![]() ![]() Moreover, it allows to import Postman’s Collection files, which speeds up the tool onboarding. And what a pleasant surprise! Their plugin concept is quite powerful and allowed me the usage of external npm libraries to develop a Template Tag for generating the SAML Assertion right before the request is send to the endpoint – exactly what I wanted! Besides, the seamlessly integrated Chrome V8 JS engine made debugging way easier, which was key during the plugin development process. Would that then be a reason to lose sleep?Īt this point I decided to give another API test tool called Insomnia a try. Even when I somehow managed to workaround it, Postman’s Node.js sandbox has limited cryptographic capabilities, which turned the signature of the SAML Assertions impossible. Unfortunately, it was easier said than done… The Node.js sandbox of Postman is quite restrictive and does not allow the usage of well-established npm libraries for SAML Assertion / XML signature. Postman is the ubiquitous test tool for API’s nowadays and it I was decided to embed the SAML Assertion routines in its Pre-Request Scripts. The challenge is then set: how to integrate this process of generating SAML Assertions to the API test clients? Or even worse: you might be using the /oauth/idp API from SuccessFactors to get your SAML Assertions generated, which is also going to be deprecated due to security risks! Check this SAP Documentation to more information on that: Deprecation of OAuth IdP API /oauth/idp | SAP Help Portal. However, if you are using the SAP SuccessFactors Offline SAML Generator, then you are probably relying on the external Java tool available in the SAP Note 3031657 – SAP SuccessFactors SAML Assertion format demonstration using SAP Provided offline tool – SAP ONE Support Launchpad, which might not be well-integrated to your API test tool as you have to manually copy/paste the externally generated SAML assertion to your test cases. The steps involved in enabling an OAuth2 client are described in the SFSF Documentation and this blog is focused on the step 2 – Request SAML assertion of the flow diagram that is depicted in there:Īssuming that you use a third-party Identiy Provider (short IdP) to issue SAML Assertions, then you might have already adjusted your SFSF test cases and authentication flows according to your IdP request/response expectations. If you regularly call the SuccessFactors’ OData API’s for test purposes using your API test tool of choice, chances are that you are already aware that the Basic Authentication is deprecated and must not be used instead, the authentication using OAuth 2.0 is the preferred method to access SFSF’s API’s.
0 Comments
Leave a Reply. |