SF EC and MS Active Directory en-US
SF EC and MS Active Directory en-US
1 Integration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4 Use Cases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
4.1 New Hire/Create a User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2 Termination/Disable User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
5 Landscape Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
9 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
This guide is for Professional Services, SAP consultants, and partner consultants to integrate SuccessFactors
Employee Central with Microsoft Active Directory, which is deployed on-premise in the customer landscape inside
their firewall. Integration is through the process library.
Use the following steps as a guideline to successfully integrate Employee Central with Active Directory. After
determining your customer's business requirements, adjust this process as needed.
1. Review the Employee Data Replication (Create User) chapter to understand how employee data from
Employee Central is mapped to data in Active Directory.
2. Set up Employee Central. For more information about Employee Central, see the Employee Central Master
Implementation Guide.
3. Make Active Directory specific settings.
4. Get access to the process library.
5. Set up the standard data integration.
6. Extend the standard data integration.
Active Directory is a directory service that Microsoft developed for Windows domain networks and is included in
most Windows Server operating systems as a set of processes and services.
It is a directory (list) of network objects; it stores information about network components, that is, organizations,
sites, systems, users, or any other network object. It also includes the ability to record different types of
information about objects, for example, who accessed a network object and when.
Active Directory uses LDAP and DNS technology; it relies on DNS to locate objects within Active Directory. (DNS
provides name resolution between common names, that is, raw IP address and component name.)
The Active Directory domain controller authenticates and authorizes all users and computers in a domain type
network. Every employee in an organization should have an account in Active Directory to access the systems
(resources) in the origination network. (For example, when a user logs on to a computer that is part of the
Windows domain, Active Directory checks the submitted password and determines whether the user is allowed to
log on to the network and whether the user is an administrator or normal user.)
In the absence of a standard integration with Employee Central, the creation of an account in Active Directory is a
manual process, that is, a list of new hires for whom system access needs to be provided is emailed to the network
administrator, which involves a couple of approval processes before the accounts are created manually in Active
Directory. Maintaining the information in Active Directory in the case of a master data change, and disabling the
account in Active Directory in the case of an employee termination are also manual processes.
With the integration of Active Directory and Employee Central, the current manual process can be automated to
create a user account in Active Directory after a new hire event occurs in Employee Central, or a user account in
Active Directory can be disabled without manual intervention after an employee is terminated in Employee Central.
When a new employee is hired in Employee Central, a network user account has to be created automatically in
Active Directory for the new employee to log on to the network. The user account credentials for the new
employee need to be emailed to the HR administrator (appropriate contact).
Note
Notification to the employee of the user account credentials is handled by the HR administrator based on the
company process and policies and is outside the scope of this integration.
When an employee is terminated in Employee Central, a network user account in Active Directory has to be
blocked (disabled) automatically so that the network permission for that employee is revoked. The HR
administrator (appropriate contact) is notified of the account termination in Active Directory by email.
Customers must deploy a local Boomi Atom on their local server. This will communicate with on-premise Active
Directory via an SSL connection, that is, through TCP port 636.
If the Boomi Atom is installed on a different server than Active Directory, the TCP port 636 must be opened both
ways on a Boomi local Atom server to communicate with Active Directory.
The local Atom must be able to access Employee Central in the cloud outside the customer firewall.
The local Atom must be able to access the Boomi platform, that is, the local Atom must be able to communicate
with the Boomi platform.
Communication with Active Directory via SSL requires the public certificates of the certificate authority (CA) to be
stored on both Active Directory (trusted root certificate) and in the Java key store of the local Atom server.
A process library is a collection of processes published for the purpose of sharing with managed accounts on a per
account group basis.
Users of managed accounts install copies of library processes in their accounts and typically use the installed
processes as templates for new processes. These activities take place on the Process Library page (Manage →
Process Library).
This solution, when consumed as a process library, makes the current integration process for Active Directory
available as a process in the process library. You can then enhance this process as per the customer's
requirements.
Prerequisites
The user account must have the appropriate permissions to deploy, configure, and monitor a process. The
customer Boomi account must be provisioned for access to both the process library and the Atom cloud where it
will be deployed. It assumes that an environment has been created in the customer account and attached to the
Boomi cloud.
1. Log on to the customer Boomi account at http://platform.boomi.com using the user name and password.
2. On the Deploy tab, click Processes.
3. Search for and choose either of the following processes: o Packaged Integration: EC Microsoft Active Directory
– Create User Account o Packaged Integration: EC Microsoft Active Directory – Disable User Account
4. Choose the environment on the right-hand side and click Save and Deploy to attach the process to the
selected environment.
5. Navigate to Manage → Atom Management.
6. Click the environment on the left-hand side.
7. Click Environment Extensions on the right-hand side. The Extensions pop-up appears.
The EmpJob OData API for Employee Central extracts the employee data from Employee Central. It returns the
employee data in a hierarchically structured response XML.
The Employee Central data is fetched using the Employee Central OData API. To extract this data, you must enable
the OData API.
Prerequisites
You have enabled the OData API via Provisioning. The API user has admin access for the OData API. This
permission can be granted in Admin Tools. For more information about OData API configurations, see the
SuccessFactors HCM Suite OData API Programmer's Guide
Note
Currently, location data is fetched via OData API. If you want to use location data, you must configure the OData
API.
The replication of employee master data from Employee Central to Active Directory uses the OData service from
Employee Central. The data used for replication contains the following elements.
Table 1:
For Information About Compound Employee Element Struc See Employee Central hris-element
ture …
The following tables list the Employee Central fields required to replicate Employee Central data via middle ware to
Active Directory. They also show which fields you need to map manually and the corresponding picklist IDs.
Descriptions are given of the mapping activities required.
Table 2:
Employee Central Description Obligatory for Code Mapping Re Picklist ID Active Directory
hris Field Replication? quired? Attribute
Table 3:
Employee Cen Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc
tral hris Field Replication? Required? Constant Value Cross-Refer tory Attribute
ence ID
These fields are mapped in Boomi to the fields userDN, displayName, cn, and userPrincipalName via the function
Common Name Formatting. This function uses the following to determine the distinguished name: •
The field userDN is determined as a combination of the common name format and the domain name. Domain
names are maintained as a cross-reference table and are defined according to the location of the employee.
The field displayName is determined as a combination of first name and last name.
The field cn is determined according to the value of the process property Common Name Format.
The field userPrincipalName is derived from the combination of the Employee Central field Person ID External and
the domain name maintained in the cross-reference table EC Active Directory Location Code Domain Email against
the employee's location.
Table 4:
Employee Cen Description Obligatory for Code Mapping Constraint Picklist ID/ Active Direc
tral hris Field Replication? Required? Value Cross-Refer tory Attribute
ence ID
Table 5:
Employee Cen Description Obligatory for Code Mapping Constraint Picklist ID/ Active Direc
tral hris Field Replication? Required? Value Cross-Refer tory Attribute
ence ID
email-type
The Employee Central field email-address is mapped to the field mail in the Active Directory request where email-
type is B (business).
Table 6:
Employee Cen Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc
tral hris Field Replication? Required? Constant Value Cross-Refer tory Attribute
ence ID
Location
The Employee Central field Location is used to derive the domain name, domain path where the user accounts
have to be created in Active Directory, and also the email ID of the HR administrator to whom the notifications of
the process are to be sent.
To understand the standard capabilities provided, the integration process as captured in Boomi is described
below.
You need to adjust this process to your customer's needs. The process spans the following four branches:
If an earlier execution is not stored there, this branch sets the last execution date of the process as the current
date; otherwise it fetches the last execution date from the previous execution and sends it to the sub process for
building the query to fetch the data.
1. This process truncates the last 5 digits of the property LOCAL_LAST_MODIFIED_ON and stores the value in
the property TEMP_LAST_MODIFIED_ON.
2. The process checks if Employee Person ID External is set in the extensions by the customer.
○ If set, the process uses the employee configured to define the where clause for the user ID to be fetched.
○ If not set, the process prepares a where clause to fetch the newly hired employee based on the condition
of the last execution timestamp.
OData query:
&$filter=(eventNav/externalCode eq 'H' and ((lastModifiedDateTime ge
datetimeoffset'<LastExecutionDateTime> ' and createdDateTime ge
datetimeoffset'<LastExecutionDateTime> ') or (startDate ge datetime'<LastExecutionDateTime> ' and
startDate le
datetime'<CurrentExecutionDate>')))&fromDate=<CurrentExecutionDate>&toDate=<CurrentExecution
Date>3
Finally, it cleanses the where clause by enclosing the commas with quotes and sets the where clause.
The OData operation has a dynamic filter set as a dynamic process property that is replaced by the WHERE
property set above.
The data fetched as part of the query is now sent for further processing; LOCAL_LAST_MODIFIED_ON is replaced
with the current date and time.
1. The process sets the following local variables: FIRSTNAME, LASTNAME, EMPLOYEEID, LOCATION. These are
used while creating a response message after successful processing of the create user request.
2. The process maps the EMPJOB data to the LDAP create request; it also has logic to format the Employee
Central captured names to the schema of the LDIF output. The rest of the fields are mapped as per the
mapping captured in Integration Specification.
3. The process checks if the mandatory field location is captured in the output field for the LDAP profile
LDAPObject/userDN).
Exception Handling
Any exceptions are caught in the exception branch and a flag is set. This flag is used later in the error handling
branch. The exception is also sent to the notification logs in Boomi for further processing in troubleshooting. You
can also attach the exception to the mail connector if the customer would like someone to be notified of such
exceptions.
This is used to find the delta run for the next execution.
If the process was executed for a specific set of employees (by setting the process property Employee Person ID
External), the last execution timestamp is not updated.
Kindly ensure that the process property Employee Person ID External is cleaned up after execution; otherwise the
process will not take care of delta updates and will continue to process only a specific set of employees. Normally,
the process is run for a set of employees during troubleshooting because some employees were not processed
successfully in previous runs and now need to be sent again.
Keep in mind that this will mark the process as red in process monitoring until all errors are resolved, that is, even
if only one employee was not processed, the process will be red.
Usage of this branch depends on the customer's requirements. Currently, Boomi provides only two kinds of states:
Error or successful. There is no warning state. Customers can therefore treat warnings as success or error.
SF API/OData Connection
To configure the SuccessFactors connection to the identity provider, make the following entries:
Table 7:
Field Entry
Endpoint Datacenter
Username/Password API user and password with permission to retrieve data from
the API
LDAP Connection
Table 8:
Field Entry
Port Number 636 (Active Directory uses TCP port 636 for secured commu
nication)
Mail Connection
To configure the process to connect to the provider’s mail/SMTP server, make the following entries:
Field Entry
The process properties contain customizing options. To configure the process properties you can override the
default values.
Table 10:
Property Description
Full Name Format This option derives the full name formatting in Active Direc
tory. The following Full Name type formatting’s are now al
lowed.
Common Name Format This option derives the common name formatting in Active Di
rectory. Formatting options are:
● FirstName + LastName
● FirstName + MiddleName + LastName
● LastName + FirstName
● LastName + FirstName + MiddleName
● Employee Central Person_ID_External
● FirstName.LastName
Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter
nals to include in the extract
Default Email Address Default email address for communication. Email notification is
sent to this email address specified at the Process Level when
the employee’s location is not set in the value-lookup table
Advance Replication Period This enables you to replicate the employee data in advance
based on the specified period. This allows you to transfer the
new hire data into the active directory even before the start
date, there-by giving you sufficient time to configure the em
ployee data for the new employee.
Filter Options
To fetch data based on a particular filter, you can change the same under the process properties of the Boomi
process. The following filters are available for the current integration process:
Table 11:
Filter Description
Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter
nals to include in the extract
The cross-reference tables are translation tables between the Employee Central picklist entries and the Active
Directory values.
To add or override the existing values, fill out the cross-reference tables as follows:
In the first column, enter the Employee Central location code. In the next columns, enter the domain path, HR
email ID, and domain name.
The domain path is used to create the distinguished name. The domain name is used to derive the user principal
name. The HR email ID is used to send the email notifications of the process.
Example
If the distinguished name of the user Carla Grant in Active Directory is CN=Carla
Grant,CN=User,DN=example,DN=com, the UserDN path field contains the path
CN=User,DN=example,DN=com that is, only the path and not the user information.
The replication of employee master data from Employee Central to Active Directory uses the OData service from
Employee Central. The data used for replication contains the following elements.
Table 12:
For Information About Compound Employee Element Struc See Employee Central hris-element
ture …
The following tables list the Employee Central fields required to replicate Employee Central data via middleware to
Active Directory.
They also show which fields you need to map manually and the corresponding picklist IDs. Descriptions are given
of the mapping activities required.
Table 13:
Employee Central Description Obligatory for Code Mapping Re Picklist ID Active Directory
hris Field Replication? quired? Attribute
Table 14:
Employee Cen Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc
tral hris Field Replication? Required? Constant Value Cross-Refer tory Attribute
ence ID
These fields are mapped in Boomi to the field userDN via the function Common Name Formatting. This function
uses the following to determine the distinguished name:
The field userDN is determined as a combination of common name format and domain name. Domain names are
maintained as a cross-reference table and are defined according to the location of the employee.
Table 15:
Employee Cen Description Obligatory for Code Mapping Constraint/ Picklist ID/ Active Direc
tral hris Field Replication? Required? Constant Value Cross-Refer tory Attribute
ence ID
Location
To understand the standard capabilities provided, the integration process as captured in Boomi is described
below.
If an earlier execution is not stored there, this branch sets the last execution date of the process as the current
date; otherwise it fetches the last execution date from the previous execution and sends it to the subprocess for
building the query to fetch the data.
1. This process truncates the last 5 digits of the property LOCAL_LAST_MODIFIED_ON and stores the value in
the property TEMP_LAST_MODIFIED_ON.
2. 2. The process checks if Employee Person ID External is set in the extensions by the customer.
○ If set, the process uses the employee configured to define the where clause for the user ID to be fetched.
○ If not set, the process prepares a where clause to fetch the terminated employee based on the condition of
the last execution timestamp.
OData query:
&$filter=(eventNav/externalCode eq '26' and ((lastModifiedDateTime ge
datetimeoffset'<LastExecutionDateTime> ' and createdDateTime ge
datetimeoffset'<LastExecutionDateTime> ') or (startDate ge datetime'<LastExecutionDateTime> ' and
startDate le
datetime'<CurrentExecutionDate>')))&fromDate=<CurrentExecutionDate>&toDate=<CurrentExecution
Date>3.
The OData operation has a dynamic filter set as a dynamic process property that is replaced by the WHERE
property set above.
The data fetched as part of the query is now sent for further processing; LOCAL_LAST_MODIFIED_ON is replaced
with the current date and time.
1. 1. The process sets the local variables FIRSTNAME, LASTNAME, EMPLOYEEID, LOCATION. These are used
while creating a response message after successful processing of the create user request.
2. 2. The process maps the EMPJOB data to the LDAP disable account request; it also has logic to format the
Employee Central captured names to the schema of the LDIF output. The rest of the fields are mapped as per
the mapping captured in Integration Specification.
3. 3. The process checks if the mandatory field location is captured in the output field for the LDAP profile
LDAPObject/userDN).
○ If the location is not set, it replaces the response payload with the error message Location Code Not
Found. This error message is then routed to the common success error notification map that sets the
response message out for this payload.
○ If the location is set, the data is sent to the configured LDAP server using the update request. If the data is
updated successfully, a response message is created by replacing the <, > tags from the response body of
the LDAP call . The message then follows the map that maps the message to EC Active Directory (Disable)
CSV Response Profile.
4. 4. The process resumes back to the main process branch and combines the individual document response
data sent by the subprocess LDAP Call to Update User Account as defined above.
5. 5. The process handles each document sent to LDAP and, depending on whether the email connector is
configured, sends the response to the email ID configured as part of the process property HR Email ID and
pushes the data to the Boomi logs, or just pushes the data to the Boomi logs.
Exception Handling
Any exceptions are caught in the exception branch and a flag is set. This flag is used later in the error handling
branch. The exception is also sent to the notification logs in Boomi for further processing in troubleshooting. You
can also attach the exception to the mail connector if the customer would like someone to be notified of such
exceptions.
This is used to find the delta run for the next execution. If the process was executed for a specific set of employees
(by setting the process property Employee Person ID External), the last execution timestamp is not updated.
Kindly ensure that the process property Employee Person ID External is cleaned up after execution; otherwise the
process will not take care of delta updates and will continue to process only a specific set of employees.
Normally, the process is run for a set of employees during troubleshooting because some employees were not
processed successfully in previous runs and now need to be sent again.
For individual errors, you can decide whether you want to mark the process as an error, even if only a few
employees were not processed successfully. Keep in mind that this will mark the process as red in process
monitoring until all errors are resolved, that is, even if only one employee was not processed, the process will be
red.
Usage of this branch depends on the customer's requirements. Currently, Boomi provides only two kinds of states:
Error or successful. There is no warning state. Customers can therefore treat warnings as success or error.
Table 16:
Field Entry
Endpoint Datacenter
Username/Password API user and password with permission to retrieve data from
the API
LDAP Connection
To configure the process to connect to the LDAP server, make the following entries:
Table 17:
Field Entry
Port Number 636 (Active Directory uses TCP port 636 for secured commu
nication)
To configure the process to connect to the provider’s mail/SMTP server, make the following entries:
Table 18:
Field Entry
The process properties contain customizing options. To configure the process properties, you can override the
default values.
Table 19:
Property Description
Full Name Format This option derives the full name formatting in Active Direc
tory. The following Full Name type formatting’s are now al
lowed.
LastName(comma) FirstName
Common Name Format This option derives the common name formatting in Active Di
rectory. Formatting options are:
FirstName + LastName
LastName + FirstName
FirstName.LastName
Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter
nals to include in the extract
Default Email Address Default email address for communication. Email notification is
sent to this email address specified at the Process Level when
the employee’s location is not set in the value-lookup table
Filter Options
To fetch data based on a particular filter, you can change the same under the process properties of the Boomi
process. The following filters are available for the current integration process:
Table 20:
Filter Description
Employee’s Person ID External Comma-delimited list filter for specifying the person_id_exter
nals to include in the extract
The cross-reference tables are translation tables between the Employee Central picklist entries and the Active
Directory values.
To add or override the existing values, fill out the cross-reference tables as follows:
In the first column, enter the Employee Central location code. In the next columns, enter the domain path, HR
email ID, and domain name.
The domain path is used to create the distinguished name. The domain name is used to derive the user principal
name. The HR email ID is used to send the email notifications of the process.
Only the new hire and termination scenarios are supported in the current release.
Rehire, transfer, and data changes are out of scope. Activating an inactive account in Active Directory is not
supported. The distinguished name (that is, the key in Active Directory to uniquely identify the user) is not stored
in the middleware. This means that whenever a user needs to be created or disabled, the distinguished name is
built in the middleware based on the configuration. We therefore strongly recommend not changing the formatting
option once initially decided or set. The common name formatting settings must be the same for both create and
disable user account processes.
Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.
Accessibility
The information contained in the SAP documentation represents SAP's current view of accessibility criteria as of the date of publication; it is in no way intended to be a
binding guideline on how to ensure accessibility of software products. SAP in particular disclaims any liability in relation to this document. This disclaimer, however, does
not apply in cases of willful misconduct or gross negligence of SAP. Furthermore, this document does not result in any direct or indirect contractual obligations of SAP.
Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.
Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see:
http://help.sap.com/disclaimer).