As we know, EC (Employee Central) and ECP (Employee Central Payroll) are interdependent and communicate with each other. Recently I got the opportunity to configure the connection between the EC and ECP systems on SAP on public cloud. This blog post describes, step by step, how to configure the connection with the help of OAuth 2.0, which is the industry-standard protocol for authorization.
The prerequisites:
1-Check in which support package your service is available.
2-Parameter icm/HTTPS/verify_client is set to 1 (accept certificates) or 2 (require certificates).
3-Make sure that you've maintained the optional fields for System ID and API.
4-Activate SAP Gateway.
5-Ensure that the Local Provider follows the format <System ID>_<Client>.
6-Check the system alias for the OData service; if it does not exist, create it.
Configuration steps
1-Certificate generation
Log in to the EC system, go to Admin Center > Security Center and choose X509 Certificates.
Choose Add to create a new X509 certificate.
Please create 2 certificates using the naming format below:
<EC Instance Name>_<System ID>_<Client>_ADM
<EC Instance Name>_<System ID>_<Client>_ESS
Select SAP Cloud Root CA as Certification Authority (CA).
Click Generate and Save to save your certificate key and download it.
2-Configuring OAuth Identity Provider
Log in to the ECP system and run transaction code SAML2.
It opens the SAML2 screen in a new window. Click Trusted Provider, then Add Manually.
You need to add 2 trusted providers. The names should follow the format below:
<EC Instance Name>_ADM
<EC Instance Name>_ESS
Choose Next, then Primary Signing Certificate, upload the certificate which you created in the EC system and save it. You must perform this activity for both providers mentioned above.
Once both providers are created, go to the main screen and change it to
In the details section of your newly created Identity Provider, choose Add. In the Supported NameID Formats window, select Unspecified and choose OK.
In the details section of NameID Format “Unspecified”, select Logon ID or Logon Alias as User ID Mapping Mode. If you are using SAP Cloud Identity Services – Identity Authentication for Employee Central Payroll, then select Logon Alias as User ID Mapping Mode.
3-Creating Service Users
Go to transaction SU01 in the ECP system and create the following service users:
EC_ADM_OAUTH
EC_ESS_OAUTH
4-Registering OAuth Client
Log in to the ECP system and run transaction code SOAUTH2. In OAuth 2.0 Administration, choose Create and create the 2 clients below:
EC_ADM_OAUTH
EC_ESS_OAUTH
In the Create OAuth 2.0 Client window, select an OAuth 2.0 Client ID, provide a Description and choose Next.
In the Client Authentication step, ensure SSL Client Certificate is checked and choose Next.
In the Resource Owner Authentication step, ensure Grant Type SAML 2.0 Bearer Active is checked. In the Trusted OAuth 2.0 IdP field, choose the identity provider you already created in the Configuring OAuth Identity Provider section and choose Next.
In the Scope Assignment step, add an OAuth 2.0 Scope ID according to your client ID and choose Next:
Final screen will be as below-
5-Importing X.509 Certificates
Run transaction code STRUST in the ECP system and import the previously created certificates from the EC system into SSL server Standard.
6-Mapping X.509 Certificates with Table USREXTID
1-Run transaction SM30 and open view VUSREXTID in edit mode.
2-Enter DN in the External ID type field.
3-Choose New Entries and import the certificate.
4-Provide the following user name: EC_ESS_OAUTH
5-Set the Activated indicator to activate the client certificate logon for the user.
6-Save your entries. The assignment of External ID to Users will be displayed.
Repeat the same steps for user EC_ADM_OAUTH.
7-Mapping X.509 Certificates with Table CERTRULE
1-Go to transaction CERTRULE.
2-Switch to edit mode and import your certificate in the Subject field.
3-Choose the Explicit Mapping button.
4-Select user EC_ESS_OAUTH and continue.
5-The new entries are displayed in the Explicit Mappings tab.
6-Save your entries.
Repeat the same steps for user EC_ADM_OAUTH.
Now you can check it in the ECP system: it will ask for the EC system credentials and authenticate from the EC system.
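If the final check fails, it helps to compare a decoded SAML 2.0 bearer assertion with the names configured in the steps above. The following diagnostic is an added example, not part of the original post or SAP's tooling; the instance name `acmeT1`, system ID `ECP`, client `100` and the sample assertion are constructed, and the rule that the audience must equal the Local Provider name is an assumption. It does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion (signature and timestamps omitted for brevity).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">
  <saml:Issuer>acmeT1_ESS</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>ECP_100</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text, ec_instance, system_id, client):
    """Return a list of mismatches between an assertion and the ECP-side setup."""
    root = ET.fromstring(xml_text)
    problems = []

    # Step 2: trusted providers were added as <EC Instance Name>_ADM and _ESS.
    trusted = {f"{ec_instance}_ADM", f"{ec_instance}_ESS"}
    issuer = (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer not in trusted:
        problems.append(f"issuer {issuer!r} is not a registered trusted provider")

    # Step 2: only NameID format "Unspecified" was added as supported.
    # Per the SAML spec, a missing Format attribute also means unspecified.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID is missing or empty")
    elif name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:
        problems.append(f"NameID format {name_id.get('Format')!r} is not Unspecified")

    # Assumption: the audience must equal the Local Provider <System ID>_<Client>.
    local_provider = f"{system_id}_{client}"
    audiences = [a.text.strip() for a in root.iterfind(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if local_provider not in audiences:
        problems.append(f"audience {audiences} does not include {local_provider!r}")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE, "acmeT1", "ECP", "100") or "assertion matches the configuration")
```

An empty result means the issuer, NameID format and audience line up with the configuration; the certificate-to-user mappings in VUSREXTID and CERTRULE still have to be checked in the system itself.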
Reference: https://help.sap.com/docs/SAP_SUCCESSFACTORS_EMPLOYEE_CENTRAL_PAYROLL/185f14fbe60d4bbb8d7d5e4f8d89b24b/bb1f11be38134ae3aac6b3139297ffc5.html