Skip to Content

Configure Principal Propagation from SAP BTP, Cloud Foundry environment to SAP BTP, Neo environment

Requires Customer/Partner License
Set up principal propagation in SAP BTP so that you can deploy a SAP BTP, Cloud Foundry environment application that consumes data from a SAP BTP, Neo environment application.
You will learn
  • How to set up principal propagation in SAP BTP
  • How to establish trust from the SAP BTP, Neo environment to the SAP BTP, Cloud Foundry environment
phil9909Philipp StehleMarch 9, 2021
Created by
October 6, 2018


  • Java
  • Eclipse for Java EE

In this tutorial you will set up a connection between SAP Business Technology Platform, Neo environment (Neo) and SAP Business Technology Platform, Cloud Foundry environment (CF).

A simple application in CF will consume data from an Neo application, and therefore propagate the user details from one environment to the other. This is called “Principal Propagation” and requires some additional steps establishing trust between the environments, to guarantee security.

  • Step 1
    1. If you’re using Eclipse for the first time, you will see a Welcome Page. Close this page.

      Close welcome page
    2. Open Eclipse and choose Window > Perspective > Open Perspective > Other…, select Git and click Open.

      Open git perspective
    3. Click Clone a Git repository.

      Click “Clone a Git repository”
    4. Insert into the URI field and click Next.

      Enter git url
    5. Make sure only the master branch is selected and click Next.

      Select branch
    6. Click Finish and wait until the clone has finished.

      Start git clone
    7. Right-click on cloud-espm-v2 > Import Projects….

      Open import dialog
    8. Make sure Eclipse hast detected all projects and click Finish.

      Import all projects
    9. Open the Java EE Perspective and edit the web.xml file: Look for <auth-method>FORM</auth-method> and change it to <auth-method>OAUTH</auth-method>. Don’t forget to save your changes.

      Adapt web.xml
  • Step 2
    1. Create a new directory called approuter somewhere on your machine.

    2. Create a new file called package.json inside this directory with the following content:

        "name": "approuter",
        "version": "1.0.0",
        "description": "",
        "scripts": {
      "start": "node node_modules/@sap/approuter/approuter.js",
      "test": "echo \"Error: no test specified\" && exit 1"
        "license": "ISC",
        "dependencies": {
      "@sap/approuter": "^9.1"

      This tells Node (npm) to fetch and start the approuter.

    3. Create a file called xs-app.json with the following content:

        "welcomeFile": "index.html",
        "routes": [ {
        "source": "/espm-cloud-web/espm.svc/",
        "target": "/espm-cloud-web/espm.svc/",
        "destination": "retailerBackend"
      }, {
          "source": "/espm-cloud-web/images/",
          "localDir": "static/images/"
      }, {
        "source": "/",
        "localDir": "static/retailer/"

      This configures the routing inside the approuter.

    4. Create a folder called static.

    5. Move the src/main/webapp/retailer folder (from the espm project) to the newly created static folder.

      Note: This folder contains the HTML, CSS and JavaScript of the Retailer application.

    6. Copy the src/main/webapp/images folder to the newly created static folder.

      Note: The images are needed by the Shop and the Retailer application.

    7. Create a zip archive called containing all the file in the approuter folder. It’s important that the files are in the top level of the zip file!
      You can use this commands in bash (Linux and macOS) to create the zip file:

      for file in static/retailer static/images xs-app.json package.json ; do
        if [[ ! -e $file ]] ; then echo -e "\e[33m[WARNING] $file does not exist\e[0m"; fi ;
      zip -r .

      or use PowerShell (Windows):

      foreach ($file in @("static\retailer", "static\images","xs-app.json","package.json")){
         if (-not (Test-Path $file)) { Write-Warning "$file does not exist" }
      Compress-Archive -Force -Path .\* -DestinationPath

      This will also check that all files exist and print a warning if one or more is missing.
      Note: You need to change to the approuter directory using the cd command first (Linux, macOS and Windows).

  • Step 3
    1. Make a right-click on espm and select Export.

      Open export dialog
    2. Select Web > WAR file and click Next.

      select war export
    3. Select a Destination on your machine and click Finish.

      finish war export
  • Step 4
    1. Open the SAP BTP, Neo environment cockpit.

    2. Navigate to SAP HANA / SAP ASE > Databases & Schemas and click New

      open create database dialog
    3. Create a database named espm and select a password. Make sure you don’t lose it, we’ll need it soon.

      create database dialog
    4. Wait until you see the event with description Tenant DB creation finished successfully (created and configured) (this can take up to 15 minutes). Now navigate back to your subaccount.

      wait and navigate back
    5. Navigate to Applications > Java Applications and click Deploy Application

      click deploy application
    6. Select the espm-cloud-web.war you’ve exported in the first step, be sure to use the Tomcat 8 Runtime and click deploy. Note: Don’t change the name of the application.

      deploy application
    7. Wait until the application is successfully deployed and click Done.

      click done
    8. Open the details of the application by clicking its name.

      open details
    9. Navigate to Configuration > Data Source Bindings and click New Binding.

      new binding
    10. Enter SYSTEM and the password you choose while creating the database as credentials and click Save.

      create database binding
    11. Navigate to Security > Roles, make sure the Retailer role is selected and click Assign in the Individual Users section.

      Open role assignment dialog
    12. Enter your email-address (the one you use for your Cloud Foundry Account) and click Assign.

      Assign role to yourself
    13. Navigate to Overview and click Start.

      start application
    14. Wait until you can see Started and open the Application URL.

      open application

    What is the first article displayed in the App?

  • Step 5
    1. Open the SAP BTP, Cloud Foundry environment in a new tab, navigate into your subaccount, go to Connectivity > Destinations and export the X509 certificate of the destination service by clicking the Download Trust button.

      Download Certificate
    2. Go to Overview and find your subaccounts id and the landscape host. You will need it later. Notice: The landscape host does not include!

      Find subaccount details
    3. Go to the Neo environment > Security > Trust > Application Identity Provider and click on Add Trusted Identity Provider.

      Open add trusted IDP dialog
    4. Enter the following details and click Save.

      Parameter Value
      Name cfapps. + Landscape Host + / + subaccount ID e.g.
      Signing Certificate Open the certificate file downloaded earlier with your favorite editor and copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
      Trusted IDP details
    5. Go to Security > OAuth > Clients and click Register new client.

      Register new OAuth Client
    6. Enter the following details and click Save.

      Parameter Value
      Name It doesn’t actually matter. Use e.g. CFNEO-Demo.
      Subscription p0123456789trial/espmcloudweb (while p0123456789 is your own account id)
      ID leave unchanged and save it somewhere for later use
      Confidential checked
      Secret Generate a random password and save it somewhere for later use
      Redirect URI Unused in this scenario. Use e.g.


      OAuth client sample configuration
    7. Go back to the CF environment and click New Destination.

      Property Value
      Name retailerBackend
      Type HTTP
      URL URL of the Neo application/API you want to consume. e.g.
      Proxy type Internet
      Authentication OAuth2SAMLBearerAssertion
      Audience Depends on your Landscape (Neo). See table in the bottom.
      Client Key ID of the OAuth client you saved in the previous step.
      Token Service URL taken from the “Branding” tab in the Neo subaccount - “Security” > “OAuth”.
      Token Service user Once again the ID of the OAuth client.
      Token Service Password The Secret you generate in the last step.
      System User empty
      Use default JDK truststore Checked

      Add the following Additional properties:

      Property Value
      authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
      nameIdFormat urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

      Use this table to find the correct audience for your landscape:

      Landscape Audience
      Europe (Rot) - Trial
      Australia (Sydney)
      Brazil (São Paulo)
      Canada (Toronto)
      Europe (Amsterdam)
      Europe (Rot)
      Japan (Tokyo)
      KSA (Riyadh)
      Russia (Moscow)
      UAE (Dubai)
      US East (Ashburn)
      US West (Chandler)
      US East (Sterling)


      Example destination configuration
  • Step 6
    1. Create Destination Service Instance

      • Navigate into your dev space.
      Go to dev space
      • Open the Service Marketplace under Services.
      Open Service Marketplace
      • Find and click the destination tile.
      Open destination service in Marketplace
      • Click New Instance.
      Click create new destination service instance
      • Press Next three times.

      • Enter the Instance Name: destination-demo-lite and click Finish.

      Set destination service instance name
    2. Create Authorization & Trust Management Service Instance (aka XSUAA)

      • Click the arrow next to destination (see screenshot) and select Authorization & Trust Management.

      Open dropdown and select Authorization & Trust Management
      • Click New Instance.
      Create new XSUAA instance
      • Press Next only once.

      • Copy and past the following parameters and click Next.

        	"xsappname": "connectivity-app",
        	"tenant-mode": "dedicated",
        	"authorities": ["uaa.user"],
        	"scopes": [{
        		"name": "uaa.user",
        		"description": "Default scope for user",
        		"granted-apps": ["xs_user", "*"]
        	"role-templates": [{
        			"name": "USER",
        			"description": "Normal user",
        			"scope-references": [
      Verify json was loaded
      • Enter the Instance Name: xsuaa-demo and click Finish.
      Set xsuaa instance name
    3. Create Manifest File for the approuter.

      • Create a new file called approuter-manifest.yml with the following content:

          - name: destination-demo-approuter
            host: destination-demo-approuter-<userid>
            buildpack: nodejs_buildpack
            memory: 128M
            path: ./
              - xsuaa-demo
              - destination-demo-lite
      • Replace <userid> of the host property with your user id.

    4. Deploy the Approuter

      • Back in the Browser click the dev-space, Applications followed by Deploy Application.

      Click Deploy Application
      • Click Browse and select as File Location. Then do the same for the Manifest Location and select the approuter-manifest.yml. Finally click Deploy.
      Browser for and approuter-manifest.yml
      • Wait until your application shows a green Started as State and then click on approuter-demo.
      Wait for green started
      • Navigate to the Approuter by clicking the link as shown in the screenshot.
      Open approuter
      • Login using the E-Mail-Address and password of your trial account.
      Login into application
Back to top