SAP Principal Propagation


SAP Principal Propagation allows destinations to forward the identity of an on-demand user to the backend system of the relevant SAP on-premise system or cloud system. An on-demand user does not need to provide an identity for each connection to an SAP system when using Neptune DXP - Open Edition. The identity is instead propagated through Principal Propagation.

When to use Principal Propagation

You can use Principal Propagation if the backend service endpoint accepts client certificate authentication for both SAP and non-SAP systems. This can be used with HTTPS protocol or RFC protocol with SAP Secure Network Communications (SNC). You can generate an X.509 certificate using Neptune DXP - Open Edition.

Technical scenario

In almost all applications, the identity of a user needs to be verified against the backend system. In Neptune DXP - Open Edition, one of the ways to do that is to use Principal Propagation with X.509 certificates. Once the user has been verified against an identity provider (IdP), a short-lived certificate is generated that can be passed along with the request to the backend system. The identity of the user between the Neptune DXP - Open Edition and backend system should be the same when accessing the system to achieve single sign-on login.

principal propagation1
principal propagation2

Value proposition

Having Principal Propagation enabled on Neptune DXP - Open Edition allows the user to access a resource without needing to provide an identity every time the user makes a connection to the on-premise system or SAP Cloud.

This is a one-time setup per backend system so the time and effort for this is short and any new business scenario that uses the same backend system are ready to go. This type of user identity propagation method allows Neptune DXP - Open Edition to consume a variety of backend systems that accept X.509 certificate-based authentication.