Magesh G

How to enable Pay Statement service to view payslip in Employee Central System

Introduction

This blog post walks through the steps to configure single sign-on (SSO) between the Employee Central Payroll (ECP) system and SuccessFactors (SF) so that the Pay Statement service can display payslips.

This blog is valid for Employee Central Payroll (ECP) customers and also applies to ERP on-premise customers.

Images and data in this blog post are from internal systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors Employee Central Integration to SAP Business Suite – ERP On premise

SAP SuccessFactors Employee Central Payroll – ECP

Configuration steps

How to activate SAML2 service in your ECP/ERP system?

Go to transaction SICF, press F8 and activate the two services below:

/default_host/sap/public/bc/sec/saml2

/default_host/sap/public/bc/sec/cdc_ext_service

Enable secure communication: in transaction SICF_SESSIONS, check that Security Session Management is enabled.

Download the SAML metadata from ECP / ERP:

  • Go to transaction SAML2
  • Go to tab Local Provider and choose Metadata
  • Click download metadata

 

Open the metadata file, share the following information with the SF team and ask them to update it in Provisioning:

Single logout service location: https://xxx.xxx.xxx/sap/saml2/sp/slo/<client_number>

Assertion Consumer Service: https://xxx.xxx.xxx/sap/saml2/sp/acs/<client_number>
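
A check that can be run on the downloaded metadata file before the two URLs are handed over, as an added example that is not part of the original post or of SAP's tooling: it extracts the HTTP-POST Assertion Consumer Service and Single Logout locations and flags any that are not HTTPS or do not follow the /sap/saml2/sp/.../<client_number> pattern shown above. The metadata sample, host name and client number 100 are constructed placeholders, and `sp_endpoints` and `problems` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample of service provider metadata; the host, entity ID and
# client number 100 are placeholders, not values from a real system.
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="ECP_SP_EXAMPLE"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{BINDINGS}HTTP-Redirect"
        Location="https://ecp.example.com/sap/saml2/sp/slo/100"/>
    <md:SingleLogoutService Binding="{BINDINGS}HTTP-POST"
        Location="https://ecp.example.com/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService index="0" Binding="{BINDINGS}HTTP-POST"
        Location="https://ecp.example.com/sap/saml2/sp/acs/100"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_endpoints(metadata_xml, binding=BINDINGS + "HTTP-POST"):
    """Return the entity ID and the ACS/SLO locations for one binding."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    def locations(tag):
        return [e.get("Location") for e in sp.findall(f"md:{tag}", NS)
                if e.get("Binding") == binding]
    return {"entity_id": root.get("entityID"),
            "acs": locations("AssertionConsumerService"),
            "slo": locations("SingleLogoutService")}


def problems(endpoints, client):
    """List reasons the endpoints should not be handed over as they are."""
    found = []
    for kind in ("acs", "slo"):
        if not endpoints[kind]:
            found.append(f"no {kind.upper()} endpoint for this binding")
        for url in endpoints[kind]:
            parts = urlsplit(url)
            if parts.scheme != "https":
                found.append(f"{kind.upper()} is not HTTPS: {url}")
            if parts.path != f"/sap/saml2/sp/{kind}/{client}":
                found.append(f"{kind.upper()} path is unexpected: {url}")
    return found
```

An empty list from `problems(sp_endpoints(xml_text), "<client_number>")` means both URLs match what the page says to share; the HTTP-POST default mirrors the binding chosen later for the Single Sign-On and Single Logout endpoints.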

How to Configure the ECP / ERP Service Provider SAML 2.0?

How to generate the IDP metadata file:

Enter a URL of the following pattern in a web browser's address bar and press Enter:

https://<server URL>/idp/samlmetadata?company=<companyID>&cert=sha2

Download the metadata that the browser returns.

Go to transaction SAML2 on your ECP or ERP system, open the Trusted Providers tab and upload the IDP metadata from the metadata file.

Click Add and choose Upload Metadata File from the dropdown menu, then follow the settings shown in the screenshots below,

 

Choose the metadata file downloaded in the previous step,

 

Use the same settings as above and click Next,

 

Choose HTTP POST for Single Sign-On Endpoints and proceed to the next step,

 

Choose HTTP POST for Single Logout Endpoints and click Next,

 

 

Go to the Identity Federation tab and choose Unspecified,

Set Allow Identity Provider to Create NameID to No.

User ID Mapping Mode can be set to Logon Alias or Logon ID. Choose the mapping mode that matches your case:

Case 1: If the Employee Central user ID and the ECP/ERP user name are the same, set User ID Mapping Mode to Logon ID.

Case 2: If the Employee Central user ID and the ECP/ERP user name are different (an alias name is used), set User ID Mapping Mode to Logon Alias.

To have the IDP chosen automatically, make sure the settings below are in place,

 

Establishing an Identity Federation between the SuccessFactors HCM Suite and ECP,

  • There are two basic ways to establish an identity federation between the SuccessFactors HCM Suite and ECP.

 

  • If the user IDs are identical (Employee Central user ID = ECP/ERP user name), the ICF nodes PAYSLIP, HRPAO_PAOM_MASTERDATA and NWBC need to be configured to use login with Standard SAP User, as shown below.

 

  • If the Employee Central user ID is mapped using the alias name of the Employee Central Payroll user, the ICF nodes PAYSLIP, HRPAO_PAOM_MASTERDATA and NWBC are configured to use login with Internet User (also known as alias). This is relevant if user names differ from the user IDs in the Employee Central system using the IDP.

 

  • We had the following scenario (Employee Central user ID = ECP/ERP user name).

The activity below needs to be done by the SF consultant in the SF system,

(Image is from SAP Note – 2253359)

Reference

https://launchpad.support.sap.com/#/notes/0002253359

https://launchpad.support.sap.com/#/notes/0001901575

 

Summary

In short, we exchange SAML2 metadata between the two systems (the ECP system details are registered in SF and vice versa), and then establish identity federation between SF and ECP. After that, an SF consultant needs to add the client payroll system URL and client ID in the SF Admin Center.

Thanks folks!!! That’s my first blog post. Kindly let me know your feedback and thoughts in the comments below.

Regards

Magesh G

 


      4 Comments
      Mukesh Dayalan

      Good content !!!

      Magesh G
      Blog Post Author

      Thanks Mukesh!!!

      Sara Ibrahim

      Hi Magesh,

      How can I get the Payroll system URL if I don't have ECP? I only use an On-Premise S4/HANA payroll system.

      Saravanan Raju

      Good Work Magesh !