SAP SuccessFactors setup guide

This guide describes the steps to integrate the Open Content Network (OCN) provider SoSafe into the SAP SuccessFactors Learning Management System (LMS). The guide covers the necessary preparations, configurations, and the connection to SAP Identity Authentication Service (IAS) and SuccessFactors (BizX). Note that while we have worked hard to make this document as thorough as possible, your personal SAP SuccessFactors implementation might require you to deviate from this guide.Y ou may thus need an SAP SF expert (internal or third-party partner) for assistance with this. Any costs or arrangements for your SAP SF configuration are handled directly between you and your chosen partner.

1. Overview

These will be the key steps:

• Preparation and information gathering

• Creating roles and permission groups in BizX:

  • OCN_ADMINS

  • OCN_API_USERS

• Creating the following users in BizX:

  • SOSAFE_OCN_ADMIN

  • SOSAFE_OCN_API_USER

• Creating roles in LMS

• Creating administrators in LMS

OCN_ADMINS are used to log in to BizX and LMS. They are LMS administrators. This access is used in development and testing environments to perform and verify integration. In production, this account can be omitted. OCN_API_USERS are used for accessing the OCN and BizX APIs.

1.1 Preparation and information gathering

Before starting the integration, the following information about your system is required:

• System overview: Existing SuccessFactors modules and their configuration

  • Is Employee Central (EC) used?

  • User synchronization: Check whether LMS is directly synchronized with BizX or if all LMS-relevant permissions are assigned only within LMS. If permissions are configured exclusively in LMS, the OCNADMIN can be created as an "empty" user in BizX without roles (CSV import).

• Authentication mechanisms: Review of OAuth2 and IAS configuration

1.2 Different setups of user provisioning and SSO implementation

There are various ways user provisioning can be implemented in your environment. It can affect the usernames used in Single Sign-On (SSO) and where the application obtains its token from and must be registered as an OAuth application. This guide assumes that SuccessFactors (BizX) is always the leading system, and that the external application is registered there as an OAuth2 application. There may be other scenarios where the token must be obtained from Cloud Identity Service or EntraID.

1.3 Checking user synchronization in the Integration Center

2. Configuration of SuccessFactors (BizX)

Process overview:

• Create permission groups

• Create permission roles

• Create users

• Register OAuth2 client application

2.1 Creating users

Importing users via CSV

Creating the CSV template

• Log in to BizX as an administrator and navigate to Admin Center → Employee Export.

  • Select the Export Template button. The other two buttons, Export User Fil and Export External 360 Raters, are not used.

  • Pay attention to possible settings and adjust them according to your operating system and CSV editor (Excel, OpenOffice, Numbers), as special characters (such as umlauts) may not display correctly otherwise.

    

  • Open the exported csv-template and add the following users:

    

• Save the file and export it as a CSV file.

  • Navigate to BizX → Admin Center → Import Employee Data

    

    

  • Select Import Data under Select the action you want to perform

  • Choose Basic Import under Select an Entity

  • Select the previously exported CSV file under Choose File

  • Adjust File Encoding and File Locale to match the export settings.

  • Select Validate Import File Data at the bottom of the page. Adjust the CSV file until the validation is successful.

  • Finally, click Import.

• Verify that the two users were created:

  

  

• Verify that the users are synchronized from BizX to the LMS:

  • Open Integration Center and click on My Integrations.

    

  • Depending on the synchronization interval, the job may need to be run manually.

    

  • Afterwards, check the LMS admin area to confirm that users were created successfully.

Manually creating users in BizX

• Manually create OCN admin user in BizX

  • First Name: SOSAFE

  • Last Name: OCN-ADMIN

  • Assign Permissions: OCN_Integration_Admin_Role

• Manually create API user in BizX

  • Username: SOSAFE_API_USER

  • Assign Role: SOSAFE_API_USER_ROLE

Setting a Password for the added users

A password is not required for SOSAFE_API_USER because API calls use OAuth2 authentication with SAML Bearer Assertion. For SOSAFE_OCN_ADMIN, a password is only set in BizX if NO identity provider (IAS / EntraID) is used.

Setting password in BizX

Please note that for SSO users, the new password entered here only impacts basic authentication and token-based SSO. To reset passwords for SSO users, go to the identity provider administrator panel.

Sretting password in IAS

• Open IAS (Example: https://a0w8gjlxv.accounts.cloud.sap/admin)

• Navigate to Identity Provisioning → Source Systems

  

• Select Jobs → Read Job → Run now

  

• Verify that the users were synchronized

  

• Two users should be synchronized

  

• Go to User Management and search for SOSAFE_OCN_ADMIN

  

  

• Select Authentication

  

• Set an initial password for SOSAFE_OCN_ADMIN

  

  

• The user can now log in to SuccessFactors (BizX) and access Learning Administration.

2.2 Creating permission groups

Search for Manage Permission Groups

OCN_Admins

Create the following group:

• Group name: OCN_ADMINS

• Contains User: SOSAFE_OCN_ADMIN

• Assigned Role: OCN_Integration_Admin_Role

• Add the imported user to the appropriate permission group:

  • OCN-ADMINS for administrators

  • OCN-API-USERS for API Users

OCN_API_USERS

Create the following group:

• Group name: OCN_API_USERS

• Contains User: SOSAFE_API_USER

• Assigned Role: OCN_API_USER_ROLE

2.3 Creating permission roles

Search for Manage Permission Roles

OCN Integration Admin Role

Create the following role:

• Name: OCN_Integration_Admin_Role

• Permissions

  • Learning → Enable Learning Access Permission

  • Administrator Permissions → Enable Learning Admin Access Permission

Add Role Assignment for OCN_ADMIN_USER_ROLE

• Click on Add Role Assignment

  

• Add basic information

  

Choose from Groups, followed by Select Group

• Add group OCN_ADMINS

• Define Target Population

  

SFSF (BizX) API User Role

Create the following role:

• Name: OCN_API_USER_ROLE

• API Access Permissions

• Recommended minimum permissions for OCN-API-USER

  • User Permissions

• Learning

  • Learning Access Permission

  • Options menu (only works if set to use RBP in provisioning)

• Administrator Permissions

  • Manage Learning

  • Learning Admin Access Permission

Add Role Assignment for OCN_API_USER_ROLE

• Add Role Assignment

  

• Basic Information

  

• Grant Access to

• Select Group OCN_API_USERS

  

2.4 Adding OAuth2 Client Application

• Navigate to Admin Center → Manage OAuth2 Client Applications

• Create application: OCN SOSAFE

• Bind to User SOSAFE_API_USER und SOSAFE_OCN_ADMIN

• Generate and upload X.509 certificate:

  • openssl req -nodes -x509 -sha256 -newkey rsa:2048 -keyout private.pem -out public.pem -days 3650

3. Configuration of the Learning Management System (LMS)

3.1 Basic configuration

Completion status

• ONLINE_COMPLETED: completed

• ONLINE_EXAM_PASSED: passed

ItemType / ComponentType

• ONLINE: Online training without an exam

• ONLINE_EXAM: Online training with an exam

Define labels

• label.u.SOSAFE → “Sosafe OCN Learning Provider”

3.2 Configuration of the OCN provider in LMS

Register the provider by navigating to System Administration → Content → Open Content Network

New Provider: SOSAFE

Enter API credentials

Configure system properties

System Administration → Configuration → System Configuration → OPEN_CONTENT_NETWORK

Example Configuration:

providers[SOSAFE].enabled=true

providers[SOSAFE].syncCourses=true

providers[SOSAFE].name=Sosafe

providers[SOSAFE].label=label.ProviderSosafe

providers[SOSAFE].baseLaunchUrl=https://sosafe.de

providers[SOSAFE].pricingModel=SUBSCRIPTION

defaultValues.autoImportOCNCourseEnabled[SOSAFE]=true

3.3 User management in LMS

Check if the integration job has already synchronized the users. If not, run the job manually.

Creating users in LMS without synchronization

If you do not use an integration job to synchronize users between BizX and LMS, the two users SOSAFE_API_USER and SOSAFE_OCN_ADMIN must be created manually in LMS.

Creating the role “OCNADMIN”

• Navigate to System Administration → Security → Role Management → Add New

  

  

  • Role ID: OCNADMIN

  • Description: Admin role for Open-Content-Network (OCN) Providers

  • Select the security domain according to your security concept.

• Assign permissions

  

Creating the OCN administrator in LMS

• Navigate to System Administration → Security → Administrators

• Create a new administrator

  

  • Admin ID: SOSAFE_OCN_ADMIN

  • Last Name: OCN_ADMIN

  • First Name: SOSAFE

  • Role: Learning Administrator: Assign the role OCNADMIN

    

Creating the OCN API user as an administrator in LMS

4. Implementation of Single Sign-On (SSO)

5. Important notes

API limits and performance optimization

Observe throttling limits for Learning OData APIs Recommended documentation:

• 2804267 - SAP SuccessFactors Learning Product Guidelines & Best Practices

• 2318296 - Implementing Open Content Network (OCN) with SuccessFactors Learning (LMS)

6. Glossary