Update employee details from SAP SuccessFactors (SF) Employee Central (EC) to Active Directory via LDAP adaptor (with Global assignment scenario)
How to update employee details from SAP SuccessFactors (SF) Employee Central (EC) to Active Directory via LDAP adaptor.
Scenario – The employee's on-premise PERNR, which is stored in a custom field in SF Employee Central, needs to be updated in Active Directory (AD) along with other organization details whenever any of those fields changes in SFSF EC. This is required so that employees can sign in to the Payroll system from the company's portal via Single Sign-On (SSO).
System diagram to support this interface –
Details –
SAP Cloud Connector acts as a gateway between SAP Cloud Platform and the on-premise system. The Cloud Connector is installed in the DMZ of the customer's on-premise network; this is usually done by the Basis team. You need to define in SAP Cloud Platform the back-end systems you want to expose. An example is shown below. The virtual URL shown here is mapped to the actual URL in the Cloud Connector configuration. The LDAP adapter requires version 2.9 or higher of SAP Cloud Connector.
SAP Cloud Platform Integration (CPI) is a cloud middleware that is the integration service of SAP Cloud Platform. The interface flow is created in SAP CPI, where a Java query can be built to pass the employee details to AD.
The SFSF receiver adaptor is used to read employee data from the SAP SFSF system.
SAP CPI has an LDAP receiver adaptor which uses TCP/IP as the transport protocol and LDAP as the message protocol, as shown below.
Connection details of this adaptor can be configured as shown below.
The Address should start with ldap://<virtual url from SAP Cloud Platform for this back-end system>
As we are using SAP Cloud Connector to connect to AD, the proxy type has to be On-Premise.
Authentication is Simple; the credentials used to log in to AD are stored in Security Material in SAP CPI rather than in the iflow itself.
LDAP adaptor supports only 2 operations as shown below.
We are using 'Modify' in our scenario because the employee record will always already exist in Active Directory. In our case the employee record is created in Active Directory by another user account system.
Insert can be used if you want to create an employee record that doesn't already exist in AD.
Note: It is not possible to read data from AD via LDAP adaptor.
The LDAP adaptor supports two input formats, Java and XML. You can build the query in SAP CPI accordingly.
Data in AD is held in a tree-like structure called the Directory Information Tree (DIT), as shown below.
All the above nodes will be clear when you build Distinguished name (DN) in SAP CPI.
DC (Domain Component) represents the top of the LDAP tree and is derived from the DNS name. An AD domain with the DNS name Company.com is designated dc=Company,dc=com.
OUs (Organizational Units) act as containers that hold other objects below the domain.
The DN can be considered the full path from the entry to the root of the LDAP namespace. Get the tree structure from the LDAP team and then build the DN from it.
We are using the username as the CN (Common Name). The CN is the name of the entity we are querying for, and using the username ensures that the correct employee's details are updated in AD.
We are using JavaScript, as shown below.
How is Global Assignment (GA) handled when interfacing SFSF EC with LDAP?
Let's take the example of an employee who goes on GA from the US (home) to China (host). The username in SFSF EC gets a hyphen (-) and a number appended after the home username. For example, if the US username is 'user', the username in SFSF EC will by default be user-1 when the host record is created. What happens next depends on whether AD holds both employee records, i.e. home and host.
Usually it will only have home record for employee because employee will use home country username for SSO purpose even while on GA.
Scenario 1 – AD has both the home and host records for the employee. The interface queries with user-1 to update the employee record. As 'user-1' exists in AD, you can update the host record's employee details in AD whenever there's a change to the host record fields (as shown in the JavaScript) in SFSF EC.
Scenario 2 – AD has only the home record of the employee. When you try to update the host record in AD via SAP CPI, it will fail because the host record doesn't exist in AD. If you want to update the home record with the host record's details when the employee goes on GA, use the home record username in the CN to query the record and update its attributes with the host record values.
In this case, when the employee returns from the host country to the home country, you need to make sure AD is updated with the home record again. You can look for the event 'Back from GA' in the Job Information portlet to trigger this update.
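As an added example (not code from the original post or from the SAP CPI LDAP adapter), the JavaScript below builds the DN from the DIT components described above, escapes each value per RFC 4514 so that a value taken from an SF EC field cannot alter the DN structure, and applies the Global Assignment username rule for Scenario 1 and Scenario 2. The OU names, the SF field-to-AD attribute mapping and the payload shape are assumptions, not the adapter's schema.

```javascript
// Added example, not code from the original post or the CPI LDAP adapter.
// Assumed tree: CN=<username>,OU=<org unit>...,DC=Company,DC=com (from the post);
// the payload shape and the SF field names are assumptions, not the adapter's schema.

// Escape one RDN value per RFC 4514 so that a value taken from an SF EC field
// cannot add or alter DN components (',', '+', '=', '"', '\\', '<', '>', ';').
function escapeDnValue(value) {
  let out = String(value).replace(/[\\,+"<>;=]/g, (c) => '\\' + c);
  out = out.replace(/^[# ]/, (c) => '\\' + c); // leading '#' or space
  out = out.replace(/([^\\]) $/, '$1\\ ');    // trailing space
  return out;
}

// Build the DN used to address the entry: CN=user,OU=...,DC=Company,DC=com.
// orgUnits is ordered from the container holding the user up to the domain.
function buildDn(username, orgUnits, domain) {
  const rdns = ['CN=' + escapeDnValue(username)];
  for (const ou of orgUnits) rdns.push('OU=' + escapeDnValue(ou));
  for (const dc of domain.split('.')) rdns.push('DC=' + escapeDnValue(dc));
  return rdns.join(',');
}

// SFSF EC names the host record "<home>-<n>" on Global Assignment (user -> user-1).
// Scenario 2: AD holds only the home record, so the query must use the home name.
function homeUsername(sfUsername) {
  return sfUsername.replace(/-\d+$/, '');
}

// Mapping of SF EC custom/org fields to AD attributes (assumed names).
const SF_TO_AD = { pernr: 'employeeID', department: 'department', title: 'title' };

// Produce the Modify payload: the DN plus only the attributes present in the change.
// adHasHostRecord selects Scenario 1 (true) or Scenario 2 (false) from the post.
function buildModifyPayload(change, orgUnits, domain, adHasHostRecord) {
  const cn = adHasHostRecord ? change.username : homeUsername(change.username);
  const attributes = {};
  for (const [sfField, adAttr] of Object.entries(SF_TO_AD)) {
    if (change[sfField] !== undefined) attributes[adAttr] = String(change[sfField]);
  }
  return { dn: buildDn(cn, orgUnits, domain), attributes };
}

// Constructed host-record change: a US employee on GA in China, AD has home record only.
const change = { username: 'user-1', pernr: '00012345', department: 'Payroll CN' };
console.log(buildModifyPayload(change, ['Users'], 'Company.com', false));
// dn: CN=user,OU=Users,DC=Company,DC=com
```

Passing `true` as the last argument keeps the host username in the CN, which is Scenario 1.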
The user ID used to update AD should have the appropriate roles assigned. For example, if the role allows updating only users in APAC, then you can't update a user belonging to the Americas or any other region.
To test this interface, you need to work with the LDAP team if you don't have access to log in to the LDAP system to check the results.
Thanks for this post. The author of this post chose a good topic and explained it in a very good and easy way.
Thank you jhon.
Great article Raju. You mentioned a point "It is not possible to read data from AD via LDAP adaptor". That means there is no standard iflow from AD to SuccessFactors? Is this a new CPI iflow released recently?
Hi Muralidhar,
Yes, it is not possible to read data from AD via the LDAP adaptor because there are only two operations available, Insert and Modify. There is no read operation. Further, there's no iflow from AD to SFSF.
Regards,
Manu
Very Nice document explaining in detail.
Hi Manu
Thanks for sharing this document, quite useful.
Would be good to know your inputs in this regard, really appreciate it. Thanks, Saujanya
Hi Saujanya GN,
What error are you getting? If you build the DN correctly as per the structure in AD, you should not get an error. What CN are you using?
Regards,
Hi
Thanks for your response. Query: is it mandatory to send "dn" for creating/updating a user in Active Directory?
Currently in BizTalk we built a custom adapter to update the user in AD without using "dn" as part of the schema, whilst in CPI we are using the standard LDAP adapter, where it has become mandatory to pass "dn".
Would be good to have your inputs on this.
Best Regards
Saujanya