SAP ECC and SAP SuccessFactors integration

SAP ECC runs finance and supply chain on-premises. SAP SuccessFactors runs HR and payroll in the cloud. Connecting the two keeps employee records, cost center hierarchies, and organizational structures in agreement across your enterprise. New hires in SuccessFactors become vendors and employees in ECC; cost center changes propagate to both systems so payroll allocations land on valid GL accounts. ml-connector bridges the on-premises ECC gateway with the cloud HCM API and handles the very different transport and auth schemes on each side.

How SAP ECC works

SAP ECC exposes employee data, cost centers, GL accounts, vendors, and purchase orders through BAPI function modules (BAPI_EMPLOYEE_GETDATA, BAPI_COSTCENTER_GETLIST, BAPI_VENDOR_GETLIST, BAPI_GL_ACC_GETLIST), OData v2 via SAP Gateway, or outbound IDoc XML pushed over HTTP to a WE21 port configured by SAP Basis. Reads use Basic Auth (username and password) for OData and IDoc, or RFC Basic Auth via an on-premises agent running SAP .NET Connector or Java Connector. Writes require an explicit BAPI_TRANSACTION_COMMIT to avoid locked documents. ECC has no native webhook registry; polling via RFC_READ_TABLE or scheduled outbound IDocs is the standard pattern. RFC calls are rate-limited to 10-50 concurrent threads; exceeding this limit causes SYSTEM_FAILURE exceptions.

How SAP SuccessFactors works

SAP SuccessFactors Employee Central exposes employee records, job assignments, cost centers, departments, and organizational structure via OData V2 and V4 REST APIs at datacenter-specific URLs (api4.successfactors.com for US East Virginia, api12.sapsf.com for EMEA Rotterdam, etc.). Authentication uses the OAuth 2.0 SAML Bearer assertion flow: register an OAuth2 client in Admin Center, sign a SAML assertion with a private key, POST it to the token endpoint, and use the 24-hour Bearer token on each request. Role-Based Permissions in Admin Center control which entities each client can read or write. Changes arrive either by push, where Intelligent Services fires HTTP POST callbacks for HR lifecycle events, or by pull, using delta sync with lastModifiedDateTime filters on PerPerson and EmpJob. The default page size is 20 records; request $top=1000 to avoid silently missing data.

What moves between them

The main flow moves from SuccessFactors into ECC. ml-connector polls SuccessFactors for new hires, terminations, and job changes on a schedule aligned with your HR calendar, and writes matching employee and vendor records into ECC via BAPI_EMPLOYEE_CREATE and BAPI_VENDOR_CREATE, committed with BAPI_TRANSACTION_COMMIT. Cost center updates flow both directions so SuccessFactors cost allocation codes map to ECC cost center dimensions. Org structure and job code changes propagate into ECC so the chart of accounts reflects your current organizational hierarchy. ECC data is read-only to SuccessFactors, so ml-connector never writes GL accounts, invoices, or POs back to HR.

How ml-connector handles it

ml-connector stores the on-premises ECC connection details (host, port, RFC username, password) and the SuccessFactors OAuth2 credentials (RSA private key, client ID, company ID, datacenter URL) encrypted in its database. On each poll, it generates a fresh SAML assertion, calls the SuccessFactors OAuth token endpoint, and uses the 24-hour Bearer token for all subsequent PerPerson and EmpJob queries. For ECC, it routes RFC calls through the on-premises agent on the customer network; the agent translates BAPIs to NCo or JCo calls and returns results. SuccessFactors returns OData V2 with timestamps in /Date(milliseconds)/ format, so ml-connector converts these to ISO 8601 before matching against ECC dates. Cost centers and departments are mapped first so every new hire writes to an ECC cost center that already exists. SuccessFactors can throttle with HTTP 429 or 503; ml-connector backs off exponentially and retries. ECC BAPIs require an explicit BAPI_TRANSACTION_COMMIT call on success; omitting it leaves the document in a locked state. SuccessFactors hard deletes are not supported: deactivated employees remain in the system and are marked inactive in ECC on subsequent syncs. Every record carries a full audit trail with the BAPI return codes and the SuccessFactors delta token, so failed writes can be replayed.
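The /Date(milliseconds)/ conversion described above, as an added example (not ml-connector's own code). The function names and the sample record are constructed for illustration, and the optional +hhmm style suffix is assumed to be display-only, with the millisecond value already counted from the UTC epoch.

```python
import re
from datetime import datetime, timedelta, timezone

# OData V2 JSON date literal: /Date(<ms since epoch>)/, optionally followed
# by a signed four-digit suffix such as +0000 (assumed display-only here).
_ODATA_DATE = re.compile(r"^/Date\((-?\d+)(?:[+-]\d{4})?\)/$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def odata_v2_to_iso(value):
    """Convert one '/Date(ms)/' literal to an ISO 8601 UTC string."""
    if value is None:  # open-ended fields arrive as JSON null
        return None
    match = _ODATA_DATE.match(value)
    if match is None:
        # Fail loudly: a silently mis-parsed date would mismatch ECC records.
        raise ValueError(f"not an OData V2 date literal: {value!r}")
    # timedelta arithmetic also handles negative (pre-1970) values.
    moment = _EPOCH + timedelta(milliseconds=int(match.group(1)))
    return moment.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def normalise_record(record):
    """Return a copy with every '/Date(...)/' value converted, the rest untouched."""
    out = {}
    for key, value in record.items():
        if isinstance(value, str) and value.startswith("/Date("):
            out[key] = odata_v2_to_iso(value)
        else:
            out[key] = value
    return out


# Constructed sample shaped like an EmpJob row; all values are made up.
SAMPLE_EMPJOB = {
    "userId": "100045",
    "costCenter": "CC-4100",
    "startDate": "/Date(1704067200000)/",
    "lastModifiedDateTime": "/Date(1705314645123+0000)/",
    "endDate": None,
}

if __name__ == "__main__":
    print(normalise_record(SAMPLE_EMPJOB))
```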

A real-world example

A multinational manufacturing company runs SAP ECC on-premises for finance, supply chain, and manufacturing across three plants. HR and payroll operate in SAP SuccessFactors cloud with employees in multiple cost centers and departments per plant. Before the integration, new hires were created in SuccessFactors, then manually entered into ECC by HR, often days later and missing cost center assignments. Month-end close revealed discrepancies between HR's headcount in SuccessFactors and the employee master in ECC, and payroll allocations landed on cost centers that no longer existed. With SuccessFactors and ECC connected, each new hire flows into ECC automatically with the correct cost center from the HR record, cost center changes propagate in both directions so allocations always land on valid accounts, and the two systems stay in sync without manual re-keying.

What you can do

  • Sync new hires, terminations, and rehires from SuccessFactors into ECC employee and vendor records via BAPI calls.
  • Map SuccessFactors cost centers and departments to ECC cost center dimensions so payroll allocations land on valid accounts.
  • Propagate organization structure and job code changes from SuccessFactors to ECC so the chart of accounts reflects current HR hierarchy.
  • Authenticate SuccessFactors with OAuth 2.0 SAML Bearer assertion on a 24-hour refresh cycle, and route ECC BAPI calls through the on-premises RFC agent.
  • Poll SuccessFactors on a schedule tied to your HR calendar, handle OData V2 datetime conversion, and replay failed writes with full audit trail.

Questions

How does ml-connector route BAPI calls to an on-premises ECC system from the cloud?
ml-connector stores the on-premises agent address and ECC connection credentials encrypted, then routes all RFC and BAPI calls through the customer's on-premises agent running SAP .NET Connector or Java Connector. The agent translates BAPIs to native RFC calls and returns results to ml-connector. This keeps ECC data secure inside the customer network without exposing the ECC system directly to the cloud.
What does the SAML Bearer assertion do, and how often does it need to be refreshed?
The SAML Bearer assertion is a signed XML document that proves the client's identity to SuccessFactors without sharing a password. ml-connector generates a fresh assertion for each token request, signs it with the client's private RSA key, and posts it to the SuccessFactors OAuth endpoint. The returned access token lasts 24 hours, so ml-connector refreshes it once per day per customer.
What happens if SuccessFactors throttles ml-connector with HTTP 429?
ml-connector detects 429 and 503 responses, calculates an exponential backoff delay (starting at 1 second, doubling up to 60 seconds), waits, and retries the same request. If throttling persists after 5 retries, ml-connector surfaces the error to the audit log so the support team can investigate rate-limit configuration on the SuccessFactors tenant.
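The retry policy from the answer above (1 second, doubling up to 60 seconds, 5 retries, then an audit-log entry), as an added example that is not ml-connector's own code. The send callable, the audit-log shape, and all names are hypothetical.

```python
import time

RETRYABLE = {429, 503}  # throttling statuses named in the answer above


class ThrottleExhausted(RuntimeError):
    """Raised when the request is still throttled after the last retry."""


def backoff_delays(max_retries=5, base=1.0, cap=60.0):
    """Wait before each retry: 1 s, doubling, never above the cap."""
    return [min(cap, base * 2 ** n) for n in range(max_retries)]


def call_with_backoff(send, audit_log, sleep=time.sleep, max_retries=5):
    """Call send() until it returns a non-throttled status or retries run out.

    send() is a hypothetical callable returning (status, body). Audit entries
    record status and attempt only, never the Bearer token or request headers.
    """
    delays = backoff_delays(max_retries)
    for attempt in range(max_retries + 1):
        status, body = send()
        if status not in RETRYABLE:
            return status, body
        if attempt < max_retries:
            audit_log.append({"event": "throttled", "status": status,
                              "attempt": attempt, "wait_s": delays[attempt]})
            sleep(delays[attempt])
    # Retries exhausted: surface the failure so rate limits can be reviewed.
    audit_log.append({"event": "throttle_exhausted", "status": status,
                      "retries": max_retries})
    raise ThrottleExhausted(f"still HTTP {status} after {max_retries} retries")


def scripted_sender(statuses):
    """Constructed stand-in for the HTTP call: replays a fixed list of statuses."""
    queue = list(statuses)
    return lambda: (queue.pop(0), "{}")
```

Passing sleep as a parameter lets the schedule be checked without real waiting; in production the default time.sleep applies.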
