Skip to Content
Technical Articles

Getting Started with Multitenant Business Applications on SAP Cloud Platform | Hands-on Video Tutorials

The SAP Cloud Platform video tutorial series from SAP Partner Engineering | SAP HANA Academy has just been updated to include the latest features, interfaces, and insights about creating multitenant business applications.

For the previous blog post, see

In this blog we are going to get started with the development of multitenant business applications and you will find the videos embedded with references and additional information.

Any good? Post a comment, share on social media, and/or give a like. Thanks!


Hands-On Video Tutorials

Philip MUGGLESTONE just updated his Developing Multitenant Business Applications video tutorial series for the SAP Cloud Platform. In this blog, you will find the videos embedded with some additional information and resources. Following along in the patented zero-to-hero format, you will be ready to start developing business applications on the platform with minimal effort and no time wasted.

You can watch the 10 video tutorials in a little under 100 minutes. What you learn is

  • Multitenant business application concepts and components, including the UAA service, SaaS Registry, and routes.
  • How to use SAP Business Application Studio (BAS) and yeoman to generate the scaffolding for the app and how to build and deploy the MTA (multi-target app) to SAP Cloud Platform using BAS (reprise)
  • How to configure the app to automatically generate the unique tenant routes (and remove the routes when unsubscribing)
  • How to configure dependencies
  • How to use SaaS provisioning service APIs to manage multitenant applications
  • How to configure persistence, for example using SAP HANA Cloud HDI
  • How to configure custom domains for multi-tenant apps

As development environment we use the SAP Business Application Studio and the free 90-day SAP Cloud Platform trial environment, for which you can sign up here:

To follow along you will need some basic understanding of the SAP Cloud Platform concepts and be familiar with global and subaccounts, Cloud Foundry, destinations, subscriptions, identity provider, SAP HANA Cloud, and HDI. In case you are new to the SAP Cloud Platform or could use an update, please first join our onboarding program:

As we know your time is precious, this will be a low-code affair as we will be using Yeoman to provide the scaffolding for our app supplemented with sample code from SAP HANA Academy GitHub repository:

Ready? Let’s build some apps!

Multitenant Business Application Architecture diagram (large-scale)

For the binge-watchers here is the complete playlist:


For the documentation, see

For related blog post here on the SAP Community, see


Getting Started

In the first video, the concepts of multitenant SaaS business applications are introduced and where you find this documented. We demonstrate how such an app would work, with isolated database connectivity using HDI containers in SAP HANA Cloud, and dedicated destinations, for example to a back-end private to the tenant.

As always, no smoke-and-mirrors: we can easily subscribe a new tenant and remove one as well and all this in a short 7-minute demo.

0:00 – Introduction

1:10 – Documentation and architecture

3:15 – Demo sample multitenant SaaS business application

5:10 – Subscribe new consumer

8:20 – Create new destination (for back-end connectivity)

9:00 – Offboard subscriber(s)

9:20 – SAP Business Application Studio

9:55 – Create application scaffolding using the Yeoman app generator


First Application – Part I and II

In the first two videos we are going to build a very basic version of the multitenant application to show how everything fits together. In the first video, we scaffold the project and do a bit of code walkthrough. In the second video, we are going to build, deploy, and test the app. After verifying that everything works as expected, we also delete everything so we can start with a clean slate again.

Access the SAP Business Application Studio from your SAP Cloud Platform (trial) subaccount  Subscriptions and create a new Dev space for this project using the Basic tool extension with MTA Tools as additional extension. Next, install the Yeoman code generator and generate the scaffolding for our app.

0:00 – Introduction

0:30 – Open SAP Business Application Studio, create a new dev space (extension Basic + MTA Tools) and open the default workspace.

0:55 – Open terminal and install the yeoman application generator

1:10 – Generate first application (using defaults and No for the advanced options)

1:50 – Generated code walkthrough: multi-target application with app (router) and srv (backend)

2:30 – Application manifest file mta.yaml with XSUAA service and SaaS Registry service

6:30 – Security configuration xs-security.json file with tenant-mode, scopes, and role templates

7:45 – Index.html and xs-app.json file with routing and authorisation settings.

8:20 – Backend Node.js application server.js file with endpoint to on- and offboard, and access

Code Snippets and Commands

Command to install the generator

npm i -g generator-saphanaacademy-saas

Command to generate the app

yo saphanaacademy-saas

0:00 – Introduction

0:30 – Execute Build MTA command

0:40 – Deploy the generated mtar (MTA archive) and provide the Cloud Foundry API endpoint, login and specify Org and space (e.g. trial / dev). This will create the UAA service, and SaaS Registry entry.

1:20 – Access the SAP Cloud Platform cockpit and verify that the app (router) and the srv (backend) apps are up and running (Applications) with bindings to the registry and uaa (Services).

2:10 – Two routes are defined (Routes)

2:30 – Create new subaccount using the same provider and region (e.g. AWS Europe) as the application with a unique subdomain for that environment

3:00 – Connect to the subaccount and navigate to Subscriptions and subscribe to the app (My SaaS App); this will call the subscribe endpoint from Node.js application (server.js)

4:00 – Under Security > Trust Configuration > IdP (sap.default) assign the role collection (e.g. myappsaas_Administrator or _User) as defined in the xs-security.json.

5:00 – Create a new route for the subscription and map it to the application (myappsaas)

6:20 – Unsubscribe

7:00 – Undeploy application from the command line

8:00 – Navigating the UI shows that there are no more apps and services or subscriptions for the consumer subaccounts, nor any role collections.

9:00 – Remove project from the app studio.

Code Snippets and Commands

Command to remove app and services (without confirmation prompt)

cf undeploy myappsaas --delete-services -f

Yeoman input, mta.yaml configuration, and output in the SCP cockpit.



Now that we have seen how (easily) we can create multitenant applications we are now going to make it even easier by automatically generating the route for each new subscription (and each unsubscribe).

0:00 – Introduction

0:30 – From the terminal in SAP Business Application Studio run the yeoman generator again with same responses except for the Would you like to include creation/deletion of tenant routes on subscribe/unsubscribe (using the CF API)?

01:00 – Code walkthrough: Node.js server.js file now include lib.createRoute and deleteRoute functions, defined in library.js

06:00 – Documentation reference Cloud Foundry API

07:00 – After the app is deployed we need to define with cf set-env the environment variables to authenticate the API user used to create the subscription routes

07:40 – Deploy the MTAR

07:50 – Verify apps and services in SCP cockpit

08:20 – Set environment variables for the technical user and restage the application (required after each redeployment)

09:00 – Switch to Consumer subaccount and subscribe: routes are automatically generated

09:45 – Assign role collection

10:10 – Unsuscribe

Code Snippets and Commands

cf set-env myappsaas-srv cf_api_user '<email>'
cf set-env myappsaas-srv cf_api_password '<password>'
cf restage myappsaas-srv



In this video tutorial, we are going to take a look at how you can advantage of multitenant-aware  services within Cloud Foundry, for example a destination service to access a backend system. This destination service needs to be unique for each tenant, yet we do not want to create a dedicated destination service for each subscription. Other examples are the job scheduler or the connectivity service.

00:00 – Introduction

01:00 – From the terminal in SAP Business Application Studio run the yeoman generator again with default settings except for

  • Would you like to include creation/deletion of tenant routes on subscribe/unsubscribe (using the CF API)? y
  • Would you like to include an example of using the destination route service? y

01:30 – Code walkthrough: destination service added to mta.yaml with getDestination called and defined in server.js and library.js. An entry in index.html enables us to show the response of the call.

05:45 – Build and deploy application

06:10 – Using SAP Cloud Platform cockpit create destination in the tenant subaccount

06:30 – Create new tenant subaccount (“consumer 2”) with destination

07:30 – Verify deployment of application and services, including the destination service

07:50 – Subscribe as consumer 1 and 2 and authorise users (end user role)

08:30 – Run the application to get information about destination of subscriber 1 and 2


Registry API

In this video tutorial, we learn how to make use of the SaaS Provisioning service Restful API to manage consumer/tenant subscriptions. An example of using the RESTful API from the multitenant application is shown – followed by how to access the API via Postman.

This topic is documented in the SAP Cloud Platform Guide:

00:00 – Introduction and documentation

01:10 – From the terminal run the yeoman generator with default settings except for

  • Would you like to include an example of the SaaS API (view subscription)? y

03:20 – Code walkthrough:

  • index.html: link to subscription added
  • server.js: lib.getSubscriptions
  • library.js: getSubscriptions and access token

03:30 – Build and deploy

03:45 – SAP Cloud Platform cockpit: subscribe, add role collection, add route, and show API output

05:45 – Get call URL, client secret and client ID from service bindings

06:45 – Get the token

07:30 – Call URL with token as header (authorisation: Bearer <token>)


Persistence – Part 1, 2, and 3

In this video tutorial, we are going to build, deploy and test the multitenant business application example with schema separation using SAP HANA Cloud and HDI containers. We also learn how to get details of HDI containers created via service manager using a ServiceManagement plugin for the Cloud Foundry CLI.

00:00 – Introduction and concepts

00:00 – Introduction

00:50 – SAP HANA Cloud instance created with all IP addresses allowed (advanced settings)

01:15 – From the terminal run the yeoman generator with default settings except for

  • Would you like to include HANA persistence (schema separation) y
  • Would you like to include creation/deletion of tenant routes on subscribe/unsubscribe (using the CF API)? y

01:20 – Code walkthrough:

  • mta.yaml: db module and service manager
  • db module
  • index.hmtl
  • server.js: referencing service manager, lib.createSMInstance
  • package.json: hdbext
  • library.js

00:00 – Introduction

00:30 – Build and deploy

00:50 – Set API user and password as environment variables for CF API and restage app

01:10 – SAP Cloud Platform cockpit: apps and services

02:25 – Install Service Management CF-CLI plugin for SAP Business Application Studio

03:35 – Subscribe first consumer, add role collection, go to application

05:00 – Subscribe second consumer

06:50 – Unsubscribe

07:30 – Recap

Code Snippets and Commands

See the SAP HANA Academy GitHub repository for the plugin

curl -LJ0
cf install-plugin ServiceManagement.linux64

To view the Service Management instances use command

# cf smsi <instance name.
cf smsi myappsaas-sm


Custom Domains

In this video tutorial, we learn how to configure a multitenant business application with a custom domain. This involves generating, building, deploying and testing an example application and explains how to configure “wildcard” host mapping.

Custom domains are only available on production global accounts and not on the trial environment.

As prerequisite, first watch the SAP Cloud Platform Onboarding Video tutorials to learn how to configure your subaccount, create certificates, and other requirements.

00:00 – Introduction and prerequisites

01:00 – Custom domain service as service instance in SAP Cloud Platform cockpit

01:30 – SAP Business Application Studio showing cf domains and cf cdl commands

02:30 – From the terminal run the yeoman generator with default settings except for

  • Would you like to include an example of the SaaS API (view subscription)? y
  • Would you like to include HANA persistence (schema separation) y
  • Will you be using a wildcard custom domain (eg: If so please enter it here <>
  • Would you like to include an example of using the destination route service? y

03:20 – Code walkthrough:

  • xs-security.json: oauth2-configuration added
  • mta.yaml: host and domain added to each application and tenant host pattern
  • server.js: subscribe/unsubscribe

06:55 – Build and deploy

07:15 – Check the routes and add custom route

08:10 – Subscribe and validate configuration

Code Snippets and Commands

cf domains
cf cdl
cf routes
# cf map-route <router application> <custom domain> --hostname "*"
cf map-route myappsaas --hostname "*"


Share and Connect 

Enjoyed the blog? Post a comment, share on social media, and/or give a like. Thanks!

If you would like to receive updates, connect with me on


Denys van Kempen


You must be Logged on to comment or reply to a post.
  • Hi @denys.kempen,

    Thanks alot for this blog. It covers almost all the topics needed for saas. I have tried and things are working fine in trial account. But in canary when I am trying to access the “/srv/info”, it’s taking to uaa’s domain to login isntead of tenant’s authentication domain which is : “”. The same behaviour occurs when I am trying to deploy a sample SAAS application using manifest.yaml.

    My subdomain looks like this: “someorgname-saas-dev”

    Is there any specification for having a subdomain/org name in order redirect to the correct authentication URL or if there’s anyone that can help in resolving the issue.

    Best regards,


    • Hi Gopal,

      You get this generic login screen when the approuter hasn’t been able to determine the subdomain name of your subaccount via the TENANT_HOST_PATTERN environment variable. You need to either adjust the TENANT_HOST_PATTERN or potentially change the hostnames of the app from the default. It very much depends on how similar or different the subdomain name and the org name are.

      If you can share the full route (URL) of your deployed approuter module as well as your TENANT_HOST_PATTERN value and the subdomain name of the subaccount (visible in overview page of cockpit) and the org name of the subaccount I should be able to help further.



      • Hi Philip,

        Here’s My url:

        The subdomain & org name is : “referenceapps-ga-saas”.

        The tenant host pattern:



        • Hi Gopal,

          So the issue here is the syntax in manifest.yml.

          There’s no need to enclose TENANT_HOST_PATTERN in quotes – in fact using quotes causes the matching to fail.

          Use the following syntax for manifest.yml:

           TENANT_HOST_PATTERN: >-

          Whereas in a mta.yaml you need to enclose in single quotes:

           TENANT_HOST_PATTERN: '^(.*)'



  • Hi Gopal

    I ran into the same issue. Create a subdomain and org name without any dashes ‘-‘ in it. I have an open support ticket with SAP where I detailed the issue.

    Let me know how you go.\



    • Hi Neil,

      I have examples working that include dashes in the subdomain/org name. So I suspect your issue might be something else.

      When you get the “XS Advanced” authentication screen it means the approuter wasn’t able to extract the tenant (subaccount subdomain) name from the called application URL (route) so was unable to generate the correct authentication URL for the tenant.





    • Hi Neil Prince

      the issue was with tenant host pattern, I was using quotes to enclose the host pattern which was causing the issue.

      My subaccount, org together have 3 dashes in the name, it’s still working there. 🙂

      Please look above for Philip’s solution.


      Best regards,