Stay up-to-date with every new feature in Qualtrics XM

LEARN MORE

Ready to try Qualtrics?

GET STARTED

Configuring SuccessFactors Tasks with OAuth Credentials

Suite

Employee Experience

Product

Qualtrics

What's on this page

About Configuring SuccessFactors Tasks with OAuth Credentials

You can pull employee data directly from SuccessFactors into the Qualtrics platform through the use of workflows extraction tasks. However, SuccessFactors requires the configuration of an OAuth2 client in order for Qualtrics to retrieve data from their system. Prerequisite actions must be performed via the SuccessFactors Admin Portal in order to set up Qualtrics extraction tasks for the first time.

Step 1: Create an X.509 Certificate

Attention: If you already have an X.509 certificate that you can use for configuring the OAuth2 Application Client, you can skip this step.

To generate a new certificate, SuccessFactors recommends using OpenSSL with the following command:

openssl req -nodes -x509 -sha256 -newkey rsa:2048 -keyout private.pem -out public.pem

Qtip: Values used for some certificate properties like Organization Name and Email Address are not validated and can be left empty.

Shows certificate generation in OpenSSL panel.

After running this program, two text files will be generated: public.pem and private.pem, which are highlighted above. To view the contents of these files, you can open them in any text file editor. Alternatively, use the “ls” and “cat” commands in the OpenSSL terminal.

Shows the generated certificate keys to be copied in Step 1.

public.pem: Contains the public key for the X.509 certificate. This will be used in the Successfactors OAuth client configuration.

private.pem: Contains the private key for the X.509 certificate. This will be used while configuring the Qualtrics workflow tasks.

Qtip: These values must be enclosed in the “—–BEGIN PRIVATE KEY—–” and “—–END PRIVATE KEY—–” delimiters.

Attention: Qualtrics Support cannot help configure SuccessFactors authentication keys. If you need extra help, reach out to the SuccessFactors’ support team or read their documentation here.

Step 2: Register an OAuth2 Client Application

Successfactors login screen with key IDs highlighted.

Click API Center.

Click OAuth Configuration for OData.

Successfactors OAuth configuration menu item.

Click Register Client Application.

Successfactors button for registering a new client for authentication.

Paste the public key generated from the X.509 Certificate into the space provided.

Setup menu for OAuth configuration, highlights where to input the public key generated in step 1.

Click Register.

View the newly registered OAuth2 Client Application.

Where to view the newly created successfactors authenticator client.

Copy and save the API Key. This will be used in the third step.

HIghlights the API key created from SuccessFactors. This will need to be copied.

Step 3: Configure the SuccessFactors Account in the Qualtrics Task

The above steps have provided you with the information needed to follow the Qualtrics data extraction workflow instructions:

Shows the information required to input into a Qualtrics Data Extraction Task.

Name: Descriptive name for the connection.

Username: Your SAP User ID.

API Key: Generated by the registered OAuth2 application.

Datacenter domain: Domain part of the SuccessFactors Admin Center URL, shown in the first step of registering an OAuth2 application.

509 Certificate Private Key: Private Key value generated by the X.509 certificate set-up. The private key should be in PKCS8 format.

Company ID: Company ID for SuccessFactors instance, shown in the first step of registering an OAuth2 application.

Updating SuccessFactors Credentials

You cannot edit a connection once it is added to the workflow. To update the connection settings, you must create a new account and incorporate the necessary edits. Open your workflows task and click Add a user account.

Shows how to add a new account to the worflows task pane.

If you are no longer using your previous connection, you can delete it by clicking the three dots on the right-hand side and selecting Remove account.

Shows how to remove an account from the workflows task pane.

Troubleshooting Authentication Errors

If the OAuth connection settings are misconfigured, an error message will show when you try to save your credentials. To resolve these issues, reconfigure the task with the corrected credentials following the steps above.

Error Code	Error Message	Explanation
SFSF_2	You’re not allowed to access APIs using Basic Authentication or OAuth on this server. Please use the API server instead.	The server URL provided in the connection configuration is not supported with OAuth connections and needs to be updated. New credentials will need to be configured using a server from this list. If you do not see your domain on this list, please reach out to SuccessFactors support.
SFSF_3	The domain “{Domain}” associated with the task’s credential is not a valid SuccessFactors domain	The domain field of the credential configuration is not valid. New credentials will need to be configured.
SFSF_5	Credentials not found	The credentials associated with the configuration could not be found. New credentials need to be configured.
SFSF_6	Credentials missing fields	The credentials are not configured correctly. To resolve, create a new configuration following the steps above.
SFSF_7	Authorization Scheme not supported	Indicates the use of Basic Auth scheme credentials. Basic Auth credentials are deprecated and will no longer work. To resolve, create new credentials following the steps above.
SFSF_8	Private key must be in PKCS8 format	The X.509 certificate private key provided is not in the required PKCS8 format. The private key should have the format: `-----BEGIN PRIVATE KEY----- [key data] -----END PRIVATE KEY-----` If the key does not have this fromat, copy and paste the OpenSSL command: `openssl req -nodes -x509 -sha256 -newkey rsa:2048 -keyout private.pem -out public.pem`
SFSF_8	Unexpected response code from request to url: https://successfactors.com/oauth/token, response status:401, error: Unable to authenticate the client (Login failed – invalid user) OR Unexpected response code from request to url: https://successfactors.com/oauth/token, response status:401, error: Unable to map “{User ID” to a valid BizX User ID	The username provided in the connection configuration is not a valid SAP User ID in the company’s SuccessFactors instance. In SAP, usernames can be different from the User ID and Person ID, although they are often the same.
SFSF_8	Invalid client credentials OR Unable to validate “api_key” in the SAML assertion	The API key provided in connection configuration is incorrect.

Troubleshooting Non-Authentication Errors

If the workflow run shows a different error, it could indicate a misconfiguration issue unrelated to OAuth.

Error Code	Error Message	Explanation
SFSF_1	Error messages could vary based on context of issue	An unexpected error occurred. Reach out to Qualtrics support.
SFSF_2	Unexpected response from SuccessFactors. Please check your configuration and try again	We received an error that we do not recognize from SuccessFactors. This indicates a configuration issue, so check your configuration and reach out to Qualtrics support if the error persists.
SFSF_2	Properties “{PropertyName}” are not accessible	The “{PropertyName}” in SuccessFactors is not available via the SuccessFactors OData API. To resolve, remove the property from the configuration and try again.
SFSF_2	Invalid property names: “{PropertyName}”	“{PropertyName}” does not exist in your SuccessFactors instance. Remove the property from the configuration and try again.

Was this helpful?

The feedback you submit here is used only to help improve this page.

That's great! Thank you for your feedback!

Thank you for your feedback!