> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up a SAP SuccessFactors connector
> C1 provides identity governance for SAP SuccessFactors. Integrate your SAP SuccessFactors instance with C1 to run user access reviews (UARs) and gain visibility into your workforce identities.
## Which SAP SuccessFactors connector should I use?
C1 offers two SAP SuccessFactors connectors. Which one you should set up depends on what data you need to bring into C1.
* **[SAP SuccessFactors connector](/baton/successfactors-odata)**: This connector uses the SAP OData v2 API and is the best choice if you need rich user profile data, including custom fields exposed via OData navigation properties (such as department, cost center, or job title). It is also the right choice if your SAP SuccessFactors instance does not have SCIM enabled.
* **[SAP SuccessFactors SCIM connector](/baton/successfactors-scim)**: This connector uses the SCIM API and is the best choice if you need visibility into group memberships in addition to users. It follows the SCIM standard, which makes it simpler to configure if your instance already has SCIM provisioning enabled.
| Resource | SAP SuccessFactors connector (OData) | SAP SuccessFactors SCIM connector |
| :----------------- | :----------------------------------- | :-------------------------------- |
| Users | Sync | Sync |
| Groups | | Sync |
| Custom user fields | Sync | |
## Capabilities
The SAP SuccessFactors connector syncs the following resources:
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :-------- |
| Users | | |
## Gather SAP SuccessFactors credentials
To configure the SAP SuccessFactors connector, you need administrator access to your SAP SuccessFactors instance.
The connector authenticates using **OAuth 2.0 with SAML 2.0 bearer assertions**. You will need to create an OAuth client application in SAP SuccessFactors and generate a certificate/private key pair to sign the assertions.
### Step 1: Find your Company ID
Your Company ID appears in the URL when you log in to SAP SuccessFactors:
`https://.successfactors.com/sf/start#/...?company=`
It is also visible in **Admin Center** > **Company System and Logo Settings**.
### Step 2: Create an OAuth client application
In SAP SuccessFactors, navigate to **Admin Center** > **OAuth 2.0 Client Applications** (search for "OAuth" in the admin search bar).
Click **Register Client Application**.
Fill in the required fields:
* **Application Name**: `C1`
* **Description**: `C1 identity sync`
* **Application URL**: your C1 tenant URL
Note the **API Key** generated for this client — this is your `app-api-key`.
### Step 3: Generate a certificate and private key
You must create and sign your own certificate. Certificates generated by SAP SuccessFactors cannot be used by the connector.
Generate a self-signed certificate and RSA private key pair (PEM format). You can use OpenSSL:
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
openssl req -x509 -newkey rsa:2048 -keyout private-key.pem -out certificate.pem \
-days 365 -nodes -subj "/CN=C1"
```
### Step 4: Register the certificate with the OAuth client
In the OAuth client application you created, click **Add Certificate**.
Upload or paste the contents of `certificate.pem`. When uploading, remove the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, leaving only the base64-encoded body.
### Step 5: Identify the admin username
Provide the SAP SuccessFactors username of the admin account that will be used to authenticate API requests. This user must have API access permissions.
***
## Configure the SAP SuccessFactors connector
Follow these instructions to use a built-in, no-code connector hosted by C1.
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **SAP SuccessFactors** and click **Add**.
Choose how to set up the new SAP SuccessFactors connector:
* Add the connector to a currently unmanaged app
* Add the connector to a managed app
* Create a new managed app
Set the owner for this connector.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter the required configuration:
* **Company ID**: Your SAP SuccessFactors company identifier
* **Instance URL**: Your SAP SuccessFactors API base URL, e.g. `https://api10.sapsf.com`. Refer to the [SAP SuccessFactors API server list](https://help.sap.com/docs/successfactors-platform/sap-successfactors-api-reference-guide-odata-v2/list-of-sap-successfactors-api-servers) to find your server.
* **SAML Issuer URL**: The issuer URL for your SAML assertion, e.g. `https://yourcompany.com`
* **Admin Username**: The SAP SuccessFactors username of the admin account used for API access
* **SAML API Key**: The API key from the OAuth client application you registered
* **Certificate**: The PEM-encoded X.509 certificate registered with the OAuth client
* **Private Key**: The PEM-encoded RSA private key corresponding to the certificate
Optionally, configure **User Custom Fields** to sync additional fields into user profiles.
Each entry maps the path to a field in the SAP SuccessFactors user entity, to the name it will appear under in the user's profile in C1. For example, to include the user's department:
| OData field path | Profile key |
| :------------------- | :----------- |
| `departmentNav/name` | `Department` |
**Finding available fields**
The connector is based on the `EmpJob` entity in the SAP SuccessFactors OData API. To explore what fields are available:
1. In your SAP SuccessFactors instance, go to **Admin Center** and search for **API Center**.
2. Open the **OData API Data Dictionary**.
3. Search for the `EmpJob` entity — this is the starting point for user data.
4. From there, you can navigate to sub-entities (for example, `departmentNav`, `jobCodeNav`, `locationNav`) and inspect the fields they contain.
Use the entity path relative to `EmpJob` as the **OData field path**. For example, `departmentNav/name` refers to the `name` field inside the `departmentNav` navigation property.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your SAP SuccessFactors connector is now pulling user data into C1.
Follow these instructions to use the [SAP SuccessFactors](https://github.com/ConductorOne/baton-successfactors-odata) connector, hosted and run in your own environment.
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.
### Step 1: Set up a new SAP SuccessFactors connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new SAP SuccessFactors connector:
* Add the connector to a currently unmanaged app
* Add the connector to a managed app
* Create a new managed app
Set the owner for this connector.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your SAP SuccessFactors connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-successfactors-odata-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-successfactors-odata-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# SAP SuccessFactors credentials
BATON_COMPANY_ID:
BATON_INSTANCE_URL:
BATON_ISSUER_URL:
BATON_ADMIN_USERNAME:
BATON_APP_API_KEY:
BATON_CERTIFICATE:
BATON_PRIVATE_KEY:
```
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-successfactors-odata.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-successfactors-odata
labels:
app: baton-successfactors-odata
spec:
selector:
matchLabels:
app: baton-successfactors-odata
template:
metadata:
labels:
app: baton-successfactors-odata
baton: "true"
baton-app: successfactors-odata
spec:
containers:
- name: baton-successfactors-odata
image: public.ecr.aws/conductorone/baton-successfactors-odata:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-successfactors-odata
envFrom:
- secretRef:
name: baton-successfactors-odata-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the SAP SuccessFactors connector to. User data should be visible on the **Accounts** tab.
**Done.** Your SAP SuccessFactors connector is now pulling user data into C1.
***
All versions of this connector are available at [dist.conductorone.com](https://dist.conductorone.com/ConductorOne/baton-successfactors-odata).