Principal propagation forwards the user context of a message from the sender to the receiver unchanged. In this blog post, we discuss how to implement SSO with principal propagation so that the backend trusts requests that arrive through the configured Cloud Connector.
Two levels of trust have to be configured. First, the Cloud Connector identifies itself to the backend with its system certificate over HTTPS. Second, the backend must accept that identity as a trusted intermediary, so that the short-lived X.509 user certificate forwarded with each request is honoured. Finally, the user asserted in that certificate is mapped to a user in the target system, the SAP S/4HANA on-premise system in this case. In security terms the backend delegates authentication to the Cloud Connector: anyone who can present the system certificate together with a user certificate signed by the Cloud Connector's CA can log on as any mapped user, so the Cloud Connector host and its private keys need the same level of protection as the backend itself.
The X.509 user certificate carries the identity of the cloud user in its subject, and the backend uses this subject to map the request to the corresponding user in the target system.
Step 1 - Generate Certificates in Cloud Connector
We have to configure the following certificates in the Cloud Connector:
- System Certificate
- CA Certificate
- User Certificate
Note: As of Cloud Connector version 2.12.3, no third-party tools are needed to generate these certificates.
1.1 System Certificate
1. To configure the System Certificate, go to Configuration → On Premise → System Certificate and choose Create and import a self-signed certificate.

Figure 1: Configuring the System Certificate
2. Fill in the required details in the pop-up window. The Common Name (CN) represents the server name protected by the SSL certificate; for a valid certificate the request hostname must match the CN. Choose the subject deliberately: the backend will later be told to trust exactly this subject and issuer (section 4.3), so record both as the Cloud Connector displays them.

Figure 2: Required Details to Generate System Certificate
3. Download the generated certificate.

Figure 3: Downloading the Generated System Certificate
4. The downloaded sys_cert.der certificate is used in the steps below: it is uploaded to the SAP S/4HANA on-premise backend system (STRUST).
1.2 CA Certificate
The CA certificate signs all user certificates that the Cloud Connector issues when a request is forwarded from the cloud with a cloud principal.
1. To create the CA certificate, scroll down to the corresponding section and click the Create and import a self-signed certificate button.

Figure 4: Creating a CA Certificate
2. Fill in the required details in the pop-up window (as explained in section 1.1, step 2) to generate the certificate.

Figure 5: Required Details to Generate CA Certificate
The Cloud Connector acts as a CA when requests are sent from the Cloud Platform to the SAP S/4HANA on-premise system: for every propagated request it issues a short-lived user certificate signed with this CA certificate. SAP S/4HANA must trust this CA certificate, otherwise the user certificates are rejected and the communication from the cloud to the on-premise system fails. Because the CA's private key can mint a certificate for any user, it stays on the Cloud Connector; the backend only ever needs the public CA certificate.
1.3 User Certificate
1. Scroll down to the Principal Propagation section and edit the Subject Pattern.

Figure 6: Generating the User Certificate
2. Select the Subject Pattern from the list to define how user IDs are asserted. For example, select ${mail} to assert the user by the mail address propagated from the cloud.

Figure 7: Editing Principal Propagation
Note: Choose the Subject Pattern according to the assertion attribute that is available for your users. You can also enter a pattern manually if it is not listed in the dropdown, for example ${email}.
3. Click the Create Sample Certificate button.

Figure 8: Generate Sample Certificate
This sample certificate is used to define the mapping rules in the SAP S/4HANA on-premise system in transaction CERTRULE. Its subject follows the pattern just configured, so the backend can be told which subject attribute carries the user identity before any real request arrives.

Figure 9: Creating a Sample Certificate
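What the Cloud Connector does with the CA certificate (1.2) and the subject pattern (1.3) can be re-enacted offline with openssl. The script below is an added example, not code from the original post or from SAP: it creates a throwaway CA, fills the pattern ${mail} with a made-up mail address, issues a short-lived user certificate signed by that CA, prints the subject that CERTRULE will see, and shows that the certificate verifies only against the CA that issued it, which is why the backend has to trust the Cloud Connector's CA. It assumes OpenSSL 1.1 or later on PATH; all names, paths and the mail address are constructed, and the validity is given in days because that is the granularity `openssl x509 -req` offers.

```shell
#!/bin/sh
# Added example (not from the original post or SAP): re-enact the Cloud Connector's
# CA and per-request user certificate with openssl. Assumes OpenSSL >= 1.1 on PATH.
# Every name, path and mail address below is made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Section 1.2: a self-signed CA. $1 = CN, $2 = file prefix (ca or other).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=DE/O=Example Org/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Section 1.3: fill the subject pattern. ${mail} is replaced by the mail attribute
# of the propagated cloud user. $1 = pattern in openssl -subj form, $2 = mail value
# (assumed to contain no '/' or '&', which sed would treat specially).
fill_subject_pattern() {
    printf '%s' "$1" | sed 's/\${mail}/'"$2"'/'
}

# Issue the per-request user certificate: a fresh key and CSR with the filled-in
# subject, signed by the CA from section 1.2. $1 = pattern, $2 = mail, $3 = days.
# Prints the path of the signed certificate.
issue_user_cert() {
    subj=$(fill_subject_pattern "$1" "$2")
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$3" -sha256 -out "$WORK/user.crt" 2>/dev/null
    printf '%s\n' "$WORK/user.crt"
}

# The subject as CERTRULE sees it, in RFC 2253 form (e.g. CN=jane.doe@example.com).
subject_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# What "SAP S/4HANA must trust this certificate" means in practice: a user
# certificate is only acceptable if its chain ends at a CA the backend has imported.
# $1 = trusted CA file, $2 = certificate to check. Exit status 0 only if it chains.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca "SCC Principal Propagation CA" ca
make_ca "Some Other CA" other
USER_CRT=$(issue_user_cert '/CN=${mail}' 'jane.doe@example.com' 1)

echo "user certificate subject: $(subject_of "$USER_CRT")"
openssl x509 -in "$USER_CRT" -noout -enddate
if verify_against "$WORK/ca.crt" "$USER_CRT"; then
    echo "chains to the Cloud Connector CA: accepted"
fi
if ! verify_against "$WORK/other.crt" "$USER_CRT"; then
    echo "does not chain to an unrelated CA: rejected"
fi
```

Run it with `sh` and compare the printed subject with the subject of the sample certificate downloaded from the Cloud Connector: the attribute name in front of the mail address (here CN) is the one you will select as Certificate Attr in CERTRULE.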
Step 2 - Synchronize the Cloud Subaccount IDP
How to add the subaccount to the Cloud Connector is described in the SAP help documentation.
Go to Cloud To On-Premise → Principal Propagation and click the Synchronize button to sync the Trust Configuration details of the connected subaccount. The Cloud Connector uses this list of trusted identity providers to check the signed user assertion it receives before it issues a user certificate for that user.

Figure 10: Syncing Trust Configuration of the subaccount
Step 3 – Configure Backend System details in Cloud Connector
1. Create a new System Mapping and provide the internal and virtual host details. Choose HTTPS as the Protocol and X.509 Certificate (General Usage) as the Principal Type.

Figure 11: Configuring Backend System Details in the Cloud Connector
2. Add the Resource Access Policy after adding the system mapping. Expose only the paths the extension application needs; every exposed path becomes reachable with the propagated identity.

Figure 12: Adding the Resource Access Policy
Step 4 – Configure SAP S/4HANA On-Premise Backend System with Certificates for the Principal Propagation Setup
You can do the necessary configurations using the following procedure:
- Import the System certificate downloaded from the Cloud Connector into the SSL Server standard (Transaction code – STRUST).
- Define the rule-based mapping by importing the Sample certificate downloaded from Cloud Connector. (Transaction code – CERTRULE)
- Maintain the trusted reverse proxy parameter in the DEFAULT profile. (Transaction code – RZ10)
- Restart the ICM and check the profile parameters. (Transaction code – SMICM)
4.1 Import the System Certificate
1. Go to transaction STRUST.
2. Expand SSL Server Standard and select the instance-specific node as shown in the image below. If there is no SSL Server Standard PSE yet, switch to edit mode and right-click SSL Server Standard to create one.

Figure 13: SSL Server Standard
3. Click the Import Certificate button to import the System certificate downloaded from the Cloud Connector (sys_cert.der).
4. Click Add to Certificate List to add the certificate to the list of trusted certificates.

Figure 14: Adding Certificate to Trusted Certificates
4.2 Define the Rule-based Mapping
1. Go to transaction CERTRULE.
2. Click the Import Certificate button to import the sample certificate (scc_sample_cert.der) downloaded from the Cloud Connector in section 1.3.

Figure 15: Importing User Certificate
3. Click the Rule button to create the mapping rule.
4. Choose the Certificate Attr (the subject attribute that carries the user identity, the e-mail address in our example) and set Login As to E-Mail (or user name, as your requirement dictates). The backend resolves the attribute value against the user master data, so the e-mail addresses maintained there must be complete and unique for the mapping to be unambiguous.
5. After saving, the Status column shows whether the sample certificate maps to an existing user.

Figure 17: Mapping Certificate Status
4.3 Maintain Profile Parameters
1. Go to transaction RZ10.
2. Choose the DEFAULT profile, select Extended Maintenance and click the Edit button.

Figure 18: Maintaining Profile Parameters
3. Click the New Parameter button.
4. Enter icm/trusted_reverse_proxy_0 as the parameter name and SUBJECT="CN=<>", ISSUER="CN=<>" as the value. Copy the subject and issuer from the Cloud Connector System Certificate section (1.1); both must match the certificate exactly, otherwise the ICM does not recognise the Cloud Connector as a trusted reverse proxy and ignores the forwarded user certificate. Only list certificates of hosts that really are your proxies (further entries use _1, _2, and so on): every listed identity is allowed to assert arbitrary users.
5. After filling in the values, click Copy.

Figure 20: Copying Default Version
6. Go back, save the parameter and activate the DEFAULT profile.

Figure 21: Saving and Activating
7. The consistency check may report errors for this parameter; they can be ignored at this point.
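The parameter value has to match the system certificate's subject and issuer exactly, and copying them by hand from a screen is error-prone. The script below is an added example, not code from the original post or from SAP: it reads a certificate in DER form (the format of the downloaded sys_cert.der) with openssl, prints the SUBJECT="...", ISSUER="..." value in the CN-first, comma-separated form this page's parameter example uses, checks that the certificate is self-signed (subject equals issuer, as for the certificate generated in 1.1) and that it has not expired. It assumes OpenSSL 1.1 or later on PATH; because a real sys_cert.der cannot be shipped here, the script constructs its own self-signed stand-in with a made-up host name. The value shown in the Cloud Connector's System Certificate section remains the reference; if its attribute order differs from the script's output, use the Cloud Connector's form.

```shell
#!/bin/sh
# Added example (not from the original post or SAP): derive the value of
# icm/trusted_reverse_proxy_<n> from a DER-encoded system certificate with openssl
# and check the properties the ICM relies on. Assumes OpenSSL >= 1.1 on PATH.
# The certificate, host name and paths are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for sys_cert.der: a self-signed certificate like the one the
# Cloud Connector generates in section 1.1. The subject is given in X.500 order so
# that the RFC 2253 rendering below lists the CN first. $1 = output DER path.
make_test_system_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=DE/O=Example Org/CN=scc.example.com" \
        -keyout "$WORK/sys.key" -outform DER -out "$1" 2>/dev/null
}

# Print one DN of a DER certificate as "CN=..., O=..., C=...".
# $1 = subject or issuer, $2 = DER file. The first sed drops the "subject=" or
# "issuer=" prefix, the second turns RFC 2253's bare commas into ", " while leaving
# escaped commas (\,) inside attribute values alone.
dn_of() {
    openssl x509 -inform DER -in "$2" -noout "-$1" -nameopt RFC2253 \
        | sed -e 's/^[a-z]*= *//' -e 's/\([^\\]\),/\1, /g'
}

# The complete parameter value for RZ10. $1 = DER file.
icm_trusted_reverse_proxy_value() {
    printf 'SUBJECT="%s", ISSUER="%s"\n' "$(dn_of subject "$1")" "$(dn_of issuer "$1")"
}

# A self-signed system certificate has identical subject and issuer. If they differ,
# the certificate was issued by a CA and ISSUER must name that CA, not the host.
is_self_signed() {
    [ "$(dn_of subject "$1")" = "$(dn_of issuer "$1")" ]
}

# An expired certificate fails the TLS handshake before the ICM ever compares DNs,
# so check validity as well. -checkend 0 succeeds while the certificate is valid.
is_unexpired() {
    openssl x509 -inform DER -in "$1" -noout -checkend 0 >/dev/null
}

SYS_CERT="$WORK/sys_cert.der"
make_test_system_cert "$SYS_CERT"

echo "icm/trusted_reverse_proxy_0 = $(icm_trusted_reverse_proxy_value "$SYS_CERT")"
is_self_signed "$SYS_CERT" && echo "certificate is self-signed (subject = issuer)"
is_unexpired "$SYS_CERT" && echo "certificate is currently valid"
```

To use it on a real download, replace the make_test_system_cert call with the path of sys_cert.der and paste the printed line into RZ10. Note that the parameter only identifies the proxy; the certificate still has to be in the SSL server PSE from section 4.1, otherwise the TLS client authentication fails before the parameter is consulted.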
4.4 Restart the ICM
1. Go to transaction SMICM.
2. Restart the ICM so that the changed profile parameters take effect.
3. Go to Administration → ICM → Hard Shut Down → Global. This drops all open HTTP(S) connections on every instance, so schedule it accordingly.

Figure 22: Restarting the ICM
In the next part of the blog post, we will discuss how to test the setup with the Fiori based extension application.