
SAP Cloud Platform Principal Propagation

Single Sign-On to backend service using Principal Propagation

This blueprint provides common information, guidance, and direction for implementing principal propagation with X.509 certificate from SAP Cloud Platform to the backend system that is running on-premise to achieve Single Sign-On. It will allow you to use this method for any endpoint service that accept X.509 certificate based authentication.

Overview

SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.

Authentication and authorization on the SAP Cloud Platform are part of the security implementation; the challenge comes in how to integrate with on-premise systems so that the user has a good experience without having to provide their identity repeatedly.

SAP Cloud Platform offers many methods of principal propagation so it is important to understand them and how they can be used in the destination configuration.

The table below lists each authentication type, what it does, and when to use it.

Authentication Type: Application-to-Application SSO (AppToAppSSO)
Description: Enables services to propagate user identities to other applications which are consumed (deployed or subscribed) in the SAP Cloud Platform account. A user identity is propagated to the application that is specified in the URL. Full identity is propagated.
When to use: If the service endpoint is running on an account in the SAP Cloud Platform.

Authentication Type: SAPAssertionSSO
Description: Configure the back-end system to accept SAP assertion tickets that are signed by a trusted X.509 DSA key pair. By default, all SAP systems accept SAP assertion tickets for principal propagation. Only the user ID is propagated.
When to use: If the backend service endpoint is an SAP NetWeaver AS system that can reside on the cloud or on-premise.

Authentication Type: Principal Propagation
Description: Allows destinations to forward the identity of an on-demand user to SAP Cloud Connector, which then forwards it to the back-end system of the relevant on-premise system. An on-demand user need not provide his or her identity for each connection to an on-premise system when using SAP Cloud Connector. Full identity is propagated.
When to use: If the backend service endpoint accepts client certificate authentication, for both SAP and non-SAP systems. This can be used with the HTTPS protocol or with the RFC protocol with SNC. Note: Cloud Connector is needed.

Authentication Type: OAuth2SAMLBearerAssertion
Description: Enables applications to use SAML assertions to access OAuth-protected resources. Full identity is propagated.
When to use: If the backend service endpoint is an OAuth-protected resource that can reside on the cloud or on-premise (SAP and 3rd party backend systems). An OAuth authorization server is needed.

This blueprint will focus on the Principal Propagation method with Cloud Connector. The Cloud Connector serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems. It is an on-premise agent that runs in the customer network and takes care of securely connecting cloud applications running on SAP Cloud Platform to services and systems in the customer network. It combines an easy setup with a clear configuration of the systems that are exposed to SAP Cloud Platform. In addition, you can control the resources available to the cloud applications in those systems. Thus, you can benefit from your existing assets without exposing the whole internal landscape.

Principal propagation is used to implement hybrid scenarios in which cloud applications require point-to-point integration with existing services or applications in the customer network.

Technical Scenario

For almost all applications a business runs, the application will consume some sort of service that may reside on-premise or in the cloud, and the identity of the user needs to be verified against the backend system as well. On the SAP Cloud Platform, one of the ways to do that is to use principal propagation with X.509 certificates. Once the user has been verified against an identity provider (IdP), a SAML assertion token is passed to the Cloud Connector, which generates a short-lived certificate that is passed along with the request to the backend system. To achieve SSO, the identity of the user must be the same on the SAP Cloud Platform and on the backend system.

Solution

In this setup for principal propagation, a trust relationship is set up between the SAP Cloud Platform and the Cloud Connector, and between the Cloud Connector and the backend system. The Cloud Connector by default does not trust anything, so the administrator must configure it to trust the SAP Cloud Platform services. With this trust, the Cloud Connector will accept incoming service requests from SAP Cloud Platform. Aside from the trust setup between systems, configuration must also be done on the Cloud Connector and on the backend system(s).

The Cloud Connector needs to be configured before principal propagation can be used. These settings are “CA Certificate” and “Principal Propagation”. The “CA Certificate” acts as the identity issuer for the user coming from SAP Cloud Platform; this certificate can be self-signed or signed by a trusted CA. The “Principal Propagation” setting tells the Cloud Connector which attribute of the SAML token to use when generating the short-lived certificate. The other setting needed is the host mapping, with the correct “Principal Type” of “X.509 Certificate”. Since the protocol between the Cloud Connector and the backend system should be secure HTTP (HTTPS), the administrator should add the backend public certificate to the trust store of the Cloud Connector.

The backend system comes in many flavors, so there isn’t a common configuration setting that would cover all of them. The general configuration would include enabling the system Internet Communication Manager (ICM) parameters, enabling the service to use certificate-based authentication, trusting the Cloud Connector “CA Certificate”, and finally mapping the Cloud Connector short-lived certificates to the backend users.

Solution Benefits

Having principal propagation enabled for the destination on SAP Cloud Platform allows the user to access the resource seamlessly without needing to provide his/her identity every time he/she makes a connection to an on-premise system. This is a one-time setup per backend system, so the time and effort for it should be short, and any new business scenario that uses the same backend system would be ready to go. This type of principal propagation allows SAP Cloud Platform to consume a variety of backend systems that accept X.509 certificate-based authentication, from SAP systems to non-SAP systems.

SAP Cloud Platform is the extension platform for SAP. It enables developers to develop loosely coupled extension applications securely, thus implementing additional workflows or modules on top of the existing solution they already have.

SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. Users of all scenario types will be asked for authentication by the SAP Cloud Platform, and the platform application configuration will propagate the user identity down to the backend system.

Reference Solution Diagram

The following diagram of the solution illustrates a basic architectural pattern implementing single sign-on using principal propagation and X.509 certificates.

3.1 The user has already been authenticated against an IdP and authorized for SAP Cloud Platform.

3.2 The destination in SAP Cloud Platform is configured to use Principal Propagation.

3.3 The Cloud Connector is also configured to use Principal Propagation in the “Authentication” field. The Cloud Connector creates a short-lived X.509 certificate, populates the Subject field with the username, and passes it to the backend resource. This X.509 certificate is sent as a header (SSL_CLIENT_CERT) in the request to the backend resource. The backend resource then reads the header, extracts the username, and fulfils the request in the context of this username.

Note: In the landscape picture, the SAP Cloud Platform Identity Authentication service is the IdP (this can be any 3rd party IdP) being used to authenticate the user. The authentication IdP should already be configured and trusted by the SAP Cloud Platform and authorization should be already configured.
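The backend-side handling described in step 3.3, as an added example in Go that is not part of this blueprint or of SAP’s own code: a constructed stand-in CA plays the Cloud Connector and mints a five-minute client certificate with the user name in the Subject CN, and the backend function verifies the certificate received in SSL_CLIENT_CERT against that CA and its validity window before trusting the CN. The CA name "SCC-CA", the five-minute lifetime and the user "JDOE" are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// MintShortLived stands in for the Cloud Connector: a constructed "SCC-CA" issues a five-minute client
// certificate with the propagated user name in its Subject CN. Returns the CA pool and the header PEM.
func MintShortLived(user string, now time.Time) (*x509.CertPool, string) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed demo material: errors ignored
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SCC-CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(5 * time.Minute), // short-lived
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &userKey.PublicKey, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}))
}

// UserFromHeader is the backend side: parse SSL_CLIENT_CERT, verify the chain to the Cloud
// Connector CA and the validity window at time now, and only then trust the Subject CN.
func UserFromHeader(header string, roots *x509.CertPool, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(header))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("SSL_CLIENT_CERT does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err // unknown issuer, expired, or not a client-auth certificate: never map a user from it
	}
	return cert.Subject.CommonName, nil
}
```

Mapping the returned CN to a backend user (step 9 of the implementation process) is left to the backend; the point shown is that the name is only read after the chain and validity checks pass.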

Reference Solution Components

The following list describes the main components needed to implement this scenario and the role they play in the overall solution

User Network

Application – Organizations can choose to develop according to their needs, resources, and skills. Applications can be developed using the SAP Mobile Platform SDK, which provides developer tools to streamline the development, delivery, security and management of mobile applications.

SAP Cloud Platform

SAP Cloud Platform Identity Authentication service – A cloud solution for secure authentication and single sign-on for SAP Cloud Platform applications and for on-premise applications.

Connectivity Service – The connectivity service allows SAP Cloud Platform applications to securely access remote services that run on the Internet or on-premise.

Generic SAP Cloud Platform Service – To keep the blueprint simplified, a generic icon is used since any SAP Cloud Platform services requiring authentication will act the same way.

On-Premise

On-Premise System – This is a generic depiction of any system that can use principal propagation SSO.

Cloud Connector – Serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems.

High Level Implementation Process

This is an overview of the steps needed to implement this blueprint:

  1. Create certificates (CA Certificate and System Certificate) to be configured with Cloud Connector
  2. Get backend SSL system certificate
  3. Add certificates to Cloud Connector
  4. Select “Principal Propagation” attribute to use in Cloud Connector
  5. Map backend system in Cloud Connector
  6. Enable backend system ICM parameters
  7. Enable backend service for certificate-based authentication
  8. Trust Cloud Connector certificate on backend system
  9. Map the certificate user to the user on the system

Learn More

This blueprint highlights important considerations companies need to analyze when implementing authentication for cloud platform applications. It only provides a high level overview of the process. It is recommended to review further information to help you implement your single sign-on using principal propagation. The following resources are a starting point:

  • Configure Principal Propagation to an ABAP System for HTTPS: In this page, the abstract description of the principal propagation configuration is mapped to concrete step-by-step instructions for configuring an ABAP application server for this use case.
  • Principal Propagation between HTML5- or Java-based applications and SAP HANA XS on SAP HANA Cloud Platform: This blog illustrates another very common scenario for principal propagation, where an application on HCP consists of two components: The user interface (UI) is developed and deployed as an HTML5- or Java-application on HCP which consumes an API implemented as a RESTful service from an SAP HANA instance running on HCP. The API requires an authenticated user and exposes the user’s data via SAP HANA extended application services (XS).
  • Principal Propagation in an HTTPS based scenario: This introductory blog describes the actual steps and anchors them in practical mobile-centric scenarios to show an end-to-end flow where authentication takes place through the various system components using Principal Propagation. There are of course factors that increase complexity in a real-world implementation scenario, but this blog together with the corresponding how-to guide should get you well on your way.