This workbench runs the real OAuth 2.0 SAML Bearer Assertion handshake server-side, then reads the User roster and UserAccount login signal over OData v2. It runs against a SuccessFactors-shaped OData v2 mock today. Point the same code at your tenant host and OAuth client, and it reads your production data unchanged.
The OAuth client (API Key) signs a SAML assertion; the workbench server exchanges it for a Bearer token and seals it. The browser never sees the token, only an opaque handle.
GET /odata/v2/User
GET /odata/v2/UserAccount
The actual request and the OData v2 JSON envelope behind the tables above. No UI sleight of hand.
The map of what to call, what "login data" actually means in SuccessFactors, and the exact role permissions to request.
There is no single User.lastLogin field. The signal you need decides the API surface and the permissions. The two cleanest are read live in panel 03.
User, UserAccount, EmpEmployment), the /Date(ms)/ wire format, the __metadata nodes, and the OAuth 2.0 SAML Bearer token exchange. Set your apiNN.successfactors.com host, OAuth client, and company_idas server secrets and the same client code reads your tenant, no call-site change. Switch to "Your tenant" above to stage that config and see the exact request it would send.