
Configuring Principal Propagation for SSO

enosix Link uses SAP Principal Propagation to support single sign-on (SSO) between applications using enosix Link and the enosix SAP Framework.

Info: As a prerequisite, SAP Principal Propagation must already be configured between your Cloud Connector and your SAP back end.

Configure Cloud Connector for Principal Propagation

For Principal Propagation to work with enosix Link, the Cloud Connector System Mapping (Virtual to Internal System) entry must be configured over HTTPS with Principal Type X.509 Certificate.

Note: The internal port must be a secure port on the NetWeaver Application Server.

Configure Destination for Principal Propagation

To configure a Link route for Principal Propagation, a destination-based route must be used. The only additional change needed is to set the destination's Authentication to PrincipalPropagation.

Configure Authorization and Trust Management Service in SAP Cloud Foundry

The space that Link is deployed to needs an Authorization and Trust Management service (XSUAA) provisioned with the instance name xsuaa, although Link can be configured to use a specific instance. See Configuring the Authorization and Trust Management instance.

Configure the routing

Use the Cloud Foundry CLI with the following manifest.yaml template.

---
applications:
  - name: enosix-link-<company-name> # Add your company name
    random-route: true # Remove this line in the production space
    memory: 128M
    docker:
      image: enosix/link:stable
    services:
      - connectivity
      - destination
      - xsuaa
    health-check-type: http
    health-check-http-endpoint: /health
    env:
      #Logging__LogLevel__Default: Trace # Enables detailed trace logging for submitting issues
      Routes__dev__ConcurrentRequests: 10 # Limit Link to this many concurrent requests to reduce memory pressure
      Routes__dev__Token: 3de65974f59e200ef27e8ecfb84437f7 # Replace with a unique secret token
      Routes__dev__Destination: sap-ensx-framework # Must match the name of the destination configured in the BTP subaccount using PrincipalPropagation
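
The comments in the template call for three changes before deployment: a real company name, a unique secret token, and no random-route in production. The script below is an added example (not part of enosix Link or its documentation) that checks a manifest for those leftovers before it is pushed; the function names check_manifest and new_token are hypothetical, and it assumes Link accepts any opaque string as a route token.

```shell
#!/bin/sh
# Added example, not enosix tooling: pre-deploy check for the Link manifest.

# Sample token printed in the template; a deployed manifest must not reuse it.
TEMPLATE_TOKEN=3de65974f59e200ef27e8ecfb84437f7

# new_token: print 16 random bytes as 32 hex characters.
# Assumption: Link accepts any opaque string as a route token.
new_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# check_manifest FILE [dev|prod]: print one finding per line; return 1 if any.
check_manifest() {
    cm_target=${2:-dev}
    # Drop comments so commented-out keys and comment text are not matched.
    cm_body=$(sed 's/[[:space:]]*#.*$//' "$1")
    cm_out=$(
        printf '%s\n' "$cm_body" | awk -v sample="$TEMPLATE_TOKEN" -v target="$cm_target" '
            /<company-name>/ { print "placeholder <company-name> not replaced" }
            $1 ~ /^Routes__.*__Token:$/ {
                seen_token = 1
                if ($2 == sample) print $1 " still uses the template sample token"
                if ($2 == "")     print $1 " has no value"
            }
            $1 ~ /^Routes__.*__Destination:$/ && $2 != "" { seen_dest = 1 }
            $1 == "random-route:" && $2 == "true" && target == "prod" {
                print "random-route: true must be removed in the production space"
            }
            END {
                if (!seen_token) print "no Routes__<name>__Token entry found"
                if (!seen_dest)  print "no Routes__<name>__Destination entry found"
            }'
    )
    [ -z "$cm_out" ] && return 0
    printf '%s\n' "$cm_out"
    return 1
}

# Usage: check_manifest manifest.yaml prod && cf push -f manifest.yaml
```

Keeping the generated token out of version control, for example by supplying it at deploy time instead of committing it in manifest.yaml, avoids leaking the route secret through the repository.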