2. Drivers

Automation Core
• Technology improvements mean computing tasks that previously required interaction with people can now be fully automated.
• Automation brings repeatability, reduced error rates and easy scalability of service provision.

Platform Agnostic
• Future interoperability and open standards will mean businesses can swap easily between cloud providers.
• It is key that solutions are designed to operate in such a platform-agnostic manner, outside the bounds of normal technical architecture design (i.e. no fixed O/S choices or fixed DB platforms).

Established Technological Principles
• Solutions today should be built using already established technological principles.
• Using bleeding-edge technology rarely produces the perceived benefits in places such as core business systems without significant buy-in from business leaders.
• Pre-empting standards not yet widely adopted could produce a "Betamax" scenario.

Future Assurance
• Technology solutions should deliver for a minimum timeframe within the context of the lifecycle of the related business system.
• Example: scripts re-written during a platform migration should not just use the coolest scripting language; they should use a commonly known language that is widely used and understood.
3. About Principal Propagation
• Permits federated authentication (single sign-on) into customer SAP systems via an IdP such as SAP IDM.
• Authentication to on-premise SAP IDM is possible.
• Downstream SAP systems can then authenticate against the IDM-generated SAP logon ticket (MYSAPSSO2 cookie) or SAML2 token.
• SAP Cloud Platform (SCP) users (S-users) can use SAP Cloud Platform services such as Web IDE, authenticating into the customer SAP systems against their respective SAP system account in the IdP (usually their corporate identity).
4. About SAP Cloud Platform
• SAP Cloud Platform, a.k.a. SCP (previously called SAP HANA Cloud Platform).
• A PaaS set of tools, utilities and cloud capabilities for use with SAP and non-SAP products, all provided in the cloud.
• Accessed over the internet.
• Is the future of SAP software integration and will also provide the basis for many SAP SaaS applications.
• Can be accessed from "on-premise" (or your cloud provider) using the SAP Cloud Connector (SCC), which acts as a reverse proxy.
5. Architecture Overview

[Diagram: the principal propagation trust chain from SCP, through the SCC, to the on-premise SAP system. Labels recovered from the diagram:]

Cloud (SCP)
• SAP Cloud Platform developer with S-user account.
• Sub-account ABC123; destination BE1:1234 = https://be1.corp, reached via the SAP Cloud Connector.

"On-Premise" (can be cloud-hosted IaaS)
• IdP (SAP IDM) / UME: the developer's corporate identity and account.
• SAP Cloud Connector; trust store: CA cert, system cert, BE1 SSL cert chain.
• Optional Web Dispatcher; trust store: SCC CA cert; Web Dispatcher SSL chain.
• BE1 - SAP (https://be1.corp): target ICF service behind the ICM (+ Web Dispatcher); ICM trust store: SCC CA cert.

On the wire between SCC and BE1: SSL with the SCC cert chain, the user's x.509 client cert carried in an HTTP header, SAML token.

ICM (+ Web Dispatcher) parameters:
login/certificate_mapping_rulebased=1
icm/trusted_reverse_proxy_0=<SCC System CA>
icm/HTTPS/verify_client=1

Customise in: STRUST, CERTRULE, RZ10, Web Dispatcher SSL chain.
6. Areas for Configuration

SCP:
• Create S-user account(s).
• Create a destination to the back-end SAP system via the SCC, with Principal Propagation enabled and pointing to your IdP.

IdP:
• SAML: Configure SAML token creation for SCP users after authentication.

SCC:
• Sub-Account: Register SCP sub-accounts for incoming connections from SCP.
• On-Premise: Configure the trust store with the back-end SAP system SSL server cert and the optional Web Dispatcher SSL cert.
• On-Premise: Configure Principal Propagation user x.509 client cert creation upon SAML token receipt.

BE1:
• ICM: Transaction STRUST to trust the SCC client x.509 cert.
• AUTH: Transaction CERTRULE to map the SCC dynamic x.509 client cert CN to SAP system user accounts.
• ICM: Transaction RZ10 to configure the ICM parameters that enable trusting of client x.509 certs forwarded in the HTTP header. Restrict the trusted reverse proxy entries to the SCC (or the Web Dispatcher in front of it): any peer the ICM trusts to forward client certs can assert any user.

Optional Web Dispatcher:
• ICM: Add the SCC client x.509 cert to the SAPSSLS PSE.
• ICM: DEFAULT.PFL to configure the ICM parameters that enable trusting of client x.509 certs forwarded in the HTTP header.
7. Summary
• Principal Propagation should enable smooth, efficient access to back-end SAP systems via the SAP Cloud Connector from the SAP Cloud Platform.
• A secure setup is always recommended, paying attention to SAP recommendations for SCC networking and HA.
• The future direction of SAP integration will need to use the SCC more and more. Example: SAP Analytics Cloud.
• The Principal Propagation trust setup is complex and involves multiple certificates, leaving you open to the probability of certificate expiration causing an outage.
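The configuration areas (STRUST, CERTRULE, the trusted-reverse-proxy ICM parameters) and the certificate-expiry risk noted above meet in the check the back end performs on every request. The following Go program is an added example, not code from this deck, from SAP or from the SCC: it builds a throw-away CA standing in for the SCC system CA, mints a short-lived user certificate the way the SCC does after receiving the SAML token, and on the BE1 side refuses the forwarded certificate unless the directly connected peer is the trusted reverse proxy, the chain verifies against the trust store, the validity period holds and a CERTRULE-style rule maps the subject CN to a user. It also reports the days left on a certificate, the check to schedule against every certificate in the chain. The header name SSL_CLIENT_CERT, the peer CN scc.corp, the user jsmith@corp.example mapped to SAP user JSMITH, and the use of ECDSA P-256 keys are all assumptions constructed for the example; the real SCC and ICM use their own header handling and certificate formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// newCA builds a self-signed CA standing in for the SCC system CA (in-memory test fixture, not SCC code).
func newCA(cn string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// issueUserCert models the SCC after the SAML assertion arrives: a short-lived client cert whose
// subject CN carries the user identity, returned as the PEM text forwarded to the back end in a header.
func issueUserCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, userCN string, notBefore time.Time, ttl time.Duration) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: userCN},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// backend stands in for BE1: the STRUST trust store, the one peer allowed to forward client
// certs (icm/trusted_reverse_proxy_0) and a CERTRULE-style CN-to-user map.
type backend struct {
	roots          *x509.CertPool
	trustedProxyCN string
	userByCN       map[string]string
}

func newBackend(sccCA *x509.Certificate, proxyCN string, userByCN map[string]string) *backend {
	roots := x509.NewCertPool()
	roots.AddCert(sccCA)
	return &backend{roots: roots, trustedProxyCN: proxyCN, userByCN: userByCN}
}

// mapForwardedUser is the per-request check ICM and CERTRULE perform. proxyCN is the CN of the TLS
// client cert the directly connected peer presented (verify_client=1); forwardedPEM is the header
// value (name assumed to be SSL_CLIENT_CERT). The peer is checked before the header is parsed.
func (b *backend) mapForwardedUser(proxyCN, forwardedPEM string, now time.Time) (string, error) {
	if proxyCN != b.trustedProxyCN {
		return "", fmt.Errorf("client cert header from untrusted peer %q", proxyCN)
	}
	block, _ := pem.Decode([]byte(forwardedPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("header carries no PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err == nil { // chain to the STRUST roots; validity period and client-auth EKU are enforced here
		_, err = cert.Verify(x509.VerifyOptions{Roots: b.roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return "", fmt.Errorf("certificate rejected: %w", err)
	}
	if user, ok := b.userByCN[cert.Subject.CommonName]; ok {
		return user, nil
	}
	return "", fmt.Errorf("no CERTRULE mapping for CN=%q", cert.Subject.CommonName)
}

// daysLeft is the expiry check the Summary slide calls for; schedule it over every cert in the chain.
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	caCert, caKey, _ := newCA("SCC System CA", time.Now())
	be1 := newBackend(caCert, "scc.corp", map[string]string{"jsmith@corp.example": "JSMITH"}) // constructed sample
	hdr, _ := issueUserCert(caCert, caKey, "jsmith@corp.example", time.Now(), 5*time.Minute)
	fmt.Println(be1.mapForwardedUser("scc.corp", hdr, time.Now())) // JSMITH <nil>
	fmt.Println("SCC CA days left:", daysLeft(caCert, time.Now()))
}
```

The order of the checks is the point: the peer identity is tested before the header is even decoded. In the ICM that is the combination of icm/HTTPS/verify_client=1 and icm/trusted_reverse_proxy_<n>; if the trusted proxy list is wider than the SCC (or the Web Dispatcher in front of it), any host on that list can present a header naming any user, and CERTRULE will map it.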
8. References

SAP Notes:
• SAP Note 2462533 - Configuring Principal Propagation to an ABAP System.
• SAP Note 2052899 - ICM - Multiple Trusted Reverse Proxies.
• SAP Note 2461375 - How to connect SAP Cloud Platform Identity Authentication Service to on-premise user store.

SAP Guides:
• SCC secure setup recommendations: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/e7ea82a4bb571014a4ceb61cb7e3d31f.html
• Configure Principal Propagation for an ABAP system: https://help.sap.com/viewer/cca91383641e40ffbe03bdc78f00f681/Cloud/en-US/a8bb87a72d094e0d981d2b1f67df7bc3.html