Skip to Content
Technical Articles
Author's profile photo Martin Blust

UAA, XSUAA, Platform UAA, CFUAA – What Is It All About?

In SAP Business Technology Platform, you can’t help coming across the UAA since it enables you to log in or log out. The full name for UAA is User Account and Authentication. This doesn’t explain much, though. Unfortunately, we talk about UAA, CFUAA, XSUAA, Platform UAA in SAP BTP. Is this all the same? Or are these four different UAAs?


Let’s give it a try and explain UAA:



CFUAA stands for Cloud Foundry User Account and Authentication. It is the implementation of the UAA of the Open Source Cloud Application Platform Cloud Foundry. UAA is an open source project of Cloud Foundry and it is available through a variety of private cloud distributions. SAP is a major contributor. In developer speak, the term CFUAA is used to distinguish the UAA of Cloud Foundry from the XSUAA.



Platform UAA

At SAP, the Platform UAA is often simply called UAA. It is an open source UAA of Cloud Foundry (or CFUAA), but it is deployed in the Cloud Foundry environment of SAP BTP.

The Platform UAA manages the platform users (space developers and administrators). The platform users are allowed to use the cockpit and to interact with the Cloud Controller. They can use the Cloud Foundry CLI, push and scale applications, and create service instances. Platform users are authenticated via SAP ID service.



The XSUAA has been developed by SAP. It is an extension of the CFUAA and acts as the central infrastructure component of the Cloud Foundry environment at SAP BTP for business user authentication and authorization. SAP has enhanced the CFUAA by adding a service broker, multitenancy, management API functions, and some minor enhancements. The XSUAA manages business users and enables them to authenticate to applications deployed in SAP BTP.


What Is the SAP Authorization and Trust Management Service?

Web Access Control

API Access Control

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Vladislav Volodin
      Vladislav Volodin

      Is it possible to use Platform UAA for own applications? e.g. I do not want to have own ID service, but to use what SAP offers?


      Author's profile photo Rajesh Bhadana
      Rajesh Bhadana


      Is it possible consume SAP XSUAA service from SAP Cloud platform to Open Source Cloud Foundry platform ?




      Author's profile photo Jacob Brian
      Jacob Brian



      Nice blog.

      Thanks for sharing.


      this would be useful for this Question.


      Authorization using XSUAA | Migrating from the Neo Environment to the Multi-Cloud Foundation | SAP Blogs

      Author's profile photo Luiz Gomes
      Luiz Gomes

      How to connect with xsuaa different BTP accounts? My scenario is Kyma runtime on one BTP account and Portal on another BTP account. Today when the HTML5 application tries to access the API it returns the 401 error. I could use an xsuaa service from the same account as the application but I will have problems with SSO and access to services in the account where the API is executed.

      Author's profile photo Martin Blust
      Martin Blust
      Blog Post Author

      Hello Luiz,

      Please address your request to the support component BC-CP-CF-SEC-IAM. This is the component for the SAP Authorization and Trust Management service in SAP BTP. I guess that the support colleagues can help you.