Establishing a Connection
Configure a Connection Profile
From the CData ribbon, click Get Data and select From SAP SuccessFactors connection/s to launch the CData Query window. To setup a new connection, you will have to click the New SAP SuccessFactors Connection button. Here you can set the connection settings, test the connection, and save the connection profile.
Connecting to SAP SuccessFactors
The CData Excel Add-In for SAP SuccessFactors communicates to SAP SuccessFactors over the OData API, which is enabled by default. If you need to provide additional permissions, see this SAP Support Site article.You can authenticate to SAP SuccessFactors using Basic authentication (deprecated), Azure AD authentication, SAP IAS authentication or OAuth authentication (preferred).
Important: Basic Authentication is deprecated by SAP and will be permanently removed after November 13, 2026. It is recommended to migrate to OAuth, SAP IAS, or Azure AD authentication as soon as possible.
Required Connection Properties
Regardless of the selected AuthScheme, the following connection properties must be set to identify your SAP SuccessFactors environment:
- URL: The URL of the server hosting Success Factors. Some of the servers are listed here.
- CompanyId: The unique identifier assigned to your SAP SuccessFactors tenant. This value is required for API authentication and is specific to your organization.
These values ensure the driver connects to the correct environment and authenticates against the appropriate tenant.
Basic (Deprecated)
To use Basic authentication, you must set the below connection properties and you must grant access to the API.
- AuthScheme: BASIC.
- User: The account username.
- Password: The account password.
Be aware that in Basic authentication, after your first request to connect, SAP SuccessFactors uses cookies to reuse the session. For all subsequent connection requests, authentication is accomplished using cookies returned from SAP SuccessFactors.
Deprecation Notice: SAP has announced the deprecation of Basic Authentication for API access. This method will no longer be supported after November 13, 2026. It is strongly recommended to transition to OAuth, SAP IAS, or Azure AD to ensure future compatibility.
Granting Access to the API
Once OData is enabled, you must grant access to the API to activate Basic Auth for a given user.For an RBP System:
- Navigate to Administrator Permissions > Manage Integration Tools.
- Assign Allow Admin to Access OData API through Basic Authentication to the user.
For a User-Based System:
- Navigate to Administrative Privileges > Integration Tools.
- Assign Allow Admin to Access OData API Through Basic Authentication to the user.
- Navigate to the Managing Administrative Privilege page.
- Assign Employee Export and Employee Import to the user.
Azure AD
Azure AD is Microsoft’s multi-tenant, cloud-based directory and identity management service. It is user-based authentication that requires that you set AuthScheme to AzureAD.
Desktop Applications
CData provides an embedded OAuth application that simplifies connection to Azure AD from a Desktop application.You can also authenticate from a desktop application using a custom OAuth application. (For further information, see Creating an Entra ID (Azure AD) Application.) To authenticate via Azure AD, set these parameters:
- AuthScheme: AzureAD.
- Custom applications only:
- OAuthClientId: The client Id assigned when you registered your custom OAuth application.
- OAuthClientSecret: The client secret assigned when you registered your custom OAuth application.
- CallbackURL: The redirect URI you defined when you registered your custom OAuth application.
When you connect, the add-in opens SAP SuccessFactors's OAuth endpoint in your default browser. Log in and grant permissions to the application.
The add-in completes the OAuth process, obtaining an access token from SAP SuccessFactors and using it to request data. The OAuth values are saved in the path specified in OAuthSettingsLocation. These values persist across connections.
When the access token expires, the add-in refreshes it automatically.
OAuth
SAP SuccessFactors supports OAuth authentication with two grant types:
- Client grant type for SAP SAP SuccessFactors LMS instances
- SAML-2 Bearer grant type
Note: SAP SuccessFactors does not retrieve a refresh token as part of the API response, therefore it is not surfaced. Instead, the provider uses the expiration time of the access token to detect when to initiate the process of obtaining a new token.
The following subsections describe how to authenticate to SAP SuccessFactors from three common authentication flows. For information about how to create a custom OAuth application, see Creating a Custom OAuth Application. For a complete list of connection string properties available in SAP SuccessFactors, see Connection.
Desktop Applications
To authenticate with the credentials for a custom OAuth application, you must get and refresh the OAuth access token. After you do that, you are ready to connect.Get and Refresh the OAuth Access Token
Set the following properties:
- OAuthClientId: The client Id assigned when you registered your application.
- CallbackURL: The redirect URI that was defined when you registered your custom OAuth application.
- OAuthClientSecret (Client grant type only): The client secret that was assigned when you registered your application.
- PrivateKey (SAML-2 Bearer grant type only): The path of the Private Key certificate you downloaded during the creation of your custom OAuth application OR the base64-encoded content of that certificate.
When you connect, the add-in opens SAP SuccessFactors's OAuth endpoint in your default browser. Log in and grant permissions to the application.
When the access token expires, the add-in refreshes it automatically.
Automatic refresh of the OAuth access token:
To have the add-in automatically refresh the OAuth access token, do the following:
- Before connecting to data for the first time, set these connection parameters:
- InitiateOAuth: REFRESH.
- OAuthClientId: The client Id in your custom OAuth application settings.
- OAuthAccessToken: The access token returned by GetOAuthAccessToken.
- OAuthSettingsLocation: The path where you want the add-in to save the OAuth values, which persist across connections.
- OAuthClientSecret (Client grant type only): The client secret in your custom OAuth application settings.
- PrivateKey (SAML-2 Bearer grant type only): The path of the Private Key certificate you downloaded during the creation of your custom OAuth application OR the base64-encoded content of that certificate.
- On subsequent data connections, set:
SAP IAS
SAP IAS (SAP Identity Authentication Service) is SAP's cloud-based identity provider that enables secure user authentication across SAP and third-party applications. It is a user-based authentication mechanism and requires you to set AuthScheme to SAPIAS or to SAPIASPassword.To enable SAP IAS authentication, you must first register and configure a custom SAP IAS application as described in SAP IAS SAML App Configuration guide.
Desktop Applications
You can authenticate from a desktop application using a custom IAS application registered in SAP Identity Authentication Service (IAS).To authenticate via SAP IAS, set the following connection properties:
- AuthScheme: SAPIAS.
- InitiateOAuth: GETANDREFRESH.
- OAuthClientId: The API Key of your SAP SuccessFactors OAuth2 client application.
- SAPIASBaseURL: The base URL of the SAP Identity Authentication Service (IAS) tenant.
- SSOProperties: A semicolon separated list of key-value pairs containing:
- OAuthClientId: The client Id assigned to your custom SAP IAS application.
- OAuthClientSecret: The client secret assigned to your custom SAP IAS application.
- CallbackURL: The redirect URI you defined when you registered your custom IAS application.
When you connect, the add-in opens the SAP IAS OAuth authorization endpoint in your default browser. Log in and authorize the application.
The add-in completes the OAuth flow by obtaining an SAML assertion from SAP IAS and exchanging it for an SAP SuccessFactors access token. This token is then used to authenticate API requests to SAP SuccessFactors. The OAuth credentials are saved to the location specified by the OAuthSettingsLocation. property and persist across connections.
When the access token expires, the add-in automatically refreshes it using the refresh token provided by SAP IAS.
Connecting to SAP SuccessFactors LMS
When connecting to a SAP SuccessFactors LMS instance using OAuthSAML2, or an SSO-based AuthScheme, you may need to set the LMSTokenURL connection property.
LMS can be hosted under a different subdomain than the main SAP SuccessFactors instance, which handles authentication. In such cases, the Access Token request must be sent to the main instance's OAuth Access Token endpoint. If LMSTokenURL is not set, the add-in tries to resolve the OAuth Access Token token URL from the URL property, which may not work for separately hosted LMS environments.
Connection Properties
The Connection properties describe the various options that can be used to establish a connection.
Managing Connections
After successfully authenticating to SAP SuccessFactors you will be able to customize the data you are importing. To learn more about this, see Managing Connections.
See Also
- Querying Data: Use the data selection wizard to pull data into a spreadsheet. You can also configure scheduled data refresh here.
- Using the Excel Add-In: Find other ways to interact with SAP SuccessFactors data, such as using the available CData Excel Functions.