Skip to Content

Configure Principal Propagation from SAP BTP, Cloud Foundry environment to SAP BTP, Neo environment

0 %
Configure Principal Propagation from SAP BTP, Cloud Foundry environment to SAP BTP, Neo environment

Configure Principal Propagation from SAP BTP, Cloud Foundry environment to SAP BTP, Neo environment

March 9, 2021
Created by
October 6, 2018
Set up principal propagation in SAP BTP so that you can deploy a SAP BTP, Cloud Foundry environment application that consumes data from a SAP BTP, Neo environment application.

You will learn

  • How to set up principal propagation in SAP BTP
  • How to establish trust from the SAP BTP, Neo environment to the SAP BTP, Cloud Foundry environment
QR code


  • Java
  • Eclipse for Java EE

In this tutorial you will set up a connection between SAP Business Technology Platform, Neo environment (Neo) and SAP Business Technology Platform, Cloud Foundry environment (CF).

A simple application in CF will consume data from an Neo application, and therefore propagate the user details from one environment to the other. This is called “Principal Propagation” and requires some additional steps establishing trust between the environments, to guarantee security.

Step 1: Adapt the ESPM Application
  1. If you’re using Eclipse for the first time, you will see a Welcome Page. Close this page.

    Close welcome page
  2. Open Eclipse and choose Window > Perspective > Open Perspective > Other…, select Git and click Open.

    Open git perspective
  3. Click Clone a Git repository.

    Click “Clone a Git repository”
  4. Insert into the URI field and click Next.

    Enter git url
  5. Make sure only the master branch is selected and click Next.

    Select branch
  6. Click Finish and wait until the clone has finished.

    Start git clone
  7. Right-click on cloud-espm-v2 > Import Projects….

    Open import dialog
  8. Make sure Eclipse hast detected all projects and click Finish.

    Import all projects
  9. Open the Java EE Perspective and edit the web.xml file: Look for <auth-method>FORM</auth-method> and change it to <auth-method>OAUTH</auth-method>. Don’t forget to save your changes.

    Adapt web.xml
Log on to answer question
Step 2: Create an approuter
  1. Create a new directory called approuter somewhere on your machine.

  2. Create a new file called package.json inside this directory with the following content:

      "name": "approuter",
      "version": "1.0.0",
      "description": "",
      "scripts": {
    "start": "node node_modules/@sap/approuter/approuter.js",
    "test": "echo \"Error: no test specified\" && exit 1"
      "license": "ISC",
      "dependencies": {
    "@sap/approuter": "^9.1"

    This tells Node (npm) to fetch and start the approuter.

  3. Create a file called xs-app.json with the following content:

      "welcomeFile": "index.html",
      "routes": [ {
      "source": "/espm-cloud-web/espm.svc/",
      "target": "/espm-cloud-web/espm.svc/",
      "destination": "retailerBackend"
    }, {
        "source": "/espm-cloud-web/images/",
        "localDir": "static/images/"
    }, {
      "source": "/",
      "localDir": "static/retailer/"

    This configures the routing inside the approuter.

  4. Create a folder called static.

  5. Move the src/main/webapp/retailer folder (from the espm project) to the newly created static folder.

    Note: This folder contains the HTML, CSS and JavaScript of the Retailer application.

  6. Copy the src/main/webapp/images folder to the newly created static folder.

    Note: The images are needed by the Shop and the Retailer application.

  7. Create a zip archive called containing all the file in the approuter folder. It’s important that the files are in the top level of the zip file!
    You can use this commands in bash (Linux and macOS) to create the zip file:

    for file in static/retailer static/images xs-app.json package.json ; do
      if [[ ! -e $file ]] ; then echo -e "\e[33m[WARNING] $file does not exist\e[0m"; fi ;
    zip -r .

    or use PowerShell (Windows):

    foreach ($file in @("static\retailer", "static\images","xs-app.json","package.json")){
       if (-not (Test-Path $file)) { Write-Warning "$file does not exist" }
    Compress-Archive -Force -Path .\* -DestinationPath

    This will also check that all files exist and print a warning if one or more is missing.
    Note: You need to change to the approuter directory using the cd command first (Linux, macOS and Windows).

Log on to answer question
Step 3: Build the ESPM Application
  1. Make a right-click on espm and select Export.

    Open export dialog
  2. Select Web > WAR file and click Next.

    select war export
  3. Select a Destination on your machine and click Finish.

    finish war export
Log on to answer question
Step 4: Configuration in the SAP BTP, Neo environment
  1. Open the SAP BTP, Neo environment cockpit.

  2. Navigate to SAP HANA / SAP ASE > Databases & Schemas and click New

    open create database dialog
  3. Create a database named espm and select a password. Make sure you don’t lose it, we’ll need it soon.

    create database dialog
  4. Wait until you see the event with description Tenant DB creation finished successfully (created and configured) (this can take up to 15 minutes). Now navigate back to your subaccount.

    wait and navigate back
  5. Navigate to Applications > Java Applications and click Deploy Application

    click deploy application
  6. Select the espm-cloud-web.war you’ve exported in the first step, be sure to use the Tomcat 8 Runtime and click deploy. Note: Don’t change the name of the application.

    deploy application
  7. Wait until the application is successfully deployed and click Done.

    click done
  8. Open the details of the application by clicking its name.

    open details
  9. Navigate to Configuration > Data Source Bindings and click New Binding.

    new binding
  10. Enter SYSTEM and the password you choose while creating the database as credentials and click Save.

    create database binding
  11. Navigate to Security > Roles, make sure the Retailer role is selected and click Assign in the Individual Users section.

    Open role assignment dialog
  12. Enter your email-address (the one you use for your Cloud Foundry Account) and click Assign.

    Assign role to yourself
  13. Navigate to Overview and click Start.

    start application
  14. Wait until you can see Started and open the Application URL.

    open application
What is the first article displayed in the App?
Step 5: Establish trust between SAP BTP, Cloud Foundry environment and SAP BTP, Neo environment
  1. Open the SAP BTP, Cloud Foundry environment in a new tab, navigate into your subaccount, go to Connectivity > Destinations and export the X509 certificate of the destination service by clicking the Download Trust button.

    Download Certificate
  2. Go to Overview and find your subaccounts id and the landscape host. You will need it later. Notice: The landscape host does not include!

    Find subaccount details
  3. Go to the Neo environment > Security > Trust > Application Identity Provider and click on Add Trusted Identity Provider.

    Open add trusted IDP dialog
  4. Enter the following details and click Save.

    Parameter Value
    Name cfapps. + Landscape Host + / + subaccount ID e.g.
    Signing Certificate Open the certificate file downloaded earlier with your favorite editor and copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
    Trusted IDP details
  5. Go to Security > OAuth > Clients and click Register new client.

    Register new OAuth Client
  6. Enter the following details and click Save.

    Parameter Value
    Name It doesn’t actually matter. Use e.g. CFNEO-Demo.
    Subscription p0123456789trial/espmcloudweb (while p0123456789 is your own account id)
    ID leave unchanged and save it somewhere for later use
    Confidential checked
    Secret Generate a random password and save it somewhere for later use
    Redirect URI Unused in this scenario. Use e.g.


    OAuth client sample configuration
  7. Go back to the CF environment and click New Destination.

    Property Value
    Name retailerBackend
    Type HTTP
    URL URL of the Neo application/API you want to consume. e.g.
    Proxy type Internet
    Authentication OAuth2SAMLBearerAssertion
    Audience Depends on your Landscape (Neo). See table in the bottom.
    Client Key ID of the OAuth client you saved in the previous step.
    Token Service URL taken from the “Branding” tab in the Neo subaccount - “Security” > “OAuth”.
    Token Service user Once again the ID of the OAuth client.
    Token Service Password The Secret you generate in the last step.
    System User empty
    Use default JDK truststore Checked

    Add the following Additional properties:

    Property Value
    authnContextClassRef urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession
    nameIdFormat urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    Use this table to find the correct audience for your landscape:

    Landscape Audience
    Europe (Rot) - Trial
    Australia (Sydney)
    Brazil (São Paulo)
    Canada (Toronto)
    Europe (Amsterdam)
    Europe (Rot)
    Japan (Tokyo)
    KSA (Riyadh)
    Russia (Moscow)
    UAE (Dubai)
    US East (Ashburn)
    US West (Chandler)
    US East (Sterling)


    Example destination configuration
Log on to answer question
Step 6: Configuration in the SAP BTP, Cloud Foundry environment
  1. Create Destination Service Instance

    • Navigate into your dev space.
    Go to dev space
    • Open the Service Marketplace under Services.
    Open Service Marketplace
    • Find and click the destination tile.
    Open destination service in Marketplace
    • Click New Instance.
    Click create new destination service instance
    • Press Next three times.

    • Enter the Instance Name: destination-demo-lite and click Finish.

    Set destination service instance name
  2. Create Authorization & Trust Management Service Instance (aka XSUAA)

    • Click the arrow next to destination (see screenshot) and select Authorization & Trust Management.

    Open dropdown and select Authorization & Trust Management
    • Click New Instance.
    Create new XSUAA instance
    • Press Next only once.

    • Copy and past the following parameters and click Next.

      	"xsappname": "connectivity-app",
      	"tenant-mode": "dedicated",
      	"authorities": ["uaa.user"],
      	"scopes": [{
      		"name": "uaa.user",
      		"description": "Default scope for user",
      		"granted-apps": ["xs_user", "*"]
      	"role-templates": [{
      			"name": "USER",
      			"description": "Normal user",
      			"scope-references": [
    Verify json was loaded
    • Enter the Instance Name: xsuaa-demo and click Finish.
    Set xsuaa instance name
  3. Create Manifest File for the approuter.

    • Create a new file called approuter-manifest.yml with the following content:

        - name: destination-demo-approuter
          host: destination-demo-approuter-<userid>
          buildpack: nodejs_buildpack
          memory: 128M
          path: ./
            - xsuaa-demo
            - destination-demo-lite
    • Replace <userid> of the host property with your user id.

  4. Deploy the Approuter

    • Back in the Browser click the dev-space, Applications followed by Deploy Application.

    Click Deploy Application
    • Click Browse and select as File Location. Then do the same for the Manifest Location and select the approuter-manifest.yml. Finally click Deploy.
    Browser for and approuter-manifest.yml
    • Wait until your application shows a green Started as State and then click on approuter-demo.
    Wait for green started
    • Navigate to the Approuter by clicking the link as shown in the screenshot.
    Open approuter
    • Login using the E-Mail-Address and password of your trial account.
    Login into application
Log on to answer question

Next Steps

Back to top