Hi Naresh,
I wouldn`t do principal propagation. It means that your SMP3 will be a CA and create certificates, something you should really talk to about with your security team. You`ll also have to configure the backend to accept certificates, something which depends on your backend. (btw: this should be done, as the best approach is to have certificate based logon on SMP3 + backend).
If you cannot sync SMP3 and NW user credentials and cannot do certificates end to end, you should go for SSO.