Skip to Content

In the first and second part of this blog series, you can read more on how to setup the Cloud Connector and deploy a cloud application running in the Cloud Foundry environment of SAP Cloud Platform. There you can find all details you need on how to use SAP Cloud Platform Connectivity to consume data coming from an on-premise backend system using Basic Authentication. This authentication type is good for testing but not really recommended for productive usage. In this new part of the blog series, I want to share with you which steps are needed to update the existing configuration to use principal propagation.

Note: To successfully understand the explanations below, I recommend you to go first through the previous parts of the blog series as everything here is based on them.

Before starting to explain on how to configure the Cloud Connector to propagate the user identity from the cloud application to the backend system, let’s have again a short recap of what happens and emphasize the differences to Basic Authentication (colored in blue):

1. User calls the webApp through the AppRouter, which provides a central point of entry to business applications.

2. The request is redirected to XSUAA and the user needs to login. Then a JSON Web Token (let’s call this token JWT1) is created and sent to AppRouter. JWT1 is then cached by the AppRouter.

3. AppRouter forwards the request to the relevant Web-app URL which is defined as destination, it also passes the JWT1 token as credentials.

4a. The WebApp requests another JWT (JWT2) to access the destination instance. JWT2 should be cached for better performance.

4b. In parallel, the WebApp requests another JWT (JWT3) to access the connectivity instance. JWT3 should be cached for better performance.

5. The WebApp requests destination configuration by sending JWT2 and gets the authentication type (Principal Propagation).

6. Based on the authentication type defined in the destination, the WebApp sends a request to the connectivity instance with JWT1 and JWT3.

7. SAP Cloud Platform Connectivity forwards the request to the Cloud Connector.

8. The Cloud Connector sends a request to the on-premise system. Both need to be well configured for principal propagation (see below for details).

In the diagram you can see that you need to update the configuration in 3 different places: in the Cloud Connector,  in the on-premise backend system and in the destination created in the SAP Cloud Platform. Let see now what needs to be done exactly.

 

1. Configuration of the Cloud Connector

a. Update the principal type of the Access Control

b. Set up a trust with the identity provider

c. Export the system certificate so that you can import it in the backend system later on

d. Configure the CA certificate for the short-living certificate

e. Adapt the subject pattern for principal propagation

f. Generate a sample certificate in order to import it in the backend.

2. Configuration of the on-premise backend system

a. Import the system certificate of the Cloud Connector to establish trust

b. Configure the Internet Communication Manager (ICM) to ensure the communication to the outside world.

c. Set up the rule-based certificate mapping (short-living certificate of the Cloud Connector)

 

3. Update of the destination in SAP Cloud Platform

a. Change the authentication type of the destination to “Principal Propagation”

b. That’s all you need to do in the SAP Cloud Platform. Now you can test your application.

 

As you can see the main efforts to setup principal propagation remains in the configuration of the Cloud Connector and the backend system. That means the configuration is almost identical to what we need to do in order to propagate the user identity for the NEO environment of the SAP Cloud Platform. If you are not familiar with this configuration: we have created last year for TechEd a step-by-step guide and the good thing is that you can re-use it completely, even though it has been created for the NEO environment.

One last thing… you are probably asking yourself how the web application decides to send the Authorization header (for basic authentication) or the JWT1 (for principal propagation) based on the authentication type defined in the destination. We have just insert a condition to check it in the code. Here is the excerpt of the code, which is in the  file ConnectivityServlet.java.

switch (authType) {
			case NO_AUTHENTICATION:
				// No action needed
				break;
			case PRINCIPAL_PROPAGATION:
				// Forward JWT token to Connectivity Service
				client.setRequestProperty(SharedConstants.HEADER_SAP_CONNECTIVITY_AUTHENTICATION,
						SharedConstants.BEARER_WITH_TRAILING_SPACE + token);
				break;
			case BASIC_AUTHENTICATION:
				client.setRequestProperty(SharedConstants.HEADER_AUTORIZATION, SharedConstants.BASIC_WITH_TRAILING_SPACE + 
						connectionAttributes.getAuthenticationToken());
				break;
			case SAMLBEARER_AUTHENTICATION:
				String authHeader = SharedConstants.BEARER_WITH_TRAILING_SPACE
						+ connectionAttributes.getAuthenticationToken();
				LOGGER.info(SharedConstants.HEADER_AUTORIZATION + ": " + authHeader);
				client.setRequestProperty(SharedConstants.HEADER_AUTORIZATION, authHeader);
			default:
				break;
			}

 

As mentioned in the previous blogs, you can find all the code in the sharepoint.

You can find the step-by-step guide for setting the principal propagation here on Github. To make it easier for you to use it, I have inserted below a detailed structure of what needs to be done with the direct related links, so that you can faster get to the right info. As bonus, you can find a trouble-shooting guide at the end in the same Github repository 😉

 

A. Steps needed in the Cloud Connector

Step1: Change the principal type of the existing access control to X.509 Certificate

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/tree/master/exercises/B1#user-content-step-by-step-guide

Step 2: Trust configuration to establish trust with the identity provider

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/blob/master/exercises/B1#user-content-step-1-trust-configuration-to-establish-trust-with-the-identity-provider

Step 3: Configure and export the system certificate

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/blob/master/exercises/B1#user-content-step-2-setup-system-certificate 

Step 4: Set up CA certificate

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/blob/master/exercises/B1#user-content-step-3-setup-ca-certificate

Step 5: Configure a subject pattern for principal propagation and generate a sample certificate

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/blob/master/exercises/B1#user-content-step-4-configure-a-subject-pattern-for-principal-propagation

 

B. Steps needed in the on-premise backend system

Step 1: Establishing trust between the ABAP system and the Cloud Connector by importing the system certificate

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/tree/master/exercises/B2#user-content-step-1-establishing-trust-between-the-abap-system-and-the-cloud-connector-by-importing-ca-issuing-the-system-certificate

Step 2: Configuration of the ICM

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/tree/master/exercises/B2#user-content-step-2-configuration-of-the-icm

Step 3: Mapping of the short-living certificate

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/tree/master/exercises/B2#user-content-step-3-mapping-of-the-short-living-certificate

 

C. Steps needed in the SAP Cloud Platform

Step 1: Update the destination

https://github.com/SAP/cloud-platform-connectivity-principal-propagation/tree/master/exercises/B3#user-content-step-by-step-guide

Step 2: Launch the app 😉

 

Here again the repository with the code:

https://sap-my.sharepoint.com/personal/matthieu_pelatan_sap_com/Documents/Forms/All.aspx?slrid=d30fa09e-7067-0000-4021-ad2f4e3a7899&RootFolder=%2Fpersonal%2Fmatthieu_pelatan_sap_com%2FDocuments%2FShare%2FSAP-CP-Connectivity-CF&FolderCTID=0x01200069EF892B2153EC4CB7AC6B15C16160B4

 

Be aware that this is only the basic setup to propagate the identity of the user. You will probably want to do more like setting the Trust Store in the Cloud Connector or whitelist your cloud applications as trusted. As this is not mandatory for having a working setup, I haven’t mentioned it before but I would highly recommend you to have a look at it. You can find all the details and much more in our security guide that is now part of the official documentation.

Thanks for taking the time to go through this blog and please share your feedbacks. It’s always much appreciated 😉

 

To report this post you need to login first.

3 Comments

You must be Logged on to comment or reply to a post.

  1. Bert Deterd

    When i refresh PRINCIPAL PROPAGATION I get different Idps. i do not see accounts.sap.com. My region is cf.eu10.hana.ondemand.com. 

    Some help here would be great. 

     

    >>edit:

    Ok. Seems to be no problem for setting up principal propagation

    (0) 
  2. rizwan pasha

    Hi Matthieu Pelatan,

    we are trying to consume on-premise service from Neo Trial platform . For authentication , we are using principal propagation through HANA cloud connector to the gateway system.

    We followed the steps from the your blogs but received 503 Error when creating UI5 application from neo platform at data connection step

    Below is the screenshot of my Cloud connector of principal propagation

    cloud-connector-pp.jpg

    Below is the screenshot of backend system and its status reachable from Cloud connector

    access-control.jpg

    Below is the screenshot of neo platform destination configuration and its status

    destination-reachable.jpg

    destination-neo.jpg

    Error while creating application from WebIDE at data connection step

    ui-template-503-error.jpg

    In Cloud connector logs, i have found the following error

    cc-logs-new.jpg

    from Cloud connector to the gateway system, connectivity is showing reachable.

    From neo platform destination, connectivity check is showing “connection successful”.

    but when i create the UI5 project in WebIDE at data connection step it is showing 503 error.

    Can anyone help me to find the issue here.

    Thanks,

    Rizwan.

    (0) 

Leave a Reply