HCPMS and HCP Database backend

Dear HCPMS/SMP dev and experts,

I'd like to pick your brain on a persistent problem I am facing.

Background to the problem:

I have a productive HANA instance on HANA Cloud Platform. I have created a database for it and exposed it as an xsodata service i.e.

The service can be accessed using the user's SAP ID (p-xxxxxx/s-xxxxxx) via SAP's Identity Provider.

It is important that the user logs in with their SAP ID because I have Database Views which are using SESSION_USER to identify which records to retrieve.

Now I have also created a hybrid mobile app with Kapsel Logon.

I have also set up an application on the HCPMS, which backend ""

What I want to achieve:

It's actually quite simple: I want the user to log on via Kapsel Logon (can be Basic auth or Form auth) using SAP IDP. Then I would like that logged-in user to be propagated to the backend, which is using the same SAP IDP too.

What problem I am having:

I can't seem to get the user propagation to work. Please do note that I am no security expert, so I am currently still trying to understand many of the concepts.

Currently there are a few choices of Authentication Type for the backend configuration in HCPMS:

Auth Type

Basic Authentication: This seems to require me to log on as a specific user by providing username and password.

Principal Propagation: This is only for on-premise that use HANA Cloud Connector? My HANA instance is on HANA Cloud Platform.

This sounds like the way to go, but I have absolutely no idea where to find the Issuer SID, Issuer Client, Recipient SID, Recipient Client, Signing Key, Signing Certificate.

Can I use an existing certificate that my HANA instance already has, if it has one? If yes, where do I find that information and what sort of configuration do I need on my HANA instance to allow this type of authentication?

If not, how do I generate this information (I assume I need to generate a certificate?) and how do I upload this cert to HANA?

Client Certification: I assume this is a no go as it will always log in as a specified user instead of the real user's username.


