
Connector for SAP HCM

The SAP Connector is built on the Web Services Connector. Please refer to the TechNet documentation
for the Web Services Connector for additional information.

Summary
Features | Supported variants
Connected data source versions | SAP ECC 5.0, SAP ECC 6.0
Scenarios | Object Lifecycle Management, Password Management
Operations | Full import, Export (Add, Remove, Replace)
Schema | Employee

Permissions in connected data source


To create or perform any of the supported tasks in the Web Service connector for all the supported data
sources, you must have the following permissions.

1. SAP_BC_WEBSERVICE_ADMIN: Administration authorizations for Web Services in AS ABAP


2. SAP_BC_WEBSERVICE_CONSUMER: Web Service user
For more details, see Generate Authorization Profiles.

Ports and protocols


This depends upon SAP installation and configuration.

Connector update history


Build | Release | Revision list
5.0.458.0 | 2012 June | First release of the Web Services Connector.

Requirements, before you begin, and installation


Installation of Default Projects
The default project installer file is available at the Microsoft Download Center. Download the installer file
and run it to install.

Double click the downloaded project file to begin installation.

a. The following screen appears, click Yes.


b. Next license agreement screen appears; click Yes to accept the terms and conditions.
c. The next screen prompts you to specify the location for installing the default project. Specify the location:
%FIM_INSTALL_DIR\2010\Synchronization Service\Extensions and click OK.

d. The installation starts and the successful completion is reported. Click OK to exit setup wizard.

The default project consumes the exposed BAPIs as a web service through the WSDL path. Ensure
that the web service is exposed correctly and includes all the required native BAPIs. For more
information, see Exposing Web Service for SAP ECC 6 Connector.

Content of Default Project


Web Services
The discovery operation retrieves the endpoint ZSAPConnectorWebService and all the BAPIs that have
been exposed through the web service at SAP. The exposed web service here includes only the native
BAPIs listed below:
- BAPI_ADDRESSEMP_CHANGE
- BAPI_ADDRESSEMP_GETDETAILEDLIST
- BAPI_EMPLCOMM_CHANGE
- BAPI_EMPLOYEE_DEQUEUE
- BAPI_EMPLOYEE_ENQUEUE
- BAPI_PERSDATA_CHANGE
- BAPI_PERSDATA_GETDETAILEDLIST
- BAPI_TRANSACTION_COMMIT
- BAPI_USER_CHANGE
- BAPI_USER_CREATE1
- BAPI_USER_DELETE
- BAPI_USER_GET_DETAIL
- BAPI_USER_GETLIST
- BAPI_USER_UNLOCK
- SUSR_USER_CHANGE_PASSWORD_RFC
Important:
A few attributes are defined for the default projects of each of the supported data sources.
These are mandatory for calling the BAPIs/CIs/APIs successfully.
Below is the list of these mandatory attributes:
Functions | Attributes
BAPI_PERSDATA_GETDETAIL | employeeID, personalDataFromDate, personalDataToDate, personalDataRecordNumber
BAPI_ADDRESSEMP_GETDETAIL | employeeID, addrDataFromDate, addrDataToDate, addrDataRecordNumber

Workflows
A native BAPI in SAP is used to perform a single task. There are certain operations for which native
BAPIs are not available, and hence the default project does not support them.
They can, however, be configured with custom BAPIs by including them in the web service and then
configuring the required workflow. The following workflows are supported for:

Employee Object
FIM Operation | Implemented through native web service (BAPI) operation
Full Import | Yes
Delta Import | No
Export Add | No
Export Delete | No
Export Replace | Yes
Set Password | N/A
Change Password | N/A

Exposing Web Service for SAP ECC 5 Connector


The Web Service Configuration Tool discovers the web service through a WSDL (Web Services Description
Language) document and retrieves the services, endpoints and operations (BAPIs) it provides. Services, endpoints
and operations (BAPIs) are used by the Web Service Connector to access the SAP server and
synchronize identities with Forefront Identity Manager (FIM) 2010.

For a web service to be discovered, it must first be exposed at the SAP ECC 5. This topic
describes the process of exposing the web service from the SAP ECC 5 workbench.
Log in to SAP ECC 5 and enter the ABAP workbench using Transaction Code SE80. This opens the
Object Navigator screen, where you maintain different SAP application components such as packages,
function groups, BSP programs etc.
To create a web service that can be used by the Web Service Configuration Tool, you must first create a
package so that all the objects can easily be moved between different systems.

1. Create a new Package through T.code SE80.

Open T.code SE80. Give the package name and press Enter. The following screen appears:

Click Yes to proceed with package creation. Give the required details in the following screen and click
the Create button.

It will prompt for a transport request. Save it to a transport request.


Now right-click the package name and select Enterprise Service.

Click Continue.
Give the Virtual Interface name and its short description, select the endpoint as Function Group, and click
Continue.
The function group chosen in the example is already defined and encapsulates the BAPIs related to
users.
Add the required BAPIs to the function group, select those required BAPIs, and click Continue.
Now give the name of the web service and its short description, set the Profile to Basic authorization,
and click Continue.
Once you click Continue, the web service and the virtual interface are created.
Request where the Webservice is saved.
After the Web Service is created, you must change the Profile settings of the Service definition. Under
Features Tab, check the Select Feature checkbox and activate the Service definition. This will enable
Stateful communication.

Note: A Stateful service retains its status within the framework of an HTTP session throughout several
calls from the same service consumer. The standard value for services is Stateless. If you require stateful
communication, you can choose this instead.

Configuring a Web Service


Go to T.code WSCONFIG. Give the web service name and press Enter. You can see the web service with
a green icon. The green icon indicates that the web service is released.

If the web service is marked with a red icon, double-click Service; this takes you to the following
screen. Click ICF Details.
Right-click the service and select Activate Service.
Click Yes and the service is activated. Click the Back button; you can now see the service with a green
icon.

Go to T.code WSADMIN. Select your web service. You can find it under the SOAP Application for
RFC-Compliant FMs tree. Expand that and click your web service name. To test the URL, click the WSDL icon
and the URL will open in a new browser.

Details of the Webservice.


Exposing Web Service for SAP ECC 6 Connector
The Web Service Configuration Tool discovers the web service through a WSDL (Web Services Description
Language) document and retrieves the services, endpoints and operations (BAPIs) it provides. Services, endpoints
and operations (BAPIs) are used by the Web Service Connector to access the SAP server and
synchronize identities with Forefront Identity Manager (FIM) 2010.

For a web service to be discovered, it must first be exposed at the SAP ECC 6. This topic
describes the process of exposing the web service from the SAP ECC 6 workbench.
Log in to SAP ECC 6 and enter the ABAP workbench using Transaction Code SE80. This opens the
Object Navigator screen, where you maintain different SAP application components such as packages,
function groups, BSP programs etc.
To create a web service that can be used by the Web Service Configuration Tool, you must first create a
package so that all the objects can easily be moved between different systems.

1. Select Package in the dropdown, give the new package name and press Enter. The following screen appears if the
object is not available in the system. Click Yes to proceed with package creation.
Provide the required details in the Create Package screen and click the Create button. You can choose to
specify the Application Component. This would restrict the scope of the object created to the application
(SAP module, for example: ABAP, MM, PS, LW etc.) specified. It is recommended that you do not specify the
application component; leaving it unspecified makes the object global.

The system prompts for a transport request. Click Save button to save the transport request.

Transport request number: EC6K900034

The transport request is generated using transaction code SE10.


2. Once the package is created under Object Name, start creating the web service: right-click the
package name and select Enterprise Service.

3. The screen to select Object Type is displayed. Select Service Provider as object type and click
Continue.
4. On Service Provider screen, select Existing ABAP Objects (Inside Out) and press Continue. With
inside out you start at the backend with an existing application and enable service for a particular
functionality. It means that you start with the implementation and move out towards the interface.
5. For the selected Object Type, provide the Service Definition name and description, and set Endpoint Type
to Function Group. You must choose Function Group as Endpoint Type since the Web Service
Configuration Tool for FIM requires a single URL for all the selected BAPIs.
Click Continue.

6. On Choose Endpoint screen, select the required Function Group name and press Continue. The web
service configuration tool works with HR data and hence, extracts all the data related to users. The
function group chosen in the example is already defined and encapsulates the BAPIs related to
users.
7. On Choose Operations screen, select all the required BAPIs and add the BAPIs that are not included
in the function group. Click Continue.
8. On Configure Service screen, choose a profile for Security Settings. There are four profiles defined by
SAP for selection. Select one profile as per requirement.
- PRF_DT_IF_SEC_HIGH: Authentication using certificates and transport guarantees
- PRF_DT_IF_SEC_MEDIUM: Authentication using UserID and password and transport guarantee
- PRF_DT_IF_SEC_LOW: Authentication using User ID and password, no transport guarantee
- PRF_DT_IF_SEC_NO: No authorization and no transport guarantee.
Check Deploy Service checkbox and press Continue.
Important:
It is mandatory to check the box for Deploy Service. This will ensure that the newly created web service
is automatically deployed as well i.e. the service and endpoint will be created.

If the Deploy Service checkbox is not checked, the endpoint and service will
not be created.
In the absence of endpoint, SOA Manager screen will look like this.

In this scenario, you must create a Service first, by going to the Configurations tab.
For detailed steps to create a service in SOAMANAGER, see Create Service in SOAMANAGER.
9. On the Enter Package/Request, enter the Package name and Transport Request where you want to
save the service definition. Click Continue.

10. Click Complete button and Web Service will be created.


After the Web Service is created, you must change the Profile settings of the Service definition. Under
Configuration Tab, select Stateful communication properties and activate the Service definition.

Note:
A Stateful service retains its status within the framework of an HTTP session throughout several calls from
the same service consumer. The standard value for services is Stateless. If you require stateful
communication, you can choose this instead.

The next step is to configure the created service using SOA Manager and define the security level.

Configuring a Web Service using SOA Manager and defining the Security level
Follow the steps below to configure the Web Service.

Open the Transaction SOAMANAGER. Select Application and Scenario Communication tab.

1. Click on Single Service Administration.

2. Provide the Service Definition name in the box Service Pattern and click Go.
3. Select the Service definition and click Apply Selection.

4. Go to Configurations tab and click Edit.


Under the Security tab you can define the Transport Security setting and the Authentication Security setting.

- Security at transport level can be ensured by means of mechanisms used on the Internet.
  HTTPS sets up an encrypted connection between the client and the server and is suitable for
  simple situations – for example, when a client communicates directly with a single server. Every
  single message that is exchanged is sent through an encrypted channel.

- Security at message level is possible through an encryption and signature concept. Here, not the
  transport channel but the message itself is protected.
  WS Security is a security model based on SOAP message transmission. WS Security essentially
  integrates XML Encryption and XML Signature.

  To use a Web service, the user (or another client) sends a document to a server using the Simple
  Object Access Protocol (SOAP). It is sent through the network using the HTTP protocol. The
  document transmission is safeguarded through the use of HTTP or SSL, or by applying
  signatures and/or encryption to SOAP documents.

- Authentication for Web Services.

  Using the security profile settings for high, medium, and low, you can set strong or basic
  authentication levels.

  - Security profile High means authentication level Strong
    - Strong Authentication (X.509 Client Certificate)
    - Strong authentication authenticates the user through mutual SSL authentication. An SSL
      client certificate must be provided for this.
    - Strong authentication can refer to the HTTP header or the document.

  - Security profile Medium or Low means authentication level Basic
    - Basic Authentication (user name / password)
    - This authentication authenticates the user based on the user ID and password in the
      HTTP header.
    - This option is supported for HTTP and HTTPS.
      The user is authenticated on the basis of the user name and the password.

  - Security profile None means authentication level None
    - No authentication during transport.

In the example, Basic authentication is chosen at Transport Channel. Click Save.

Go to Overview tab and get the URL by clicking Display selected Binding’s WSDL URL.
Important:
Certificate Authentication is not implemented for the Beta release of Web Service Configuration Tool for
FIM Synchronization Service.

Binding the Web Service


By default the Web Service is generated with a security policy, also known as custom binding. It is
recommended to use Basic HTTP Binding when exposing a web service to be consumed by the Web Service
Configuration Tool.
Follow the steps below for Basic HTTP binding.
Open the Transaction SOAMANAGER. Select Application and Scenario Communication tab.

1. Click on Single Service Administration.


2. Provide the Service Definition name in the box Service Pattern and click Go.

3. Select the Service definition and click Apply Selection. Then click Show WSDL Options.
4. Under WSDL Document Options, by default the WSDL Format is WS Policy that implements
custom binding for the generated web service.

5. Change the WSDL Format to Standard to implement the Basic HTTP binding.
6. Click on Display selected Binding’s WSDL URL.

This will display the generated URL for the exposed Web Service.
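
An added example (not part of the original guide or of the Microsoft or SAP tooling): a check to run on the WSDL text retrieved from the displayed URL, reporting operations exposed beyond the BAPI list given earlier in this guide, endpoint addresses that are not HTTPS (over which Basic authentication carries the user ID and password unencrypted), and whether WS-Policy elements are still present. It assumes operation names in the WSDL equal the function module names; the sample WSDL, its host and path, and Z_EXAMPLE_CUSTOM_FM are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"

# Function modules the default project expects, per the list in this guide.
EXPECTED = set("""
BAPI_ADDRESSEMP_CHANGE BAPI_ADDRESSEMP_GETDETAILEDLIST BAPI_EMPLCOMM_CHANGE
BAPI_EMPLOYEE_DEQUEUE BAPI_EMPLOYEE_ENQUEUE BAPI_PERSDATA_CHANGE
BAPI_PERSDATA_GETDETAILEDLIST BAPI_TRANSACTION_COMMIT BAPI_USER_CHANGE
BAPI_USER_CREATE1 BAPI_USER_DELETE BAPI_USER_GET_DETAIL BAPI_USER_GETLIST
BAPI_USER_UNLOCK SUSR_USER_CHANGE_PASSWORD_RFC
""".split())

def audit_wsdl(wsdl_text):
    """Report exposed operations and transport settings found in a WSDL."""
    root = ET.fromstring(wsdl_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    # Assumption: operation names equal the SAP function module names.
    ops = {op.get("name") for pt in root.iter(WSDL + "portType")
           for op in pt.findall(WSDL + "operation")}
    # soap:address / soap12:address carry the endpoint URL in @location.
    urls = [el.get("location") for el in root.iter()
            if local(el) == "address" and el.get("location")]
    return {
        "unexpected": sorted(ops - EXPECTED),   # exposed but not in the list
        "missing": sorted(EXPECTED - ops),      # in the list but not exposed
        "cleartext_endpoints": [u for u in urls
                                if urlsplit(u).scheme.lower() != "https"],
        "has_ws_policy": any(local(el) == "Policy" for el in root.iter()),
    }

# Constructed sample: host, port, path and Z_EXAMPLE_CUSTOM_FM are made up.
SAMPLE = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <wsdl:portType name="ZSAPConnectorWebService">
    <wsdl:operation name="BAPI_USER_GETLIST"/>
    <wsdl:operation name="BAPI_USER_CHANGE"/>
    <wsdl:operation name="Z_EXAMPLE_CUSTOM_FM"/>
  </wsdl:portType>
  <wsdl:service name="ZSAPConnectorWebService"><wsdl:port name="p" binding="b">
    <soap:address location="http://sap.example.test:8000/example/path"/>
  </wsdl:port></wsdl:service>
</wsdl:definitions>"""

if __name__ == "__main__":
    for key, value in audit_wsdl(SAMPLE).items():
        print(key, value)
```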

Performance Testing
Scale | Topology | Hardware
SAP ECC 6.0; 10000 Employees | FIM Synchronization Service and FIM Synchronization database collocated on one server (Test Machine) | Test Machine hardware configuration: 2-gigabyte (GB) SDRAM; Intel® Xeon® 2.27GHz Processor; Hard disk volumes: Single volume

Note: The server hardware used is not representative of a large organization. The numbers presented
should be used to understand the difference between different operations. You are encouraged and
expected to configure your own test environments to more accurately estimate capacity and performance.
Microsoft cannot guarantee that organizations will experience the same capacity or performance
characteristics, even if the FIM Synchronization service components are deployed and configured
identically to the components that are described in this guide.

The tests and results shown in the following table were performed using scripted provisioning code.

Operation | Elapsed time (minutes:seconds) | Warm up time (minutes:seconds) | Statistics | Rate
Web Service Connector Full Import (Employee Object) | 41:45 | 00:30 | Staging: 10000 Employee | 4 Employee objects read/second
Web Service Connector Export - Replace (Employee Object) | 166:47 | 00:20 | Staging: 10000 Employee | 1 Employee Object exported/second

Reference information
