If you are migrating from on-premise payroll to Employee Central Payroll, one of the first challenges you will have to face is setting up replication to your new payroll system. Lucky for you, setting up the connection can be quite simple!
Since release 1605, the preferred method of integrating SuccessFactors Employee Central with Employee Central Payroll does not involve any middleware such as SAP Cloud Platform or Dell Boomi. Instead, employee data is replicated from Employee Central to Employee Central Payroll through a Point to Point (PTP) replication job.
One of the most common asks I have from clients transitioning from on-premise payroll to ECP is with assistance setting up this initial connection. In this blog I am going to cover the first steps required to successfully setup the PTP connection to Employee Central from within Employee Central Payroll.
I won’t elaborate on the prerequisites, but there are a few items to check before you get started:
In Employee Central Payroll
- Support Pack: New PTP replication features are released nearly every quarter, so SAP recommends having your ECP system upgraded to the highest support pack. The absolute minimum support pack for PTP replication is SAP_HR SP28.
- Feature HCM_SFEC_MDEC2HR: Using Transaction SFW5, ensure that the switch HCM_SFEC_MDEC2HR is turned on.
In SuccessFactors Employee Central
- Provisioning Settings: In Provisioning, a few features need to be enabled. Navigate to Edit Company Settings -> Company Settings and then enable the following features:
- Under Employee Central Payroll, ensure Enable Employee Central Payroll is checked.
- Under Web Services, ensure SFAPI and Employee Central SOAP API are enabled.
More details on the required provisioning settings can be found here: Provisioning Settings for Employee Central Payroll
2. Create an API User in Employee Central
If you have not yet created a dedicated user that can access the SuccessFactors API, that needs to be completed. This will be the user that is used to authenticate against Employee Central whenever the ECP system makes a call to the SuccessFactors Compound Employee API.
In Employee Central, go to Admin Center -> Tools -> Manage Permission Roles. Create a new role with the following permissions assigned:
- Under General User Permissions, select SFAPI User Login
- Under Employee Central API, select Employee Central HRIS SOAP API
Assign the role to a target group that includes the dedicated API user. Typically conventions give the user a name such as SFAPI.
Be sure to keep record of the API User’s username and password as you will need it to put in Employee Central Payroll later.
3. Import Employee Central Certificate to SAP Cloud Payroll
This is the big step that seems to be skimmed over in much of the official documentation. Without importing the SuccessFactors certificate into the ECP system’s keystore – the ECP system will not trust the connection and you’ll get errors when trying to connect to the API.
A. Download Certificates from EC
First you need to download the Employee Central certificates locally. This is possible with multiple web browsers, but I find it easiest with Firefox.
Using Firefox, navigate to the corresponding API URL for your SuccessFactors data center. In this example I am logging into the DC8 data center – so your URL might vary slightly. To find your API URL, see the note here – SAP Note 2215682
You should see a lock symbol to the left of the URL in the address bar. Click on the lock and click “Show Connection Details”.
Click “More Information”
On the Security Tab, click View Certificate
In the Details Tab, you can see the Certificate Hierarchy. Select the .successfactors.com certificate, and at the bottom, select export. Save this file locally. If your file name has a * symbol in it, save it without, as I’ve seen that character cause some issues when importing later.
In addition to downloading the base .successfactors.com certificate, you will need to download the parent certificates as well. Navigate to each certificate individually and download them locally to your computer. There will be up to three certificates which need downloaded.
B. Import Certificates into Employee Central Payroll
If you don’t normally perform BASIS activities in your ECP system, now might be the right time to involve them if you haven’t already.
Navigate to transaction STRUST in ECP. On the left side of the screen you will see all of the available PSEs available to import certificates into. Select SSL client SSL Client (Standard) to see all of the certificates assigned to that PSE.
At the bottom left of the page click the small button to import a certificate from your computer. Navigate to the file you downloaded from SuccessFactors. Once the file is imported, click “Add to Certificate List” to add it to the keystore.
Repeat the above steps for each certificate downloaded from SuccessFactors to the SSL Client SSL Client (Standard) keystore. Then repeat the steps again to add the certificates to the SSL Client SSL Client (Anonymous) keystore also.
4. Now it’s time to connect!
Now that all of the technical prerequisites have been met – it is time to successfully connect the systems.
Go to transaction HRSFEC_PTP_CONFIG. Enter the following details in the “Set Connection Data” screen:
- API Server URL – Depending on your company’s SuccessFactors data center, enter in your API URL here in a format similar to api8.successfactors.com (without any preceding https or ending after .com) . To find your API URL, see the note here – SAP Note 2215682
- Company – Enter your SuccessFactors Company ID for the instance you want to connect to
- User – SuccessFactors API User you set up in step 2.
- Password – Password for SuccessFactors API User.
- “Create Repl. Target System” Box. – Ensure this is checked when executing this program for the first time. This will create a replication target system in Employee Central, which will be used in Employee Central’s Data Replication Monitor to track the status of employee replication to ECP.
After entering these details, execute the program.
Now the connection is all setup, and you should be able to successfully ping the APIs.
In the same transaction, select the “Ping Employee Central APIs” button. Select all three APIs to ping.
When you execute the program again you should get the following results. Congrats – you’re connected!
5. Now what?
Now that your systems are connected, you should be able to complete the necessary master data mappings required to replicate employee data. I will expand on this in a future blog post – but the steps are pretty well covered in the official Employee Central Payroll Implementation Guide.
This replication can (and usually is) enhanced using custom fields and ABAP BADIs to make sure it fits all specific customer requirements. Especially when dealing with complexities such as global assignments and concurrent employment – it is important to have an experienced integration architect to understand how to best customize the replication. For example, on a current engagement we enhanced the replication to support IT712 replication in concurrent employment scenarios.
I hope this is a great start on your PTP replication journey!