Connector for SAP HCM

DEMO 07
The SAP Connector is built on the Web Services Connector. Please refer to the
TechNet documentation for the Web Services Connector for additional information.

Summary
Features
Connected data source
versions
Scenarios

Operations
Schema

Supported variants
SAP ECC 5.0
SAP ECC 6.0
Object Lifecycle Management
Password Management
Full import
Export (Add, Remove, Replace)
Employee

Permissions in connected data source

To create or perform any of the supported tasks in Web Service connector for all the supported data
sources, you must have following permissions.
1. SAP_BC_WEBSERVICE_ADMIN: Administration authorizations for Web Services in AS ABAP
2. SAP_BC_WEBSERVICE_CONSUMER: Web Service user
For more details, see Generate Authorization Profiles.

Ports and protocols

This depends upon SAP installation and configuration.

Connector update history

Build
5.0.458.0

Release
2012 June

Revision list
First release of the Web Services Connector.

Requirements, before you begin, and installation

Installation of Default Projects
The default project installer file is available at the Microsoft Download Center. Download the
installer file and run to install.
Double click the downloaded project file to begin installation.
a. The following screen appears, click Yes.

b. Next license agreement screen appears; click Yes to accept the terms and conditions.
c. The next screen prompts to specify the location for installing the default project. Specify the location:
%FIM_INSTALL_DIR\2010\Synchronization Service\Extensions and click OK.

d. The installation starts and the successful completion is reported. Click OK to exit setup wizard.

The default project consumes the exposed BAPIs in the form of web service through WSDL path. Ensure
that the web service is exposed correctly and includes all the required native BAPIs. For more
information, see Exposing Web Service for SAP ECC 6 Connector.

Content of Default Project

Web Services
The discovery operation retrieves the endpoint ZSAPConnectorWebService and all
the BAPIs that have been exposed through the web service at SAP. The exposed web
service here includes only the native BAPIs listed below:

BAPI_ADDRESSEMP_CHANGE
BAPI_ADDRESSEMPGETDETAILEDLIST
BAPI_EMPLCOMM_CHANGE
BAPI_EMPOYEE_DEQUEUE
BAPI_EMPLOYEE_ENQUEUE
BAPI_PERSDATA_CHANGE
BAPI_PERSDATA_GETDETAILEDLIST
BAPI_TRANSACTION_COMMIT
BAPI_USER_CHANGE
BAPI_USER_CREATE1
BAPI_USER_DELETE
BAPI_USER_GET_DETAIL
BAPI_USER_GETLIST
BAPI_USER_UNLOCK
SUSR_USER_CHANGE_PASSWORD_RFC

Important:
There are few attributes that are defined for the default projects of each of the supported data source
These are mandatory for calling the BAPIs/CIs/APIs successfully.
Below is the list of these mandatory attributes:
Functions
Attributes

BAPI_PERSDATA_GETDETAIL

BAPI_ADDRESSEMP_GETDETAI
L

employeeID
personalDataFromDate

personalDataToDate

personalDataRecordNu
mber
employeeID
addrDataFromDate
addrDataToDate
addrDataRecordNumbe
r

Workflows
A native BAPI in SAP is used to perform a single task. There are certain operations for which native
BAPIs are not available and hence the default project does not have support them.
But they can be configured with the help of custom BAPIs by including them in the web service and then
configuring the required workflow. Following are the workflows that are supported for:

Employee Object
FIM Operation
Full Import
Delta Import
Export Add
Export Delete
Export Replace
Set Password
Change Password

Implemented through native web service (BAPI) operation

Yes
No
No
No
Yes
N/A
N/A

Exposing Web Service for SAP ECC 5 Connector

Web Service Configuration Tool discovers the Web service through a WSDL (Web Services Description
Language) and retrieves its services, endpoints and operations (BAPIs) it provides. Services, endpoints
and operations (BAPIs) are used by the Web Service Connector to access the SAP server and
synchronize identities with Forefront Identity Manager (FIM) 2010.

For a web service to be discovered, it is first required to be exposed at the SAP ECC 5. This topic
describes the process of exposing the web service from SAP ECC 5 workbench.
Login to SAP ECC 5 and enter the ABAP workbench using Transaction Code SE80. This will open the
Object Navigator screen, where you maintain different SAP application components like packages,
viewing function groups, BSP programs etc.
To create a Web service that can be utilized by Web Service Configuration Tool, you must first create a
package so that all the objects can easily navigate through different systems.

1. Create a new Package through T.code SE80.

Open T.code SE80. Give the package name and hit enter. Following screen appears:

Click yes to proceed for package creation. Give the required details in the following
screen and click create button.

It will prompt for a transport request. Save it a transport request.

Now right click on the Package name and select Enterprise Service.

Click continue

Give the Virtual Interface name its short description and select the endpoint as
Function Group and click continue.

The function group chosen in the example is already defined and encapsulates the
BAPIs related to users.

Add the required BAPIs in the function group and select those required BAPIs and
click continue.

Now, give the name of the Webservice and its short description and the Profile as
Basic authorization and click continue.

Once you click continue Webservice and the Virtual interface are created.

Request where the Webservice is saved.

After the Web Service is created, you must change the Profile settings of the Service
definition. Under Features Tab, check the Select Feature checkbox and activate the
Service definition. This will enable Stateful communication.

Note: A Stateful service retains its status within the framework of a HTTP session throughout several calls
form the same service consumer. The standard value for services is Stateless. If you require stateful
communication, you can choose this instead.

Configuring a Web Service

Goto T.code WSCONFIG. Give the webservice name and press enter. You can see the
webservice with green icon. Green icon indicates that the webservice is released.

If the Webservice is marked with red icon then Double click on Service it will take
you to the following screen and click on ICF Details.

Right click on the service and select activate service.

Click Yes and the service gets activated and click back button and now you can the
service with green icon.

Goto T.code WSADMIN. Select your web service. You can find this under SOAP
Application for RFC-Compliant FMs tree. Expand that and click on your webservice
name. To test the URL click on WSDL icon and URL will open in a new browser.

Details of the Webservice.

Exposing Web Service for SAP ECC 6 Connector

Web Service Configuration Tool discovers the Web service through a WSDL (Web Services Description
Language) and retrieves its services, endpoints and operations (BAPIs) it provides. Services, endpoints
and operations (BAPIs) are used by the Web Service Connector to access the SAP server and
synchronize identities with Forefront Identity Manager (FIM) 2010.
For a web service to be discovered, it is first required to be exposed at the SAP ECC 6. This topic
describes the process of exposing the web service from SAP ECC 6 workbench.
Login to SAP ECC 6 and enter the ABAP workbench using Transaction Code SE80. This will open the
Object Navigator screen, where you maintain different SAP application components like packages,
viewing function groups, BSP programs etc.
To create a Web service that can be utilized by Web Service Configuration Tool, you must first create a
package so that all the objects can easily navigate through different systems.
1. Select dropdown Package, give new package name and press enter. Following screen appears if the
object is not available in the system. Click Yes to proceed with package creation.

Provide the required details in the Create Package screen and click Create button. You can choose to
specify the Application Component. This would restrict the scope of object created only to the application
(SAP module, for ex: ABAP, MM, PS, LW etc.) specified. It is recommended that you do not specify the
application component which makes the object global.

The system prompts for a transport request. Click Save button to save the transport request.

Transport request number: EC6K900034

The transport request is generated using transaction code SE10.
2. Once the package is created under Object Name; to start creating the web
service, right click on the Package name and select Enterprise Service.

3. The screen to select Object Type is displayed. Select Service Provider as

object type and click Continue.

4. On Service Provider screen, select Existing ABAP Objects (Inside Out) and
press Continue. With inside out you start at the backend with an existing
application and enable service for a particular functionality. It means that you
start with the implementation and move out towards the interface.

5. For the selected Object Type, provide the Service Definition name,
description and Endpoint Type as Function group. You must choose
Function Group as Endpoint type since the Web Service configuration tool for
FIM requires a single URL for all the selected BAPIs.

Click Continue.
6. On Choose Endpoint screen, select the required Function Group name and
press Continue. The web service configuration tool works with HR data and
hence, extracts all the data related to users. The function group chosen in the
example is already defined and encapsulates the BAPIs related to users.

7. On Choose Operations screen, select all the required BAPIs and add the BAPIs
that are not included in the function group. Click Continue.

8. On Configure Service screen, choose a profile for Security Settings. There are
four profiles defined by SAP for selection. Select one profile as per requirement.
PRF_DT_IF_SEC_HIGH
Authentication using certificates and transport guarantees
PRF_DT_IF_SEC_MEDIUM
Authentication using UserID and password and transport guarantee
PRF_DT_IF_SEC_LOW
Authentication using User ID and password, no transport guarantee
PRF_DT_IF_SEC_NO
No authorization and no transport guarantee.
Check Deploy Service checkbox and press Continue.

Important:
It is mandatory to check the box for Deploy Service. This will ensure that the newly created web service
is automatically deployed as well i.e. the service and endpoint will be created.

While in case, when the checkbox for Deploy Service is not checked then the endpoint and service will
not be created.

In the absence of endpoint, SOA Manager screen will look like this.

In this scenario, you must create a Service first, by going to the Configurations tab.
For detailed steps to create a service in SOAMANAGER, see Create Service in SOAMANAGER.

9. On the Enter Package/Request, enter the Package name and Transport

Request where you want to save the service definition. Click Continue.

10.Click Complete button and Web Service will be created.

After the Web Service is created, you must change the Profile settings of the Service
definition. Under Configuration Tab, select Stateful communication properties and
activate the Service definition.

Note:
A Stateful service retains its status within the framework of a HTTP session throughout several calls form

the same service consumer. The standard value for services is Stateless. If you require stateful
communication, you can choose this instead.

The next step is to configure the service created using SOA manager and defining
the security level.

Configuring a Web Service using SOA Manager and defining the

Security level
Follow below steps to configure the Web Service.
Open the Transaction SOAMANAGER. Select Application and Scenario
Communication tab.

1. Click on Single Service Administration.

2. Provide the Service Definition name in the box Service Pattern and click Go.

3. Select the Service definition and click Apply Selection.

4. Go to Configurations tab and click Edit.

Under Security tab you can define Transport Security setting and Authentication
Security setting.

Security at transport level can be ensured by means of mechanisms used on the Internet.
HTTPS sets up an encrypted connection between the client and the server and is suitable for
simple situations for example, when a client communicates directly with a single server. Every
single message that is exchanged is sent through an encrypted channel.

Security at message level is possible through an encryption and signature concept. Here, not the
transport channel but the message itself is protected.
WS Security is a security model based on SOAP message transmission. WS Security essentially
integrates XML Encryption and XML Signature.
To use a Web service, the user (or another client) sends a document to a server using the Simple
Object Access Protocol (SOAP). It is sent through the network using the HTTP protocol. The
document transmission is safeguarded through the use of HTTP or SSL, or by applying
signatures and/or encryption to SOAP documents.

Authentication for Web Services .

Using the security profile settings for high, medium, and low, you can set
strong or basic
authentication levels.

Security profile High means authentication level Strong

Strong Authentication (X.509 Client Certificate)
Strong authentication authenticates the user through mutual SSL authentication. An SSL
client certificate must be provided for this.
Strong authentication can refer to the HTTP header or the document.

Security profile Medium or Low means Authentication level Basic

Basic Authentication (user name / password)
This authentication authenticates the user based on the user ID and password in the
HTTP header.
This option is supported for HTTP and HTTPS.
The user is authenticated on the basis of the user name and the password .

Security profile None means Authentication level None

No authentication during transport .

In the example, Basic authentication is chosen at Transport Channel. Click Save.

Go to Overview tab and get the URL by clicking Display selected Bindings WSDL URL.

Important:
Certificate Authentication is not implemented for the Beta release of Web Service Configuration Tool for
FIM Synchronization Service.

Binding the Web Service

By default the Web Service is generated with security policy also known as custom binding. It is
recommended to use Basic HTTP Binding when exposing web service to be consumed by Web Service
Configuration Tool.
Follow below steps for Basic HTTP binding.

Open the Transaction SOAMANAGER. Select Application and Scenario

Communication tab.

1. Click on Single Service Administration.

2. Provide the Service Definition name in the box Service Pattern and click Go.

3. Select the Service definition and click Apply Selection. Then click Show WSDL

Options.
4. Under WSDL Document Options, by default the WSDL Format is WS Policy that implements
custom binding for the generated web service.

5. Change the WSDL Format to Standard to implement the Basic HTTP binding.

6. Click on Display selected Bindings WSDL URL.

This will display the generated URL for the exposed Web Service.

Performance Testing
Scale
Topology

SAP ECC 6.0

10000
Employees

FIM Synchronization
Service and FIM
Synchronization database
collocated on one server.
(Test Machine)

Hardware
Test Machine hardware
configuration.

2-gigabyte (GB) SDRAM

Intel Xeon 2.27GHz

Processor

Hard disk volumes:

o

Single volume

Note: The server hardware used is not representative for a large organization. The numbers presented
should be used to understand the difference between different operations. You are encouraged and
expected to configure your own test environments to more accurately estimate capacity and performance.
Microsoft cannot guarantee that organizations will experience the same capacity or performance
characteristics, even if the FIM Synchronization service components are deployed and configured
identically to the components that are described in this guide,

The tests and results shown in the following table were performed using scripted provisioning code.

Elapsed
Operati
time
on
(minutes:
seconds)
Web
Service
Connector
Full Import
(Employee
Object)
Web
Service
Connector
Export
-Replace
(Employee
Object)

Warm up
Time
(minutes:
seconds)

Statistics

Rate

41:45

00:30

Staging:
10000
Employee

4 Employee
objects
read/second

166:47

00:20

Staging:
10000
Employee

1 Employee
Object
exported/Secon
d

Reference information