SAP Knowledge Base Article - Public

3639388 - Configuring Employee Central Service Center Card in SAP SuccessFactors Work Zone after KSA Migration

Symptom

In our efforts to keep out customer with the most modern landscape. SAP ia performing a datacenter migration which will affect DC23 customers to GCP platform.

As a result of this migrations, customers are required to perform a series of steps to keep a smooth transition.

The below KBA will address the activities that needs to for you to configure the ECSC card in your SAP SuccessFactors Workzone 

Resolution

 
  1. Assemble IdP Metadata for Workzone Subaccount

    1. Download the X.509 certificate of the workzone subaccount. For instructions, see Set up Trust Between Systems. The content of the file is shown as:
      ----BEGIN CERTIFICATE-----<content>-----END CERTIFICATE-----
      Below, we refer to the value of <content> as ${S1_CERTIFICATE}.

    2. In the cockpit, go to the overview page of workzone subaccount. For details, see Navigate in the Cockpit. Here you can see the landscape domain, subaccount ID and subdomain. Below, we refer to the landscape domain as ${S1_LANDSCAPE_DOMAIN}, to the subaccount ID as ${S1_SUBACCOUNT_ID} and to the subdomain as ${S1_SUBDOMAIN}.

    3. In your browser, call https:// ${S1_SUBDOMAIN}.authentication. ${S1_LANDSCAPE_DOMAIN}/saml/metadata and download the XML file. Within the XML file, you can find the following structure:

      Assemble the new IdP metadata for the workzone subaccount by replacing the ${...} placeholders in the following template with the values determined in the previous steps:

  2. Establish Trust between Workzone Subaccount and ECSC Subaccount
    1. In the cockpit, navigate to the overview page for the ECSC subaccount.
    2. From the left panel, select Security Trust Configuration. Choose New Trust Configuration.
    3. Paste the assembled IdP metadata of the workzone subaccount in the <Metadata> text box and uncheck Available for User Logon option.
    4. Choose Parse.
    5. Provide a <Name> for the trust configuration and choose Save.
  3. Create Askhr Saas reuse service Instance in ECSC Subaccount
    1. Subscribe "AskHR saas reuse service" in Services>Service Marketplace page.
    2. Create an oauth2 client of Askhr Saas reuse service with the name "ecsccard"
    3. Get clientid and clientsecret from "ecsccard" 's view page
  4. Create an OAuthSAMLBearerAssertion Destination for Workzone
    1. In the cockpit, navigate to the overview page to view the landscape domain, subaccount ID and subdomain for the ECSC subaccount.
    2. Here you can see the landscape domain, subaccount ID and subdomain of ECSC subaccount. Below, we refer to the landscape domain as ${S2_LANDSCAPE_DOMAIN}, to the subaccount ID as ${S2_SUBACCOUNT_ID} and to the subdomain as ${S2_SUBDOMAIN}.
    3. In your browser, call https:// ${S2_SUBDOMAIN}.authentication. ${S2_LANDSCAPE_DOMAIN}/saml/metadata and download the XML file. Within the XML file, you can find the following structure. It contains the <audience> and the <alias> variables:

      Below, we refer to the value of <alias> as ${S2_ALIAS} and <audience> as ${S2_AUDIENCE}.

    4. In the cockpit, navigate to the ECSC subaccount.
    5. From the left panel, select Connectivity Destinations.
    6. Choose New Destination and configure the values as described below. Replace the ${…}placeholders with the values you determined in the previous steps and sections.
PropertyValue
Name

EmployeeCentralServiceCenter_API

TypeHTTP

URL

The URL of the Ask HR application, copy and paste the URL from ECSC askhr-javaproxy overview page( URL of application routes).

Proxy TypeInternet
Authentication

OAuth2SAMLBearerAssertion

Audience

${S2_AUDIENCE}

Client Key

The clientid of the Ask HR saas reuse service auth client in ECSC subaccount. Can be acquired via a binding or service key.

Token Service URL

https:// ${S2_SUBDOMAIN}.authentication. ${S2_LANDSCAPE_DOMAIN}/oauth/token/alias/`${S2_ALIAS}

Token Service URL TypeDedicated
Token Service User

The clientid of Ask HR saas reuse service auth client in ECSC subaccount. Can be acquired via a binding or service key.

Token Service Password

The clientsecret of Ask HR saas reuse service auth client in ECSC subaccount. Can be acquired via a binding or service key.

authnContextClassRef

urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession

Additional PropertiesValue

HTML5.DynamicDestination

true

userIdSource

$['user_attributes']['employee_number'][0]

Keywords

KBA , LOD-SF-INT-AHR , Ask HR - Employee Central Service Center (ECSC) , How To

Product

SAP SuccessFactors HCM Suite all versions