# Set up a SAP SuccessFactors SCIM connector

> C1 provides identity governance for SAP SuccessFactors. Integrate your SAP SuccessFactors instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.

## Which SAP SuccessFactors connector should I use?

C1 offers two SAP SuccessFactors connectors. Which one you should set up depends on what data you need to bring into C1.

* **[SAP SuccessFactors connector](/baton/successfactors-odata)**: This connector uses the SAP OData v2 API and is the best choice if you need rich user profile data, including custom fields exposed via OData navigation properties (such as department, cost center, or job title). It is also the right choice if your SAP SuccessFactors instance does not have SCIM enabled.

* **[SAP SuccessFactors SCIM connector](/baton/successfactors-scim)**: This connector uses the SCIM API and is the best choice if you need visibility into group memberships in addition to users. It follows the SCIM standard, which makes it simpler to configure if your instance already has SCIM provisioning enabled.

| Resource           | SAP SuccessFactors connector (OData) | SAP SuccessFactors SCIM connector |
| :----------------- | :----------------------------------- | :-------------------------------- |
| Users              | Sync                                 | Sync                              |
| Groups             |                                      | Sync                              |
| Custom user fields | Sync                                 |                                   |

## Capabilities

| Resource | Sync                                                          | Provision |
| :------- | :------------------------------------------------------------ | :-------- |
| Users    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |
| Groups   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |           |

## Gather SAP SuccessFactors credentials

Configuring the connector requires you to pass in credentials generated in SAP SuccessFactors. Gather these credentials before you move on.

<Warning>
  A user with **Admin** permissions in SAP SuccessFactors must perform this task.
</Warning>

### Register an OAuth application

<Steps>
  <Step>
    Log into your SAP SuccessFactors account and navigate to the **Admin Center**.
  </Step>

  <Step>
    Search for the **API Center** module.
  </Step>

  <Step>
    Click on **OAuth Configuration for OData**, or search directly for **Manage OAuth2 Client Applications**.
  </Step>

  <Step>
    Click **Register Client Application**.
  </Step>

  <Step>
    Enter the **Application Name** and the **Application URL**, and provide your X.509 certificate without the header or footer.

    <Warning>
      Do **not** use the certificate generated by SAP SuccessFactors. The private key generated by the built-in capability is corrupted. Use your own X.509 certificate.
    </Warning>
  </Step>

  <Step>
    Click **Register**.
  </Step>

  <Step>
    Find the application you just created in the list and click **View**.
  </Step>

  <Step>
    Copy the value in the **API Key** field. This will be used as the **SAML API Key** when configuring the connector.
  </Step>
</Steps>
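
The following added example (not part of the C1 or SAP documentation) shows one way to create your own certificate with OpenSSL, print it without the header and footer lines for the registration form, and confirm that the certificate and private key belong together before you upload them. The file names, common name, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example; file names, the CN, key size and validity are assumptions.

# Create an RSA private key and a self-signed X.509 certificate, both PEM.
# $1 = key file, $2 = certificate file, $3 = subject common name
make_keypair() {
  ( umask 077   # keep the private key readable by its owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=$3" -keyout "$1" -out "$2" )
}

# Print a PEM file's base64 body without its BEGIN/END lines, which is what
# "without the header or footer" refers to in the registration step.
pem_body() {
  grep -v -e '-----BEGIN' -e '-----END' "$1" | tr -d '\r'
}

# Succeed only when the certificate ($1) and private key ($2) share the same
# public key. Upload only a pair that passes this check.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Typical use:
#   make_keypair private_key.pem certificate.pem c1-connector
#   cert_matches_key certificate.pem private_key.pem && pem_body certificate.pem
```
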

### Grant the admin user the necessary permissions

<Steps>
  <Step>
    Navigate to **Admin Center** > **Manage Permission Groups** and create a new permission group that includes the admin user.
  </Step>

  <Step>
    Navigate to **Manage Permission Roles** and create a new permission role.
  </Step>

  <Step>
    Grant the permission role the following **Manage Identity Account and Group** permissions:

    * Read Access to SCIM User API
    * Read Access to SCIM Group API
  </Step>

  <Step>
    Assign the newly created permission role to the permission group you created.
  </Step>
</Steps>

### Look up your Company ID

<Steps>
  <Step>
    Navigate to your profile menu and select **Show version information**.
  </Step>

  <Step>
    Carefully copy and save the **Company ID**.
  </Step>
</Steps>

### Look up your Instance URL

<Steps>
  <Step>
    Refer to the SAP SuccessFactors documentation and look up your API server.
  </Step>

  <Step>
    Carefully copy and save the API server URL (for example, `https://api4.successfactors.com`).
  </Step>
</Steps>

**Done.** Next, move on to the connector configuration instructions.

## Configure the SAP SuccessFactors SCIM connector

<Warning>
  To complete this task, you'll need:

  * The **Connector Administrator** or **Super Administrator** role in C1
  * Access to the set of SAP SuccessFactors credentials generated by following the instructions above
</Warning>

<Tabs>
  <Tab title="Cloud-hosted">
    **Follow these instructions to use a built-in, no-code connector hosted by C1.**

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **SAP SuccessFactors** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new SAP SuccessFactors connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Fill in the following fields:

        * **Company ID**: Your SAP SuccessFactors company ID
        * **SAML API Key**: The API key from your registered OAuth application
        * **Certificate**: Upload your PEM-encoded X.509 certificate file
        * **Private Key**: Upload your PEM-encoded RSA private key file
        * **Instance URL**: Your SAP SuccessFactors API server URL
        * **Issuer URL**: Your SAML issuer domain
        * **Admin user ID**: The ID of the admin user configured with SCIM permissions
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your SAP SuccessFactors SCIM connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    **Follow these instructions to use the SAP SuccessFactors SCIM connector, hosted and run in your own environment.**

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Resources

    * [GitHub repository](https://github.com/conductorone/baton-successfactors-scim): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new SAP SuccessFactors SCIM connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new SAP SuccessFactors SCIM connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)

        * Add the connector to a managed app (select from the list of existing managed apps)

        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your SAP SuccessFactors SCIM connector deployment:

    #### Secrets configuration

    ```yaml
    # baton-successfactors-scim-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-successfactors-scim-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # SAP SuccessFactors credentials
      BATON_COMPANY_ID: <SAP SuccessFactors company ID>
      BATON_SAML_API_KEY: <SAML API key>
      BATON_INSTANCE_URL: <SAP SuccessFactors API server URL>
      BATON_ISSUER_URL: <SAML issuer URL>
      BATON_ADMIN_ID: <Admin user ID>

    ---
    # baton-successfactors-scim-pem-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-successfactors-scim-pem-secrets
    type: Opaque
    stringData:
      certificate.pem: |
        <PEM-encoded X.509 certificate>
      private_key.pem: |
        <PEM-encoded RSA private key>
    ```

    See the connector's README or run the connector with `--help` to see all available configuration flags and environment variables.

    #### Deployment configuration

    ```yaml expandable
    # baton-successfactors-scim.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-successfactors-scim
      labels:
        app: baton-successfactors-scim
    spec:
      selector:
        matchLabels:
          app: baton-successfactors-scim
      template:
        metadata:
          labels:
            app: baton-successfactors-scim
            baton: "true"  # label values must be strings, so the boolean is quoted
            baton-app: successfactors-scim
        spec:
          containers:
          - name: baton-successfactors-scim
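            # For production, pin a release tag or image digest instead of :latest;
            # with IfNotPresent a node keeps whichever :latest it pulled first.
            image: ghcr.io/conductorone/baton-successfactors-scim:latest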
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-successfactors-scim
            - name: BATON_CERTIFICATE
              value: /etc/baton/certs/certificate.pem
            - name: BATON_PRIVATE_KEY
              value: /etc/baton/certs/private_key.pem
            envFrom:
            - secretRef:
                name: baton-successfactors-scim-secrets
            volumeMounts:
            - name: pem-certs
              mountPath: /etc/baton/certs
              readOnly: true
          volumes:
          - name: pem-certs
            secret:
              secretName: baton-successfactors-scim-pem-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the SAP SuccessFactors SCIM connector to. SAP SuccessFactors data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your SAP SuccessFactors SCIM connector is now pulling access data into C1.
  </Tab>
</Tabs>
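
Step 3 of the self-hosted procedure, as an added example (not taken from the connector's repository): it refuses to apply a secrets manifest that still contains an unfilled `<...>` placeholder, then creates the namespace if needed, applies both manifests and waits for the rollout. The namespace name `baton` and the manifest paths passed as arguments are assumptions; the deployment name comes from the manifest above.

```shell
#!/bin/sh
# Added example. The namespace name is a hypothetical default.
NAMESPACE="${NAMESPACE:-baton}"

# List lines whose value is still a <...> placeholder from the template.
# kubectl accepts such values as ordinary strings, so the connector would
# start with credentials that can never authenticate.
has_placeholders() {
  grep -n -E ':[[:space:]]*<[^>]+>[[:space:]]*$|^[[:space:]]*<[^>]+>[[:space:]]*$' "$1"
}

# $1 = secrets manifest, $2 = deployment manifest
deploy_connector() {
  secrets=$1 deployment=$2
  if has_placeholders "$secrets" >&2; then
    echo "refusing to apply: placeholders remain in $secrets" >&2
    return 1
  fi
  # Create the namespace only when it does not exist yet.
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 ||
    kubectl create namespace "$NAMESPACE" || return 1
  # Secrets first, so the pod can mount them when the deployment starts.
  kubectl -n "$NAMESPACE" apply -f "$secrets" || return 1
  kubectl -n "$NAMESPACE" apply -f "$deployment" || return 1
  # Block until the pod is ready or the timeout expires.
  kubectl -n "$NAMESPACE" rollout status \
    deployment/baton-successfactors-scim --timeout=120s
}

# Typical use:
#   deploy_connector baton-successfactors-scim-secrets.yaml baton-successfactors-scim.yaml
```
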
