3633157 - Basic Guideline for ECSC Migration for NEO to Cloud Foundry (KSA customers ONLY)

Preconditions 

1. Connect SAP SuccessFactors to SAP BTP 
   Register your SAP SuccessFactors system in your global account in SAP BTP to create an integration token. The SAP SuccessFactors system tenant administrator should configure the integration on the SAP SuccessFactors system side.
   1. In the BTP cockpit, go to your global account and then choose System Landscape.
   2. In the Systems tab, choose Add System.
   3. In the Add System dialog box, provide the System Type and System Name to register.
      1. Provide a name for the system you want to register.
         
      2. In the System Type dropdown list, select the system type: SAP SuccessFactors.
      3. Choose Add.
   4. To get a token to register this system with a global account, choose Get Token. You need it to configure the integration on the extended SAP SuccessFactors system side.
   5. Copy the registration token and close the dialog box.
2. Trigger Registration in SAP SuccessFactors company 
   1. In SAP SuccessFactors Admin Center, go to Extension Center. 
   2. On the Extensions on SAP BTP tab, go to the Add Integration with SAP BTP section, and paste the integration token in the Integration Token input field. 
   3. Choose Add.
      The system appears in the integration list within the Multi-Cloud Environment section, and its integration status is displayed in the Integration Status column. To refresh the status of the process, choose the Check Status icon. Wait for the integration to complete. In the SAP BTP cockpit, check the status of the registration process. Go to your global account, and on the System Landscape page, check if the status of the SAP system has been changed to Registered.

Migration Steps

1. Create a sub-account with a name
   1. Navigate to your global account
   2. Click the "Create" button and select "subaccount" in the dropdown list.
   3. Configure it as follows:
      1. Provide a name for Display Name filed
      2. Select a desired region for Region filed
      3. Input a valid and unique id for Subdomain filed -- the shorter, the better
2. Establish trust between SAP SuccessFactors and SAP BTP
   1. Download SAML metadata from the SAP SuccessFactors system. 
      1. Go to https://<sap_successfactors_system>/idp/samlmetadata?company=<company_id>&cert=sha2 where:
         • <sap_successfactors_system> is the hostname of your SAP SuccessFactors system
         • <company_id> is the ID of your SAP SuccessFactors company
      2. When prompted, save the file to your local file system and change its extension to .xml.
   2. Register the SAP SuccessFactors identity provider in the SAP BTP cockpit.
      1. Open the cockpit and navigate to your subaccount.
      2. Choose Security > Trust Configuration.
      3. Choose New SAML Trust Configuration.
         
         
         To upload the SAML metadata you downloaded in step 1, choose Upload. Browse to the XML file you saved and select it. Some of the fields are auto-populated.
         
         
      4. In the Name field, provide a meaningful name for the trust configuration.
      5. Save the changes.
   3. Set the trust configuration for the SAP SuccessFactors identity provider as the only available configuration for user logon. To do this, edit all other configurations and unselect the Available for User Logon option. Save the change
      
3. Register the Assertion Consumer Service of the Subaccount in SAP BTP in SAP SuccessFactors
   1. Download the service provider SAML metadata file from the SAP BTP cockpit:
      1. Go to your subaccount and choose Security Trust Configuration.
      2. Choose Download SAML Metadata to download an XML file that contains the SAML 2.0 metadata describing SAP BTP as a service provider.
      3. Open the XML file in a text editor and copy the following values:
         • The value of the Location attribute of the AssertionConsumerService element with the HTTP-POST binding of the XML file: this is the value of the Assertion Consumer Service.
         • The value of the Location attribute of the SingleLogoutService element with the HTTP-POST binding of the XML file: this is the value of the logout URL.
         • The value of the EntityID attribute of EntityDescriptor element of the XML file: this is the value of the Audience URL.
   2. Log in to SAP SuccessFactors Provisioning for your SAP SuccessFactors system using the following link:
      https://<sap_successfactors_system>/provisioning_login where <sap_successfactors_system> is the hostname of your SAP SuccessFactors system.
   3. Go to your company and choose Authorized SP Assertion Consumer Service Settings under the Service Provider Settings section.
   4. Choose Add another Service Provider ACS and provide the following fields:
      

      Field	Value
      Assertion Consumer Service	This is the value of the Location attribute of the AssertionConsumerService element with the HTTP-POST binding you copied in step 1.
      Logout URL	This is the value of the Location attribute of the SingleLogoutService element with the HTTP-POST binding you copied in step 1.
      Audience URL	This is the value of the EntityID attribute of EntityDescriptor element you copied in step 1
      Application Name	Select SAP Business Technology Platform from the drop-down list.
      SHA-256 Certificate	Select the checkbox if it is not automatically selected when specifying the Application Name value.

   5. Choose Save.
4. Using OAuth Client with SAML Bearer Assertion Authentication
   1. Download the X509 Certificate in SAP BTP:
      1. In the SAP BTP cockpit, go to your extension subaccount in the Cloud Foundry environment.
      2. Choose Connectivity > Destinations.
      3. Choose Download Trust to get the certificate for this subaccount and save it on your local file system.
      4. Open the certificate in a text editor and copy the content between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.
   2. Create an OAuth Client in SAP SuccessFactors
      1. In the SAP SuccessFactors system, go to Admin Center and search for OAuth. Choose Manage OAuth2 Client Applications from the search results.
      2. Choose Register Client Application.
      3. In the Application Name, choose a descriptive name for the client of your choice.
      4. In the Application URL field, enter the URL of the extension application, for example, https://hana.ondemand.com
      5. In the X.509 Certificate field, paste the content between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– of the certificate you downloaded in the Download the X509 Certificate in SAP BTP, step 4.
      6. Choose Register to save the OAuth client.
      7. View the created OAuth client and copy the API key.
   3. Create an HTTP Destination Using SAML 2.0 Bearer Assertion Authentication
      1. In the SAP BTP cockpit, navigate to your extension subaccount in the Cloud Foundry environment.
      2. Choose Connectivity >  Destinations.
      3. Choose New Destination and provide the following properties:
         

         Property	Value
         Name	Bizx_Odata
         Type	HTTP
         URL	URL of the SAP SuccessFactors OData API you want to consume. For a list of the API Endpoint URL for the SAP SuccessFactors environments, see About SAP SuccessFactors OData APIs (V2).
         Proxy Type	Internet
         Authentication	OAuth2SAMLBearerAssertion
         Audience	www.successfactors.com
         AuthnContextClassRef	urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
         Client Key	Enter the API Key of the OAuth client you created in SAP SuccessFactors.
         Token Service URL	API Endpoint URL for the SAP SuccessFactors instance followed by /oauth/token. For example, https://apisalesdemo2.successfactors.eu/oauth/token. For a list of the API Endpoint URL for the SAP SuccessFactors environments, see About SAP SuccessFactors OData APIs (V2).

      4. In the Additional Properties, choose New Property to define the following properties:
         
         

         Property	Value
         apiKey	The API Key of the OAuth client you created in SAP SuccessFactors.
         companyId	The ID of your SAP SuccessFactors company.
         nameIdFormat	urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified if the user ID will be propagated to the SAP SuccessFactors application
         product.name	SAP SuccessFactors
         HTML5.DynamicDestination	true

      5. Save the changes 
         
   4. Configure the destinations(such as CloudForCustomer, sap_workzone_odata, OpenSearch_Odata) you need in Connectivity > Destinations page.
   5. Subscribe to the AskHR Saas App with name: SAP SuccessFactors EC Service Center in Services > Service Marketplace page.
      1. If you don’t see the application in the marketplace, you need to configure the entitlements first
         1. go to Entitlements and click the Edit button
         2. Click Add Service Plans and find “AskHR application”
         3. In the Available Service Plans area, select the default service plans, and choose Add 1 Service Plans. Then, you should see the AskHR application in the marketplace.
   6. Set the URL you created in the step in the provisioning
      1. Go to Provisioning and choose your company
      2. Click Company Settings
      3. Set the URL you created for the Target URL Field of ECSC feature