Configuration of Principal Propagation

Principal propagation means the ability to forward the user context of a message unchanged from the sender to the receiver. It enables authentication of a message in the receiver system with the same user that issued the message in the corresponding sender system. Thus, the receiver application is virtually part of the sender application, and the permissions and audit functions of the receiver application can be applied to the original user of the sender application.

Principal propagation is implemented using authentication between the involved messaging components. You can use SAP assertion tickets or the Security Assertion Markup Language (SAML) for this purpose.

• SAP assertion tickets are supported by the following runtimes and adapters:

  • XI (for both ABAP and Java proxies)

  • SOAP

  • RFC

  • WS

• SAML is supported by the WS runtime only.

  More information: Configuring SSO with SAML Token Profiles

To enable principal propagation, you have to perform the following steps:

• Enable principal propagation for the ABAP messaging components

• Configure a trust relationship for SAP assertion tickets

• Modify the configuration of your sender

• Configure principal propagation in the Integration Directory

• Maintain your users