Principal Propagation when extending on-prem systems using Kyma runtime
Since Kyma 2.0, on-premise connectivity is available. This means you can now extend your on-premise systems by building and deploying extensions on SAP BTP, Kyma runtime.
One of the key requirements when extending on-premise systems is principal propagation: the identity of the user logged in to the extension must reach the on-premise system. This blog describes how to achieve a principal propagation flow when extending an on-premise system using SAP BTP, Kyma runtime.
XSUAA can be used together with SAP Identity Authentication Service (IAS) as an external identity provider, with user federation.
Principal propagation relies on exchanging the JWT token received in Kyma for a token issued for the connectivity service that still carries the user's identity. The exchanged token is forwarded through the connectivity proxy to the SAP Cloud Connector, which derives the logged-in user from it. Which token issuers the Cloud Connector accepts is governed by its trust configuration, so that side must be set up as well (see the documentation linked below).
The flow leverages the SAP application router to:
- do the token exchange
- call the on-premise system via the SAP Connectivity proxy
Check out this GitHub sample for a reference implementation.
To do the token exchange or call the on-premise system via connectivity proxy, you do not need to write any code. All of this can be achieved by simply configuring the application router.
For the Cloud Connector side of the principal propagation configuration, refer to this official SAP documentation.
- Since Kyma 2.0, it is possible to extend on-premise systems
- The principal propagation flow can be implemented using the application router
- No custom code is required to achieve the standard flow
Hello Gaurav Abbi,
Thank you for your blog and example repositories. It works great and I have an additional question. Can we use "html5-apps-repo-rt" with that application router to access the html5 app through the app router? I tried but I couldn't make it work.
Is your html5 app deployed on the HTML5 repository?
Yes, it is deployed to the html5 repository with another deployment pod in Kyma.
Thanks in advance,
I suppose it is deployed via a Kubernetes Job to the HTML5 repository. Perhaps you can confirm it.
If that is the case, it is not deployed on the Kyma runtime.
I haven't tried it myself, but perhaps you can reach the html5 app using a destination.
Yes, you are right. It is deployed via a Kubernetes job to the HTML5 repo.
Thanks in advance,
The app router you have deployed as a part of the sample is running inside Kyma.
For accessing your html5 app, you can consider using launchpad service.
If you still need to access it via the app router on Kyma, you might need to set up a destination and other required configuration. I would request you to direct this question to the app router component / team to confirm whether this is feasible and which configurations would be required.
Thank you for your time Gaurav.
Hello Gaurav Abbi
I mounted the HTML5 repo to the approuter, then the service works fine.
First of all, I created the html5-apps-repo instance with the app-runtime plan. Then the xs-app configuration is validated properly.
I shared part of my yaml file as an example.
In this way, is the content in the link below outdated?
Yes, thanks for the details. I will notify the respective team.
There is a PR in progress.