
SF ConcurPackageDescription

This document describes a package that transfers employee information from SAP SuccessFactors to SAP Concur. It uses SFTP integration to transfer encrypted CSV files containing employee data on a scheduled basis. The package consists of flows to replicate employee data from SuccessFactors, encrypt and send files to Concur, and handle value mapping and error handling. Configuration is required for networking, encryption keys, and mapping employee statuses between the two systems.

SAP SuccessFactors to SAP Concur Employees by delaware

General introduction

The SAP SuccessFactors to SAP Concur Employees by delaware package was developed to transfer employee information from SAP SuccessFactors to SAP Concur.
The existing SAP package synchronizes employee data from SAP S/4 to SAP Concur. However, in certain installations SAP S/4 is not the master system for employee information, for example when SAP SuccessFactors handles all the employee information. In this case the employees need to be synchronized from SAP SuccessFactors to SAP Concur directly. This package covers that situation.

SFTP integration was chosen instead of APIs because SAP Concur has different types of licenses and APIs aren't available in all of them, whereas SFTP integration is available for all. This ensures the integration is supported by all customers' SAP Concur licenses.
This package transfers information about employees from SAP SuccessFactors to SAP Concur. It consists of the following objects:
- Replicate Employees from SAP SuccessFactors – main flow (timer triggered) which requests the data, generates a file message and calls the flow Encrypt and Send file to SAP Concur
- Encrypt and Send file to SAP Concur – supplementary flow which encrypts the file and puts it on the SAP Concur SFTP server
- VM SuccessFactors To Concur – value mapping (maps SF status to Active/Inactive in Concur)
- Get Certificates from SAP Concur – this flow is used for the initial certificate upload from Concur during initial configuration

The high level overall flow can be represented below:

The flows use the following logic:
- The flow Replicate Employees from SAP SuccessFactors picks up employees created or changed since the last run. Using this data, it creates a CSV file and calls Encrypt and Send file to SAP Concur.
- Encrypt and Send file to SAP Concur encrypts the file and uploads it to the SAP Concur SFTP server.

After that, the file is picked up by the regular job in Concur. This is a delta-based integration, and the flow uses the variable “SF_Concur_Employee_LastRunDateTime” to store the last run date.

The outgoing file contains information about employee status, which is mapped to the Active/Inactive status in Concur. As a result, terminated employees in SuccessFactors will be made inactive in Concur. On the Concur side, employees are uploaded as Expense users with a default password. For more details on this, please refer to the SAP Concur employee upload manual.

Employee changes in SuccessFactors are selected based on a set of criteria:

- New hires are selected on the day equal to the startDate of the employee’s job information (EmpJob object)
- Changes in PerPerson are selected based on lastModifiedDateTime greater than or equal to the last run date
- Changes in UserAccount are selected based on lastModifiedDateTime greater than or equal to the last run date

To complete the import into Concur, an import job needs to be configured and started in SAP Concur. Changes for users take effect only after SAP Concur has processed the file. For more information on the configuration of the import job, please refer to the SAP Concur manual.

CPI Tenant configuration


1.1 Send IP range of CPI

According to the Concur documentation all connections must originate from public IP addresses which reside
on their access control list (ACL). Hence the IP range of the CPI tenant should be determined and sent to
Concur to have it whitelisted.
The IP ranges for several datacenters can be found on this SAP Help page:
https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/350356d1dc314d3199dca15bd2ab9b0e.html#loiof344a57233d34199b2123b9620d0bb41__CF-Enterprise

1.2 Send Public SSH Key to Concur

The SFTP server of Concur only allows authentication via a public SSH key. The following SAP Blog elaborates on the secure connection between CPI and an SFTP server and has instructions on how to create an SSH key pair in CPI.
https://blogs.sap.com/2017/08/03/cloud-integration-how-to-setup-secure-connection-to-sftp-server/

Important notes from this blog are:


- Don’t share the private key, each CPI tenant should have their own SSH keys.

1.2.1 Maintain SSH key in CPI

First check whether an SSH key pair is already available on the CPI tenant. Check for id_rsa/id_dsa/id_ecdsa or any other key pair in the keystore monitor.

If there are no SSH keys available, create one directly in CPI.

It’s also possible to upload SSH keys to the CPI tenant and use these for the communication with Concur.

1.2.2 Extract SSH public key from CPI

The public SSH key can easily be exported from CPI in the keystore monitor.

1.3 Add SFTP server to known hosts

SAP Note 2700759 elaborates on why this is required and how to do this.

1.4 Install PGP certificate from Concur

1.4.1 Fetch PGP certificate from the SFTP server

The SAP Concur public PGP key must be used for encrypting files sent to SAP Concur and can be permanently found in the root file transfer directory. The scope of this package doesn’t include signing of the message. If signing is required, the PGP key used for signing needs to be uploaded to the root directory of the SFTP server.

The SAP Concur public PGP key can be found as concursolutions.asc in the root directory on the SFTP server.
The package contains a flow to fetch this key and send it as an attachment via mail.

1.4.2 Deploy PGP certificate on CPI

To use this PGP key, it should be added to the pubring of CPI. First verify if there’s already a pubring
available on CPI.

When the pubring doesn’t exist, follow 1.4.2.1 to create the pubring from the Concur public key.
When the pubring does exist, follow 1.4.2.2 to update the existing pubring with the Concur public key.

Note that for this setup the 3rd party tool Kleopatra is used, which can be downloaded from https://www.gpg4win.org/index.html.
The installation of the tool isn’t documented in this manual.

1.4.2.1 Create the pubring from the Concur public key

In Kleopatra, import the Concur public key.

After the import, select the Concur key and click export.

Call the file pubring.pgp.

Then upload the public keyring to the security material of the CPI tenant.

The keyring is now deployed.

1.4.2.2 Update the existing pubring with the Concur public key

The setup is similar to the setup of 1.4.2.1. The only difference is that the public keyring should be downloaded first from the CPI tenant. Then both the Concur public key and the keyring should be imported into Kleopatra. When exporting the certificates to the public keyring, include all the relevant certificates in the selection.

Download the public keyring from the CPI tenant.

Import the public keyring and the Concur public key to Kleopatra.

Select all the relevant certificates when exporting to the public keyring.

Call the file pubring.pgp.
Then upload the public keyring to the security material of the CPI tenant.

The keyring is now deployed.

Flow configuration

For the flows to work properly, they must be configured to match your system. Both flows, Replicate Employees from SAP SuccessFactors and Encrypt and Send file to SAP Concur, need to be configured before using the package.

The logic to send data to Concur is the same for all documents. Hence this logic was put into a separate
integration flow which is then called from the functional integration flows. The integration flow encrypts the
incoming data using the public keyring. Then the data is sent to the Concur SFTP server. 
A prerequisite is that the fileType is given as a header from the main flow. 

Please refer to the list of configuration parameters in Appendix.

The configuration of Replicate Employees from SAP SuccessFactors allows logging for the flow to be turned on and off:
- Log the data received from SuccessFactors – parameter Data_log = YES
- Log the data after the mapping – parameter Mapping_log = YES
Logging data is saved via Persistence steps.

Value Mapping configuration

Value mapping “Value mapping for SAP SuccessFactors Integration with SAP Concur” contains two mapping fields:
- Employee Status mapping to the Active field in Concur
- CountryCode mapping from ISO3 to ISO2 format
Employee Status mapping defines which statuses in SuccessFactors need to be considered as Active. All non-mapped statuses are considered as Inactive. A list of standard Employee Statuses in SuccessFactors is pre-delivered by SAP during the setup of the system and is normally not changed. In case you need to add new statuses to the mapping, please use one of the following approaches:

- Manually add the required statuses in the mapping table
- Adapt the CSV file and make a mass update

For the mass update, please use the attached CSV file:

Exception handling

The flows Replicate Employees from SAP SuccessFactors and Encrypt and Send file to SAP Concur support several ways of exception handling:
- Skip any handling
- Send mail alerts (triggered by parameter Mail_Alert = 'YES')
- Call a custom flow via ProcessDirect (Mail_Alert = 'CUSTOM')

If you would like to use a custom flow call in error handling, define the ProcessDirect code for the flow using the parameter customErrorHandler.
For the mail alerts, proper configuration of the mail adapter is required (via externalised parameters).

Usage of custom logic

The flow allows a custom flow to be called without major changes to the flow. There are two points available for custom calls:
- After mapping, before converting the file to CSV. This call is managed by two parameters: parameterCustomLogic = 'YES' and customCall, which contains the ProcessDirect code for the custom flow
- Use custom error handler (see chapter Exception handling)
For the custom call, it is possible to use a specific error handler different from that of the main flow. It is configured by the following parameters:
- parameterCustomHandling = YES – switch on custom error handler
- customLogicErrorHandler – parameter should contain the ProcessDirect call for the error handler flow.

Appendix. Full list of externalized parameters.

Replicate Employees from SAP SuccessFactors Flow

| Name | Description | Default value |
| --- | --- | --- |
| Timer | Timer settings for the flow | Run Once |
| tenantID | Concur tenant ID. This setting is important for the proper creation of the users in Concur | |

SuccessFactors OData adapter settings

| Name | Description | Default value |
| --- | --- | --- |
| SF_Host | Host of the SuccessFactors tenant | apisalesdemo2.successfactors.eu |
| SF_Authentication | Authentication for the OData adapter for SuccessFactors | Basic |
| SF_Credential | Credentials for the OData adapter for SuccessFactors | |
| SF_Timeout | Timeout for the SuccessFactors OData adapter | 1 min |

Custom logic parameters (See chapter Usage of custom logic)

| Name | Description | Default value |
| --- | --- | --- |
| customCall | ProcessDirect code for the custom logic flow to be used | CustomLogicFlow |
| customLogicErrorHandler | ProcessDirect code for the custom error handler in the custom logic subflow | customLogicExceptionFlow |
| customErrorHandler | ProcessDirect code for custom call in standard exception handler. | normalFlowCustomException |

Logging settings

| Name | Description | Default value |
| --- | --- | --- |
| Data_log | Log data received from SuccessFactors in persistence | YES |
| Mapping_log | Log data after mapping in persistence | YES |

Exception Handling settings

| Name | Description | Default value |
| --- | --- | --- |
| Mail_Alert | Defines type of error handling for the main flow. Possible values are: YES – send mail alerts; CUSTOM – use custom error handler; for all other values no handler will be used | YES |
| Mail_Text | Text of the alert mail | The error has been occurred during processing. |

Mail Adapter settings

| Name | Description | Default value |
| --- | --- | --- |
| SMTP_To | Standard SMTP Adapter setting. Mail recipients | |
| SMTP_Subject | Standard SMTP Adapter setting. Mail subject | |
| SMTP_Attachments | Standard SMTP Adapter setting. SMTP Adapter Add Message Attachments | |
| SMTP_Auth | Standard SMTP Adapter setting. SMTP Server Authentication | |
| SMTP_BCC | Standard SMTP Adapter setting. Mail BCC recipients | |
| SMTP_CC | Standard SMTP Adapter setting. Mail CC recipients | |
| SMTP_Credential | Standard SMTP Adapter setting. SMTP Server credential | |
| SMTP_Encoding | Standard SMTP Adapter setting. Body encoding | UTF-8 |
| SMTP_From | Standard SMTP Adapter setting. Mail Sender Address | |
| SMTP_Host | Standard SMTP Adapter setting. SMTP Server Host | |
| SMTP_Mimetype | Standard SMTP Adapter setting. Body Mime-Type | Text/Plain |
| SMTP_Protection | Standard SMTP Adapter setting. Protection setting | STARTTLS Mandatory |
| SMTP_Proxy | Standard SMTP Adapter setting. Proxy type | Internet |
| SMTP_Transfer_Encoding | Standard SMTP Adapter setting. Content transfer encoding | Automatic |
| SMTP_Timeout | Standard SMTP Adapter setting. Adapter Timeout | 3000 |

Mapping settings

| Name | Description | Default value |
| --- | --- | --- |
| defaultCountry | Default country | BE |
| defaultCurrency | Default currency | EUR |
| defaultEmplStatus | Default employee status | A |
| defaultLedgerCode | Default Concur ledger code | BE |
| defaultLocale | Default locale | en_US |
| defaultCustom21 | Expense group hierarchy in Concur | BE |
| defaultUserPassword | Default password to be used | p@ssword |

Encrypt and Send file to SAP Concur Flow

SFTP Adapter settings

| Name | Description | Default value |
| --- | --- | --- |
| directory | SFTP target directory | /in |
| entityId | Concur tenant ID | |
| fileType | File type to be uploaded. | employee |
| sftpAuth | SFTP adapter authentication | public_key |
| sftpDelay | SFTP adapter standard setting. | 1000 |
| sftpDisconnect | SFTP adapter standard setting. | Checked |
| sftpHost | SFTP adapter standard setting. Target host | |
| sftpReconnect | SFTP adapter standard setting. Reconnect attempts | 3 |
| sftProxyType | SFTP adapter standard setting. Proxy type | none |
| sftpTimeOut | SFTP adapter standard setting. Timeout | 10000 |
| sftpUser | SFTP adapter standard setting. User to be used for authentication | |

PGP Encryption settings

| Name | Description | Default value |
| --- | --- | --- |
| keyID | PGP key id to be used for encryption | |
| pgpAlgorithm | Standard PGP settings. Encryption algorithm | AES |
| pgpArmored | Standard PGP settings | Checked |
| pgpCompression | Standard PGP settings. Compression algorithm | ZLIB |
| pgpKeyLength | Standard PGP settings. Key length | 256 |
| pgpProtectedData | Standard PGP settings. | Checked |
| pgpSignatures | Standard PGP settings. | NoSignature |

Exception Handling settings

| Name | Description | Default value |
| --- | --- | --- |
| customErrorHandler | ProcessDirect | normalFlowCustomException |
| Mail_Alert | If flow sends mail alerts in case of exception | YES |
| Mail_Text | Text of the alert mail | The error has been occurred during processing. |

Mail Adapter settings

| Name | Description | Default value |
| --- | --- | --- |
| SMTP_To | Standard SMTP Adapter setting. Mail recipients | |
| SMTP_Subject | Standard SMTP Adapter setting. Mail subject | |
| SMTP_Attachments | Standard SMTP Adapter setting. SMTP Adapter Add Message Attachments | |
| SMTP_Auth | Standard SMTP Adapter setting. SMTP Server Authentication | |
| SMTP_BCC | Standard SMTP Adapter setting. Mail BCC recipients | |
| SMTP_CC | Standard SMTP Adapter setting. Mail CC recipients | |
| SMTP_Credential | Standard SMTP Adapter setting. SMTP Server credential | |
| SMTP_Encoding | Standard SMTP Adapter setting. Body encoding | UTF-8 |
| SMTP_From | Standard SMTP Adapter setting. Mail Sender Address | |
| SMTP_Host | Standard SMTP Adapter setting. SMTP Server Host | |
| SMTP_Mimetype | Standard SMTP Adapter setting. Body Mime-Type | Text/Plain |
| SMTP_Protection | Standard SMTP Adapter setting. Protection setting | STARTTLS Mandatory |
| SMTP_Proxy | Standard SMTP Adapter setting. Proxy type | Internet |
| SMTP_Transfer_Encoding | Standard SMTP Adapter setting. Content transfer encoding | Automatic |
| SMTP_Timeout | Standard SMTP Adapter setting. Adapter Timeout | 3000 |
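
Added example (not part of the package or of the original document): a pre-go-live check over the externalized parameters listed in this appendix, flagging values that weaken the transfer, such as the shipped default password or employee data logged to persistence. The parameter names and shipped defaults come from the appendix; the key=value input format, the sample values and the severity labels are assumptions of this example.

```python
# Added example: audit of the package's externalized parameters before go-live.
# Names/defaults are from the appendix; input format and severities are assumed.
SHIPPED_PASSWORD = "p@ssword"  # default listed for defaultUserPassword

def parse_params(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def audit(params):
    """Return findings as (severity, parameter, reason), most severe first."""
    findings = []
    if params.get("defaultUserPassword", SHIPPED_PASSWORD) == SHIPPED_PASSWORD:
        findings.append(("HIGH", "defaultUserPassword",
                         "new Concur users get the documented default password"))
    for name in ("Data_log", "Mapping_log"):
        # Both default to YES, so a missing key counts as enabled.
        if params.get(name, "YES").upper() == "YES":
            findings.append(("MEDIUM", name,
                             "employee data is persisted outside the PGP-encrypted file"))
    if params.get("sftpAuth", "public_key") != "public_key":
        findings.append(("HIGH", "sftpAuth",
                         "Concur SFTP accepts public-key authentication only"))
    if params.get("pgpSignatures", "NoSignature") == "NoSignature":
        findings.append(("INFO", "pgpSignatures", "files are encrypted but not signed"))
    if params.get("SMTP_Protection", "STARTTLS Mandatory") != "STARTTLS Mandatory":
        findings.append(("MEDIUM", "SMTP_Protection",
                         "alert mails may leave the tenant without TLS"))
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

# Constructed sample: one log switched off, password left at the shipped default.
SAMPLE = """
defaultUserPassword = p@ssword
Data_log = NO
Mapping_log = YES
SMTP_Protection = STARTTLS Optional
"""

if __name__ == "__main__":
    for severity, name, reason in audit(parse_params(SAMPLE)):
        print(f"{severity:6} {name}: {reason}")
```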
