Skip to Content

In a typical integration landscape involving PI we use a service user for communication between involved systems. This configuration works most of the times accept in the scenarios where we are required to pass logged in user information as user context to PI.

In this blog I will try to describe the configuration of Principal Propagation using SAP assertion ticket between CRM and SAP PO7.31.

Configuring Trust Relationship in CRM for issuing Assertion Ticket:


Call transaction STRUST to check whether a system PSE is maintained.

             By default, a self-signed system PSE should exist, which is sufficient

STRUST1.JPG

Call transaction RZ11 and parameter login/create_sso2_ticket

             Default value is ‘0’ change it to ‘2’.

parameter.JPG

Configuring PO7.31 to accept assertion ticket:

NWA -> Configuration->Trusted Systems-> Add Trusted System->By Querying Trusted System

Provide the details of ticket issueing system(CRM).

Trusted Systems.JPG

once import is complete click finish.

Trusted Systems - 2.JPG

Configuring the Login Module Stack:

NWA -> Configuration-> Authentication and Single Sign-On

I have created a custom template for Login Module “assertionTicket.

Below login module is added. This configuration means if assertion ticket is successful message is passed to PI else if assertion ticket is unsuccessful basic authentication is required.

EvaluateAssertionTicketLoginModule: SUFFICIENT

BasicPasswordLoginModule :               REQUIRED

to create a template click on add.

login policy template.JPG


policy config1.JPG

Add this custom template to SOAP adapter policy configuration


policy config2.JPG

Enabling Principal Propagation in CRM system:

Execute T-Code SXMB_ADM-> Configure Principal Propagation->Restore

It will create PIPPUSER & RFC destination SAPXIPP<clnt no.>

PP config.JPG

Now add interface and user id using 2nd tab “interface Conf. For Transfer of User IDs>

You can use * for all the entries to include all interfaces.

PP2.JPG

Configure RFC destination to P2D as per below screen shot.

RFC destination.JPG

Set ASMA and variable Transport Binding in sender comm. Channel.

comm channel.JPG

Now we are ready to execute the interface.

using SE80 transaction I executed one proxy and below is the screenshot from PI log. Here SOAP channel is using customer template created by me.

nwa log.JPG

The user id is passed to dynamic configuration of PI.

MM Log.JPG

Below is one of the use cases.  This UDF  get logged in user from dynamic configuration and  fetch last name of that user from UME.

  public String getName(Container container) throws StreamTransformationException{

AbstractTrace trace = container.getTrace();

DynamicConfiguration conf =(DynamicConfiguration) container.getTransformationParameters().get(StreamTransformationConstants.DYNAMIC_CONFIGURATION);

String user = “unknown”;

String name = “initial”;

if (conf != null) {

  DynamicConfigurationKey keyUser =DynamicConfigurationKey.create(“http://sap.com/xi/XI/System/SOAP“, “SRemoteUser”);

  user = conf.get(keyUser);

  }

IUserFactory iuf = UMFactory.getUserFactory();

try {

  IUser iu = iuf.getUserByLogonID(user);

  name = iu.getLastName();

  }

catch (UMException e) {

  name = e.getMessage();

  trace.addDebugMessage(e.getMessage());

  }

return(name);

  }

To report this post you need to login first.

Be the first to leave a comment

You must be Logged on to comment or reply to a post.

Leave a Reply