Tips & Tricks for Principal Propagation Issues
If you plan to forward the identity of cloud users from SAP BTP to on-premise systems, you’ll likely come across the term principal propagation. Simply put, it lets the identity of the user logged into your cloud application be passed through to your backend system, so actions are executed as that user, not as a generic technical account. The benefit is security-relevant: the backend can apply that user’s own authorizations and audit trail instead of trusting one shared account that every cloud request shares. Setting this up isn’t always straightforward. You’ll need to deal with SAP Cloud Connector, certificates, trust configuration and backend settings. But don’t worry! This article won’t walk you through every step from scratch. Instead, it shares practical tips, common pitfalls and troubleshooting insights to help you get principal propagation working correctly in your landscape. Let’s look at how to move cloud users from SAP BTP to on-premise systems.
SAP Principal Propagation Tips
• Check host and port in the backend:
o Use transaction SMICM (Goto -> Services) to find the host and the HTTPS port of your on-premise system. Principal propagation needs the HTTPS port, because the Cloud Connector authenticates to the backend with its system certificate over TLS; a mapping to the plain HTTP port will work for basic authentication but not for principal propagation.
• Generate the following certificates in SAP Cloud Connector:
o System Certificate – the Cloud Connector’s own identity, presented as TLS client certificate to the backend; this is what the backend trusts.
o CA Certificate – configured under Configuration -> On Premise -> Principal Propagation; it signs the short-lived X.509 user certificates the Cloud Connector issues per request.
o Sample (user) certificate – generated from the subject pattern you configure there, with Common Name = user e-mail or another unique identifier (for example CN=${email}). The attribute you put into the CN must be unique per user, since the backend resolves the user from it.
• Import certificates in the ABAP system:
o Use STRUST to import the Cloud Connector system certificate and the CA certificate into the SSL Server Standard PSE. This is the PSE the ICM uses to verify incoming client certificates; the SSL Client Standard PSE is for outbound calls and importing there has no effect on principal propagation.
o Use CERTRULE to import the sample certificate and define a rule-based mapping (e.g. certificate attribute CN mapped to the SU01 e-mail address). Keep the rule as narrow as possible; a rule that matches on a non-unique attribute lets several certificates resolve to the same backend user.
• Maintain system profile parameters:
o Use RZ10 to update the profile with:
▪ icm/HTTPS/verify_client = 1 (the ICM requests a client certificate but does not refuse connections without one)
▪ icm/trusted_reverse_proxy_0 = SUBJECT="<Subject DN of the Cloud Connector system certificate>", ISSUER="<Issuer DN of that certificate>"
o The second parameter is what makes the ICM accept the forwarded user certificate (sent in the SSL_CLIENT_CERT header) only when the TLS client is the Cloud Connector itself; if the DNs do not match exactly, the header is ignored and the request arrives without an identity.
o Save and activate the profile.
• Restart ICM the clean way:
o Use transaction SMICM → Administration → ICM → Exit Soft → Global.
• Ensure e-mail mapping in SU01:
o Check that your backend user in SU01 has the e-mail address filled with the same address you use to log on to SAP BTP; the Cloud Connector copies this attribute from the user’s token into the certificate CN, so any difference (a second address, an old domain) means no match.
o Each e-mail address should be mapped to only one user in the backend system. Certificate-based user resolution cannot pick between two users with the same address, so duplicates cause a logon failure for both.
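As an added example that is not part of the article or of SAP’s own code, the script below models the backend side of the mapping described above: it parses the subject DN of a Cloud Connector user certificate, takes the CN (assuming the subject pattern CN=${email}), and resolves it against a constructed SU01 export, reporting the duplicate-e-mail conflict that CERTRULE cannot resolve. The SU01 records, user names and addresses are made up for the illustration, and the resolution logic is a model of the rule, not SAP’s implementation.

```python
"""Model of principal-propagation user resolution (added example).

Assumptions (not from the article or SAP):
  - the Cloud Connector subject pattern is CN=${email}
  - CERTRULE maps the CN to the SU01 e-mail address, case-insensitively
  - SAMPLE_USERS stands in for an export of SU01 users and their e-mail
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SU01User:
    username: str
    email: str          # empty string if no address is maintained


@dataclass
class Resolution:
    status: str                       # "ok", "no_cn", "no_match", "ambiguous"
    username: Optional[str] = None
    candidates: List[str] = field(default_factory=list)


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Parse an RFC 4514-style DN such as "CN=a@x.com, O=Corp, C=DE".

    Commas escaped with a backslash are kept inside the value; attribute
    types are upper-cased so CN/cn compare equal.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def index_by_email(users: List[SU01User]) -> Dict[str, List[SU01User]]:
    """Group users by lower-cased e-mail; users without an address are skipped."""
    index: Dict[str, List[SU01User]] = {}
    for user in users:
        if user.email:
            index.setdefault(user.email.lower(), []).append(user)
    return index


def find_duplicate_emails(users: List[SU01User]) -> Dict[str, List[str]]:
    """Pre-check to run before enabling principal propagation."""
    return {email: [u.username for u in group]
            for email, group in index_by_email(users).items() if len(group) > 1}


def resolve_user(subject_dn: str, users: List[SU01User]) -> Resolution:
    """Resolve a certificate subject to exactly one SU01 user, or explain why not."""
    cn = parse_subject_dn(subject_dn).get("CN")
    if not cn:
        return Resolution("no_cn")
    matches = index_by_email(users).get(cn.lower(), [])
    if not matches:
        return Resolution("no_match")
    if len(matches) > 1:                         # the conflict the article warns about
        return Resolution("ambiguous", candidates=[u.username for u in matches])
    return Resolution("ok", username=matches[0].username)


# Constructed sample data standing in for an SU01 export.
SAMPLE_USERS = [
    SU01User("JDOE", "john.doe@example.com"),
    SU01User("JSMITH", "jane.smith@example.com"),
    SU01User("JSMITH2", "jane.smith@example.com"),   # duplicate address
    SU01User("TECHUSER", ""),                        # technical user, no e-mail
]

if __name__ == "__main__":
    print("duplicates:", find_duplicate_emails(SAMPLE_USERS))
    for dn in ("CN=John.Doe@example.com, O=Example Corp, C=DE",
               "CN=jane.smith@example.com, O=Example Corp, C=DE",
               "O=Example Corp, C=DE"):
        print(dn, "->", resolve_user(dn, SAMPLE_USERS))
```

Running find_duplicate_emails over a real export of SU01 addresses (for example from a query on USR21/ADR6) before switching a destination to principal propagation tells you which users will fail to log on for the "ambiguous" reason rather than for a certificate or trust problem.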
• Destination testing tips:
o Define at least two destinations in SAP BTP for the same backend – one with basic authentication and a technical user, one with principal propagation. If the basic-authentication destination works and the principal-propagation one fails, the problem is in the identity chain (certificates, trusted reverse proxy, CERTRULE, SU01), not in the network or the Cloud Connector mapping.
o In SAP Business Application Studio, use Command Palette -> Fiori: Open Environment Check to get detailed information about your destination and its availability.
o Use Check Connection on the destination in the SAP BTP cockpit to verify reachability through the Cloud Connector.
• Troubleshooting tips in the Cloud Connector:
o In Cloud To On-Premise -> Access Control, press Show Details for your mapped host. Review System Mapping Details and Connection Check Details; a principal-propagation mapping must use the HTTPS protocol and the Principal Type X.509 Certificate.
o Search the Log and Trace Files tab to diagnose issues such as certificate mismatches, failed connections or incorrect mappings. Raise the trace level temporarily while reproducing the failing request, then lower it again, since the traces can contain user identities.
Useful Official Guides
If you’re looking for detailed, step-by-step instructions from official sources, here are some recommended links that complement the tips in this article:
• Principal Propagation Setup:
SAP Blog: Setting Up Principal Propagation
A detailed SAP Community blog that covers, among other things, certificate generation, configuration in the Cloud Connector and the backend steps for principal propagation.
• Official SAP Documentation about Principal Propagation:
SAP Help Portal: Principal Propagation
The official SAP Help Portal guide provides comprehensive documentation on how principal propagation works, including prerequisites, configuration steps and troubleshooting advice.