|QUESTIONS & ANSWERS||Expand all|
If your consumer application is a Data Connector app, it must use the OAuth 2.0 Client Credentials Grant to obtain an access token.
The process to obtain an access token consists of the following steps.
ADP uses the OAuth 2.0 Authorization model to control access to ADP’s Web APIs. The authorization model depends on the type of the application you are building. If your application is an end-user based Web or Business to Consumer (B2C) application, your application should use the OAuth 2.0 Authorization Code Grant. If your application is a system-to-system or Business-to-Business (B2B) application with no end-users, then your application should use the OAuth 2.0 Client Credentials Authorization Grant.
The authorization model requires your application to obtain access authorization before it can use any APIs. The authorization step verifies the authenticity of your application, its access scope and provides the credentials required to access an API. For example, an access token.
End-user applications require end-users to be authenticated. ADP enforces end-user authentication during the authorization step. ADP also obtains consent from the end-user to access the user’s information stored at ADP from your application.
Your application must authenticate with ADP to obtain an access token. Your application must use Transport Client Authentication (For example, Mutual TLS Authentication) with the X.509 authorized for your application and the account credentials assigned to your application.
Once the application obtains an access token, it can use the access token in multiple API requests. Your application must use HTTPS and the HTTP Authorization header with the OAuth “Bearer” authentication scheme. Your application uses this authentication scheme to pass the access token as the authentication credential.
Your application can also use the OpenID Connect protocol to manage authentication and single sign-on of users with their ADP credentials.
If your consumer application is an end-user based End User application, it must use the OAuth 2.0 Authorization Code Grant to obtain the access token required for invoking APIs.
The process to obtain and use an access token consists of the following steps.
Note: The Developer Resources (Library) offers basic code for OpenID integration and UserInfo retrieval for all ADP API integrations.
The ADP Client Connection Library is intended to simplify and aid the process of authenticating, authorizing and connecting to the ADP API Gateway. The library includes a sample application that can be run out-of-the-box to connect to the ADP API test gateway.
ADP Client Connection Library supports OAuth2 Authorization Code and Client Credentials flows. ID token retrieval via OpenID Connect based Authorization Code flow is also supported. The following table shows the availability of the library for various languages.
Connection Library Repos
For your Business-to-Business (B2B) consumer application, it is up to you to manage client credentials (Client ID / Client Secret) for each client. In order to retrieve data for Client A, you will need to use Client A’s client credentials to retrieve an access token, and then use that token to call an ADP API. In order to retrieve data for Client B, you will need to use Client B’s client credentials to retrieve an access token, and then use that token to call an ADP API. Each access token is bound to a single organization for a limited period of time.
After a client purchases your application on the Marketplace, we will send the client’s credentials to you via secure email (after the client has provided ADP consent to release their credentials to you).
ADP’s APIs support both Business-to-Business (B2B) and Business-to-Consumer (B2C) transactions. In B2B transactions, a business executes transactions with another business. B2B transactions are very common in the supply chain domain where a business sells products to another business in support of its operations. In B2C transactions, an individual consumer executes transactions directly with a business. B2C transactions are very common in the commerce domain where a business sells products directly to the consumers for their personal use.
There are two types of applications that use ADP’s Web APIs.
All clients need to "purchase" your application on the App Store so that proper provisioning can occur. We can generate a coupon code for existing clients that have already purchased your product to use when checking out on the App Store (https://apps.adp.com).
Note: Partner security certification is not necessary if you are only developing a Single Sign-On (SSO) integration with ADP.
To prepare your app for the ADP Marketplace, it must go through our security certification review process. Our corporate security team will perform an assessment of your app to make sure it follows our strict security policies. Your app will be approved for publishing to the ADP Marketplace after it successfully passes our tests for security vulnerabilities.
Use the following procedure to begin the security certification review process.
Clients will purchase your application on the App Store (https://apps.adp.com). Assuming that you are integrated with the App Store, you will receive a subscription notification each time a client purchases your application. At the same time, ADP will receive a similar notification and will subscribe the client to your consumer application, whereby credentials (Client ID / Client Secret) are generated. With your Data Connector consumer application, each client will have their own Client ID / Client Secret.
Your app must undergo both a Static App Security Test (SAST) and a Dynamic App Security Test (DAST) before it can be approved for publishing to the ADP Marketplace. You may choose to have ADP run the tests internally or you may select an independent third-party vendor approved by ADP to perform the tests externally.Note: To understand and avoid security flaws that may impact your app, review “Top Ten Application Security Risks” on the Open Web Application Security Project (OWASP) website.
Tests Performed by ADP
Follow the procedure below to have ADP run the tests on your app.
Tests Performed by an ADP-Approved Vendor
If you want an independent third-party vendor (approved by ADP) perform the tests on your app, use the following procedure.
ADP Web APIs are intended to be used programmatically from your application. In the context of the application model, all applications external to ADP are called consumer applications. Each consumer application can have distinct properties and access limitations to ADP’s client data. You must register your consumer application with ADP.
The following types of apps are offered on the ADP Marketplace. There are various levels of integration and options available.
Referral apps on the ADP Marketplace route (or refer) ADP clients to an ADP partner’s services and applications. There is no integration between ADP and partner applications with referral apps. The partner application is listed on the ADP Marketplace for viewing and referral purposes only. Client leads from the ADP Marketplace are sent to partners.
Partner applications such as Business-to-Consumer (B2C) or Business-to-Business (B2B) apps are integrated with the ADP Marketplace at either the employee or client organization level.
Contact your ADP representative.
If your consumer application is an End User web application, your application must use the OAuth 2.0 Authorization Code Grant to obtain the access token required for invoking APIs.
Your consumer application can use the Authorization Code Grant with the OpenID Connect protocol when the consumer application needs to establish the identity of the user using the application. ADP’s Authorization Code Grant authenticates end-users with their ADP login credentials.
Note: Authentication with other OpenID Connect providers is not supported at this time.
The process to obtain and use an access token consists of the following three steps.
Your consumer application first obtains an authorization code by redirecting the end-user to the ADP authorization endpoint (https://accounts.adp.com/auth/
ADP authenticates the end-user and validates the scope of access requested by your application. If the validation is successful, ADP redirects the end-user to your application’s website and provides an authorization code.
For details, see
Business-to-Business (Data Connector) partner applications are integrated with the ADP Marketplace at the client organization level. After a client’s administrator purchases this type of integrated application from the ADP Marketplace, the partner is issued credentials to retrieve the integration data for that client from ADP. Data Connector integration doesn’t require employees to provide individual consent or access their information.
This applies to developers (partners) who have applications on the App Store that have at least one paid subscription.
As of Summer 2016, developers will be paid by check.
Business-to-Consumer (end user) partner applications are integrated with the ADP Marketplace at the employee level. After a client’s administrator purchases this type of integrated application from the ADP Marketplace and assigns it to its employees, the client’s employees must provide individual consent to release data from ADP to the partner. This data integration occurs at the employee level. End User integration supports Single Sign-On (SSO) for employees using ADP’s OpenID Connect.
ADP’s large Human Capital Management (HCM) structure consists of various backend systems and market segments. ADP allows partners to market their applications to three segments – small (1-49 employees), medium (50-1000 employees) and large (1000+ employees).
The App Store allows partners to sell their apps to all or any one of these market segments. Partners can define different prices and integration models for these market segments.
This applies to partners with paid subscriptions on the App Store.
Partners can offer discounts on the entire order, fees, and setup fees. There is no way to apply a discount to a setup fee only, or just the app subscription.
This applies to partners with paid subscriptions from international clients on the App Store.
International clients will need to pay by credit card for subscriptions on the App Store. ADP Invoice is not offered as a method of payment for international customers.
This applies to partners who have paid subscriptions.
Partners cannot give refunds to clients on the App Store. The App Store does not provide refunds for unused subscriptions. However, if a client upgrades, the App Store will apply any unused subscription toward the new subscription.
In place of a refund, a discount can be awarded for the next billing cycle.
This applies to partners on the App Store with paid subscriptions.
Revenue is based on the billing activity excluding uncollectible receivables or refunds.
To receive notifications, you need to configure and implement subscription events. Please see the following articles:
This applies to partners who have paid subscriptions in their App Store products.
Per the agreement with partners on the App Store, ADP will remit to the Developer within sixty (60) days after the end of such month, the application Net Revenue for the preceding month.
Partners who have applications on the App Store can modify their trial period offerings to clients. Once the partner admin for the App Store application has logged in, they can navigate to Developer > Products > Editions.
You will see a screen like the one below where you can change the Free Trial Period settings.
This applies to developer partners with paid subscriptions on the App Store.
Invoices on the the App Store will show what each client paid for partner product subscriptions.