Pass individual user identities from the SAP BTP environment to the backend S4 Hana system

Principal Propagation is the solution to handle this functionality, that will ensure integration between SAP BTP and your backend SAP system (e.g., an ABAP-based system like SAP S/4HANA or BTP ABAP Environment). This setup ensures that individual user identities are passed from the SAP BTP environment to the backend, allowing transport requests to be saved under the correct developer's user ID rather than a single technical user.

Principal Propagation relies on SAML 2.0 (Security Assertion Markup Language) to securely propagate user identities across systems. Below is a step-by-step guide to implement this.

Prerequisites

  1. Administrator Access:
    • SAP BTP Cockpit (Global Account and Subaccount Admin roles).
    • Backend SAP system (e.g., S/4HANA or ABAP Environment) with Basis/Admin access.
  2. Identity Provider (IdP):
    • An IdP that supports SAML 2.0, such as SAP Identity Authentication Service (IAS), Azure AD, or another corporate IdP. SAP IAS is commonly used with BTP.
  3. Consistent User IDs:
    • Ensure that user IDs (or email addresses) are consistent between the IdP, BTP, and the backend system, or set up proper user mapping.
  4. HTTPS Enabled:
    • Both BTP and the backend system must use HTTPS for secure communication.

Implementation Steps

Step 1: Configure the Identity Provider (e.g., SAP IAS)

  1. Access SAP IAS:
    • Log in to your SAP IAS tenant (e.g., <your-tenant>.accounts.ondemand.com).
  2. Create an Application for BTP:
    • In IAS, go to Applications & Resources > Applications.
    • Add a new application for your SAP BTP subaccount.
    • Set the "Subject Name Identifier" to an attribute like email or login name (this will be the user ID propagated to BTP and the backend).
  3. Enable SAML 2.0:
    • Under Trust Configuration > SAML 2.0 Configuration, download the IAS metadata XML file. You’ll need this later.
  4. Assign Users:
    • Add the developers/users who will work in BTP to the IAS tenant and assign them to the BTP application.

Step 2: Configure Trust in SAP BTP

  1. Access BTP Cockpit:
    • Log in to your SAP BTP Cockpit at the subaccount level.
  2. Establish Trust with IAS:
    • Navigate to Security > Trust Configuration.
    • By default, you’ll see "SAP ID Service." Click Create to add a custom IdP.
    • Upload the IAS metadata XML file downloaded earlier.
    • Set this new trust configuration as the default for your subaccount.
  3. Role Mapping:
    • Go to Security > Role Collections and create or update role collections (e.g., Developer) that grant access to Fiori development tools.
    • Map these role collections to user groups or attributes from IAS (e.g., Groups or Roles).

Step 3: Configure the Backend System as a Service Provider

  1. Log into the Backend System:
    • Access your backend SAP system (e.g., via SAP GUI or Fiori Launchpad).
  2. Set Up SAML 2.0:
    • Use transaction SAML2 in the ABAP system to configure SAML settings.
    • Enable SAML 2.0 and upload the IAS metadata XML as the IdP.
    • Export the backend system’s SAML metadata (Service Provider metadata) and download it as an XML file.
  3. Register Backend in IAS:
    • Go back to SAP IAS, create a new application for the backend system, and upload the backend’s SAML metadata XML.
    • Configure the "Subject Name Identifier" to match what you set for BTP (e.g., email).
  4. User Mapping:
    • In the backend system, go to User Administration (SU01) and ensure users exist with IDs matching those in IAS (or set up a mapping rule in SAML2 to map IAS attributes to backend user IDs).

Step 4: Configure the Destination in BTP

  1. Create a Destination:
    • In your BTP subaccount, go to Connectivity > Destinations.
    • Create a new destination pointing to your backend system (e.g., https://<backend-host>:<port>).
  2. Set Authentication to Principal Propagation:
    • In the destination settings:
      • Type: HTTP
      • URL: Backend system URL
      • Authentication: Select Principal Propagation
      • Audience: Enter the SAML audience (usually the backend system’s entity ID from its metadata).
    • Save and test the connection.
  3. Cloud Connector (if On-Premise):
    • If your backend is on-premise, configure the SAP Cloud Connector to expose the backend system to BTP. Map the virtual host and enable Principal Propagation in the Cloud Connector settings.

Step 5: Adjust Communication Arrangements (if Using BTP ABAP Environment)

If your backend is an SAP BTP ABAP Environment:

  1. Access Communication Management:
    • Log in to the Fiori Launchpad of the ABAP Environment.
    • Open the Communication Arrangements app.
  2. Update Scenario:
    • Find the relevant scenario (e.g., SAP_COM_0599 for transport management).
    • Change the authentication method to SAML Bearer Assertion instead of a technical user.
    • Link it to the destination you created in BTP.

Step 6: Test the Setup

  1. Developer Test:
    • Have a developer log in to SAP Business Application Studio (or another Fiori development tool) via BTP using their IAS credentials.
    • Create a new Fiori app or ABAP object and assign it to a transport request.
  2. Verify in Backend:
    • Go to the backend system (e.g., via SE10) and check the transport request. The owner should now reflect the developer’s user ID, not a technical user.
  3. Repeat with Another User:
    • Have a second developer repeat the process to confirm that their user ID is also correctly propagated.

Step 7: Fine-Tune and Monitor

  • Error Handling: If propagation fails, check logs in BTP (Security > Trust Configuration), IAS, and the backend system (SAML2 transaction or SLG1 logs).
  • Timeouts: Ensure SAML assertion lifetimes are aligned across IAS, BTP, and the backend (default is usually 3600 seconds).
  • Fallback: If some processes still require a technical user, create separate destinations with basic authentication for those cases.

Key Benefits

  • Correct Attribution: Transport requests will now be saved under the individual developer’s user ID in the backend system.
  • Security: SAML-based authentication enhances security by avoiding hardcoded technical user credentials.
  • Auditability: Actions in the backend are traceable to specific users, improving accountability.


    Comments

    Post a Comment