BTP Basic Authentication & Principal Propagation
Created by Software-Heroes


In this article we look at the login options from the ABAP environment to on-premise and how they influence your development.



In this article we will look at different methods to log into an on-premise system and access data. Which method fits depends on the scenario. More on this in the following chapters.

 

Introduction

As long as you are working on the ABAP environment, the system behaves like a cloud or on-premise system and all functions can be used normally. However, if you want to call a service to read on-premise data, you may have some difficulties or come to points where you cannot go any further. Then the type of user could perhaps be the deciding factor.

 

Types

Let's take a look at the most common types of login and what advantages and disadvantages they bring with them.

 

Basic Authentication

With Basic Authentication, or BA for short, we use a technical user with their own authorizations to log in to the backend system. This means that not every user who wants to use the connection to this system needs to have their own user on the system. In this case, we store the login data, for example, in a connection in the subaccount in the BTP, and anyone with access to the connection can access the configured system.

 

Principal Propagation

With Principal Propagation, or PP for short, we log into the system via an identity provider, which issues us a ticket that keeps us logged in for as long as the ticket is valid. If we establish a connection towards on-premise, this ticket is forwarded to the target system. If there is a trust relationship (configuration and certificate) along the chain Subaccount -> Cloud Connector -> On-Premise, then we are ultimately logged into the on-premise system and can continue working with our personal user. This means that the system knows who we are and our individual authorizations apply.

 

Further types

There are generally other login procedures, such as OAuth, SAML and certificates. In this article, we will look at the two most common procedures when it comes to connecting to the ABAP environment. If you want to use SAP Build Process Automation, you will usually use the Destination Service with OAuth.

 

Usage

In this chapter, let's take a look at what exactly we can do with the two types and how you can use them effectively for yourself.

 

Jobs

If we want to access on-premise data in an Application Job, we need a connection of type BA. The job is generally executed under the user who scheduled it. However, since the user has not logged in beforehand, he does not have a valid "ticket" to log in to the on-premise system. 

 

ABAP Development Tools

If you want to test an interface in an executable class, you can currently only do this via a BA connection. Similar to the application job, a valid ticket for logging on to the on-premise system is missing in the ABAP Development Tools.
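The following executable class is an added example, not code from the original article. It calls the same backend once through a BA destination and once through a PP destination, so the difference described above becomes visible in the ADT console. The class name, the destination names `ONPREM_BA` and `ONPREM_PP`, and the path `/sap/bc/ping` are assumptions; both destinations are assumed to exist in the subaccount.

```abap
CLASS zcl_demo_onprem_login DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES if_oo_adt_classrun.
  PRIVATE SECTION.
    METHODS call_backend
      IMPORTING iv_destination    TYPE string
                iv_propagate_user TYPE abap_bool
      RETURNING VALUE(rv_result)  TYPE string.
ENDCLASS.

CLASS zcl_demo_onprem_login IMPLEMENTATION.
  METHOD if_oo_adt_classrun~main.
    " Destination names are placeholders (assumption), maintained in the subaccount.
    out->write( |BA: { call_backend( iv_destination = `ONPREM_BA` iv_propagate_user = abap_false ) }| ).
    " Started from ADT there is no ticket to forward, so this call is expected to fail.
    out->write( |PP: { call_backend( iv_destination = `ONPREM_PP` iv_propagate_user = abap_true ) }| ).
  ENDMETHOD.

  METHOD call_backend.
    DATA lo_error TYPE REF TO cx_root.
    TRY.
        IF iv_propagate_user = abap_true.
          " PP: the identity of the logged-in user is forwarded to the backend.
          DATA(lo_destination) = cl_http_destination_provider=>create_by_cloud_destination(
            i_name       = iv_destination
            i_authn_mode = if_a4c_cp_service=>user_propagation ).
        ELSE.
          " BA: the technical user stored in the destination is used.
          lo_destination = cl_http_destination_provider=>create_by_cloud_destination(
            i_name       = iv_destination
            i_authn_mode = if_a4c_cp_service=>service_specific ).
        ENDIF.
        DATA(lo_client) = cl_web_http_client_manager=>create_by_http_destination( lo_destination ).
        " Path is an assumed test endpoint on the backend.
        lo_client->get_http_request( )->set_uri_path( `/sap/bc/ping` ).
        DATA(ls_status) = lo_client->execute( if_web_http_client=>get )->get_status( ).
        rv_result = |HTTP { ls_status-code } { ls_status-reason }|.
        lo_client->close( ).
      CATCH cx_http_dest_provider_error cx_web_http_client_error INTO lo_error.
        rv_result = |failed: { lo_error->get_text( ) }|.
    ENDTRY.
  ENDMETHOD.
ENDCLASS.
```

Because everyone who can use the BA destination acts with the stored technical user, that user should carry only the authorizations the interface actually needs.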

 

HTTP Service

We call the HTTP service from outside via the browser. When we call the service for the first time, the system requires us to log in. In this case, a valid ticket is issued after successful login, giving us the option of using a PP type connection and logging into the backend system with our own user. In principle, a technical connection via BA can also be used.

 

Fiori App

If we are working in a Fiori app and have, for example, a custom entity through which we read data for our value help, then we can use both types of connections here too. The advantage of using the logged-in user is that they are only offered the values for which they are authorized. On the other hand, if you want to ensure that all values are always displayed, you should use a technical user and give it the necessary permissions.

 

Summary

What can we learn from the various connections? First of all, a technical connection works in all cases via basic authentication, since the user and password are already stored in the connection and a login can take place on the target system.

With principal propagation, you must have logged in before you can access a backend system. Authorizations are evaluated for the individual user, which ensures that the logged-in user does not see more than they should. However, connections with PP cannot be used everywhere, for example not in a job or directly from ADT to test access.

 

Conclusion

If you have problems logging into the on-premise system in the next test using the ABAP Development Tools, then you are probably using a connection of type Principal Propagation. In this case, switch to Basic Authentication and access should work.

