Skip to Content

Implementing a user self-registration scenario using Workflow and Business rules in SAP Cloud Platform – Part 5


Part 1 – Overall Solution

Part 2 – Setting up Business Rules in SAP Cloud Platform

Part 3 – Modeling workflows in SAP Cloud Platform

Part 4 – Testing you workflow using monitoring tools

Part 5 – Triggering the workflow using a Start UI

Part 6 – Configuring trust between SAP Cloud Platform account and Identity Provider

Part 7 – Mapping user groups and roles in SAP Cloud Platform Portal


UPDATE [13/8/2017]: Calling an external service from a Custom UI Task

In this portion of the blog series, I will show you how to create a custom HTML5 app which is the Start UI for triggering the workflow. I have uploaded the project in github for your reference.

SAP Cloud Platform workflow service provides REST APIs which can be used by applications to interact with the service. In this section, we are going to leverage workflow-instance REST API to create a new instance.

You can navigate to a particular API to read the documentation and also find sample payload. In the below image, I have highlighted two important things – Workflow definition ID and context. This needs to be provided when triggering a workflow.

In the Start UI, I have created a XML view which will display the user registration form. I have put the usual fields like firstname, lastname, email, phone etc.

In the controller definition, I am invoking two REST APIs. The first one is to get X-CSRF-Token and the subsequent call is to make a POST call with the X-CSRF-Token along with the context payload. The context payload would contain the information provided by the user in the registration form

You can find the compete source code here at github.

I have deployed this App to my SAP Cloud Platform cockpit. When I run this app, I get the below screen where I can provide user information and click on submit. Notice that I have provided an email with domain “vendorA”. The business rules within the workflow should find the relevant approver and default IdP group for this vendor organization.

After submitting, this request, a task gets created and I can view the task instance using the REST APIs.  In the below screenshot, the tasks is currently sitting in My Inbox for the recipient to action. Notice that the business rules have already been applied. You can say that by the output node which is populated with the approver and default IdP group.

When I logon to My Inbox, I would be able to see this task waiting for me to action. Notice that the default IdP group has been picked up and is also displayed on the screen.

As an approver, I can decide to approve this task by clicking on “Approve” button. This will invoke the SCIM APIs exposed from SAP Cloud Platform Identity Authentication service. I have defined a method called createSCIUser which prepares the input and makes an ajax call.

When calling an external service from the Custom UI task the URL needs to be proerply formatted as explain in the Help documentation. In the example above, the URL to invoke a SCIM API would be URL: /html5apps/mywfapp/SCI/. I have created a destination in my SAP CP cockpit with the name SCI which refers to my SCI tenant.

If you would like to know more about how to invoke the SCIM APIs, you can check the SAP Help documentation.

After approving the task, when I navigate to the Cloud Identity, I will be able to see the user created.

Secondly, when I navigate to the “User Groups” menu and explore the “AccountsPayable_A” group, I would be able to see the newly created user assigned to this group.

In the next part of the blog, I will show you how to setup trust between SAP Cloud Platform Identity Authentication service and Cloud Portal.


You must be Logged on to comment or reply to a post.
  • Hi Murali,

    thank you for this great Blog series!

    As I'm currently implementing a similar User Registration process I'm wondering if you've found a way to influence the "Register" button that shows up in the SAP Identity Authentication Login form. I want to either disable it or link it to my custom registration form. Have you looked into this and found a solution?

    Best regards

    • Thanks Gregor. I am glad its helpful.

      Few people have asked me the same question. I am not sure if there is a way to influence the register button in the SAP Identity Authentication Login form.  Here are my thoughts - The "Register" button shows up only when you have set the "User Application Access"  to "Public" in Identity Authentication service for the respective application. What if we change this to "Internal" and remove the Register button in the login form. You can then provide the link to your custom registration form to your end users and request them to kick start the process of registering and then accessing the applications.I know this is not an elegant way. I will try and request this feature to be added to Identity Authentication service.

      • Hi Murali,

        thank you for the quick response. I gave it a try already and that is a good intermediate solution. I would like to support this feature request. Have you posted it already somewhere? seems not to include an SAP Cloud Identity Authentication Service.

        Best regards

        • Yes, it looks like SAP Cloud Identity Authentication Service is not accepting ideas through Idea Place. I am reaching out internally to check if we can have an Idea place for this service too.

        • Hey Gregor, I'm working through the same process now 🙂


          In the administration cockpit for the Identity Authentication, you can navigate to:


          Custom Application->Authentication & Access Tab->User Application Access list item:



          These options seem to influence the "Registration'" Button on the logon page.  If this is set to "Internal" for example, the Registration Button doesn't appear.

          I'm actually struggling with this, I need to couple a SCP Workflow into this process rather than just direct self-registration ( i.e. the scenario in Murali's blog ) but I can't find anyway to influence the behaviour after clicking "Register" when the user completes the registration form.

          When I work this out I'll share it 🙂


          • Hi Leigh,

            our solution was to link a public accessible HTML5 app with an XS Classic backend. The XS Classic backend then calls the SCP Identity Service API. But there you could also call the Workflow.

            Best regards

  • Hi Murali,

    thank you for this great Blog series!

    Actually I am doing workflow for vendor data creation, in that multiple level of approvals are there. Can u please explain how to achieve multiple approvals in workflow.


    Best regards



    Hi Murali,

    thank you for this great Blog series!

    Actually I am doing workflow for  vendor data creation for this app multiple level of approvals are there. Can u please explain how to achieve multiple levels of approving.

    Best regards


  • Hi Murali,


    Thanks for the introduction.

    I got a question about the authientification for the SCIM API, do i access the API via SAP Certificate?

    Is there any tutorial existing? The relation between the application and the API is not quite clear?


    Best regards

    Lucas Erni


  • Hi Murali,

    thanks a lot for providing this blog post!

    I am currently trying to call my IdP's SCIM REST API from within the workflow environment in order to register the provided user after approval. Calling it from inside the approval UI as indicated in the blog post results in an 405 (Method Not Allowed) response. The corresponding destination seems to work since a static call from the same UI deployed outside the workflow environment does not cause any problems.

    I tried to circumvent this problem by implementing the approval UI as a simple User Task form with two descision buttons (accept / deny) and introducing an exclusive gateway which triggers a Service Task only when the "Accept" button is hit. In this Service Task I tried to call the SCIM REST API to register my user. Again, an error occured, in this case a 415 (Unsupported Media Type) response. It seems that this is caused by a default content type which is not the required "application/scim+json" one. I did not find a way to adjust the content type using the GUI.

    How do I use SCIM REST APIs from within the worklow environment?

    Best regards,


    • Hi Christian,

      Its been a while since I worked on the Workflow service. Can you please raise a question in the forum and tag the Workflow service? Thanks