Principal propagation is configured between Cloud Platform, Cloud Connector and a backend on premise system such as ABAP or S4Hana. There is an intermediary such as a proxy, SAP Web Dispatcher or a Load balancer in between the Cloud Connector and the backend system.
A principal propagation Signle sign-on (SSO) is failing with the following errors seen in the dev_icm trace of the backend ABAP or S4Hana on premise system:
HttpCertIsReverseProxyTrustworthy: no trust relationship to intermediary specified (see documentation for parameter "icm/HTTPS/trust_client_with_issuer" or "icm/trusted_reverse_proxy")
HttpIsReverseProxyTrustworthy: intermediary is NOT trusted
HttpModGetDefRules: intermediary is NOT trusted -> remove SSL header fields
Reject untrusted forwarded certificate
Additionally you might see
(received via HTTPS with untrusted certificate) or (received via HTTP)
SAP Cloud Platform Connectivity
KBA , BC-CST-IC , Internet Communication Manager , BC-CST-WDP , Web Dispatcher , BC-SEC-LGN , Authentication and SSO , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , Problem
About this pageThis is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP ONE Support launchpad (Login required).
Search for additional results
Visit SAP Support Portal's SAP Notes and KBA Search.