Navin Krishnan Manohar

Principal propagation setup with SAP S/4HANA on-premise system and SAP Business Technology Platform

Principal propagation provides the ability to forward the user context of a message from the sender to the receiver such that it remains unchanged. In this blog post, we discuss how to implement SSO with principal propagation so that the backend trusts requests coming via the configured Cloud Connector.

There are two levels of trust that must be configured. First, the Cloud Connector needs to identify itself to the backend with its system certificate over HTTPS. Second, we need to allow this identity to propagate users, so that a short-lived X.509 certificate can be forwarded for each request. Finally, we map the user in the target system – the SAP S/4HANA on-premise system, in this case.

The X.509 certificate contains the information about the Cloud user in the subject, and this information is used for mapping the user to the corresponding user in the target system.

Step 1 – Generate Certificates in Cloud Connector

We have to configure the following certificates in Cloud Connector:

  1. System Certificate
  2. CA Certificate and
  3. User Certificate

Note: Starting with Cloud Connector version 2.12.3, third-party tools are no longer needed to generate the certificates.

1.1 System Certificate

  1. To configure the System Certificate, go to Configuration → On Premise → System Certificate and click “Create and import a self-signed certificate”.

Figure 1: Configuring the System Certificate

2. Fill in the required details in the pop-up window. The Common Name (CN) represents the server name protected by the SSL certificate. For the certificate to be valid, the request hostname must match the certificate common name.

Figure 2: Required Details to Generate System Certificate

3. Download the generated certificate.

Figure 3: Downloading the Generated System Certificate

4. The downloaded sys_cert.der certificate will be used in the steps below. It will be uploaded to the SAP S/4HANA on-premise backend system (STRUST).

1.2 CA Certificate

The CA certificate signs all the short-lived user certificates that are issued when a request is forwarded from the Cloud with the Cloud principal.

  1. To create the CA certificate, scroll down to the corresponding section and click on the “Create and import a self-signed certificate” button.

Figure 4: Creating a CA Certificate

2. Fill the required details in the pop-up window (as explained in section 1.1, step 2) to generate the certificate.

Figure 5: Required Details to Generate CA Certificate

The Cloud Connector acts as a CA when a request is sent from the Cloud Platform to the SAP S/4HANA on-premise system. Every such request is signed by the Cloud Connector with this certificate. SAP S/4HANA must trust this certificate to establish the communication from the cloud to the on-premise system.

1.3 User Certificate

  1. Scroll down to the Principal Propagation section and edit the Subject Pattern.

Figure 6: Generating the User Certificate

2. Select the Subject Pattern from the list to assert the user IDs. For example, select ${mail} to assert the user against the user’s mail address propagated from the Cloud.

Figure 7: Editing Principal Propagation

Note: Select the Subject Pattern according to the assertion attribute that is available. If the attribute is not listed in the dropdown, you can also enter a pattern manually, for example ${email}.

3. Click on the Create Sample Certificate button.

Figure 8: Generate Sample Certificate

This sample certificate is used to define the mapping rules in the SAP S/4HANA on-premise system in transaction CERTRULE.

Figure 9: Creating a Sample Certificate

Step 2 – Synchronize the Cloud Subaccount IDP

You can follow the help document on how to add the subaccount in the Cloud connector here.

Go to the Cloud To On-Premise → Principal Propagation tab. Click on the Synchronize button to sync the Trust Configuration details of the connected subaccount.

Figure 9: Syncing Trust Configuration of the subaccount

Step 3 – Configure Backend System details in Cloud Connector

  1. Create a new System Mapping and provide the Internal and Virtual host details. Choose the Protocol as HTTPS and the Principal Type as X.509 Certificate (General Usage).

Figure 11: Configuring Backend System Details in the Cloud Connector

2. Add the Resource Access Policy after adding the system mapping.

Figure 12: Adding the Resource Access Policy

Step 4 – Configure SAP S/4HANA On-Premise Backend System with Certificates for the Principal Propagation Setup

You can do the necessary configurations using the following procedure:

  • Import the System certificate downloaded from the Cloud Connector into the SSL Server standard (Transaction code – STRUST).
  • Define the rule-based mapping by importing the Sample certificate downloaded from Cloud Connector. (Transaction code – CERTRULE)
  • Maintain the reverse proxy parameters in the Default Profile. (Transaction code – RZ10)
  • Restart the ICM and check the profile parameters. (Transaction code – SMICM)

4.1 Import the System Certificate

  1. Go to the transaction code STRUST
  2. Expand the SSL Server Standard and go to the Instance Specific as shown in the below image. If there is no existing SSL Server Standard, switch to the edit mode and right click on the SSL Server standard to create one.

Figure 13: SSL Server Standard

3. Click on the Import Certificate button to import the System certificate downloaded from the Cloud Connector (sys_cert.der).

4. Click on “Add to Certificate list” to add the certificate to the list of trusted certificates.

Figure 14: Adding Certificate to Trusted Certificates

4.2 Define the Rule-based Mapping

  1. Go to the transaction code CERTRULE.
  2. Click on the “Import Certificate” button to import the Sample certificate (scc_sample_cert.der) that was downloaded from the Cloud Connector in section 1.3.

Figure 15: Importing User Certificate

3. Click on the Rule button to map the rules.

Figure 16: Mapping Rules

4. Choose the Certificate Attribute and set Login As to E-Mail (or User Name, as required).

5. After saving, the mapping Status is displayed.

Figure 17: Mapping Certificate Status

4.3 Maintain Profile Parameters

  1. Go to the transaction RZ10.
  2. Choose the profile DEFAULT and then the Edit button for Extended Maintenance.

Figure 18: Maintaining Profile Parameters

3. Click on the New Parameter button.

Figure 19: New Parameter

4. Give the parameter name as “icm/trusted_reverse_proxy_0” and the value as

SUBJECT="CN=<>", ISSUER="CN=<>"

where the placeholders hold the subject and issuer of the Cloud Connector system certificate. You can copy these values from the Cloud Connector System Certificate section (1.1).

5. After filling the values, click on Copy.

Figure 20: Copying Default Version

6. Go back and Save parameter. Activate the DEFAULT profile.

Figure 21: Saving and Activating

7. You can ignore the error check validations at this point.
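As an added illustration (not code from this blog post or from SAP), the following Python models the two trust decisions configured in sections 4.2 and 4.3: whether the reverse proxy's TLS client certificate matches icm/trusted_reverse_proxy_0, and how a CERTRULE-style rule resolves the CN of the forwarded user certificate to a backend user. The DN matching, the sample parameter value and the user table are simplified assumptions, not the actual ICM or CERTRULE implementation.

```python
import re
from typing import Dict, Optional

# Constructed sample values (not from the page): the Cloud Connector system
# certificate is self-signed, so its subject and issuer are identical.
TRUSTED_PROXY_PARAM = 'SUBJECT="CN=scc.example.internal", ISSUER="CN=scc.example.internal"'
# Constructed backend user table: user ID -> e-mail address maintained for the user.
USERS = {"NAVIN": "navin@example.com", "ALICE": "alice@example.com"}


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple X.500 DN such as 'CN=host, O=Org' into {'CN': 'host', 'O': 'Org'}."""
    parts = {}
    for rdn in re.split(r",\s*", dn.strip()):
        if rdn:
            key, _, value = rdn.partition("=")
            parts[key.strip().upper()] = value.strip()
    return parts


def parse_trusted_reverse_proxy(param_value: str) -> Dict[str, Dict[str, str]]:
    """Parse an icm/trusted_reverse_proxy_<n> value of the form SUBJECT="...", ISSUER="..."."""
    rule = {k: parse_dn(v) for k, v in re.findall(r'(SUBJECT|ISSUER)\s*=\s*"([^"]*)"', param_value)}
    if "SUBJECT" not in rule or "ISSUER" not in rule:
        raise ValueError("parameter must define both SUBJECT and ISSUER")
    return rule


def proxy_is_trusted(param_value: str, client_subject: str, client_issuer: str) -> bool:
    """First trust level: the TLS client certificate presented by the reverse proxy
    (the Cloud Connector system certificate) must match every SUBJECT and ISSUER
    attribute in the parameter. Any other proxy is untrusted, so a user certificate
    it forwards must not be honoured for logon."""
    rule = parse_trusted_reverse_proxy(param_value)
    presented = {"SUBJECT": parse_dn(client_subject), "ISSUER": parse_dn(client_issuer)}
    return all(presented[part].get(attr) == val
               for part, attrs in rule.items() for attr, val in attrs.items())


def map_forwarded_user(user_cert_subject: str, cert_attr: str) -> Optional[str]:
    """Second trust level, modelled on a CERTRULE rule 'certificate attribute
    <cert_attr> -> login as E-Mail': read the attribute from the short-lived user
    certificate subject (pattern CN=${mail}) and resolve it to a user ID.
    Returns None when no user matches, which must end in a failed logon."""
    value = parse_dn(user_cert_subject).get(cert_attr)
    if not value:
        return None
    for user_id, email in USERS.items():
        if email.lower() == value.lower():  # e-mail addresses compare case-insensitively
            return user_id
    return None
```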

4.4 Restart the ICM

  1. Go to the transaction SMICM.
  2. Restart the ICM so that the changed profile parameters take effect.
  3. Go to Administration → ICM → Hard Shut Down → Global.

Figure 22: Restarting the ICM

In the next part of the blog post, we will discuss how to test the setup with a Fiori-based extension application.

Comments
      Somnath Paul

      Clearly articulated and helpful. Many Thanks!

      Martin Pankraz

      Hi Navin,

      good write up. There are various sources now on the topic. My colleague Martin Raepple added a nice blog series extending principal propagation with Azure AD. I believe the community thrives best when we connect the different blogs to create a more complete picture.

      https://blogs.sap.com/2020/10/01/principal-propagation-in-a-multi-cloud-solution-between-microsoft-azure-and-sap-cloud-platform-scp-part-ii/

      KR

      Martin

      Artem Kovalov

      Nice guide, indeed. To extend the scenario the SAP Cloud SDK can be leveraged to automatically configure Principal Propagation when making calls from your cloud app or extension