top of page
Search

The Complete ADP Integration Guide

  • Jun 4
  • 4 min read

For ADP Workforce Now, Workforce Now Next Generation, Vantage HCM, Enterprise HR, and Lyric.


ADP powers payroll and HR for millions of employees across the country, and your benefits data is already inside it. The challenge for most organizations is that getting that data from ADP into your carriers and vendors automatically requires a more involved technical setup than most HRIS integrations.


ADP secures its API with two layers of authentication: OAuth 2.0, which verifies the identity of the application connecting to your account, and mutual TLS, which establishes a trusted encrypted channel using a signed digital certificate. Both layers need to be in place before Benefit Cloud can read your data.


This guide covers every step of that process. Most teams complete it in 30 to 60 minutes once ADP API Central is active. If you run into any stumbling blocks, our team is happy to hop on a screen-share.


Note: This guide covers ADP Workforce Now, Workforce Now Next Generation, Vantage HCM, Enterprise HR, and Lyric. ADP RUN uses a different integration model and is not covered here. If you are an ADP RUN client, contact Benefit Cloud directly for guidance.


Step 1: Verify Your ADP API Central Subscription


ADP API Central is the product that unlocks API access on your ADP tenant. Without an active API Central subscription, none of the remaining steps will work.


  1. Go to the ADP Marketplace at https://apps.adp.com.

  2. Search for "ADP API Central" and select the version that matches your ADP product.

  3. If you are not already subscribed, click Buy Now and complete the subscription process.

  4. If you are unsure whether you already have it, check with your ADP account representative or internal ADP admin.

This is a one-time prerequisite. Once API Central is active, you do not need to revisit this step.


Step 2: Get Access to the Developer Self-Service Portal


The Developer Self-Service Portal is where you will create the project and retrieve your OAuth credentials. Access to this portal is managed through your ADP account representative.


  1. Contact your ADP account representative and request access to the Developer Self-Service Portal.

  2. Once access is granted, log into the portal.

  3. Familiarize yourself with the interface before proceeding to the next step.


Step 3: Create a Project and Retrieve OAuth Credentials


Inside the Developer Self-Service Portal, you will create a project for the Benefit Cloud integration. This is where ADP generates your Client ID and Client Secret.


  1. Create a new project in the Developer Self-Service Portal. Name it something identifiable, such as "BenefitCloud Integration."

  2. Select the API products your integration will need access to (employee data, payroll, benefits as applicable).

  3. Once the project is created, ADP will issue a Client ID and Client Secret.

  4. Copy both values immediately and store them in a secure location.


Step 4: Generate a Private Key and CSR


This step uses OpenSSL to generate two files: a private key that stays with you, and a Certificate Signing Request (CSR) that you will send to ADP in the next step. If OpenSSL is not already installed on your computer, Benefit Cloud can point you to installation instructions for your operating system.


  1. Open a terminal or command prompt.

  2. Run the OpenSSL command to generate a 2048-bit RSA private key and a CSR simultaneously.

  3. When prompted, fill in the requested fields (country, organization, common name, etc.). Use plain ASCII characters only. Special characters can cause ADP to reject the CSR.

  4. You will end up with two files: a .key file (your private key) and a .csr file (the certificate signing request).


Keep your private key secure. You will share the .key file with Benefit Cloud via encrypted upload, but it should never be shared over unencrypted email or stored in an unsecured location.


Step 5: Submit the CSR to ADP for Signing


ADP will sign your CSR and return a signed certificate (.pem file). This signed certificate is what Benefit Cloud uses to complete the mutual TLS handshake.


  1. Log back into the ADP Developer Self-Service Portal.

  2. Locate the certificate management section for your project.

  3. Upload your .csr file to ADP's signing tool.

  4. Download the signed .pem certificate that ADP returns.


If ADP rejects your CSR, the most common cause is special characters in the company information fields. Re-run Step 4 using only plain ASCII characters and try again.


Step 6: Submit All Credentials to Benefit Cloud


You now have everything Benefit Cloud needs: a Client ID, a Client Secret, your private key (.key file), and your signed certificate (.pem file). Submit them securely through the Benefit Cloud portal at app.benefitcloud.io/resources/guides/integrations/adp.


  1. Log into the Benefit Cloud portal.

  2. Navigate to Resources and select the ADP Integration Guide.

  3. Use the secure credential submission form to upload your Client ID, Client Secret, signed .pem certificate, and private .key file.

  4. Submit the form. All files are encrypted immediately on upload.


Step 7: Integration Complete


Once your credentials are submitted, here is what happens:


  1. Benefit Cloud verifies the OAuth credentials and tests the mutual TLS connection.

  2. Our team configures data mapping based on your specific feed requirements.

  3. You receive confirmation once the integration is fully active.

  4. Data syncs automatically on your agreed schedule from that point forward.


One thing to keep in mind: ADP-signed certificates expire on a fixed schedule (typically every one to two years). ADP will notify you before expiration, and Benefit Cloud will coordinate the renewal process with you when the time comes.


Ready to automate your benefits data? Book a demo to get started with Benefit Cloud today.

bottom of page