SF
Integration WorkbenchSuccessFactors · OData v2 · OAuth SAML Bearer
Demo mode

A working SuccessFactors integration, not a slide deck.

This workbench runs the real OAuth 2.0 SAML Bearer Assertion handshake server-side, then reads the User roster and UserAccount login signal over OData v2. It runs against a SuccessFactors-shaped OData v2 mock today. Point the same code at your tenant host and OAuth client, and it reads your production data unchanged.

AUTH OAuth 2.0 SAML BearerPROTOCOL OData v2ENTITIES User / UserAccount / EmpEmploymentSWAP config-only to your tenant
01

Authenticate and read

The OAuth client (API Key) signs a SAML assertion; the workbench server exchanges it for a Bearer token and seals it. The browser never sees the token, only an opaque handle.

Browser
Your SaaS / this page
Sends config + receives an opaque handle. Never holds the token.
config -> POST /api/sf/connect
Workbench server (secure)
Integration core
Signs the SAML assertion, exchanges it, seals the token.
build + sign SAML assertion (RSA-SHA256)
seal Bearer token -> AES-256-GCM handle
SuccessFactors
tenant
/oauth/token then /odata/v2 over the Bearer token.
200 OK -> access_token (Bearer)
[ sealed ]Run the handshake to mint and seal a token.
02

User roster

GET /odata/v2/User

Run the handshake in panel 01 to mint a token, then this reads live.
03

Login & activity

GET /odata/v2/UserAccount

Run the handshake in panel 01 to mint a token, then this reads live.
04

Raw OData exchange

The actual request and the OData v2 JSON envelope behind the tables above. No UI sleight of hand.

Run a read to see the raw exchange.
05

APIs, signals & permissions

The map of what to call, what "login data" actually means in SuccessFactors, and the exact role permissions to request.

There is no single User.lastLogin field. The signal you need decides the API surface and the permissions. The two cleanest are read live in panel 03.

Account status (active / disabled)
Per-user, queryable and filterable. The seat-reconciliation workhorse.
UserAccount.accountStatus
Clean OData
Last failed sign-in
A failed-auth timestamp per user. Useful as a security / dormancy signal.
UserAccount.lastLoginFailedDateTime
Clean OData
Record last-changed (activity proxy)
Not a login, but the standard delta-sync anchor for 'changed since'.
User.lastModifiedDateTime
Clean OData
Successful-login / session history
Full human sign-in history lives in the audit framework, not a User field.
Login Audit report (Admin Center)
Audit path
API transaction history
Logs API calls and payloads, not interactive user logins. Different question.
OData API Audit Log
Audit path
Honest about what this is. The workbench reads a SuccessFactors-shaped OData v2 mock that mirrors the real entity and field shapes (User, UserAccount, EmpEmployment), the /Date(ms)/ wire format, the __metadata nodes, and the OAuth 2.0 SAML Bearer token exchange. Set your apiNN.successfactors.com host, OAuth client, and company_idas server secrets and the same client code reads your tenant, no call-site change. Switch to "Your tenant" above to stage that config and see the exact request it would send.