Setting Up Cloud Connector for Principal Propagation


After completing this lesson, you will be able to:

  • Create certificates and switch authorization to principal propogation


The initial setup of Cloud Connector can be used to leverage the connection between the SAP BTP subaccount and the SAP S/4HANA system. Currently however, all users logging into the SAP Build Work Zone, standard edition will see the same data corresponding to the fixed user credentials that were used to access back-end data via the Runtime Destination.

The setup of principal propagation is required to grant end-users access to their own data and to ensure they can only access data based on their authorizations in the SAP S/4HANA system. To achieve this, the user information from SAP BTP will be propagated to the SAP S/4HANA system through the Cloud Connector. Access to the requested data is only granted if the user record between SAP BTP and SAP S/4HANA can be mapped based on a specified attribute (for example, E-Mail).


The user record on SAP BTP and SAP S/4HANA needs to have this specified attribute maintained with the same value. For example, for the e-mail address, you must make sure the SAP S/4HANA user has the "E-Mail Address" attribute in SU01 filled with the same address the SAP BTP user uses to log on.

Generate Cloud Connector Certificates

As a first step for the setup of principal propagation, we must prepare different certificates to establish trust between the Cloud Connector and SAP S/4HANA. In the latest versions of the Cloud Connector, it is possible to generate self-signed certificates, which are sufficient for doing a Proof of Concept. However, for a productive scenario, it is highly recommended to use signed certificates from a trusted Certification Authority.

In total, three different certificates are required:

  • System certificate
  • CA certificate
  • User certificate

In this practice exercise, you will be able to create and download self-signed certificates within the Cloud Connector.

Principal Propagation Settings

The following video shows the remaining steps to get principal propagation enabled for your connection:

  1. Syncing Cloud Trust with IdP
  2. Configuring the mapping to the backend system to use X.509 certificate as principal type
  3. Switching the Authentication from BasicAuthentication to PrincipalPropagation in the runtime destination

Log in to track your progress & complete quizzes