Principal Propagation setup between S4HANA and BTP portal
We are configuring Principal Propagation (SSO) between BTP and the S4HANA system, using the e-mail address as the common user identifier on both sides.
Prerequisites: SAP Cloud Connector must be installed, the destination for the backend system must be created and reachable, and the BTP subaccount must be added to the Cloud Connector with status Connected.
Below are the steps we need to perform on the backend system (S4HANA), SAP Cloud Connector (SCC) and BTP (HANA on demand).
Configuration Steps on SCC:
- Add BTP subaccount into SCC: After installing SCC, log in with the default username and password and click Add Subaccount. In the popup that appears, provide the details of the purchased subaccount subscription and the other requested information, then save.
- Create backend destination on SCC: Create the backend destination under the Cloud To On-Premise tab using the HTTPS protocol; click the plus button and fill in the popup that appears.
- Create and download the system certificate from SCC: Go to Configuration -> On Premise tab and, under System Certificate, click Create to create and import a self-signed certificate. For a production environment a CA-signed certificate is recommended: generate a CSR with the button on the left-hand side, have it signed, and import the signed response.
Download and save the system certificate; it is imported into the backend system in a later step.
- Create CA certificate: Repeat the same steps for the CA certificate. As CN use <hostname>.<domain-name> or *.<domain-name>, then click Create; it creates and imports a self-signed certificate. For a production environment a CA-signed certificate is again recommended (generate a CSR with the left-hand button, have it signed, and import the response).
- Generate Principal Propagation (PP) certificate: Generate a PP certificate for the backend system; first click the Edit button.
It will generate an SCC_Sample certificate.
Fill in the SCC backend destination URL and the other related information.
Now click New Properties.
If everything is okay, a success message is displayed.
Now click Check Connection; it will report the connection test as successful.
Backend System setup:
- Create a user in S4HANA and enter the e-mail address in the E-Mail Address field in SU01; this e-mail address must be equal to our user ID in the BTP portal.
- Log in to the S4HANA application, run transaction STRUST, double-click SSL server Standard, press the Edit button, click the Import Certificate button at the bottom and upload the system certificate downloaded in the third step of the SCC configuration. If we are uploading a third-party-signed system certificate, our SSL Standard own certificate must also be signed; after importing the signed certificate it will import both the CA and the root certificate.
- If we want SSO for one user, we must import the PP certificate and map it under Rule; if we want SSO for multiple users, we must generate an explicit certificate for each additional user and do the explicit mapping for each user, using the Explicit Mapping button. a) Add rule for one user: Generate the PP certificate as in the fifth step of the SCC configuration, entering our e-mail address as the CN.
b) Explicit mapping for other users: Generate an additional user certificate for PP from SCP, enter our e-mail address and generate it.
Now click Save; the mapping is created, the mapping status shows "certificate mapped explicitly" and the user status turns green.
- Maintain RZ10 parameters as below. They make the ICM request a client certificate, trust the Cloud Connector's system certificate as the reverse proxy that forwards the user's certificate, and enable rule-based certificate-to-user mapping. Use straight quotes (") in the profile, not typographic ones.
icm/trusted_reverse_proxy = SUBJECT="CN=*.zyx.com", ISSUER="CN=*.zyx.com"
icm/trusted_reverse_proxy = SUBJECT="CN=<>", ISSUER="CN=<>" (sample pattern)
icm/HTTPS/trust_client_with_issuer = CN=*.cloudapp1-hcl.net
icm/HTTPS/trust_client_with_subject = *
icm/HTTPS/verify_client = 1
login/certificate_mapping_rulebased = 1
Take a complete SAP application server restart after changing the parameters.
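To make the trust chain behind the STRUST, mapping and RZ10 steps concrete, here is an added Python simulation of the checks the backend performs before it accepts a propagated identity. It is written for this page and is not SAP or Cloud Connector code: the parameter names are the real ones from the RZ10 block, but the profile text, host names, users, certificate objects, DN matching and mapping tables are constructed assumptions, simplified from the real ICM and CERTRULE behaviour. The lint function also catches the two things that most often break this configuration silently: typographic quotes pasted from a document and <> placeholders left unfilled.

```python
"""Simulation of the checks an S/4HANA ICM makes before accepting a propagated
user identity. Added example for this page, not SAP or Cloud Connector code:
parameter names are real, everything else (hosts, users, matching logic) is a
constructed simplification."""
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed profile fragment: same parameters as the RZ10 step, placeholder domain.
PROFILE = """
icm/HTTPS/verify_client = 1
icm/trusted_reverse_proxy = SUBJECT="CN=*.example.com", ISSUER="CN=*.example.com"
icm/HTTPS/trust_client_with_issuer = CN=*.example.com
icm/HTTPS/trust_client_with_subject = *
login/certificate_mapping_rulebased = 1
"""

def lint_profile(text):
    """Report defects that break or weaken the trust chain: typographic quotes,
    unfilled <> placeholders, and an unrestricted subject filter (trust then
    rests entirely on the issuer check)."""
    findings = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if re.search("[\u201c\u201d\u2018\u2019]", line):
            findings.append(f"typographic quotes, ICM will not parse: {line.strip()}")
        if "<>" in line:
            findings.append(f"placeholder value left in: {line.strip()}")
        if key.strip() == "icm/HTTPS/trust_client_with_subject" and value.strip() == "*":
            findings.append("trust_client_with_subject=*: any subject accepted, issuer filter is the only control")
    return findings

def parse_profile(text):
    """'key = value' lines into a dict; a repeated key keeps its last value."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def parse_dn(dn):
    """'CN=a, O=b' -> {'CN': 'a', 'O': 'b'}; surrounding quotes are stripped."""
    out = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        out[key.strip().upper()] = value.strip().strip('"')
    return out

def dn_matches(pattern, dn):
    """Every attribute in the pattern must be present in the DN and match
    (glob wildcards allowed). A bare '*' matches any DN; an empty pattern never does."""
    if pattern.strip() == "*":
        return True
    actual = parse_dn(dn)
    return all(k in actual and fnmatchcase(actual[k], v) for k, v in parse_dn(pattern).items())

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def resolve_principal(params, scc_cert, user_cert, explicit_map, rule_issuer, users):
    """Return (backend_user, reason). Order of checks:
    1. client certificates must be requested at all (verify_client != 0);
    2. the certificate presented by the Cloud Connector itself must satisfy
       trust_client_with_issuer / trust_client_with_subject, otherwise the
       forwarded user certificate is not believed;
    3. an explicit mapping (exact subject + issuer) wins;
    4. otherwise the rule: issuer must be the SCC CA and CN is the SU01 e-mail."""
    if params.get("icm/HTTPS/verify_client", "0") == "0":
        return None, "verify_client=0: no client certificate requested"
    if not dn_matches(params.get("icm/HTTPS/trust_client_with_issuer", ""), scc_cert.issuer):
        return None, "connector certificate issuer not trusted"
    if not dn_matches(params.get("icm/HTTPS/trust_client_with_subject", ""), scc_cert.subject):
        return None, "connector certificate subject not trusted"
    user = explicit_map.get((user_cert.subject, user_cert.issuer))
    if user:
        return user, "explicit mapping"
    if params.get("login/certificate_mapping_rulebased") != "1":
        return None, "no explicit mapping and rule-based mapping disabled"
    if not dn_matches(rule_issuer, user_cert.issuer):
        return None, "user certificate not issued by the trusted CA"
    email = parse_dn(user_cert.subject).get("CN", "").lower()
    user = users.get(email)
    return (user, "rule: CN matched SU01 e-mail") if user else (None, f"no SU01 user with e-mail {email}")

# Constructed sample data: SCC CA, SCC system certificate, SU01 users keyed by e-mail.
SCC_CA = "CN=ca.example.com"
SCC_CERT = Cert(subject="CN=scc.example.com", issuer=SCC_CA)
USERS = {"alice@example.com": "ALICE", "bob@example.com": "BOB"}
EXPLICIT = {("CN=bob@example.com, OU=Sample", SCC_CA): "BOB"}

def demo(user_cert, scc_cert=SCC_CERT):
    """Run the full chain for one forwarded user certificate against PROFILE."""
    return resolve_principal(parse_profile(PROFILE), scc_cert, user_cert, EXPLICIT, SCC_CA, USERS)

if __name__ == "__main__":
    for cert in (Cert("CN=alice@example.com", SCC_CA),
                 Cert("CN=alice@example.com", "CN=ca.other.test"),
                 Cert("CN=bob@example.com, OU=Sample", SCC_CA)):
        print(cert.subject, "->", demo(cert))
    for finding in lint_profile('icm/trusted_reverse_proxy = SUBJECT=\u201cCN=<>\u201d'):
        print("lint:", finding)
```

The point the simulation makes is that the user's certificate is only ever consulted after the Cloud Connector's own system certificate has passed the issuer/subject filters, and that a user certificate with the right CN but the wrong issuer is still rejected; the issuer filter is therefore the control to keep narrow when trust_client_with_subject is left at *.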
Many articles on setting up Principal Propagation already exist; this one adds my own experience and more detailed steps so that anybody can try it and get it working easily. Feedback and suggestions are most welcome.
In the Destination configuration under Authentication:
What is the difference if we choose to use BasicAuthentication (with a technical username (BASIS) at the backend S4, for example) with ProxyType: OnPremise vs PrincipalPropagation?
PrincipalPropagation, I understand, enables single sign-on (SSO) by forwarding the identity of a cloud user to the Cloud Connector, and from there to the target on-premise system.
When a user ABC launches an application that links to the backend S4 system, if we have the Destination configuration Authentication set to BasicAuthentication, will the application prompt for user and password?
We have a demo application case where there is no prompt when the application is launched. It brings us straight to the application screen.
Does this mean that for BasicAuthentication it will authenticate using the access of the technical username (BASIS) at the backend (where Fiori roles, business roles and technical roles are assigned)?
So the difference between Basic authentication and Principal propagation is that Basic always connects to the backend (S/4HANA) with that specific user, even if someone else accesses the application. But with PP, you're defining the configuration to identify the logged-in user in BTP (via their email or SAP ID) and routing the connection to the backend (S/4 or ECC) as the logged-in user.
Hope that helps