSAFE
→ “Sosafe OCN Learning Provider”
3.2 Configuration of the OCN provider in LMS
Register the provider by navigating to System Administration → Content → Open Content Network
New Provider: SOSAFE
Enter API credentials
Configure system properties
System Administration → Configuration → System Configuration → OPEN_CONTENT_NETWORK
Example Configuration:
providers[SOSAFE].enabled=true
providers[SOSAFE].syncCourses=true
providers[SOSAFE].name=Sosafe
providers[SOSAFE].label=label.ProviderSosafe
providers[SOSAFE].baseLaunchUrl=https://sosafe.de
providers[SOSAFE].pricingModel=SUBSCRIPTION
defaultValues.autoImportOCNCourseEnabled[SOSAFE]=true
3.3 User management in LMS
Check if the integration job has already synchronized the users. If not, run the job manually.
Creating users in LMS without synchronization
If you do not use an integration job to synchronize users between BizX and LMS, the two users SOSAFE_API_USER
and SOSAFE_OCN_ADMIN
must be created manually in LMS.
Creating the role “OCNADMIN”
Navigate to System Administration → Security → Role Management → Add New
Role ID:
OCNADMIN
Description: Admin role for Open-Content-Network (OCN) Providers
Select the security domain according to your security concept.
Assign permissions
Creating the OCN administrator in LMS
Navigate to System Administration → Security → Administrators
Create a new administrator
Admin ID:
SOSAFE_OCN_ADMIN
Last Name:
OCN_ADMIN
First Name:
SOSAFE
Role: Learning Administrator: Assign the role
OCNADMIN
Creating the OCN API user as an administrator in LMS


4. Implementation of Single Sign-On (SSO)
5. Important notes
API limits and performance optimization
Observe throttling limits for Learning OData APIs Recommended documentation:
2804267 - SAP SuccessFactors Learning Product Guidelines & Best Practices
2318296 - Implementing Open Content Network (OCN) with SuccessFactors Learning (LMS)
6. Glossary
Acronym | Full name | Explanation |
---|---|---|
OCN | Open Content Network | A platform that allows integration of third-party learning content providers with SuccessFactors LMS. |
MODC | Massive Online Open Course | A type of online course aimed at unlimited participation and open access via the web. |
LMS | Learning Management System which is attached to the BizX | A system attached to BizX that manages learning content, tracking, and user training. |
API | Application Programming Interface | |
ODATA | Industry standard protocol to invoke API Calls | A RESTful API standard used to query and update data from SAP and other systems. |
Token | A security artifact used for authentication and authorization | In OAuth2 and OIDC, tokens (e.g., access tokens, ID tokens) grant secure access to resources. |
BizX | The SuccessFactors System | SAP SuccessFactors Business Execution (BizX) Suite, which includes various HR and talent management modules. |
OIDC | OpenID Connect | An authentication layer on top of OAuth2 that allows clients to verify user identity based on authentication performed by an authorization server. |
OAuth2 | Open Authorization 2.0 | A widely used authorization framework enabling secure access delegation without exposing credentials. |
SAML | Security Assertion Markup Language | An XML-based open standard for exchanging authentication and authorization data between parties, commonly used for single sign-on (SSO). |