Skip to Content
Product Information
Author's profile photo Tamir Menahem

Connecting from SAP Business Application Studio to SAP BTP Cloud Foundry environment

SAP Business Application Studio (BAS) is a modern development environment that enables you to develop various applications for various target platform runtimes, such as ABAP platform (on-premise and cloud), SAP BTP Cloud Foundry environment (CF), SAP HANA Cloud, and SAP Mobile Platform.

BAS itself is an SAP Business Technology Platform (BTP) service decoupled from these runtimes. In fact, it runs on a dedicated set of Kubernetes clusters.

While most of the development supported by BAS are targeted for CF, one might mistakenly think that connection to CF is mandatory for any scenario. This, of course, is not the case. BAS can be used without any relation to CF. If your target runtime is not CF, then you do not have to create a CF Org or Space, you do not have to be a CF Org or Space member, and you do not need to log in to CF to work with BAS. You only need to subscribe to the BAS service from your subaccount.

Now that we understand that BAS is a standalone development environment, let’s take a closer look at the ways in which you can connect to CF when you use BAS to develop CF applications.

Note: The following section describes how different identity management settings in your BTP subaccount influence the CF login process. However, all other CF operations, such as Set Org and Space, are the same when performed in BAS (regardless of the identity management settings).


BAS offers two ways to connect to CF:




  • In both cases, the CF CLI is used, indirectly (UI-based) or directly (CLI-based), so that the specific target operation is achieved in both ways.
  • The CF CLI usage from the BAS terminal is identical to that of the CF CLI in your local machine (e.g. laptop).
  • The UI-based approach provides the best user experience, but typically, when you compare the UI and CLI approaches, you find that the CLI provides the full capabilities, while the UI (which is based on the given CLI) covers the common operations and not necessarily all the capabilities.


Now, as long as you keep the default identity management settings in your subaccount, things are quite straight forward. However, the difference between using the UI and CLI with regards to the CF login becomes more important when we consider the different Identity Providers (IdP).

Here are some key players in BTP Identity Management:

  • Application IdP
  • CF IdP
    • Relevant for CF users.
    • Serves for CF login.
    • Based on CF UAA (User Account and Authentication).
  • SAP ID Service (a.k.a. SAP Tenant)
    • Default IdP.
    • A pre-configured, easy-to-use global standard SAP public IdP ( that is shared by all customers.
    • You cannot delete the SAP ID configuration, but you can add different IdPs (Custom IdP, or Corporate IdP) for customized user management.
  • Custom IdP
    • A tenant-specific Identity Authentication Service (IAS) with local users.
  • Corporate IdP (a.k.a. External IdP)
    • A tenant-specific IAS that acts as a proxy to your own IdP.


  • The Application IdP and the CF IdP can be set to the SAP ID Service, the Custom IdP, or the Corporate IdP separately, or you can set them to the same IdP.
  • To add the CF IdP (currently supported in Feature Set A), Custom IdP, or Corporate IdP, you need to open a ticket using the BC-CP-CF-SEC-IAM component. There is no self-service.


The table below provides a comparison between the different CF IdPs for CF login in BAS:

SAP ID Service Custom IdP Corporate IdP
BAS UI-based login Supported Not supported Not supported
BAS CLI-based login Supported Supported Supported
CLI-based login example


cf login


cf login --origin <IdP Name>


cf login --sso

Authorization flow OAuth Resource Owner Password OAuth Resource Owner Password OAuth Authorization Code Grant (browser flow) + One-Time Passcode

Additional aspects to consider:

  • If you do not know the CF IdP origin (IdP Name) then you should contact your administrator. The CF IdP origin is also not being exposed in SAP BTP cockpit.
  • Both the Custom IdP and the Corporate IdP require an origin to know which IdP is being used. For the Custom IdP, it can be done on the CLI level, while for the Corporate IdP, it must be done on the UI level (SAP BTP CF Login screen, outside of BAS). (UI level) settings should be defined for each browser that you use, and it is not supported in browser private mode (a.k.a. Incognito mode) since it is based on persistent cookies. This limitation is result of the CF UAA usage and improvement is expected.
  • The Corporate IdP doesn’t support the OAuth Resource Owner Password (OAuth Password flow). Therefore, the OAuth Authorization Code Grant (browser flow) flow is mandatory (based on cf login --sso).
  • The OAuth Authorization Code Grant + One-Time Passcode flow (based on cf login --sso), can be used in all use cases (SAP ID Service, Custom IdP, Corporate IdP) and is a more secure way.
  • SSO is only supported in the browser flow (i.e. not supported OAuth Password flow).
  • CF Login command: cf login [-a API_URL] [-u USERNAME] [-p PASSWORD] [-o ORG] [-s SPACE] [--sso | --sso-passcode PASSCODE] [--origin ORIGIN]


Login Sample


SAP ID Service
Note: For the SAP ID Service, you can perform this command from the Command Palette.
cf login -a
API endpoint:

Custom IdP
cf login -a --origin <IdP Name>
API endpoint:

Corporate IdP
cf login -a --sso
API endpoint:
Temporary Authentication Code ( Get one at ): <Temporary Authentication Code, e.g. yF1e16KTjS>


Single command option:
cf login -a --sso-passcode <Temporary Authentication Code, e.g. yF1e16KTjS>
API endpoint:



  • BAS is a standalone development environment, decoupled from the target platform runtimes.
  • You need to connect from BAS to CF when you develop CF applications.
  • You connect to CF based on CF IdP, which is relevant for CF users, and not based on application IdP, which is relevant for business users and serves for BAS login.
  • The way you login from BAS to CF, UI-based (Command Palette) or CLI-based (Terminal) using different parameters, depends on the identity management set up in your subaccount:
    • SAP ID Service – UI or CLI (cf login)
    • Custom IdP – CLI (cf login --origin <IdP Name>)
    • Corporate IdP – CLI (cf login --sso)


This is it. I hope now you have a better understanding of the differentiation between BAS and CF, between Application IdP and CF IdP, between the different IdPs and their impact on the CF login procedure, and most important, that you successfully connected from BAS to CF.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Valerio Proietti Marcellini
      Valerio Proietti Marcellini

      thx, very helpful!

      Author's profile photo Isaac Perez
      Isaac Perez

      I am trying to test the services of my CAP Application (developed in my SAP BTP Trial account) from Postman. As it is the first time that I do it, there are many things that I do not know.

      This publication has helped me to clarify several doubts.

      Sincerely, thank you very much.

      Author's profile photo Alain VIGUIE
      Alain VIGUIE

      Hi Tamir.

      Very interesting blog post. Thanks!

      Author's profile photo Bart de Jonge
      Bart de Jonge

      Hi Tamir,

      I just started exploring BTP Cloud Foundry and Business Application Studio with a Pay As You Go Global Account (this is not a trial account).

      In my BTP Cloud Foundry subaccount I've added a SuccessFactors (demo) system as Trust Configuation:


      Afterwards I've created a new user with this IdP and assigned all role collections to this user, including the BAS-related roles:


      In the BAS dev space I'm trying to login to Cloud Foundry with this SuccessFactors user/IdP.

      I'm entering the following command in a terminal window: cf login --sso

      A link is given that redirects to a page to get a temporary authentication code.


      Here I enter the Origin Key of the SuccessFactors system, just as it is stored in the Trust Configuration of the SuccessFactors system (see the first image above).

      But then I get the message that the origin provided in the login hint is invalid.


      I also tried to login using the following command in a terminal window:

      cf login --origin

      But this also fails with an invalid origin:


      My question is, why I'm not able to login with the SuccessFactors user/IdP as origin?

      Is some configuration missing/incorrect in my (sub)account?

      Can a SuccessFactors system not be used as IdP to login?


      I hope you can help me out here (much appreciated).

      Thanks in advance.

      Kind regards,


      Author's profile photo Tamir Menahem
      Tamir Menahem
      Blog Post Author

      Hi Bart,

      First, please make sure that you add your CF IdP by opening a ticket for BC-CP-CF-SEC-IAM component. This is mentioned in the blog (above the comparison table). If it was not done, this could be the problem.

      You can also try the scenario directly with CF CLI, without Business Application Studio, just to isolate the different parts.

      Anyway, for troubleshooting, I would recommend to open ticket in BC-CP-CF-SEC-IAM.

      Thanks, Tamir

      Author's profile photo Gregor Wolf
      Gregor Wolf

      Hi Tamir, Hi Bart,

      my guess is that your Global Account was created with Feature Set B. According to SAP Note 3140806 - "The origin provided in the login hint is invalid" when using custom identity provider to logon in CF CLI (error message on the console "The origin provided is invalid") providing the origin does only work when the Account is still using Feature Set A. Would be great if this could also be updated in the documentation.

      @Tamir: Do you know when Feature Set B will support origin?

      Best Regards

      Author's profile photo Bart de Jonge
      Bart de Jonge

      Hi Tamir,

      Thanks for your quick response and explanation.

      The picture is getting clearer now.

      I can connect BAS to CF with the SAP ID service.

      This is acceptable for my current mission (= basic exploration of BTP/Cloud Foundry functionality and possibilities).

      Maybe a more sophisticated setup will be needed in the future. If so, I will remember to return to this blog.

      Thanks again for your support.

      Kind regards,


      Author's profile photo Lizhang Sun
      Lizhang Sun

      Very helpful blog! Thanks Tamir.


      Does cloud foundry support non-interactive login such as using client credential flow? We are looking into building a CI/CD pipeline, and are not comfortable with storing username/password there.


      Searching through the cf cli reference I also found cf auth, is it supported?