Introduction
The article is intended to cover all areas which will enable Pay Statement (Direct) in Employee central (Employee Profile), in SuccessFactors Mobile (Payroll), and in the Latest Home Page via Quick Action card View Pay Statement (pay history link).
Please bear the long list of steps, and have patience to follow all the steps. The Pay statement direct when compared to Pay Statement (Arrow based) is much user-friendly and is displayed with pay date, gross, and payout amount. In addition, you can enable custom key figures to be displayed
Preview
NOTE: All Screenshots in the blog are taken from internal partner system.
Employee Profile:
Latest Home Page View Pay statement quick action card
Configuration – Let’s get in details
The configuration has to be done in both the Employee central (EC) and Employee Central Payroll (ECP). I have tagged system as (EC) and (ECP) in the below steps;
The custom pay Statement in tcode HRFORMS is activated as per the country grouping. (ECP)
The feature HRFOR in tcode PE03 is customized with the name of the custom HRFORMS (ECP)
Maintain Payroll System Configuration and (EC)
Search Manage Data and select Payroll System Configuration or choose “Create New”
Add a new portlet with any name like Pay Slip, and click on “Details” and select “Direct Pay Statement” from field Service, and save.
Configure People Profile to Payroll Information block (EC)
Payroll Unified Configuration (EC)
Refer procedure here
Permission role for Administrators, refer here and for employee role refer here
Single Sign-on setup SAML 2.0 using report RP_HRSFEC_SAML_CONFIG to automate the SAML 2.0 Configuration. (ECP)
Open Tcode SE38 and enter program name RP_HRSFEC_SAML_CONFIG, and enter the below information in the selection screen;
Host Address: URL of the Employee Central Data center
Company Instance: Company ID of EC instance(Development, Preview or Production)
Upon execution, the report will generate the below URLS;
Sign on to provisioning and select your company ID. (EC)
Assertion Consumer Service and Logout URL are used to configure the consumer service settings for the company ID.
- Under Service Provider Settings, choose Authorized SP Assertion Consumer Service Settings.
- Enter the URLs for the Assertion Consumer Service and Logout URL fields, as illustrated in the following image.
- Sign on to Employee Central Payroll and go to transaction SICF
- Choose F8
- Activate the following services from tcode SICF:
- /default_host/sap/public/bc/sec/saml2
- /default_host/sap/public/bc/sec/cdc_ext_service
Enable Secure Communication by going to transaction SICF_SESSIONS and verify that Security Session Management is enabled.
The integration setup for Pay Statement (Direct) which involves configuration of OAUTH 2.0 (ECP)
Make sure that SAP System Aliases “LOCAL” is maintained
Activate and Maintain Services in the below SPRO Path (ECP)
Activate ICF Node by clicking on the ICF Node icon (ECP);
Post activation the Status column should be green;
Make sure all the below services have System Aliases LOCAL added
HRSFEC_ECP_INFO_SRV - Payroll system Information.
HRSFEC_INFOTYPE_SRV - Infotype Existence
HRSFEC_PAY_OVERVIEW_SRV - Direct Pay Statement.
Click on Add System Alias
- Click on “New Entries”
- Type LOCAL in the “SAP System Alias” field and press enter to auto-fill the remaining fields.
- Save your entries.
Open tcode SICF and activate the below services, (ECP)
HRSFEC_ECP_INFO_SRV - Payroll system Information.
HRSFEC_INFOTYPE_SRV - Infotype Existence
HRSFEC_PAY_OVERVIEW_SRV - Direct Pay Statement.
Enter “HRSFEC_ECP_INFO_SRV” in service name field and click on execute;
Right click on the service name, and click on “Activate Service”, do the same for other services.
SuccessFactors X509 certificate generation (EC)
Goto Admin center, company setting and click on “Security Center” or from Search field
Click on X509 Certificates
Add new certificate by clicking the Add button
Enter the below details;
The Certificate after saving, should now be downloaded by clicking on the Download button; The certificate would be in .crt extension.
Configuring OAuth Identity Provider (ECP)
Pre-requisite SAML 2 configurations should be auto generated refer STEP 7
Configure service provider and identity provider in Employee Central Payroll as one of multiple steps, to be able to use OAuth 2.0.
Procedure
- Start the transaction SAML2 in the corresponding tenant.
- Switch to the Trusted Providers tab and select OAuth 2.0 Identity Providers. To create the Identity Provider,
choose Add Manually . and provide the X509 file downloaded from the previous step.
- In the SAML 2.0 Configuration window, enter a Name and choose Next.
- Choose Browse, next to the Primary Signing Certificate field and upload the file that you downloaded.
Creating OAuth X505 Keys.
- Choose Finish.
- Choose Edit in the main configuration screen.
- In the details section of your newly created Identity Provider, choose Add. In the Supported NameID Formats window, select Unspecified and chooseOK.
- In the details section of NameID Format Unspecified, select Assertion Subject NameID as User ID Source and Logon Alias as User ID Mapping Mode.
- Save your entries and choose Enable
Creating Service Users in Employee Central Payroll (ECP)
Create a service user in Employee Central Payroll as one of multiple steps, to be able to use OAuth 2.0.
Procedure
- Go to transaction SU01 and create following service users:
EC_ADM_OAUTH
EC_ESS_OAUTH
- In the Maintain Users screen, provide a Last Name on the Address
- On the Logon Data tab under User Type, select System and provide a password.
15. Registering OAuth Client (ECP)
- Go to transaction SOAUTH2.
- In the OAuth 2.0 Administration screen, choose Create and for each of the following client IDs follow the steps described.
- EC_ADM_OAUTH
- EC_ESS_OAUTH
- In the Create OAuth 2.0 Client window, select a OAuth 2.0 Client ID, provide a Description and choose Next.
- In the Client Authentication step, ensure SSL Client Certificate is checked and choose Next.
- In the Resource Owner Authentication step, ensure Grant Type SAML 2.0 Bearer Active is checked. In the Trusted OAuth 2.0 IdP field, choose the identity provider you already created in the Configuring OAuth Identity Provider section and choose Next.
- In the Scope Assignment step, add a OAuth 2.0 Scope ID, according to your client ID and choose Next:
| Client ID | OAuth 2.0 Scope ID |
| EC_ADM_OAUTH | HRSFEC_ECP_INFO_SRV_0001 (for Payroll System Information) |
| HRSFEC_INFOTYPE_SRV_0001 (for Infotype Existence) | |
| EC_ESS_OAUTH | HRSFEC_PAY_OVERVIEW_SRV_0001 (for Pay Statement) |
| HRSFEC_PAYCTRL_REC_SRV_0001 (for Payroll Control Record Information) |
3. Review your entries in the Summary step and choose Finish to save your entries.
Configuring Outbound OAuth (EC)
Go to Admin Center Security Center and select the OAuth Configurations tab.
Select Add and enter following information:
| Field Name | User Entry |
| Configuration Name | Create two separate configurations for ecp and ecp_ess. ( case sensitive, DON’T enter the name in capital letters) |
| OAuth Type | Select OAuth 2.0 with SAML Flow. |
Client ID | For configuration name, ecp provide EC_ADM_OAUTH as Client ID. ○ For configuration name, ecp_ess provide EC_ESS_OAUTH as Client ID. |
Client Secret | Provide the password for EC_ADM_OAUTH or EC_ESS_OAUTH respectively. |
| Token URL | Provide the URL of your Employee Central Payroll system. Example https://myXXXXXX.payroll.ondemand.com |
Token Method | Select POST |
Audience | Enter the Provider Name from the Local Provider, which you’ve created as a prerequisite in the Getting SuccessFactors HCM Suite IDP ready for SAML 2.0 section. |
Issuer | Enter the Identity Provider name, that you created in the Configuring OAuth Identity Provider section. |
Subject Name ID | Leave this field blank. |
Subject Name ID Format | Select Unspecified. |
X509 Keys | Enter the X509 key you already created from the dropdown. |
- When you’re finished, save your data.
Assign the roles for all ESS user. (ECP)
The below standard roles should be copied, generated and activated. This activity can be done in transaction code PFCG, ask basis team member for help;
ESS Users should have the below roles;
- SAP_CLOUD_ESS_OAUTH
- SAP_CLOUD_EMPLOYEE_ESS_PAYSLIP
Payroll Administrator
- SAP_CLOUD_ADMIN_OAUTH
- SAP_CLOUD_MANAGER_ESS_PAYSLIP
Note : The role assignment can be done through program HRSFEC_ESS_USER_UPDATE. The above roles complied in composite role, and assigned in the variant for the user creation program.
Conclusion
The pay statement (direct) can now be tested by “Proxy Now” functionality in Employee central. Please note the authorization role for the proxy user should have the above roles.
Lastly, I would like to share a very important Knowledge Base Article (KBA): 2900830
which will help you with any frequent errors faced while deploying the solution.
Please share your thoughts in the comments below, and feel free to ask for any clarifications!
- SAP Managed Tags:
19 Comments
