SAP Community - SAP BTP Security

SAP BTP Integration Suite Cloud to SAP S4 Private Cloud

2025-11-30T18:21:37.643000+01:00

Dear All,

Good Day!

Is there any documentation/steps to integrate SAP BTP Integration Suite Cloud to SAP S4 Private Cloud via Oauth2.0 Bearer Token.

Am not finding any documentation from SAP.

Thanks and Regards,

Rajesh PS

Consume Soap service using post method in build process automation.

2025-12-08T23:27:59.568000+01:00

Hello community,

I am currently working with SAP BTP Build Apps and need to consume a SOAP web service using the POST method. Since Build Apps does not natively support XML payloads, I attempted to handle the integration through SAP Build Process Automation (BPA), but I am still unable to get it working.

Does anyone have technical documentation, best practices, or a concrete example of how to properly call a SOAP service from Build Apps (directly or via BPA/destination)?

Thank you in advance.

Principal propagation from SAP Digital Manufacturing Production Process towards S/4HANA public cloud

2025-12-17T10:45:33.035000+01:00

Hi experts,

I am working on a requirement that needs a custom production process in SAP Digital Manufacturing calling an SAP S/4HANA Cloud, Public Cloud OData api. I have followed the steps as mentioned in this blog post external-api-web-service-integration-with-sap-digital-manufacturing .

Here is my BTP destination in the subaccount where DM is subscribed.

tokenServiceURLType=Dedicated
audience=https\://myXXXXXX-api.s4hana.cloud.sap
authnContextClassRef=urn\:oasis\:names\:tc\:SAML\:2.0\:ac\:classes\:X509
includeSigningCertificateInSAMLAssertion=false
tokenServiceUser=ZS4H_DMC_COMM
tokenServiceURL=https\://myXXXXXX-api.s4hana.cloud.sap/sap/bc/sec/oauth2/token
skipUserUuidInSAMLAttributes=false
URL=https\://myXXXXXX-api.s4hana.cloud.sap/sap/opu/odata4/sap/zapi_productionorder_labels/srvd_a2x/sap/zser_mfg_label/0001
Name=S4-Dev-Label-api-pp
tokenServicePassword=<removed>
Type=HTTP
clientKey=ZS4H_DMC_COMM
Authentication=OAuth2SAMLBearerAssertion
nameIdFormat=urn\:oasis\:names\:tc\:SAML\:1.1\:nameid-format\:emailAddress
skipUserAttributesPrefixInSAMLAttributes=false
ProxyType=Internet
userIdSource=
SAMLAssertionProvider=DestinationServiceGenerated

I have created the communication arrangement in S/4HANA Cloud:

But when I test the production process which uses the service thus created is not working, i.e., failing with HTTP 401

The production process worked successfully when I had used basic authentication at the BTP destination.

So, does SAP DM support such principal propagation with destination using OAuth2SAMLBearerAssertion? Or where am I going wrong?

Best regards,

Sumit

EPD Collaboration: No workflows found in SBPA cross-subaccount setup

2025-12-18T23:14:43.602000+01:00

Hi everyone,

I am facing an issue where the SAP EPD Collaboration app cannot discover any processes from SAP Build Process Automation. The workflow dropdown in both 'Configure Collaboration' and 'Specification Types' remains empty, and the OData call to the "WorkflowProperties" returns 0 results.

Our architecture is the following:

Subaccount A: SAP Build Process Automation is subscribed and active here. This is where our processes are built and deployed.

Subaccount B : SAP EPD / IPD Collaboration is subscribed here.

Scenario: We need EPD in Subaccount B to trigger and manage workflows residing in Subaccount A.

I have attempted to bridge the two subaccounts by manually replicating the standard SBPA destinations in Subaccount B, pointing them to the Service Key credentials of Subaccount A. Specifically, I configured sap_process_automation_service and sap_process_automation_service_user_access.

I've searched but could not find any official documentation or for connecting these specific apps (EPD to SBPA) across different subaccounts. Most guides assume a single-subaccount setup where the SAP Booster handles the wiring automatically.

My questions:

Are these two specific destinations (sap_process_automation_service andsap_process_automation_service_user_access) designed to work across subaccounts for EPD discovery?

Does this scenario require an Identity Trust (SAML/OIDC) between the subaccounts for the discovery phase?

Any suggestions for this "split" architecture would be greatly appreciated.

Thanks!

BTP admin - Day to Day operation activities

2026-01-02T19:35:02.975000+01:00

Hi Experts,

Most of the BTP admin tasks are one-time activity ( account set up,Role assignment, IAS, Cloud connector integration and CTMS )

Could you please provide the list of daily operation activities of BTP admin from support and monitoring perspective.

Thanks in advance

Facing “Invalid Metadata” with Principal Propagation in SAP BTP Workzone

2026-01-09T10:33:33.684000+01:00

We’re currently working on an MTA project deployed to Cloud Foundry and integrated into SAP BTP Workzone.

Our setup uses Principal Propagation (one per client), but we’re consistently hitting issues:

401 error when trying to load metadata with Principal Propagation
Invalid metadata error since the metadata is not being retrieved.
Despite configuring Principal Propagation, the data is still not received
X.509 certificates for SSO for On-Premise is done by basis team.
with Basic Authentication it is working fine.

my Destination Setting:

👉 Has anyone faced similar challenges with Principal Propagation in Workzone?
👉 What are the key areas we should check (destination settings, authentication, trust configuration or Workzone site setup or MTA Project)?

Any guidance or pointers from the community would be greatly appreciated!

#SAP #SAPBASIS #BTPMTAProject #Authenticationissue #PrincipalPropagation

How can execution-time controls prove verified comprehension before obligation attaches?

2026-01-15T22:47:12.930000+01:00

Most compliance and security controls operate after execution, when obligation is already binding.

I’m exploring execution-time gating that enforces identity verification, disclosure acknowledgment, and verified comprehension before the moment of no return.

From a platform and security perspective, what patterns or controls exist today to prove comprehension at execution time rather than relying on post-hoc attestations or disclosures?

Looking for architectural approaches, not product recommendations.

Forms Service by Adobe (BTP): Persistent "No client with requested id" Error after Configuration

2026-01-20T20:49:08.473000+01:00

Hello SAP Community,

I am seeking assistance with a persistent authentication issue while setting up SAP Forms Service by Adobe in the BTP Cloud Foundry environment.

Despite following the standard setup documentation, I am unable to access the Template Store UI. I consistently receive the following error: No client with requested id: sb-ads-xsappname!b65488

What I have configured so far:

Entitlements: Added "Forms Service by Adobe" and "Forms Service by Adobe API" (free plans).
Subscription: Successfully subscribed to "Forms Service by Adobe" (default plan).
Instance: Created a service instance for "Forms Service by Adobe API" in my space.
Role Collections: Created and assigned a Role Collection containing ADSAdmin and TemplateStoreAdmin.
Direct Access: I have tried accessing the UI via the "Go to Application" link and via the direct URL found in the destination configuration.

Steps taken to resolve the issue (but failed):

Verified that the Application Identifier in the Role Collection matches the subscription.
Unsubscribed and re-subscribed to force a new OAuth registration.
Cleared browser cache and used Incognito/Guest modes.
Waited for propagation (over 30 minutes).

It seems the XSUAA service is still looking for a specific client ID (!b65488) that perhaps isn't being correctly mapped or registered in the Trust Configuration.

System Details:

Environment: Cloud Foundry
Region: US10
Identity Provider: Default and Custom

Has anyone encountered this specific mismatch before? Is there a way to force a refresh of the OAuth2 clients in the subaccount, or is this a backend issue that requires an SAP Support ticket?

Thank you for your help!

Use BTP Malware Service with VSCAN (VSI) - Detect hidden code in metadata of image file

2026-01-26T11:01:11.928000+01:00

Hi,

I have a requirement where we need to scan files uploaded via a Fiori application for malware (in our case attachments for a leave request). After some research I came across this amazing github project ( https://github.com/gregorwolf/sap-malware-scanning-vsi ) that explains how you can use the BTP malware service via the VSI BAdI to do your virus/malware scanning.

We initiated the BTP Malware instance, created the SM59 config, created all the classes and interfaces as per the github project, implemented the BADI and created the basic VSI configuration.

Now that all seems to be working correctly. When I use VSCANTEST with the standard Eicar test virus, it correctly detects the virus.

However when I try something more complex like hiding executable PHP code within the metadata of an image file, it does not detect this as malware :(. I tried searching through all available documentation, and it seems as if the VSI profile configuration options where you specify MIME types for active content is only if you configure a malware service via VSI and not when you use the BADI?

Has anyone tried this before where you use the VSI BADI to call a malware scanning service (Like the BTP one) and scan for things like PHP code in metadata? How I do that?

Kind Regards

Deon

SM59 Connection Test Error

2026-01-29T01:22:24.740000+01:00

Hello.

I am getting an error when trying to connect to the AVALA Tax service in SAP BTP using the OAUTH client profile.

SM59 Destinations Type G (HTTP External):
AVLR_AVATAX_ADDRESS
AVLR_AVATAX_GLOBAL
OAuth Profile : SAP_COM_0249_PREM
Error Observed : Create Failed

Testing Details:
T-code: SE38
Program Name: OA2C_GENERIC_ACCESS
HTTP Client Selection: SM59 Destination

HTTP Client Selection: URL option

Once SAP enables the required connectivity, the SM59 test should work as expected.

I would like to hear the opinions of seniors who can help me solve the above problem.

The SSAM app performs a full sync instead of a delta sync on login after 1–3weeks of inactivity

2026-02-09T20:55:14.754000+01:00

Issue Summary

When users of SAP Service and Asset Manager (SSAM 2405) do not use the mobile application for 1–3 weeks, the next login triggers a full data synchronization instead of a delta sync, resulting in significantly longer sync times.

Detailed Description

Users have reported that after a period of inactivity (approximately 2–3 weeks), logging into the SSAM mobile application triggers a full synchronization.
Normally, the application performs a delta sync to update only changed records, which is faster and more efficient.
Due to the full sync, the login process takes an extended time, impacting productivity and delaying field operations.
This behavior is observed consistently across multiple devices and users who have been idle for an extended period.

Expected Behavior

After a period of inactivity, logging into SSAM should perform a delta sync (syncing only changed data), not a full sync, unless there are configuration or data inconsistencies requiring a full sync.
The sync time should remain comparable to normal delta sync durations.

Actual Behavior

After 1–3 weeks of inactivity, the application performs a full sync, which significantly increases login and data retrieval time.

Impact

Reduced user productivity due to long sync times.
Delays in field operations and work order processing.
Increased network and backend load during full sync events.

Steps to Reproduce

Do not log in to the SSAM mobile application for 2–3 weeks.
Open the SSAM mobile app and log in.
Observe that the application performs a full sync instead of a delta sync.
Note the extended sync duration compared to normal delta sync operations.

Request / Questions for SAP Support

Is this behavior expected for extended idle periods, or is it a potential issue with delta sync?
Are there configuration settings or best practices to ensure that the application performs a delta sync even after long periods of inactivity?
Is there a recommended way to minimize sync time for users returning after prolonged inactivity?

SAP BTP Boosters with Terraform Documentation

2026-02-13T12:59:22.354000+01:00

Hi DevOps,

since I am tinkering around with Terraform and the SAP BTP Platform. After some ClickOps (Boosters, and otherapproaches) vs. Infrastructure/Configuration As Code (via Terraform and BTP CLI and other REST APIs) experiments later, I miss some better integrated documentation. The "booster" feature within the SAP BTP Cockpit is pretty neat for a fast start and some initial experiments, but pretty intransparent for productive purpose.

Does anyone know, if the various boosters could be exported as a Terraform project (resources, variables and so on)? That would make a review process much easier. Furthermore, some customizing of the configuration would be possible.

By the way, the Terraform Sample Repo goes already a great direction for documenting some missions. I wish, some other SAP recommended reference architecture would be presented here as well.

Happy coding,

Florian

The JWT token only contains the openid scope, but none of the custom application scopes

2026-02-17T14:32:15.275000+01:00

Hi,

I am building CAP application and try to add custom roles and rolecollections through xs-security.json. Deploying in CF.

When i deploy my xs-auth service, i can see roles and rolecollections being created, i can see them in BTP cockpit Rolecollections, Roles . But what is missing is, i cant see roles under rolecollections. I tried below -

1) Created just roles through xs-security.json and created rolecollections manually in BTP. when try to browse and attach roles to rolecollection, i cant find my roles, templates or application identifier.

2) Created both roles and rolecollections through xs-security.json - i cant see roles inside rolecollections.

3) Removed template $XSAPPNAME from "role-template-references" as per recommendations, but i cant deploy, it gives error.

4) I tried delete and recreated whole auth service with new template, application name, identifier... no luck.

I am getting authenticated, but authorization is failing. My application require annotations and actions to be controlled (who can press button and perform action, this require custom roles).

Attached template i am using. I am sure you might have similar situations before. Please let me know what is the best way to resolve this issue. As Always, thanks for your help.

Below is my app trace log.

template used as below:

{
"xsappname": "my-app-reprocess-v2",
"tenant-mode": "dedicated",
"description": "Message Reprocessing Application - Security Configuration",
"scopes": [
{
"name": "$XSAPPNAME.ReprocessViewer",
"description": "View messages, content, and statistics (read-only access)"
},
{
"name": "$XSAPPNAME.ReprocessAdministrator",
"description": "Full administrative access including reprocess operations and CRUD"
}
],
"attributes": [
{
"name": "email",
"description": "User email address",
"valueType": "string"
}
],
"role-templates": [
{
"name": "ReprocessViewer",
"description": "Read-Only Access - View messages and statistics",
"scope-references": [
"$XSAPPNAME.ReprocessViewer"
],
"attribute-references": [
"email"
]
},
{
"name": "ReprocessAdministrator",
"description": "Full Administrative Access - CRUD operations and reprocess actions",
"scope-references": [
"$XSAPPNAME.ReprocessAdministrator",
"$XSAPPNAME.ReprocessViewer"
],
"attribute-references": [
"email"
]
}
],
"role-collections": [
{
"name": "MessageReprocessViewersRC",
"description": "Message Reprocess Viewers - Read-only access",
"role-template-references": [
"$XSAPPNAME.ReprocessViewer"
]
},
{
"name": "MessageReprocessAdministratorsRC",
"description": "Message Reprocess Administrators - Full access",
"role-template-references": [
"$XSAPPNAME.ReprocessAdministrator"
]
}
],
"oauth2-configuration": {
"credential-types": ["binding-secret", "x509"],
"redirect-uris": [
"https://*.cfapps.example.com/**",
"http://localhost:*/**"
],
"token-validity": 3600,
"refresh-token-validity": 86400
}
}

User is unable to login to SAP Build Work Zone due to "Subaccount reached its limit" message

2026-02-24T11:45:03.342000+01:00

Hello,

I'm having an issue where our developer team is unable to login to the SAP build work zone free version. The error they are getting is - " Subaccount reached its limit. Unfortunately, we couldn't log you in because your subaccount has reached the maximum limit of a free plan. A free plan is restricted to 20 named users and 2 admin users per month per subaccount ".

My doubts are as below regarding this: -

1. Can we restrict this admin access on role collections level from security side? Please advise how this can be done

2. Can this error be reset within the day? Cause our developer team needs to check an issue.

Regards,

Arpit

SAP Security

Security breaches in FTP - SAP Communication

2026-02-27T12:55:55.268000+01:00

Hi,

I am looking for help on a partner question. If security breaches are discovered on BTP:

how are SAP are resolving them and what happens if a security issue appears, that involves customer actions?
how are we communicating them to partners? Is it only via the Monthly Security Patch Day & SAP Security Notes?
do we have any document or whitepaper explaining the process?

Thanks

Sheena

XSUAA not getting the subject name identifier as ID

2026-03-11T07:57:57.377000+01:00

Hi,

We're trying to change `req.user.id` used from xsuaa to the User ID of IAS instead of the email.

BTP is connected to IAS with OpenID Connect (so "Default Name ID Format = Unspecified" as with SAML is not available).

In the IAS logs the sub is changed to the expected value `jwtPayload="{"sub":"`.

However the req.user.id we get in CAP / JWT token remains the email.

Not sure if it's related, but adding a custom atribute in `xs-security.json` and in IAS attributes also isn't reflected in `req.user.attr`. (it only shows the default value configured in `xs-security.json`)

Anyone have some insights on how to get the id ?

SCIM3 PATCH API returning 403 Forbidden in SAP Analytics Cloud (GET works, Admin access available)

2026-03-23T06:33:35.378000+01:00

Hi folks,

I am facing an issue while using the SCIM3 API in SAP Analytics Cloud to update team members using PATCH operation.

API Details

Endpoint:

PATCH /api/v1/scim3/Groups/<TEAM_UUID>

Authentication:

Authorization Bearer Token

Headers Used

Authorization: Bearer <access_token>
x-csrf-token: <csrf_token>
x-sap-sac-custom-auth: true

Payload

"schemas": [
            "urn:ietf:params:scim:api:messages:2.0:PatchOp"
        ],
        "Operations": [
            {
                "op":"add",
                "path":"members",
                "value":[
                    {
                        "value":"d0bbac78-776890-9876hjmd",
                        "type":"User",
                        "display":"newuser",
                        "$ref":"/api/v1/scim3/Users/d0bbac78-776890-9876hjmd"
                    }
                ]
            },
            {
                "op": "replace",
            "path": "urn:ietf:params:scim:schemas:extension:sap:2.0:Group:description",
            "value": "patch test"
            }
        ]

Issue

The PATCH request consistently returns:

{
"status": 403,
"error":"Forbidden"
}

Observations

GET operations on /api/v1/scim3/Groups are working successfully.
Team UUID is retrieved correctly.
Team type is userGroup.
I have full admin access (BI_Admin role) in SAP Analytics Cloud.
OAuth Client is configured with API access with App Integration.
CSRF Token is fetched and passed correctly.
when CSRF token is removed, the API returns 401 Unauthorized.
PATCH always returns 403 Forbidden.

Questions

Are there additional permissions required specifically for SCIM3 PATCH operations ?
Does the OAuth client require explicit SCIM provisioning(write) permissions?
Are there any tenant-level restrictions for SCIM3 write operations ?

Attachments

PATCH request (headers + payload)

Response (403 Forbidden)

Any guidance would be helpful

Thanks!

Transactions in identity lifecycle management

2026-04-08T14:13:18.197000+02:00

I am new to SAP, and I have a question re this picture in one of the courses:

The best practice in cryptography is to rely on stateless workflows. That is, at the time of authentication an identity provider would issue e.g., a JWT with all authorizations for resources the user is entitled to. The token could then be used in OAuth/ zero-trust environment for transparent access to the SAP cloud on the right-hand side. I would imagine the green arrow "Identity Lifecycle Management" only injects public keys a JWT would be verified against. But because those keys are public, they would usually be pulled from PKI whenever needed, so the push model (injection) is superfluous. I suspect my understanding could be wrong - if someone could please clarify? Is this authentication/authorization workflow a common place among Cloud foundry, ABAP, and Kyma? Maybe you could point me out to a good online course for this?

Support Needed: OAuth2 SAML Bearer Destination connection to Successfactor Issue in SAP BTP

2026-04-10T09:03:17.346000+02:00

Dear Connections,

I’m reaching out regarding an issue we are currently facing with the OAuth2.0 SAML Bearer Assertion destination setup in SAP BTP for establishing a connection with SuccessFactors.

Background

We are working on integrating our CAP-based application deployed on SAP BTP with SuccessFactors using a destination configured with OAuth2SAMLBearerAssertion authentication.

Current Status

The destination works successfully with Basic Authentication
However, when switching to OAuth2.0 SAML Bearer Assertion, the connection fails

Error Details

We are encountering the error:
“No user token (JWT) has been provided. This is strictly necessary for 'OAuth2SAMLBearerAssertion'.","stacktrace":["Error: No user token (JWT) has been provided. This is strictly necessary for 'OAuth2SAMLBearerAssertion'."”

What We Have Verified

Destination is correctly configured in BTP
OAuth client is created in SuccessFactors
JWT token is available and being passed from CAP (via request headers)
User attributes (logonName) are available in the request context
CAP application is correctly bound to XSUAA and Destination services

Suspected Areas

OAuth configuration mismatch
Certificate/trust configuration between BTP and SuccessFactors
SAML assertion generation issues via XSUAA

Request

Since this setup involves multiple components (CAP, XSUAA, Destination service, and SuccessFactors), I wanted to check if anyone have experience with similar OAuth2 SAML Bearer configurations in BTP.

It would be really helpful if you could:

Suggest any checks or troubleshooting steps we might be missing

CAPM Code:

const { executeHttpRequest } = require("@sap-cloud-sdk/http-client");

const { getDestination } = require('@sap-cloud-sdk/connectivity');

module.exports = async function (request) {

let payload = request.data;

oLogger.info("Workflow Payload: " + JSON.stringify(payload));

const workflowPath = `odata/v2/upsert?workflowConfirmed=true`;

oLogger.info("Workflow Path: " + workflowPath);

payload["__metadata"] = { "uri": "Position" };

const destination = await getDestination({

destinationName: "sfAdminDestination",

userJwt

});

const workflowRes = await executeHttpRequest(

destination,

{

method: "POST",

url: "odata/v2/upsert?workflowConfirmed=true",

data: payload,

headers: {

"Content-Type": "application/json",

"Accept": "application/json"

}

);

}
Thanks in advance for your support.

I am SAP security consultant , now I want to learn BTP , how should I prepare ?

2026-04-11T03:10:31.824000+02:00

Hello all

I am SAP security consultant, I want to learn BTP, how should I start? Where will I get material and how should I prepare ?