In our scenario, the application Easy Franchise extends an SAP S/4HANA Cloud system. So far, in order to connect this system, we have created an SAP S/4HANA Cloud technical user that is saved in a destination of the application. This is often the way-to-go at the beginning of the development but usually going productive you want to know which user is doing some changes in your system. For that purpose, you can implement the propagation of user principal so you have a single sign-on in place.
This chapter describes how to configure principal propagation, using OAuth communication between a subaccount in SAP BTP with enabled SAP BTP, Kyma runtime to an SAP S/4HANA Cloud system. We will use the OAuth 2.0 SAML bearer assertion flow as OAuth mechanism.
Here are the steps needed for such an implementation:
- Set Trust Between SAP BTP and SAP S/4HANA Tenant Using Identity Authentication Service
- Get Trust Certificate from SAP BTP
- Configure Communication Settings in SAP S/4HANA Cloud
- Understand the Principal Propagation Authentication Flow
- Configure Destination in SAP BTP to use Principal Propagation
- Manage End User Access for the EasyFranchise Application
NOTE: For more details, see Configuration Tasks at SAP Help Portal.