Skip to Content

Transfer SCP User ID (IdP) from UI5 App to SAP Backend System safely

Jan 25 at 09:20 AM


avatar image

Hi guys,

we are currently working on an SAPUI5 Application in the SAP Cloud Platform, environment Neo. We are facing an issue which is not very common and yet unsolved. We did a lot of research and found nearly nothing.

Requirement of the Application:

Employees from very different location need to interact via a web application to create some feedback which will be transferred into the SAP backend system. Daily response on quantity and stock.

The employees do not have a sap backend user and they shouldn’t get one because they do not have any other tasks in the backend system at all. This is a decision which I can’t change.

So, every employee should get a SCP User within the SAP IdP (SAP Cloud Platform Identity Provider). The communitcation between SCP and Backend will be done via an SAP interface user (non-dialog). But we need to know which SCP IdP User is logged on and sent us the request. During the development we send the SCP IdP user ID over the OData service which is not save and can be manipulate e.g. via Chrome dev tools etc.

We tried following setup to propagate the IdP user identiy from SCP app to SAP backend by using the step-by-step guide Cloud Platform Connectivity Principal Propagation, Exercise B1-B3. I’ll just mention the main steps within here.

  1. Set up trust with the IdP
  2. Export System certificate (Cloud Connector) for acquainting it with backend
  3. Configure CA certificate of Cloud Connector
  4. Configure SAP backend to trust Cloud Connector (Transaction STRUST)
  5. Import certificate in SAP backend for user mapping (Transaction CERTRULE)
  6. Create SCP destination to propagate user credentials to SAP backend

But we still get a logon dialog where we need to logon with a sap backend user. We also tried work with the different logon modes in SCIF Service as well. Without success.

I guess that I always need an SAP Backend User and therefore we need to store the tech. SAP User into the SCP Destination or into the SICF Service. Or did I set up the principal propagation not complete correctly so the SAP backend answer to my incorrect setup by showing the logon dialog?

To sum it up, I have two questions:

  1. If I configure the principal propagation between SCP, Cloud Connector and SAP backend correctly, can I connect from the web app to SAP Backend without a SAP backend user?
  2. Is there any possibility to transfer the SCP IdP User ID from SCP web app to SAP backend safely?

The second question bother us the most. The first Question could be “bypassed” with an technical SAP User in the SCP Destination or in the SICF Service, as far as I understood the topic.

Regards, your H.P.

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

4 Answers

Best Answer
Nghia Nguyen
Feb 07 at 04:40 PM


To use Principal Propagation either via the Cloud Connector or SAPAssertionSSO, the user ID must also exist in the backend system so there isn’t a way around this and this is why you are getting the 2nd authentication request from your backend system during your testing. You just answered your own question by using the technical user for the destination configuration in the SAP Cloud Platform.

As for the 2nd question, I think I know what you are trying to do but I don’t recommend this. You are trying to bypass the authentication method for your backend system and it is a high security risk.

10 |10000 characters needed characters left characters exceeded
Olivier Souksamran Feb 07 at 02:11 PM

Dear H.P.,

This topic is really interesting and I agree, I found nothing on it (or I just misunderstood every technical document I've read, since I am not strong about this security thing :)).

It is so true when you write that data stored in the front end javascript application can be manipulated in debug mode so end users may access data they are not supposed to see. So how the hell can we pass data stored on SCP IdP User Identity service directly to SAP backend ?

What I can tell you : I've already set up Principal Propagation using X509 Short Live certificates and it works great. But you still need a SAP user to log in : in CERTRULE transaction, you map a subject of an X509 certicate to the SAP username / alias. When the mapping is successful, the end user is then logged in with the corresponding SAP user. If unsuccessful, the end user will be prompted to provide credentials on standard HTTP popup.

If you have any update for your second question, please, let me know :).



10 |10000 characters needed characters left characters exceeded
Olivier Souksamran Feb 08 at 01:32 PM

Dear all,

I've commented Nghia Nguyen 's answer but it is somehow not as visible as a real topic reply. So please, check my comment a little below Nghia Nguyen's.

Also, I am wondering why this is actually considered as an "accepted answer" by Moya Watson ? I think it is a bit premature, since the question has not been fully and clearly answered :)

Thank you.



Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hi -- just means it's one of many potential answers. Doesn't mean the issue is closed. But it helps bump it up so people can respond in the active thread with more info. Sorry for the confusion.

Olivier Souksamran Feb 08 at 11:28 AM

Dear Nghia,

Thank you for your quick reply.

I think you misunderstood what H.P. and I try to achieve. Let me clarify the situation :

  1. In our SCP Destination settings we want to set up a Basic Authentication with a specified "technical user". The goal of this user is only to get connected to the back end from SCP.
  2. In our ZCL_XXXXXXX_DPC_EXT service implémentation class, we want to retrieve some of the P00XXX cloud user data (check the screenshot) like Company or so on... as we would do with a GET PARAMETER ID on a principal propagation scenario. But in this very case, the user who is logged in SAP system is the "technical user" we defined in SCP Destination. We are not able to know which end user is actually logged in (P000001 or P000002)

I won't recall the licensing topic as this is not what the point here. This is a technical request.



users.png (49.8 kB)
Show 4 Share
10 |10000 characters needed characters left characters exceeded


OK, from your latest statement, I understand what you are trying to do.

I am not a programmer to give you the exact thing that you would need but it would be something like this.

The user is authenticated against an IdP and that SAML ticket does contain the information that you looking for in one of the attributes. Since the destination is configured for basic authentication then none of the SAML attributes will be forwarded which mean your app must use the API to extract the attribute and somehow pass that value along with your request to the backend system. Here are some links that may help with getting the SAML attribute within the app:

Hope this help.


Thank you Nghia Nguyen.

The user API solution you are talking about is the technical path we want to avoid. We are already implementing this but it is unacceptable in a security speaking way.

As H.P. Baxxter mentionned in his initial question, if you store data in your front-end app (let say "Customer Number") in order to build and execute a request to your back end (let's say "Retrieve me all the Sales order for this Customer Number"), what can prevent me from changing this very Customer Number into another one in javascript debugging mode ? So I will access some sales orders who are not mine...

What if I can delete anyone else data just by knowing his customer id ?

Unlike the principal propagation scenario, we want to identify which end user is logged in without having a Gateway user / SAP user created per SCP Cloud user. The one and only user we want to deal with, in SAP back end, is the technical user from SCP destination, and it should remain transparent.

If we give to 1500 customers the access to the app, we don't want to manage 1500 gateway users and 1500 SAP ECC users.

We have an idea but don't know if it is the way to go. In the principal propagation scenario, is it possible to map every SCP user to a single Gateway/SAP ECC user ? The SAP Cloud Connector, while setting the principal propagation Subject Pattern would only let me choose among ${name}, ${mail}, ${display_name} and ${login_name}. It seems to be SAML assertion attributes from SAP Identity Provider.

Alongside with this first question, is it possible to retrieve SAML assertion attributes in SAP ECC back end ?

Do you follow me ?



Olivier Souksamran


Wow! Initially, I thought you were using the UserID for logging purpose to see who access the service. IMO, I don’t there is an easy way to do this with some simple setting. You trying to use a technical user but at the same time trying to get the real user ID to parse the backend data.

Yes, you are correct about the Cloud Connector subject name option. It is a selection so you must pick one.

Get SAML attributes in the backend system, in all my testing I haven’t seen any SAML ticket passed to the backend system. I haven’t encounter any parameter that would forward the SAML ticket to the backend system from the Cloud Connector.

SAP Cloud Platform offered methods to achieve SSO for on premise system but the issue you are trying to solve is not really an SSO so I don't think there is a way to do this without some programming at the app level and backend service.

I don’t know if this is possible, but encrypted the real UserID in the app on SAP Cloud Platform after using the API & decrypted it in the backend system.


Thank you. For reading convenience, I'll convert my latest comments into answers. Maybe you could do the same so we have better visibility :)