SuccessFactors Integration with SuccessFactors Spoke

This is a great write up and resource! 

An additional note on the credentials setup for spoke v4.x.x - do not use the auto-generated pem file from SuccessFactors. This format will not work. Additionally the private key generated is encrypted, preventing adding it to a key store.

• The client's security team needs to provide a self-signed certificate and corresponding private key.
  • Add this certificate to X.509 certificate section when registering the OAuth client in SuccessFactors.
  • They should generate a corresponding java key store (.jks) file with the certificate and private key. This is the file that the ServiceNow admin will need to setup the X.509 certificate record in ServiceNow.
    • Note the key store password and alias as it will be required later in ServiceNow to create the X.509 certificate record, and the SAML2 Assertion Key store records, along with the API key.

@Seema Hegde I was facing the same issue thanks for adding this info.

I also wanted to check if you faced any error called "Assertion missing in OAuth request" and "Missing required parameters:access_token"

I think my SAML assertion producer is not generating the assertion properly which is the request parameter in OAuth request and may be because of that assertion miss its not generating the access token which is throwing an error saying missing access token 

Please let me know if you faced this issue 

Thanks

Mohith Devatte

@Mohith Devatte I think I recall seeing an error message about access token at one point. But ultimately the issue was my Key store, and making sure that I had the right key store password and alias.

Double-check your SAML2 assertion keystore and attribute:

• Make sure in your assertion keystore you have the correct keystore alias and password. The password should match the one you have on the X.509 keystore (I got errors when I had a mismatch)
• Make sure your API key in the assertion attribute is the same as the client ID in your application registry.

Could you, please, explain how to use SF webhook and Intelligent Services Center?

@Seema Hegde I am trying to connect SuccessFactors using the spoke, but getting the following error when I try to get OAuth token:
"OAuth flow failed. Verify the configurations and try again. Error detail:invalid_request, Missing parameters: access_token"
Could you please suggest how to resolve this. Thank you!

@Mohith Devatte Were you able to get around the "Assertion missing in OAuth request" and "Missing required parameters:access_token" issue. We seem to be encountering the same error.

@Vibhuti4 we were able to solve the issue by generating a new JKS certificate with the help of our certificate team.

As far as I know Assertion is the mandatory key  which will passed to Success factor as a parameter in order to get the OAuth token.

When this assertion key is passed to Success factors correctly, it will return us access token which will be valid for next 24 hours .So the issue  was we did not have a correct certificate generated from open SSL and once we generated correct set of certs with the help of our certificate team and validated the certificate , Assertion producer which is tagged to credentials started working properly and assertion key was produced correctly which in return gave us the access token.

Please verify the certs once and try .That will definitely solve the issue .

Thanks,

Mohith Devatte

@Mohith Devatte ,

We are also facing the same issue - We got .pem file from SuccessFactors, which has couple of encrypted info -

key and end user certificate.

We sent the .pem file to certificate authority team - and got .jks and .cer files;

In the SN configuration setup - I didn't find where the .cer file will be used; 

After following the setup steps - and clicking on "Get OAuth Token" at credentials 

Getting the error -

In the logs :

Signing key is not found for the assertion keystore with sys_id: xxxxxx com.snc.platform.security.oauth.saml2.SAML2AssertionException: Signing key is not found for the assertion keystore with sys_id: xxxxxxx

For everyone's reference, here are the steps I took to configure connectivity once I received the .jks file from the Successfactors side.

• In the filter navigator, under System Definition -> Certificates, create a new record .
  • Format: PEM, Type: Java. Key Store
  • Attach the provided java key store file to the record.
  • Validate the store
• In the filter navigator, under  System OAuth > Application Registry, create a new record "SuccessFactors OAuth Reg"
  • Add the provided API key as Client ID and set the token URL
• In the filter navigator, under  System OAuth > SAML2 Assertion Producers, create a new record "Successfactor SAML OAuth"
  • Set the Subject Name ID to the provided user account in SuccessFactors.
  • Under the SAML2 Assertion Keystores tab, create a new record and set the X.509 Keystore, keystore password, and keystore alias
• In the filter navigator, under  Connections & Credentials > Credentials, create Credential record for the OData API
  • Name: SAML_SuccessFactors_OData_Cred, Type: OAuth 2.0
  • Set OAuth entity profile to record that is associated with the OAuth application registry created
• In the filter navigator, under  Connections & Credentials > Credentials, created Credential record for the SOAP API
  • Name: SAML_SuccessFactors_SOAP_Cred, Type: OAuth 2.0
  • Set OAuth entity profile to record that is associated with the OAuth application registry created
• In the filter navigator, under  Connections & Credentials > Connection & Credential Aliases, update the stub connection record for the OData API "SuccessFactors_OData"
  • Add the related connection record "SAML_SuccessFactors_OData_Conn"
  • Set the credential to the previously created record
  • Set the Connection URL to the successfactors Data API (check with your Successfactors admin)
• In the filter navigator, under  Connections & Credentials > Connection & Credential Aliases, update the stub connection record for the SOAP API "SuccessFactors_Comp_Emp"
  • Add the related connection record "SAML_SuccessFactors_SOAP_Conn"
  • Set the credential to the previously created record
  • Set the Connection URL to the Compound Employee SOAP API (check with your Successfactors admin)
  • Set the attribute Company ID

Now you can test. Don't use the "Get Access Token" related link. Instead, go to flow designer, and search for the action "Login to Successfactors". Run that to test connectivity.

I hope this helps.

Hi All,

This is great Post, BTW did anyone tried using SAP CPI to connect to sucessfactor.If yes, please provide me details regarding the same.Thank you in advance

Great post Apurva, thanks a lot for your kindness to share your real time experience and challenges / issues. Also thank you Seema for adding more details around the issues commonly faced while implementing the spoke. I am not yet implementing this so can't realize the issues wrt assertion and certificates etc, but surely i can imagine it would be super helpful when I do it hands-on.

I have another question though - 

Which system is considered as right system to trigger the lifecycle events.? SuccessFactors or ServiceNow.?

is it different for different events, like Onboarding, Crossboarding (Transfers/ promotions etc) and Offboarding..

or is there some best practice to have just one system for all three.? 

or does it depend on system which is the source of truth.. 

or would that be based on the system that will be used to initiate and complete the activities involved as part of the event.. 

We have a requirement for Onboarding to trigger from SuccessFactors, but crossboarding and offboarding from ServiceNow, but what I understand is that - its not common / standard to initiate Crossboarding from ServiceNow because usually it is initiated from SuccessFactors and data flows through to ServiceNow.

Could you please share any information around this. Thanks.!

Regards,

Sagar

@anandpara_s  - there is no right or wrong way here. It depends on each company's preference on data updates to the HCM. If Onboarding is initiated on the ServiceNow portal, then data is pushed to HCM. It'll be similar for cross boarding. You will need to set up bi-directional integration, and evaluate the processes between systems to maintain data integrity and avoid overwriting.

I have some questions, if you can help me to solve them I would appreciate it, it is related to custom fields in SuccessFactor, what would be the recommendation to follow?

For example, in the flows and subflows that get Locations, departments, do we have to make changes in these flows?

Where are these custom fields stored once we get the data?

In case the custom fields are created automatically in the stagging tables, how can we change the transform map? To correctly map the new fields?

In which other parts of the platform do we have to make modifications related to the customs fields?

@Pablo Sanz ,

If you want to bring custom fields from SucessFactors to ServiceNow then you will need to modify the action, and subflow so that you can bring those data.

You will also need to modify the staging table and the destination table to house the data that you are fetching from SF and ofcourse the transform maps.

Essentiatelly even if there is a 1 field needed which is not OOTB, you will have a cascading effect and will have to modify many tables and flow components.

I hope this helped.

@Apurva16 

Hi Apurva,

We are fetching data from successfactors and transforming that data into ServiceNow(HR Profile table).

While running the complete load, we are getting below error. We are using Successfactors Spoke and copied one of the data stream action(Retrieve Job Profiles) which is available OOB. There are around 55k records that needs to be updated in ServiceNow.

Could you please share any information around this. Thanks.!

Regards,

Ankur

Hi @ankur40 ,

Please see my other article "https://www.servicenow.com/community/hrsd-articles/overcoming-integration-challenges-with-successfac... where we faced similar issue and the solution for it.

Hi @Apurva16 

We are also configuring the SuccessFactors Integration with SuccessFactors Spoke, Can you please help me on Signing Key Alias and Signing Key Password. These details will get from SuccessFactors team? 

@best1  yes, the certificate team should provide this along with the java keystroke (.jks) file.

A basic question, but I would just like to confirm one thing. I was looking at the documents provided by ServiceNow for the SuccessFactors spoke, but could not find it written that when a new account is created in SuccessFactors, this will automatically create a new account in ServiceNow. I am hoping this is the case, but is my understanding correct on this?

@KCH1 - It isn't necessarily automatic. You'll need to check your transform map configurations. When the spoke fetches the data from SF, it's pushed automatically to the staging (import set) table. From here, you can either set your transform maps to create new users, update new users, or neither, and only create/update the HR Profiles as needed.

@Seema Hegde Ah, I see. Thank you.

Hi @Seema Hegde 

while we are running the action from flow designer "Login into SuccessFactors", getting the below error.

Error: Login failure due to the invalid company!

Can you please review and help me to fix this issue/error?

@best1 - Check the "Company_ID" attribute in your SuccessFactors_Comp_Emp connection record. This should match the company id of the SuccessFactors instance that you're trying to connect to.

Hi @Seema Hegde 
Able to retrieve full data from SuccessFactors by clicking "Retrieve All Data"  check box but how delta load will execute?  "Retrieve Job Histories Modified From", Is the date will automatically update by system? Can you help me on this scenario

@best1 after the initial full load, you need to un-check the "Retrieve delta data" flag in the "Run success factors integration" flow. Then the triggered list of sub flows and actions checks the last run date of the corresponding subflow (retrieve_worker_profiles, retrieve_departments etc) and sets that as the value for the "modified from" input for the delta data.

If you are looking to integrate Successfactors for HRSD, check the plugin HSRD Integration with Successfactors as well.

Please reference the below post.

https://www.servicenow.com/community/hrsd-forum/hrsd-successfactors-spoke/m-p/2817453

Hi @Apurva16 

please find the architectural diagram

@Jishnu Jayakris per my understanding as of now only the admin user (system user) can be used to send the API queries. You need to pass the requester's User/person ID in the query to ensure that SF is updating the correct account

Can anyone help? 

We have an integration between ServiceNow and Success Factors using the Spoke. The aim is to a set of information from about users in an XML payload that can then be processed into user records in ServiceNow.

This is initiated by ServiceNow sending a query to Success Factors via SOAP, for example here is the latest query:

<urn:queryString>SELECT

                person

                ,personal_information

                ,address_information 

                ,email_information 

                ,phone_information 

                ,employment_information

                ,job_information 

                from CompoundEmployee 

                where last_modified_on >= to_DateTime('2025-05-22T10:30:00Z')

                and

                isContingentWorker IN ('true','false')

                and

                fromDate = to_date('2025-02-22', 'yyyy-MM-dd')

   and 

       toDate = to_date('2026-05-22', 'yyyy-MM-dd') 

            </urn:queryString>

The issues we have encountered so far on are journey are:

• First we had a query that pulled back recently updated records, this didn't work because for inactive users, that have a start date in the future, we did not get the essential personal and job information.
• To overcome that issue, we have added the fromDate/toDate parameters to the query, which means we now get the missing information, but it ignores the last_modified_on parameter, so we get all records in that date range. Not just the deltas.

So the question remains, what query can we send to SF that does the following:

• Get a user's full details including personal and job information
• Get this data for users with a start date in the future (so are inactive)
• Limit the results to only those that have changed recently. (so respects the last_modified_on parameter)

What we are ideally looking for is to write a query that achieves the above, in a format similar to the current query, that we can use to update the current 'deltaquery' being sent by ServiceNow.

Hello, @Apurva16 !
Awesome post and explanation! Already helped a lot!

However a question arises - how did you manage to trigger the Transform map?
I made a copy, activated - no auto transform. Created a data source with the Data Stream Action as well as a source and the first staging table as source. When I try to test the data source - it is kind of rewriting the staging table and gives error that the coalesce field has no value which is not true. But if you have managed to make it work without data source in a first place I would love to know how.

Thank in advance!

@Apurva16 I'm having this problem. The problem is in the "Login into SuccessFactors" subflow. The configuration is done according to the step-by-step ServiceNow documentation, and the credentials are correct. However, these errors occur, and when the action runs a soap test, it returns a 504 error.

Can you help me, please., with your comments o recommendation.

@JigyasaArorwere you able to solve that problem?

regards.

Hi Everyone,

Having a problem making an oath set up for successfactors.

the client send us the certificate in PEm format, but SNOW requires the jks format.

Is there a quick way to convert the pem file into a jks? Client is not proviiding the jks certificate and asks us to convert ourselves.