Gaurav Abbi

Principal Propagation when extending on-prem systems using Kyma runtime

Since Kyma 2.0, on-premise connectivity is enabled. This implies you can now extend your on-premise systems by building and deploying extensions on SAP BTP, Kyma runtime.

One of the key requirements when extending on-premise systems is to enable principal propagation. This blog provides details on how you can achieve principal propagation flow when extending an on-premise system using SAP BTP, Kyma runtime.

It is possible to use XSUAA, SAP Identity Authentication Service (IAS) as an external identity provider with user federation.

Principal propagation relies on the exchange of the JWT token received in Kyma. The exchanged token is then forwarded to the SAP Cloud Connector and is used to identify the logged-in user.

The flow uses the SAP application router to perform:

  • The token exchange
  • Call the on-premise system via the SAP Connectivity proxy

 

Check out this GitHub sample for a reference implementation.

To do the token exchange or call the on-premise system via connectivity proxy, you do not need to write any code. All of this can be achieved by simply configuring the application router.

 

For the Cloud Connector-side configuration of principal propagation, refer to this official SAP documentation.

 

Takeaways

  • Since Kyma 2.0, it is possible to extend on-premise systems
  • Principal Propagation flow can be implemented using application router
  • No developer code is required to achieve the standard flow

      8 Comments
      Zafer Kuru

      Hello Gaurav Abbi ,

      Thank you for your blog and example repositories. It works great and I have an additional question. Can we use "html5-apps-repo-rt" with that application router to access the html5 app over the app-router? I tried but I couldn't make it successful.

       

      {
          "source": "^(/.*)",
          "target": "$1",
          "service": "html5-apps-repo-rt",
          "authenticationType": "xsuaa"
      }

      Thanks,
      Gaurav Abbi
      Blog Post Author

      Hi Zafer,

      Is your html5 app deployed on the HTML5 repository?

       

      Thanks,

      Gaurav Abbi

      Zafer Kuru

      Hi Gaurav,

       

      Yes, it is deployed to the html5 repository with another deployment pod with Kyma.

       

      Thanks in advance,

      Zafer

      Gaurav Abbi
      Blog Post Author

      Hi Zafer,

      I suppose it is deployed via a Kubernetes Job to the HTML5 repository. Perhaps you can confirm it.

      If that is the case, it is not deployed on the Kyma runtime.

      I haven't tried it myself, but perhaps using a destination you can reach out to the html5 app.

       

      Best regards,
      Gaurav Abbi

      Zafer Kuru

      Hi Gaurav,

      Yes, you are right, it is deployed via a Kubernetes job to the HTML5 repo.

      • When we tried with that config, the pod gets an error.

      “VError: xs-app.json/routes/0: Format validation failed (A route requires access to html5-apps-repo-rt service but the service is not bound.)”.

      {
          "source": "^(/.*)",
          "target": "$1",
          "service": "html5-apps-repo-rt",
          "authenticationType": "xsuaa"
      }

      • Also, when we tried with that destination config, the pod deployed correctly. But I couldn't reach the HTML5 app via browser. I guess this is related to the xsuaa service.

      {
          "source": "^/(.*)$",
          "target": "$1",
          "destination": "HTML5-Repo",
          "authenticationType": "xsuaa"
      }

      Thanks in advance,

      Zafer

      Gaurav Abbi
      Blog Post Author

      Hi Zafer,

      The app router you have deployed as a part of the sample is running inside Kyma.

      For accessing your html5 app, you can consider using launchpad service.

      If you still need to access it via app router on Kyma, you might need to possibly set up destination and other required configuration. I would request you to direct this question to the app router component / team to confirm if this is feasible and what all configurations would be required.

       

      Best regards,

      Gaurav Abbi

       

      Zafer Kuru

      Thank you for your time Gaurav.

       

      Regards

      Zafer

      Zafer Kuru

      Hello Gaurav Abbi

      I mounted the HTML5 repo to the approuter, then the service works fine.

      First of all, I created the html5-apps-repo instance with the app-runtime plan. Then, the xs-app configuration is validated properly.

      I shared part of my yaml file as an example.

      Regards,

      Zafer
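
The route problems discussed in this thread can be caught before the approuter pod starts. The following is an added example, not code from the blog post or the SAP sample: a small pre-deployment lint for the `routes` array of xs-app.json. The `boundServices` argument, the probe paths, the sample routes and the destination name `onprem-backend` are assumptions made for illustration; route `source` values are assumed to be plain regex strings.

```javascript
// Added example: lint approuter routes before deploying to Kyma.
// boundServices is an assumption: the caller supplies the names of the
// service instances that are actually bound to the approuter pod.
const PROBES = ["/", "/index.html", "/a/b/c"]; // constructed probe paths

// Heuristic: a source regex that matches every probe is treated as catch-all.
function isCatchAll(source) {
  const re = new RegExp(source);
  return PROBES.every((p) => re.test(p));
}

function lintRoutes(xsApp, boundServices) {
  const findings = [];
  const routes = xsApp.routes || [];
  routes.forEach((route, i) => {
    const where = `routes/${i}`;
    // Same condition the approuter reports as "the service is not bound".
    if (route.service && !boundServices.includes(route.service)) {
      findings.push(`${where}: service ${route.service} is not bound`);
    }
    // An unauthenticated route does not guarantee a logged-in user,
    // so there may be no JWT to exchange and forward to the backend.
    if (route.destination && route.authenticationType === "none") {
      findings.push(`${where}: destination ${route.destination} has no user authentication`);
    }
    // Routes are matched in order, so a catch-all hides every route after it.
    if (i < routes.length - 1 && isCatchAll(route.source)) {
      findings.push(`${where}: catch-all source shadows later routes`);
    }
  });
  return findings;
}

// Constructed sample: the catch-all service route from the comments,
// followed by a hypothetical on-premise destination route.
const sample = {
  routes: [
    { source: "^(/.*)", target: "$1", service: "html5-apps-repo-rt", authenticationType: "xsuaa" },
    { source: "^/onprem/(.*)$", target: "$1", destination: "onprem-backend", authenticationType: "none" },
  ],
};

console.log(lintRoutes(sample, []));                     // no services bound
console.log(lintRoutes(sample, ["html5-apps-repo-rt"])); // after binding the repo runtime
```

Binding the html5-apps-repo instance clears the first finding only; the route order and the unauthenticated destination route still need a manual decision.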