Enable SAP Principal Propagation and SSO for Power Platform
Working with SAP interfaces in low code solutions is a common requirement for customers.
This article describes the required foundational configurations and components to interact with SAP systems via OData and the legacy RFC/BAPI interfaces.
The article puts emphasis on secure authorization using Microsoft Entra identity in Power Platform and for the SAP backend user. This mechanism is often referred to as SAP Principal Propagation. See this community post for more details.
Important
SAP Principal Propagation ensures user-mapping to the licensed named SAP user. For any SAP license related questions please contact your SAP representative.
Note
The guidance applies to Azure Logic Apps, Azure Functions, Azure Container Apps, and Azure App Service too.
SAP ERP connector in Power Platform
The SAP ERP connector (RFC/BAPI) is designed so multiple people can access and use an application at once; therefore, the connections aren't shared. The user credentials are provided in the connection, while other details required to connect to the SAP system (like server details and security configuration) are provided as part of the action.
Enabling single sign-on (SSO) makes it easy to refresh data from SAP while adhering to user-level permissions configured in SAP. There are several ways you can set up SSO for streamlined identity and access management.
Find more details on the power platform documentation.
SAP OData connector in Power Platform
The SAP OData connector enables consumption of any OData service from the SAP ecosystem.
Enabling SAP Principal Propagation makes it easy to interact with data while adhering to user-level permissions configured in SAP.
Learn more about the supported authentication types on the power platform documentation.
Guidance for SAP Principal Propagation
Principal Propagation is a mechanism well established in the SAP ecosystem. The SAP OData Connector supports this mechanism by providing a first-party Entra ID app registration with client ID 6bee4d13-fd19-43de-b82c-4b6401d174c3
and scope user_impersonation
. Use the field Microsoft Entra ID Resource URI (Application ID URI)
to maintain your globally unique resource URI of the Entra ID app registration authorized to access the SAP OData service.
The focus of the described configuration is on the Azure API Management, SAP Gateway, SAP OAuth 2.0 Server with AS ABAP, and OData sources, but the concepts used apply to any web-based resource.
Learn more from this article on the Power Platform community.
Note
An existing trust setup between your SAP backend and Entra ID using an enterprise app registration is required. The configuration needs to support the OAuth2SAMLBearer flow. See this Microsoft learn article and this SAP blog for details on the initial steps.
For the Entra ID token exchange required by SAP (OAuth2SAMLBearer flow), we recommend using an API Management solution. See this Microsoft learn article for details on the initial steps with Azure API Management.
Next steps
Understand SAP Principal Propagation using API Management in detail | blog
Work with SAP OData APIs in Azure API Management | Microsoft Learn
Protect APIs with Application Gateway and API Management | Microsoft Learn
Integrate API Management in an internal virtual network with Application Gateway | Microsoft Learn
Understand Azure Application Gateway and Web Application Firewall for SAP | blog