Single Sign-On to backend service using Principal Propagation
This blueprint provides common information, guidance, and direction for implementing principal propagation with X.509 certificate from SAP Cloud Platform to the backend system that is running on-premise to achieve Single Sign-On. It will allow you to use this method for any endpoint service that accept X.509 certificate based authentication.
SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.
While the authentication and authorization on the SAP Cloud Platform is part of the security implementation. The challenge comes in how to integrate with on-premise systems so that the user has a nice experience without having to constantly provide their identity repeatedly.
SAP Cloud Platform offers many methods of principal propagation so it is important to understand them and how they can be used in the destination configuration.
| Authentication Type | Description | When to use… |
Application-to-Application SSO (AppToAppSSO) |
Enables services to propagate user identities to other applications which are consumed (deployed or subscribed) in the SAP Cloud Platform account. A user identity is propagated to the application that is specified in the URL. Full identity is propagated |
If the service endpoint is running on an account in the SAP Cloud Platform |
| SAPAssertionSSO | Configure the back-end system to accept SAP assertion tickets that are signed by a trusted X.509 DSA key pair. By default, all SAP systems accept SAP assertion tickets for principal propagation. Only User ID is propagated |
If the backend service endpoint is a SAP NetWeaver AS system that can reside on the cloud or on-premise. |
| Principal Propagation | Allows destinations to forward the identity of an on-demand user to SAP cloud connector, which then forwards it to the back-end system of the relevant on-premise system. An on-demand user need not provide his or her identity for each connection to an on-premise system when using SAP Cloud Connector. Full identity is propagated |
If the backend service endpoint accepts client certificate authentication for both SAP and non-SAP system. This can be use with HTTPS protocol or RFC protocol with SNC. Note: Cloud Connector is needed. |
| OAuth2SAMLBearerAssertion | Enables applications to use SAML assertions to access OAuth-protected resources. Full identity is propagated |
If the backend service endpoint is a OAuth-protected resources that can reside on the cloud or on-premise (SAP and 3rd party backend system) OAuth authorization server is needed. |
This blueprint will focus on the Principal Propagation method with Cloud Connector. The Cloud Connector serves as the link between on-demand applications in SAP Cloud Platform and existing on premise systems. The Cloud Connector is an on premise agent that runs in the customer network and takes care of securely connecting cloud applications running on SAP Cloud Platform to services and systems in the customer network.The Cloud Connector serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems. It combines an easy setup with a clear configuration of the systems that are exposed to SAP Cloud Platform. In addition, you can control the resources available for the cloud applications in those systems. Thus, you can benefit from your existing assets without exposing the whole internal landscape.
Principal propagation is used to implement hybrid scenarios in which cloud applications require point-to-point integration with existing services or applications in the customer network.
For almost all applications a business runs, the application will consume some sort of service that may reside on-premise or on the cloud and the identity of the user needs to be verified against the backend system as well. On the SAP Cloud Platform, one of the ways to do that is to use principal propagation with X.509 certificates. Once the user has been verified against an Identity provider (IdP), a SAML assertion token is passed to the Cloud Connector to generate a short-lived certificate that can be passed along with the request to the backend system. The identity of the user between the SAP Cloud Platform and backend system should be the same when accessing the system to achieve SSO.
In this setup for principal propagation, there will be a trust relationship setup between the SAP Cloud Platform and the Cloud Connector and between the Cloud Connector and backend system. The Cloud Connector by default does not trust anything so the administrator must configure it to trust the SAP Cloud Platform services. With this trust, the Cloud Connector will accept incoming service requests from SAP Cloud Platform. Aside from the trust setup between systems, the configuration must also be done for the Cloud Connector and backend system(s).
The Cloud Connector needs to be configured before principal propagation can be used. These settings are “CA Certificate” and “Principal Propagation”. The “CA Certificate” will act as an identity issuer for the user coming from SAP Cloud Platform and this certificate can be self-signed or signed as a trusted CA. The “Principal Propagation” setting will tell the Cloud Connector which attribute of the SAML token to use when generating the short-lived certificate. The other setting needed is to perform host mapping and with the correct “Principal Type” of “X.509 Certificate”. Since the protocol between the Cloud Connector and the backend system should be secure HTTP (HTTPS), the administrator should add the backend public certificate to the trust store of the Cloud Connector.
The backend system comes in many flavors so there isn’t common configuration setting that would cover all of them. The general configuration setting would include enabling the system Internet Communication Manager (ICM) parameters, enabling the service to use certificate based authentication, trusting the Cloud Connector “CA Certificate”, and finally mapping the Cloud Connector short-lived certificates to the backend users.
Having principal propagation enabled for the destination on SAP Cloud Platform would allow the user to access the resource seamlessly without needing to provide his/her identity every time he/she makes a connection to an on-premise system. This is a one-time setup per backend system so the time and effort for this should be short and any new business scenario that uses the same backend system would be ready to go. This type of principal propagation method allows SAP Cloud Platform to consume a variety of backend systems that accept X.509 certificate based authentication from SAP systems to non-SAP systems.
SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.
SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. All scenario type users will be asked for authentication by the SAP Cloud Platform and the platform application configuration will propagate the user identity down to the backend system.
The following graphical diagram of the solution illustrates a basic architectural pattern implementing single sign-on using principal propagation and X.509 certificates.
Note: In the landscape picture, the SAP Cloud Platform Identity Authentication service is the IdP (this can be any 3rd party IdP) being used to authenticate the user. The authentication IdP should already be configured and trusted by the SAP Cloud Platform and authorization should be already configured.
The following list describes the main components needed to implement this scenario and the role they play in the overall solution
User Network
Application – Organizations can choose to develop according to their needs, resources, and skills. Applications can be developed using SAP Mobile Platform SDK. The SAP Mobile Platform SDK provides developer tools to streamline the development, delivery, security and management of mobile applications.
SAP Cloud Platform
SAP Cloud Platform Identity Authentication service – A cloud solution for secure authentication and single sign-on for SAP Cloud Platform applications, and for on premise applications.
Connectivity Service – The connectivity service allows SAP Cloud Platform applications to access securely remote services that run on the Internet or on premise.
Generic SAP Cloud Platform Service – To keep the blueprint simplified, a generic icon is used since any SAP Cloud Platform services requiring authentication will act the same way.
On-Premise
On Premise System – This is a generic depiction of any system that can use the principal propagation SSO.
Cloud Connector – Serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems.
This is an overview of the steps needed to implement this blueprint:
This blueprint highlights important considerations companies need to analyze when implementing authentication for cloud platform applications. It only provides a high level overview of the process. It is recommended to review further information to help you implement your single sign-on using principal propagation. The following resources are a starting point:
