Principal Propagation Single Sign-On Provider

After a client is authenticated by an authentication provider, the Principal Propagation (X.509) provider enables single sign-on (SSO) access to back-end resources.

The Principal Propagation provider dynamically generates a short-lived certificate for a user who has already been authenticated to SAP Mobile Platform Server by another provider. The generated certificate is signed by a configured CA certificate, so a signing certificate and its private key are required. You can obtain the signing certificate from the customer's PKI system, or generate a self-signed certificate with keytool (the Java command-line tool). To propagate the generated certificate to the back-end system, configure the application endpoint connection to use the X.509 SSO mechanism.

When an HTTPS connection to the back end is established, the generated user certificate is propagated to the back-end system in the SSL_CLIENT_CERT HTTP header. The HTTPS connection is established using the alias configured for the endpoint, which corresponds to a private key entry in the keystore. This alias can be the same as the one configured for the Principal Propagation provider.

To use the Principal Propagation provider:
  1. Configure the back-end SAP gateway server to authenticate the user identified in the SSL_CLIENT_CERT header, which arrives over a mutually authenticated SSL connection established with technical-user credentials, and to allow the technical user to impersonate the user identified in that header.
  2. To allow a technical user to connect over HTTPS, configure the endpoint with the X.509 SSO mechanism.

The Principal Propagation provider adds a credential that generates a certificate for an authenticated user. The endpoint uses the certificate to propagate user information to the back end in the SSL_CLIENT_CERT header.
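As an added illustration (not part of the SAP documentation or product code), the following Python script models both halves of the flow with the `cryptography` library: the provider minting a short-lived user certificate signed by a self-signed signing CA, and the back end honouring the SSL_CLIENT_CERT value only on the technical user's mutually authenticated connection, verifying the signature against the signing CA, and rejecting expired or long-lived certificates. The CA name, lifetimes and function names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _validity(cert):  # aware UTC window; older cryptography releases only expose naive datetimes
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    return nb, na

def _sign(subject_cn, issuer_name, public_key, signer_key, ttl_seconds, is_ca):
    # Build a certificate valid from one minute ago (clock skew) until now + ttl_seconds.
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(seconds=ttl_seconds))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

def new_signing_ca(cn="SMP Principal Propagation CA"):  # assumed CA name; stands in for the keystore entry
    """Self-signed signing certificate and key, as keytool would create for the provider."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _sign(cn, _name(cn), key.public_key(), key, 365 * 86400, True), key

def issue_user_cert(ca_cert, ca_key, user, ttl_seconds=600):
    """Provider side: short-lived certificate for an already-authenticated user, PEM-encoded for SSL_CLIENT_CERT."""
    user_key = ec.generate_private_key(ec.SECP256R1())  # only the certificate travels; this key is never used
    cert = _sign(user, ca_cert.subject, user_key.public_key(), ca_key, ttl_seconds, False)
    return cert.public_bytes(serialization.Encoding.PEM).decode()

def user_from_header(header, technical_user_authenticated, ca_cert, max_ttl_seconds=3600):
    """Back-end side: the propagated user name, or None when the header must not be trusted."""
    if not technical_user_authenticated:
        return None  # the header only means something on the technical user's mutually authenticated connection
    cert = x509.load_pem_x509_certificate(header.encode())
    try:  # must be signed by the configured signing CA, not merely well-formed
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return None
    nb, na = _validity(cert)
    if not (nb <= datetime.now(timezone.utc) <= na):
        return None  # expired or not yet valid
    if (na - nb).total_seconds() > max_ttl_seconds:
        return None  # the provider only issues short-lived certificates; anything longer is suspect
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

A real back end would additionally take the CA from its configured trust store and bind the check to the TLS session's client identity rather than a boolean flag.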