Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert
Since Kyma 2.0, on-premise connectivity is enabled. This implies you can now extend your on-premise systems by building and deploying extensions on SAP BTP, Kyma runtime.

One of the key requirements when extending on-premise systems is to enable principal propagation. This blog provides details on how you can achieve principal propagation flow when extending an on-premise system using SAP BTP, Kyma runtime.

It is possible to use XSUAA, SAP Identity Authentication Service (IAS) as an external identity provider with user federation.

The principal propagation relies on the exchange of the JWT token received in Kyma. The exchanged token is then forwarded to the SAP Cloud Connector and is used to identify the logged-in user.

The flow leverages SAP application router to do

  • The token exchange

  • Call the on-premise system via the SAP Connectivity proxy


Checkout this GitHub sample for a reference implementation.

To do the token exchange or call the on-premise system via connectivity proxy, you do not need to write any code. All of this can be achieved by simply configuring the application router.


For cloud connector side configuration for principal propagation, refer to this official SAP documentation.



  • Since Kyma 2.0, it is possible to extend on-premise systems

  • Principal Propagation flow can be implemented using application router

  • No developer code is required to achieve the standard flow