Skip to main content
Skip to article
  • Qualtrics Platform
    Qualtrics Platform
  • Customer Journey Optimizer
    Customer Journey Optimizer
  • XM Discover
    XM Discover
  • Qualtrics Social Connect
    Qualtrics Social Connect

Configuring SuccessFactors Tasks with OAuth Credentials

Was this helpful?


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The feedback you submit here is used only to help improve this page.

That’s great! Thank you for your feedback!

Thank you for your feedback!

About Configuring SuccessFactors Tasks with OAuth Credentials

You can pull employee data directly from SuccessFactors into the Qualtrics platform through the use of workflows extraction tasks. However, SuccessFactors requires the configuration of an OAuth2 client in order for Qualtrics to retrieve data from their system. Prerequisite actions must be performed via the SuccessFactors Admin Portal in order to set up Qualtrics extraction tasks for the first time.

Step 1: Create an X.509 Certificate

Attention: If you already have an X.509 certificate that you can use for configuring the OAuth2 Application Client, you can skip this step.

To generate a new certificate, SuccessFactors recommends using OpenSSL with the following command:

openssl req -nodes -x509 -sha256 -newkey rsa:2048 -keyout private.pem -out public.pem
Qtip: Values used for some certificate properties like Organization Name and Email Address are not validated and can be left empty.

Shows certificate generation in OpenSSL panel.

After running this program, two text files will be generated: public.pem and private.pem, which are highlighted above. To view the contents of these files, you can open them in any text file editor. Alternatively, use the “ls” and “cat” commands in the OpenSSL terminal.
Shows the generated certificate keys to be copied in Step 1.

  1. public.pem: Contains the public key for the X.509 certificate. This will be used in the Successfactors OAuth client configuration.
  2. private.pem: Contains the private key for the X.509 certificate. This will be used while configuring the Qualtrics workflow tasks.
Qtip: These values must be enclosed in the “—–BEGIN PRIVATE KEY—–” and “—–END PRIVATE KEY—–” delimiters.
Attention: Qualtrics Support cannot help configure SuccessFactors authentication keys. If you need extra help, reach out to the SuccessFactors’ support team or read their documentation here.

Step 2: Register an OAuth2 Client Application

  1. Login to your SuccessFactors Admin Center. Note the API Domain, Company ID, and Username.
    Successfactors login screen with key IDs highlighted.
  2. Click API Center.
    Successfactors API center
  3. Click OAuth Configuration for OData.
    Successfactors OAuth configuration menu item.
  4. Click Register Client Application.
    Successfactors button for registering a new client for authentication.
  5. Paste the public key generated from the X.509 Certificate into the space provided.
    Setup menu for OAuth configuration, highlights where to input the public key generated in step 1.
  6. Click Register.
  7. View the newly registered OAuth2 Client Application.
    Where to view the newly created successfactors authenticator client.
  8. Copy and save the API Key. This will be used in the third step.
    HIghlights the API key created from SuccessFactors. This will need to be copied.

Step 3: Configure the SuccessFactors Account in the Qualtrics Task

The above steps have provided you with the information needed to follow the Qualtrics data extraction workflow instructions:
Shows the information required to input into a Qualtrics Data Extraction Task.

  1. Name: Descriptive name for the connection.
  2. Username: Your SAP User ID.
  3. API Key: Generated by the registered OAuth2 application.
  4. Datacenter domain: Domain part of the SuccessFactors Admin Center URL, shown in the first step of registering an OAuth2 application.
  5. 509 Certificate Private Key: Private Key value generated by the X.509 certificate set-up. The private key should be in PKCS8 format.
  6. Company ID: Company ID for SuccessFactors instance, shown in the first step of registering an OAuth2 application.

Updating SuccessFactors Credentials

You cannot edit a connection once it is added to the workflow. To update the connection settings, you must create a new account and incorporate the necessary edits. Open your workflows task and click Add a user account.
Shows how to add a new account to the worflows task pane.

If you are no longer using your previous connection, you can delete it by clicking the three dots on the right-hand side and selecting Remove account.
Shows how to remove an account from the workflows task pane.

Troubleshooting Authentication Errors

If the OAuth connection settings are misconfigured, an error message will show when you try to save your credentials. To resolve these issues, reconfigure the task with the corrected credentials following the steps above.

Error Code Error Message Explanation
SFSF_2 You’re not allowed to access APIs using Basic Authentication or OAuth on this server. Please use the API server instead. The server URL provided in the connection configuration is not supported with OAuth connections and needs to be updated. New credentials will need to be configured using a server from this list.

If you do not see your domain on this list, please reach out to SuccessFactors support.
SFSF_3 The domain “{Domain}” associated with the task’s credential is not a valid SuccessFactors domain The domain field of the credential configuration is not valid. New credentials will need to be configured.
SFSF_5 Credentials not found The credentials associated with the configuration could not be found. New credentials need to be configured.
SFSF_6 Credentials missing fields The credentials are not configured correctly. To resolve, create a new configuration following the steps above.
SFSF_7 Authorization Scheme not supported Indicates the use of Basic Auth scheme credentials. Basic Auth credentials are deprecated and will no longer work. To resolve, create new credentials following the steps above.
SFSF_8 Private key must be in PKCS8 format The X.509 certificate private key provided is not in the required PKCS8 format. The private key should have the format:

-----BEGIN PRIVATE KEY-----
[key data]
-----END PRIVATE KEY-----

If the key does not have this fromat, copy and paste the OpenSSL command:

openssl req -nodes -x509 -sha256 
-newkey rsa:2048 -keyout 
private.pem -out public.pem
SFSF_8 Unexpected response code from request to url: https://successfactors.com/oauth/token, response status:401, error: Unable to authenticate the client (Login failed – invalid user)

OR

Unexpected response code from request to url: https://successfactors.com/oauth/token, response status:401, error: Unable to map “{User ID” to a valid BizX User ID

 The username provided in the connection configuration is not a valid SAP User ID in the company’s SuccessFactors instance. In SAP, usernames can be different from the User ID and Person ID, although they are often the same.
SFSF_8 Invalid client credentials

OR

Unable to validate “api_key” in the SAML assertion

 The API key provided in connection configuration is incorrect.

Troubleshooting Non-Authentication Errors

If the workflow run shows a different error, it could indicate a misconfiguration issue unrelated to OAuth.

Error Code Error Message Explanation
SFSF_1 Error messages could vary based on context of issue An unexpected error occurred. Reach out to Qualtrics support.
SFSF_2 Unexpected response from SuccessFactors. Please check your configuration and try again We received an error that we do not recognize from SuccessFactors. This indicates a configuration issue, so check your configuration and reach out to Qualtrics support if the error persists.
SFSF_2 Properties “{PropertyName}” are not accessible The “{PropertyName}” in SuccessFactors is not available via the SuccessFactors OData API. To resolve, remove the property from the configuration and try again.
SFSF_2 Invalid property names: “{PropertyName}” “{PropertyName}” does not exist in your SuccessFactors instance. Remove the property from the configuration and try again.