After a client is authenticated by an authentication provider, the Principal Propagation (X.509) provider enables single sign-on (SSO) access to back-end resources.
The Principal Propagation provider dynamically generates a short-lived certificate for a user who has been authenticated to SAP Mobile Platform Server by another provider. The generated certificate is signed by a configured CA certificate; a signing certificate and its private key are required for this. You can generate a signing certificate using the customer's PKI system, or you can generate a self-signed certificate using keytool (the Java command-line tool). To propagate this certificate to the back-end system, configure the application endpoint connection to use the X.509 SSO mechanism.
When you establish an HTTPS connection to the back end, the generated user certificate is propagated to the back-end system in the SSL_CLIENT_CERT HTTP header. The HTTPS connection is established using the alias that is configured for the endpoint (this alias corresponds to the private key entry in the keystore). This alias can be the same as the one configured for the Principal Propagation provider.
The Principal Propagation provider adds a credential that generates a certificate for an authenticated user. The endpoint uses the certificate to propagate user information to the back end in the SSL_CLIENT_CERT header.
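A back-end-side check for the header described above, as an added example that is not SAP's code or part of the original documentation: it honors SSL_CLIENT_CERT only when the TLS peer is the certificate behind the endpoint alias, so a header sent by any other client cannot stand in for a user. The trusted subject DN, the function names, and the assumption that the header carries bare base64-encoded DER are illustrative.

```python
import base64
import binascii

# Assumption: subject DN of the certificate behind the endpoint alias (constructed value).
TRUSTED_TLS_PEERS = {"CN=smp-server,OU=Mobile,O=Example"}
# Constructed sample: a minimal DER SEQUENCE standing in for a user certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_HEADER = base64.b64encode(SAMPLE_DER).decode()


class PropagationRejected(Exception):
    """The SSL_CLIENT_CERT header must not be used to identify a user."""


def der_is_single_sequence(der: bytes) -> bool:
    """True if der is exactly one SEQUENCE with no trailing bytes (shape check only)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def propagated_cert(tls_peer_subject, headers):
    """Return the propagated certificate as DER bytes, or None if no header was sent.
    tls_peer_subject is the DN verified in the TLS handshake (None if no client cert)."""
    values = [v for k, v in headers if k.lower().replace("-", "_") == "ssl_client_cert"]
    if not values:
        return None
    if tls_peer_subject not in TRUSTED_TLS_PEERS:
        raise PropagationRejected("header sent by an untrusted TLS peer")
    if len(values) != 1:
        raise PropagationRejected("duplicate SSL_CLIENT_CERT headers")
    try:
        der = base64.b64decode("".join(values[0].split()), validate=True)
    except binascii.Error as exc:
        raise PropagationRejected("header is not valid base64") from exc
    if not der_is_single_sequence(der):
        raise PropagationRejected("header is not a single DER structure")
    # Not shown: verify the signature chain to the signing CA and the validity period.
    return der
```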