Single Sign-On with SAP Cloud Platform: Principal Propagation

Single sign-on to back-end service using principal propagation


Almost all applications a business runs consume some sort of service, on-premise or in the cloud. Users of these applications need to be verified against the back-end system. On SAP Cloud Platform, you can do so using principal propagation with X.509 certificates. Once the user has been verified against an identity provider (IdP), a SAML assertion token is passed to the cloud connector, which generates a short-lived certificate that can be passed along with the request to the back-end system. The identity of the user is the same on SAP Cloud Platform and on the back-end system when accessing the system, which achieves single sign-on.

The solution diagram above illustrates a basic architectural pattern implementing principal propagation. 

Bill of Material - SAP Cloud Platform Components for Licensing Considerations

Note that the following Bill of Material is for reference purposes only. The following table is only an example of the SAP Cloud Platform services and components required for this use case. Please consult your SAP Account Executive regarding your specific licensing needs. Calculations below are based on 100 users.

SAP Cloud Platform services: SAP Cloud Platform Identity Authentication (Simplify and secure cloud access from anywhere, on any device.)

Licensing metrics: Logons in blocks of 100; 3,000 logons

Customers can use the SAP Cloud Platform pricing estimator to calculate the required investment for a particular project. Scale up or down on services as required.

Members and partners of SAP PartnerEdge* can evaluate the development of an application for this use case – most development licensing is covered by the packs offered by the SAP partner licensing services.

*excluding open ecosystem basic.