The identity of the user needs to be verified on the back-end system when applications consume services or data on-premise. The same holds true when the back-end for the application is another application or service running on the cloud. Once the user has been verified against an identity provider (IdP), a SAML assertion token is passed to the back-end application/service running on the SAP Cloud Platform. The identity of the user between the two cloud platform applications should be the same in order to achieve single sign-on.
In this setup for AppToAppSSO, the identity propagation is configured using a destination allowing communication between two applications. If the two applications are running on different sub-accounts that could be on the same global account or two different accounts, there needs to be a trust relationship between the two accounts. This is achieved by exchanging the local service provider metadata to the destination account.
The solution diagram above illustrates a basic architectural pattern implementing single sign-on using AppToAppSSO.