Human Capital Management Blogs by SAP
Get insider info on SAP SuccessFactors HCM suite for core HR and payroll, time and attendance, talent management, employee experience management, and more in this SAP blog.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert



Getting SFSF Employee Central (EC) talk to SFSF Employee Central Payroll (ECP) is well covered in the official SAP help pages.

However, another common integration scenario that has emerged and is becoming quite popular is rather delegate this task to a SFSF EC digital twin deployed [as a micro-service] on SAP BTP platform and let it talk to S/4HANA ECPayroll instead.

This approach is explained in more details here.

In either case the integration mechanism is OAuth2.0 with the OAuth2SAMLBearerAssertion flow. OAuth2SAMLBearerAssertion combines user authentication (principal propagation) and user authorisations (scopes).

And precisely, the main complexity with this integration is on the SFSF ECPayroll (ABAP) side as this requires a rather intermediate/advanced understanding of SAP S/4HANA ABAP OAuth2 configuration steps.

In order to make it easier and more comprehensive, I have designed a 3-step solution blueprint.


  • This is not a tutorial. Always refer to official SAP documentation as applicable.

  • Please note all the code snippets are provided “as is”.

  • All the x509 certificates, bearer access and refresh tokens and the likes have been redacted.

  • Images/data in this blog post is from SAP internal sandbox, sample data, or demo systems. Any resemblance to real data is purely coincidental.

The blueprint.

The solution blueprint is a sequence of three tasks as depicted below:

Task 1 and 3 rely on the destination service to broker the access to SFSF ECPayroll ODATA resources.

Task 2 refers to the steps 1-2-4-3 as described in the ECP ABAP OAuth2 communication configuration blog namely:

Good to know:

  • Every step above offers a reference to official SAP help pages….in case you needed further insight or additional support from SAP.

  • The step 5 is no longer required. It was replaced with a single call to a destination service OAuth2SAMLBearerAssertion destination (and that includes support of a cloud connector if your ECP instance were not exposed to the public internet).

  • Given the destination service can talk to SFSF ECPayroll instance across a firewall that also eliminates the need of having a SFSF EC <--> SFSF ECPayroll VPN connection.


And in lieu of conclusion BonVoyage