SaaS Multitenant CAP Application: How to setup API access for third party applications of customers

[nocin]

Hi CAP Team,

as I have not found a simple guide on this topic, I'm trying to collect information on how to archive the following task:

We have built a Multitenant CAP Application as Side-by-side Extension for SuccessFactors. Access for End-user is realized via SSO using the customers SAP Cloud Identity Service (CIS) connect via SAML to our Global Account.

Now we have an API endpoint which should be called by third party applications of the subscribed customer. For example, an onPremise HCM system should send data to our CAP application via this API Endpoint. This means, in someway, the right authentication token with the right tenant information must be created during authentication. But how to do this?

As I think this is a standard scenario, many SaaS-developer run into, in my opinion it would make sense to document this topic in CAP Multitenancy chapter.

I've found many discussions in the SAP Community and also some ideas how it can/could be done. But nowhere a full guide of a simple solution and nowhere an official statement of SAP, how it should be done.

Therefore, I opened a ticket (1216256/2025) to figure this out.
The ticket even suggests another solution that might work (I haven't tested it yet). The proposed solution is an IAS Proxy Scenario that must be configured, like described here. What I still need to figure out in detail is, how a technical user must be created on CIS and how the right http calls look like for a correct authentication flow, so everything happens in the right tenant context.

Following some other discussions that I've found:

• https://community.sap.com/t5/technology-q-a/how-would-you-securely-access-multitenant-cap-apis-from-a-background-nodejs/qaq-p/12484740
  In the comments, Simon described a solution using a custom endpoint in Approuter and also links to his intial post.

• https://github.com/SAP-samples/btp-cap-multitenant-saas/blob/main/docu/2-basic/5-push-data-to-saas-api/README.md
  Solution using a Service Broker. I'm sure it can work (even though Simon mentioned in the previous post that it didn't work for him), but more importantly, it seems far too complicated for such a simple task. Especially since I don't need any other features of the Service Broker. Also, not sure what the effort is, to implement this in an existing application with subscribed customers.

• https://community.sap.com/t5/technology-q-a/how-to-expose-cap-api-to-external-app/qaq-p/12700180
  @gregorwolf raises the point of why it's not a good idea to share Client ID and Secret to a third party.

• https://community.sap.com/t5/technology-blog-posts-by-members/managing-technical-users-for-btp-platform-access/ba-p/13521814#comment-678592
  Discussion in the comments about the limitation when a technical user on IAS is created, but the IAS uses SAML instead of OIDC
  Follow-up discussion, that it's not possible to connect a customer IAS using OIDC to a Global Account having a different customerID
  https://community.sap.com/t5/technology-q-a/connect-cutomer-ias-to-our-btp-subaccount-using-estrablish-trust-openid/qaq-p/12747591
  Perhaps, this problem can be solved by using an IAS Proxy Scenario.

Is there already documentation regarding this topic I haven't found yet? Please paste the links here! :-)

best regards
Nico

PS: In case anyone is wondering why they have seen my post elsewhere, this is now the third place where I am attempting to clarify the topic. :-)
- Ticket (1216256/2025)
- Capire issue

[thisisevanfox]

Hi @nocin,

following up on your question from today’s CAP Roundtable, I wanted to share some practical experience from our side as a CAP SaaS provider.

We initially thought the Service Broker approach would be too complex, but after implementing it, the overall effort turned out to be quite reasonable. We followed this tutorial: https://github.com/SAP-samples/sme-partner-reference-application/blob/main/Tutorials/71-Multi-Tenancy-Service-Broker.md.

For us, this approach worked well for exposing tenant-aware CAP APIs to third-party systems. No deep architectural changes were required, and existing subscriptions could be reused.

One aspect to be aware of is that the broker must be enabled in the customer subaccount so that service instances can be created in the consumer account, as described here: https://github.com/SAP-samples/sme-partner-reference-application/blob/main/Tutorials/72-Multi-Tenancy-Provisioning-Service-Broker.md.

Also, the broker service itself consumes resources in the provider subaccount (route, memory, and space quota), which should be considered in the overall setup.

What is currently missing, in our view, is documentation: the official docs do not mention service brokers or @sap/sbf, although this is a common SaaS use case.

Best regards
Johannes