This blog post shares the step-by-step activities needed to configure SSO (single sign-on) between ECP (the Employee Central Payroll system) and SF (SuccessFactors) so that the Pay Statement service can be used to view payslips.
This blog is valid for Employee Central Payroll (ECP) customers and is also applicable to ERP on-premise customers.
Image/data in this blog post is from internal systems. Any resemblance to real data is purely coincidental.
SAP SuccessFactors Employee Central Integration to SAP Business Suite – ERP On premise
SAP SuccessFactors Employee Central Payroll – ECP
How to activate SAML2 service in your ECP/ERP system?
Go to transaction SICF, press F8 and activate the 2 services below:
Enable secure communication: check in transaction SICF_SESSIONS whether Security Session Management is enabled.
Download the SAML metadata from ECP / ERP:
- Go to transaction SAML2
- Go to tab Local Provider and choose Metadata
- Click download metadata
Open the metadata, share the following information with the SF team, and ask them to update it in Provisioning:
Single logout service location: https://xxx.xxx.xxx/sap/saml2/sp/slo/<client_number>
Assertion Consumer Service: https://xxx.xxx.xxx/sap/saml2/sp/acs/<client_number>
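The two endpoint values above can be read out of the downloaded metadata file with a short script instead of by hand. This is an added example, not part of the original post; the host ecp.example.com, client 100, the entity ID and the function name sp_endpoints are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Standard SAML 2.0 metadata namespace and HTTP-POST binding URN.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# Constructed sample; host "ecp.example.com" and client 100 are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="ECP_SP_EXAMPLE">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ecp.example.com/sap/saml2/sp/slo/100"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ecp.example.com/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ecp.example.com/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_endpoints(metadata_xml, binding=POST):
    """Return the entity ID plus the SLO and ACS locations for one binding."""
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not service provider metadata (no SPSSODescriptor)")

    def location(tag, path_part):
        for el in sp.findall(f"md:{tag}", NS):
            if el.get("Binding") != binding:
                continue
            url = urlparse(el.get("Location", ""))
            # Assertions and logout messages must not travel over plain HTTP.
            if url.scheme != "https":
                raise ValueError(f"{tag} is not HTTPS: {el.get('Location')}")
            if path_part not in url.path:
                raise ValueError(f"{tag} has unexpected path: {url.path}")
            return el.get("Location")
        raise ValueError(f"no {tag} with binding {binding}")

    return {
        "entity_id": root.get("entityID"),
        "slo": location("SingleLogoutService", "/sap/saml2/sp/slo/"),
        "acs": location("AssertionConsumerService", "/sap/saml2/sp/acs/"),
    }


if __name__ == "__main__":
    for name, value in sp_endpoints(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```

To use it on a real export, pass the contents of the metadata file downloaded from transaction SAML2 in place of SAMPLE_METADATA.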
How to Configure the ECP / ERP Service Provider SAML 2.0?
How to generate the IDP metadata file:
Enter a URL in the web browser’s address line, which should follow the pattern below, and press Enter:
Paste the URL in a browser and download the metadata.
Go to transaction SAML2 on your ECP or ERP system, click the Trusted Providers tab and upload the IDP metadata from the metadata file.
Click Add and choose Upload Metadata File from the dropdown menu, then follow the settings shown in the screenshots below.
Choose the metadata downloaded in the previous step.
Use the same settings as above and click Next.
Choose HTTP POST for Single Sign-On Endpoints and proceed with the next step.
Choose HTTP POST for Single Logout Endpoints and click Next.
Go to the Identity Federation tab and choose Unspecified.
Set Allow Identity Provider to Create NameID to No.
User ID Mapping Mode can be set to Logon Alias or Logon ID. To choose the user ID mapping, read the following and pick your case.
Case 1: If the Employee Central user ID and the ECP/ERP user name are the same, set User ID Mapping Mode to Logon ID.
Case 2: If the Employee Central user ID and the ECP/ERP user name are different (alias name used), set User ID Mapping Mode to Logon Alias.
To have the IDP chosen automatically, make sure the settings below are done.
Establishing an Identity Federation between the SuccessFactors HCM Suite and ECP:
- There are two basic ways to establish an identity federation between the SuccessFactors HCM Suite and ECP.
- If the user IDs are identical (Employee Central user ID = ECP/ERP user name), then ICF nodes PAYSLIP, HRPAO_PAOM_MASTERDATA and NWBC need to be configured to use login with Standard SAP User, as shown below.
- If the Employee Central user ID is mapped using the alias name of the Employee Central Payroll user, then ICF nodes PAYSLIP, HRPAO_PAOM_MASTERDATA and NWBC are configured to use login with Internet User (also known as alias). This is relevant if user names differ from user IDs in the Employee Central system using the IDP.
- We had the following scenario (Employee Central user ID = ECP/ERP user name).
The activity below needs to be done by the SF consultant in the SF system: