To implement principal propagation, we need to establish trust between the subaccount in SAP BTP and the SAP S/4HANA Cloud tenant. For this purpose, we use the Identity Authentication service as the component in the middle. This gives us a two-step approach:
- Setting up the trust between the subaccount in SAP BTP and the Identity Authentication service.
- Setting up the trust between the SAP S/4HANA Cloud tenant and the Identity Authentication service.
The previous chapter already explained how to connect an Identity Authentication tenant to a subaccount in SAP BTP. See Set Trust between Identity Authentication tenant and SAP BTP Subaccount.
How you set up the trust between the SAP S/4HANA Cloud tenant and the Identity Authentication tenant depends on which system you are using:
- If you are using SAP S/4HANA Cloud: SAP has already delivered your SAP S/4HANA Cloud tenant with a configured trust between this tenant and the SAP Cloud Identity Services - Identity Authentication tenant. Just be sure to use the very same Identity Authentication tenant.
- If you are using SAP S/4HANA: to establish the trust, follow the steps in Configure SAML Trust between SAP S/4HANA System and Identity Authentication Service on SAP Help Portal.
NOTE: For more information, see Configuration Tasks on SAP Help Portal.