Part 2: Principal Propagation setup between Cloud Platform and on-premise backend system
In part 1, we saw how to set up authentication between IAS and the corporate user store. In this blog, we will implement SSO using principal propagation. One of the most common use cases in Fiori Cloud or cloud portal implementations is enabling SSO when custom UI5 or Fiori apps run on the cloud portal or Launchpad: a user logs in to the Fiori Launchpad with Active Directory credentials, and clicking a tile passes a short-lived X.509 certificate to the backend system, which authenticates the user with it.
Because user IDs in the backend and in Active Directory are different, we will perform the user mapping based on the user's e-mail address.
Prerequisite: the Cloud Connector is installed, configured and connected to the subaccount as shown below.
By default, the SAP Cloud Connector does not trust any IdP. To synchronize the IdP, navigate to the subaccount, select Cloud To On-Premise, select the Principal Propagation tab and click the synchronize icon.
1. Create the destination in the Cloud Platform with the following properties. The most important properties are highlighted.
2. Log in to the Cloud Connector, select Configuration, and under the On-Premise tab generate a self-signed system certificate and a CA certificate. For simplicity, I will use the self-signed certificate to establish trust with the backend system.
   - System Certificate: Create and Import Self-Signed Certificate, then download the certificate.
   - CA Certificate: Create and Import Self-Signed Certificate.
   Create a sample user certificate. Notice that the subject pattern is set to ${mail} so that users log in with their e-mail address, since user IDs differ between SCP and the backend system. This sample certificate will be used to define the rule (CERTRULE) in the backend system.
3. Select the SCP subaccount in the Cloud Connector and select Cloud To On-Premise to maintain the backend system details.
4. Click the plus (+) sign to maintain the backend system details and the virtual host and port that will be visible on the Cloud Platform. The most important selection is Principal Type: X.509 Certificate. Make sure the backend system is reachable by selecting Check Availability.
5. Once the backend system is added, add the resources to which access is allowed. You can restrict access at the path level. For simplicity, I have kept the path wide open, which is not recommended for a real-life scenario.
This concludes steps on the cloud connector!!
The following steps are performed in the backend system.
- Import the Cloud Connector (SCC) system certificate in transaction STRUSTSSO2 under SSL Server Standard. This establishes trust between the backend and the SCC.
- Maintain the subject, issuer and certificate-rule profile parameters in the default profile (transaction RZ10).
- Create the rule-based mapping using the sample X.509 certificate (transaction CERTRULE).
- Restart the ICM.
Let's look at each of the above steps in detail.
1. Import the system certificate in STRUSTSSO2.
2. Maintain the following 4 profile parameters (transaction RZ10):
- login/certificate_mapping_rulebased=1
- icm/HTTPS/verify_client=1
- icm/HTTPS/trust_client_with_issuer=Value of Issuer of the SAP Cloud Connector System Certificate
- icm/HTTPS/trust_client_with_subject=Value of Issuer of the SAP Cloud Connector System Certificate (for the self-signed system certificate used here, issuer and subject are identical)
3. Create the rule mapping (transaction CERTRULE). Select Rule to define the mapping and click Save. Notice the User Status: it shows that the user with the e-mail address has been found in the system.
4. Restart the ICM (transaction SMICM).
This concludes all the steps required to enable single sign-on from the SAP Cloud Platform application to the backend system via the Cloud Connector.
If you have any trouble with SSO, refer to this wiki to obtain the ICM logs. Search for the client certificate or the user name to find the errors.
This concludes part 2 of the 3-part blog series. In part 3, I will explain how to test the application (a GUI-based transaction) in Fiori Cloud with principal propagation. Stay tuned!
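To make the two halves of this setup concrete, here is an added Python model (not code from this post, from SAP, or from the Cloud Connector) of what step 2 on the Cloud Connector and steps 2 and 3 in the backend achieve: the SCC issues a short-lived user certificate whose subject is filled from the ${mail} pattern, the backend ICM accepts a forwarded client certificate only when the TLS peer matches the issuer and subject named in the icm/HTTPS/trust_client_* parameters, and a CERTRULE-style rule maps the certificate attribute to the e-mail field of the user master, so one rule covers every user. All DNs, user IDs and e-mail addresses are constructed, the certificates are plain objects rather than real X.509 data, and no signature or chain verification is performed.

```python
"""Constructed model of the principal-propagation chain: SCC issues a
short-lived user certificate; the backend trusts the forwarded certificate
only from the SCC system certificate and maps it to a user by rule."""
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical DNs for the certificates generated in SCC (self-signed, so the
# system certificate's issuer equals its subject).
SCC_SYSTEM_CERT_DN = "CN=scc.example.corp, O=Example Corp, C=DE"
SCC_CA_DN = "CN=SCC User CA, O=Example Corp, C=DE"

# Profile parameters from the post (RZ10); the DN values are constructed.
PROFILE = {
    "login/certificate_mapping_rulebased": "1",
    "icm/HTTPS/verify_client": "1",
    "icm/HTTPS/trust_client_with_issuer": SCC_SYSTEM_CERT_DN,
    "icm/HTTPS/trust_client_with_subject": SCC_SYSTEM_CERT_DN,
}

# Issuers whose certificates were imported into STRUST (constructed).
STRUST_TRUSTED_ISSUERS = {SCC_SYSTEM_CERT_DN, SCC_CA_DN}

# Constructed backend user master: user ID -> SU01 fields.
BACKEND_USERS = {
    "JSMITH": {"email": "john.smith@example.com"},
    "ADOE": {"email": "alice.doe@example.com"},
}

# CERTRULE-style rule: the certificate CN is matched against the e-mail
# field of the user master; a single rule applies to all users.
RULE = {"cert_attr": "CN", "user_field": "email"}

# Fixed clock for reproducible runs (constructed).
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Cert:
    subject: str
    issuer: str
    not_after: datetime


def parse_dn(dn: str) -> dict:
    """Split 'CN=x, O=y' into {'CN': 'x', 'O': 'y'} (no escaping support)."""
    parts = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def scc_system_cert(now: Optional[datetime] = None) -> Cert:
    """Self-signed SCC system certificate used as TLS client certificate."""
    now = now or datetime.now(timezone.utc)
    return Cert(SCC_SYSTEM_CERT_DN, SCC_SYSTEM_CERT_DN, now + timedelta(days=365))


def issue_user_cert(idp_attributes: dict, subject_pattern: str = "CN=${mail}",
                    ttl_minutes: int = 5, now: Optional[datetime] = None) -> Cert:
    """SCC side: fill the subject pattern from the IdP assertion attributes
    and issue a certificate with a short validity window."""
    now = now or datetime.now(timezone.utc)
    try:
        subject = string.Template(subject_pattern).substitute(idp_attributes)
    except KeyError as missing:
        raise ValueError(f"IdP assertion lacks attribute {missing}") from None
    return Cert(subject, SCC_CA_DN, now + timedelta(minutes=ttl_minutes))


def icm_trusts_peer(tls_peer: Cert, profile: dict = PROFILE) -> bool:
    """ICM accepts a forwarded user certificate only if client certificates
    are requested and the TLS peer matches the trusted issuer and subject."""
    if profile.get("icm/HTTPS/verify_client") not in ("1", "2"):
        return False
    return (parse_dn(tls_peer.issuer) == parse_dn(profile["icm/HTTPS/trust_client_with_issuer"])
            and parse_dn(tls_peer.subject) == parse_dn(profile["icm/HTTPS/trust_client_with_subject"]))


def certrule_map(user_cert: Cert, rule: dict = RULE, users: dict = BACKEND_USERS,
                 now: Optional[datetime] = None) -> Optional[str]:
    """Rule-based mapping: return the backend user ID, or None to deny."""
    now = now or datetime.now(timezone.utc)
    if user_cert.issuer not in STRUST_TRUSTED_ISSUERS:
        return None  # issuer was never imported into STRUST
    if now > user_cert.not_after:
        return None  # short-lived certificate has expired
    value = parse_dn(user_cert.subject).get(rule["cert_attr"])
    if not value:
        return None  # certificate lacks the attribute the rule needs
    matches = [uid for uid, fields in users.items()
               if fields.get(rule["user_field"], "").lower() == value.lower()]
    # Exactly one user must match; unknown or ambiguous e-mail is denied.
    return matches[0] if len(matches) == 1 else None


def authenticate(tls_peer: Cert, user_cert: Cert, rule: dict = RULE,
                 profile: dict = PROFILE, now: Optional[datetime] = None) -> Optional[str]:
    """Backend decision for one forwarded request."""
    if profile.get("login/certificate_mapping_rulebased") != "1":
        return None
    if not icm_trusts_peer(tls_peer, profile):
        return None
    return certrule_map(user_cert, rule, now=now)


if __name__ == "__main__":
    cert = issue_user_cert({"mail": "john.smith@example.com"}, now=DEMO_NOW)
    print(cert.subject, "->", authenticate(scc_system_cert(DEMO_NOW), cert, now=DEMO_NOW))
```

The denial paths are the ones worth reading: a forwarded certificate from a peer that is not the SCC system certificate, a certificate whose issuer is not in STRUST, an expired short-lived certificate, or an e-mail that matches no user (or more than one) all fail closed.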
Hi,
What can we do if this user mapping has to be done for more than 3000 SAP users?
Thanks,
Bala
Hello,
Did you find a way for mass mapping, please?
Hi Imran,
Nice blog! Thanks!
But should we do the CERTRULE configuration for each user individually? Say I have 300 users using the cloud platform who log in with their e-mail address; should I perform the CERTRULE configuration individually for all those 300 users in the backend system?
And should I do this certificate export and import between 3 different sub-accounts in the Cloud Connector to the appropriate backend system, or just perform the certificate export once and do the backend configuration in each of the backend systems (Dev, QAS and PRD)?
Thanks
Sabarinathan Chandrasekar
Hi
Question about the system and CA certificate: should the CN be the hostname of the on-premise system?
And which certificate should we upload in STRUST? Is it the system certificate? When I try to download the system certificate and double-click it, I get "CA root certificate not trusted".
Regards,
Florence