
In part 1 we saw how to set up authentication between IAS and the corporate user store. In this blog we will implement SSO using principal propagation. One of the most common use cases in a Fiori Cloud or cloud portal implementation is enabling SSO for custom UI5 or Fiori apps running on the cloud portal or launchpad: the user logs in to the Fiori Launchpad once with Active Directory credentials, and when they click a tile the Cloud Connector forwards a short-lived X.509 certificate for that user to the backend system, which authenticates the user from it.

User IDs in the backend and in Active Directory differ, so we will map users by their e-mail address.

Prerequisite: the Cloud Connector is installed, configured and connected to the subaccount as shown below.

By default, the SAP Cloud Connector does not trust any IdP. To synchronize the trusted IdPs, navigate to the subaccount, select Cloud To On-Premise, open the Principal Propagation tab and click the synchronize icon.

1. Create the destination in Cloud Platform with the following properties. The most important ones are Proxy Type OnPremise, Authentication PrincipalPropagation and a URL that points to the virtual host and port exposed by the Cloud Connector (highlighted below).

2. Log in to the Cloud Connector, select Configuration and, under the On-Premise tab, generate a self-signed system certificate and CA certificate. For simplicity I will use the self-signed certificate to establish trust with the backend system; in production you would typically have both signed by a corporate CA instead.

System Certificate: Create and Import Self-Signed Certificate, then download the certificate; it will be imported into the backend later.

CA Certificate: Create and Import Self-Signed Certificate. This is the CA the Cloud Connector uses to sign the short-lived user certificates.

Create a sample user certificate. Notice that the subject pattern is set to ${mail}, so the user's e-mail address ends up in the certificate subject; this is what allows the mapping although user IDs differ between SCP and the backend system. This sample certificate is used to define the rule in transaction CERTRULE in the backend system.

3. Select the SCP subaccount in the Cloud Connector and choose Cloud To On-Premise to maintain the backend system details.

4. Click the plus (+) sign to add the backend system and the virtual host and port under which it is visible to the Cloud Platform. The most important selection is Principal Type: X.509 Certificate. Make sure the backend system is reachable by using the Check availability icon.

5. Once the backend system is added, add the resources you want to expose. Access can be restricted at path level; for simplicity I have left the path wide open, which is not recommended for a real-life scenario, where only the service paths the apps actually need should be exposed.

This concludes the steps on the Cloud Connector side.

The steps below are performed in the backend system.

  1. Import the Cloud Connector (SCC) system certificate in transaction STRUSTSSO2 under SSL Server Standard. This establishes the trust between the backend and the SCC.
  2. Maintain the subject, issuer and certificate-rule parameters in the default profile in transaction RZ10.
  3. Create the rule-based mapping from the sample X.509 certificate in transaction CERTRULE.
  4. Restart the ICM.

Let's look at each of the above steps in detail.

  1. Import the system certificate in STRUSTSSO2

2. Maintain the four profile parameters below in transaction RZ10:

  • login/certificate_mapping_rulebased=1 (enables the rule-based mapping maintained in CERTRULE)
  • icm/HTTPS/verify_client=1 (the ICM requests a client certificate; 1 keeps it optional so other logon methods continue to work, 2 would make it mandatory)
  • icm/HTTPS/trust_client_with_issuer=<issuer DN of the SAP Cloud Connector system certificate>
  • icm/HTTPS/trust_client_with_subject=<subject DN of the SAP Cloud Connector system certificate>

The last two parameters tell the ICM which TLS client it may accept forwarded user certificates from. Only with a self-signed system certificate are issuer and subject identical, so do not copy the issuer value into both parameters when the system certificate is signed by a CA; take each value exactly as STRUST displays it.

3. Create the rule mapping – CERTRULE transaction

Select Rule to define the mapping and click Save. Notice the User Status: it shows that the user with this e-mail address was found in the system.

4. Restart the ICM in transaction SMICM.
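The issuer and subject values in step 2 are the part of this procedure most often broken by copy-and-paste, so here is an added example (not part of the original post and not SAP's code) that shows where they come from and what the rule in step 3 matches on. It uses the openssl command line to create stand-in certificates locally: a self-signed SCC system certificate like the one generated in the Cloud Connector step above, a CA-signed one for comparison, and a sample user certificate carrying the e-mail address in the CN the way the ${mail} subject pattern produces it. All DNs, file names, the e-mail address and the function names are constructed for the illustration; in a real landscape you read the issuer and subject from the downloaded system certificate, or from STRUST after import, rather than generating anything.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate stand-in certificates with
# openssl to show where the DN values for the icm/HTTPS/trust_client_with_*
# parameters come from, and which attribute a CERTRULE rule reads.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Print the subject or issuer DN in the "CN=..., OU=..., O=..., C=.." layout that
# STRUST displays (RFC 2253 order, comma-plus-space separators).
cert_dn() {  # usage: cert_dn <cert.pem> subject|issuer
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253,sep_comma_plus_space \
    | sed -e 's/^subject=//' -e 's/^issuer=//'
}

# Constructed stand-in for the SCC CA certificate (created once, reused below).
ensure_scc_ca() {
  if [ ! -f "$WORKDIR/scc_ca.cer" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
      -subj "/C=DE/O=Example/OU=IT/CN=SCC-CA" \
      -keyout "$WORKDIR/scc_ca.key" -out "$WORKDIR/scc_ca.cer" 2>/dev/null
  fi
}

# Self-signed SCC system certificate, as in the post: issuer equals subject.
make_self_signed_system_cert() {
  local out="$WORKDIR/scc_system_selfsigned.cer"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=DE/O=Example/OU=IT/CN=SCC-System" \
    -keyout "$WORKDIR/scc_system_selfsigned.key" -out "$out" 2>/dev/null
  echo "$out"
}

# CA-signed SCC system certificate: issuer and subject now differ, so the two
# profile parameters must be filled with different values.
make_ca_signed_system_cert() {
  local out="$WORKDIR/scc_system_casigned.cer"
  ensure_scc_ca
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=DE/O=Example/OU=IT/CN=SCC-System" \
    -keyout "$WORKDIR/scc_system_casigned.key" -out "$WORKDIR/scc_system.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/scc_system.csr" -CA "$WORKDIR/scc_ca.cer" \
    -CAkey "$WORKDIR/scc_ca.key" -CAcreateserial -sha256 -days 365 -out "$out" 2>/dev/null
  echo "$out"
}

# Emit the four RZ10 parameter lines for a given SCC system certificate.
emit_profile_parameters() {  # usage: emit_profile_parameters <system_cert.pem>
  printf 'login/certificate_mapping_rulebased = 1\n'
  printf 'icm/HTTPS/verify_client = 1\n'
  printf 'icm/HTTPS/trust_client_with_issuer = %s\n' "$(cert_dn "$1" issuer)"
  printf 'icm/HTTPS/trust_client_with_subject = %s\n' "$(cert_dn "$1" subject)"
}

# Sample short-lived user certificate issued by the SCC CA with subject pattern
# CN=${mail}: the CN carries the e-mail address the CERTRULE rule maps on.
make_sample_user_cert() {  # usage: make_sample_user_cert <email>
  local out="$WORKDIR/user.cer"
  ensure_scc_ca
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORKDIR/user.key" -out "$WORKDIR/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/user.csr" -CA "$WORKDIR/scc_ca.cer" \
    -CAkey "$WORKDIR/scc_ca.key" -CAcreateserial -sha256 -days 1 -out "$out" 2>/dev/null
  echo "$out"
}

# Extract the CN attribute of a certificate subject (what the rule compares
# against the e-mail address stored on the backend user).
cert_cn() {  # usage: cert_cn <cert.pem>
  cert_dn "$1" subject | tr ',' '\n' | sed -n 's/^ *CN=//p'
}

# Demo run: both flavours of system certificate, then the sample user cert.
SELF="$(make_self_signed_system_cert)"
CASIGNED="$(make_ca_signed_system_cert)"
echo "# self-signed system certificate (the setup used in this post):"
emit_profile_parameters "$SELF"
echo "# CA-signed system certificate (issuer and subject differ):"
emit_profile_parameters "$CASIGNED"
USER_CERT="$(make_sample_user_cert "john.doe@example.com")"
echo "# CN seen by CERTRULE in the sample user certificate: $(cert_cn "$USER_CERT")"
```

Running it prints the RZ10 lines for both certificates: for the self-signed one issuer and subject are identical, for the CA-signed one they are not, which is why the two parameters have to be filled separately. The last line prints the CN that the rule in CERTRULE matches against the e-mail address of the backend user.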

This concludes all the steps required to enable single sign-on from a SAP Cloud Platform application to the backend system via the Cloud Connector.

If you have trouble with SSO, refer to this wiki on how to get the ICM logs. Look for the client certificate or search for the user name to find the errors.

This concludes part 2 of the 3-part blog series. In part 3, I will explain how to test the application (a GUI-based transaction) in Fiori Cloud with principal propagation. Stay tuned!
