
Principal propagation question

Former Member
0 Kudos

Hi All,

We currently have a synchronous scenario: SOAP -> PI 7.0 -> ABAP Proxy

We now have a requirement that for the above scenario, the sender system (which does not know the password of its logged in user, only the userid), does its SOAP call to PI and PI invokes the ABAP Proxy system with the credentials of the user in the sender system.

Can we use principal propagation for this? Please correct me if I'm wrong but I see an issue with the sender system not knowing the password of its logged in user and therefore issuing a SOAP call to PI for that user. Wouldn't authentication to PI fail without a userid/password via SOAP?

Also, we are moving to PI 7.1. If I am correct with the above statement, is there a way to achieve this requirement perhaps with the WS/SAML new feature? Apologies but I have read countless documents on SDN on principal propagation and the new WS/SAML feature and I'm still not sure if it will do what I require.

Any suggestions as to how I could achieve the scenario would be greatly appreciated.

Regards,

JM

Accepted Solutions (0)

Answers (1)


MichalKrawczyk
Active Contributor
0 Kudos

hi,

>Can we use principal propagation for this?

yes, principal propagation works with soap and abap proxies

so this should work in standard

Regards,

Michal Krawczyk

http://mypigenie.com XI/PI FAQ

Former Member
0 Kudos

Hi Michal,

Thanks for the quick response. Perhaps because I don't quite understand the technicalities of principal propagation, I need further clarification. When issuing a SOAP call, a username/password must be provided to authenticate to PI, correct? If the sender doesn't know the password of the logged-in user, how can they propagate the details of the user through to PI and be successfully authenticated and then propagated to the receiver without a password? Does enabling principal propagation mean no passwords are needed to issue a SOAP call to PI and onward to the ABAP proxy? Do assertion tickets override the need for a password for authentication?

Regards,

JM

prateek
Active Contributor
0 Kudos

>I see an issue with the sender system not knowing the password of its logged in user

For using Principal Propagation, the user must be created at sender as well as receiver system.

>Does enabling principal propagation mean no passwords are needed to issue a SOAP call to PI and onward to the ABAP proxy?

Incorrect. It just means that the same user would be propagated to all the communicating systems using something called an Assertion Ticket.

While using Assertion tickets to communicate, a trust relationship is established between various systems. For this an SAP client is associated and in the keystore the certificate should be imported for digital signature. So the authentication is certificate based.

Regards,

Prateek
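
The trust model described in the answer above, as an added example that is not part of the original thread and is not SAP's assertion ticket format or API: an issuing system signs a short-lived statement naming the user, and the receiver checks that signature against a key it imported in advance instead of checking a password. The system names, user, ticket fields and the toy RSA key are constructed assumptions for illustration.

```python
import hashlib, json

# Toy RSA key pair for the issuing system (constructed; far too small for real use).
P, Q, E = 2**107 - 1, 2**127 - 1, 65537        # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent, never leaves the issuer

def digest(payload: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n

def issue_ticket(user, issuer, recipient, now, ttl=120):
    """Issuer: assert an already logged-in user. No password goes into the ticket."""
    body = {"user": user, "issuer": issuer, "recipient": recipient, "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "sig": pow(digest(payload, N), D, N)}

# Receiver: public keys imported when the trust relationship was set up,
# plus the users that exist locally (all names are hypothetical).
TRUSTED_ISSUERS = {"SENDER_SYS": (N, E)}
LOCAL_USERS = {"JSMITH"}

def accept_ticket(ticket, me, now):
    """Receiver: return the user to run as, or raise ValueError."""
    body = json.loads(ticket["payload"])
    key = TRUSTED_ISSUERS.get(body.get("issuer"))
    if key is None:
        raise ValueError("issuer not trusted")
    n, e = key
    if pow(ticket["sig"], e, n) != digest(ticket["payload"], n):
        raise ValueError("bad signature")
    if body["recipient"] != me:
        raise ValueError("ticket issued for another system")
    if now > body["exp"]:
        raise ValueError("ticket expired")
    if body["user"] not in LOCAL_USERS:
        raise ValueError("user does not exist on receiver")
    return body["user"]

if __name__ == "__main__":
    t = issue_ticket("JSMITH", "SENDER_SYS", "RECEIVER_SYS", now=1_000)
    print(accept_ticket(t, "RECEIVER_SYS", now=1_030))
```

The receiver's decision rests on who signed the ticket, whether it is addressed to this system and still fresh, and whether the named user exists locally, which matches the requirement stated above that the user be created on both sender and receiver.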

Former Member
0 Kudos

Hi Prateek,

Thanks for the response.

If the userid is already created in both the sender and receiver systems, but not SAP PI, do I still have an issue with principal propagation if the sender system does not know the password of the user at runtime? That is really my issue - if the sender doesn't have the user's password at runtime, can principal propagation still be used to propagate that user to the receiver where the user also exists?

Regards,

JM