Skip to Content
Technical Articles
Author's profile photo Tia Xu

Multitenancy – Develop and Register Multitenant Application to the SAP SaaS Provisioning Service on the SAP BTP: Hands-on Tutorial on Cloud Foundry

In this post, you can get a step-by-step tutorial which helps you develop a NodeJS application from the scratch to show how to use the SaaS registry to build a multi-tenant application on BTP Cloud Foundry Runtime.

For more general descriptions on how many steps it takes to do from a normal application to a multitenant application, you can read this blog.

More information on this Series – Multitenancy:


Business applications

  • If you come with prepared applications project, please skip to the next item.

  • If you come with no project, you can use the application generator tool, express-generator, to quickly create an application skeleton by following this tutorial: Express application generator. Or, you can git clone the skeleton project directly from: here.

    npm install express --save
    npm install -g express-generator

For more information on how to develop and run business applications on SAP Business Technology Platform (SAP BTP) using our cloud application programming model, APIs, services, tools, and capabilities, see Development on BTP.

BTP account

Here are some channels prepared for you to get BTP accounts:


Persona: SaaS Application Provider

Let’s assume you are a SaaS Application provider, for example: Provider: TIA. Provider: TIA would like to provide an application which displays the logged in user’s name and customer’s tenant related information, shown as below:

Final project with multitenancy can be found: here.

Persona: Customer

A consumer can subscribe to the application through the SAP BTP Account Cockpit.


  • Create and Configure the Approuter Application

  • Create and Configure Authentication and Authorization with XSUAA

  • Implement Subscription callbacks API

  • Register the Multitenant Application to the SAP SaaS Provisioning Service

  • Deploy the Multitenant Application to the Provider Subaccount

  • Subscribe SaaS Application by a Consumer

Step 1: Create and Configure the Approuter Application

Each multitenant application has to deploy its own application router, and the application router handles requests of all tenants to the application. The application router is able to determine the tenant identifier out of the URL and then forwards the authentication request to the tenant User Account and Authentication (UAA) service and the related identity zone.

For general instructions, see Application Router.

Create folder cf_multitenant_approuter_app under the root directory.

mkdir cf_multitenant_approuter_app
cd cf_multitenant_approuter_app

Under the folder cf_multitenant_approuter_app, create a file package.json with the following content:

    "name": "cf_multitenant_approuter_app",
    "dependencies": {
        "@sap/xsenv": "^3",
        "@sap/approuter": "^8"
    "scripts": {
        "start": "node node_modules/@sap/approuter/approuter.js"

Then we should configure the routes in the application router security descriptor file (xs-app.json) so that application requests are forwarded to the multitenant application destination. Under the folder cf_multitenant_approuter_app, create a file xs-app.json with the following content:

    "authenticationMethod": "none",
    "routes": [{
        "source": "/",
        "target": "/",
        "destination": "dest_cf_multitenant_node_app"

Update the backend NodeJS app in the mta.yaml file to provide a destination to approuter app:

     - name: dest_cf_multitenant_node_app
         node_app_url: '${default-url}'

Add the approuter app into the mta.yaml file:

 - name: cf_multitenant_approuter_app
   type: nodejs
   path: cf_multitenant_approuter_app
      disk-quota: 256M
      memory: 256M
      host: ${org}-cf-multitenant-approuter-app
    - name: Router_api
         url: ${default-url}
         application: ${app-name}
      - name: dest_cf_multitenant_node_app
        group: destinations
          name: dest_cf_multitenant_node_app
          url: '~{node_app_url}'
          forwardAuthToken: true

Step 2: Create and Configure Authentication and Authorization with XSUAA

To use a multitenant application router, you must have a shared UAA service and the version of the application router has to be greater than 2.3.1.

For general instructions, see SAP Authorization and Trust Management Service in the Cloud Foundry Environment.

Create and configure an XSUAA instance in the mta.yaml (Also, we can create a security descriptor file xs-security.json in JSON format that specifies the functional authorization scopes for the application instead):

  • Define the application provider tenant as a shared tenant

  • Provide access to the SAP SaaS Provisioning service (technical name: saas-registry) for calling callbacks and getting the dependencies API by granting scopes:

 - name: uaa_cf_multitenant
   type: org.cloudfoundry.managed-service
    - name: Router_api
      XSAPPNAME: ${xsuaa-app}
      #path: ./xs-security.json
      service-plan: application
      service: xsuaa
      shared: true
      xsuaa-app: ${space}-~{Router_api/application}
         xsappname: ${xsuaa-app}
         ### tenant-mode
         tenant-mode: shared
         description: Security profile of called application
          - name: "$XSAPPNAME.Callback"
            description: With this scope set, the callbacks for tenant onboarding, offboarding and getDependencies can be called.
             - "$XSAPPNAME(application,sap-provisioning,tenant-onboarding)"
             - "http*://*.${default-domain}/**"

Add this instance into both the apps in the mta.yaml:

      - name: uaa_cf_multitenant

Update the xs-app.json file:

    "authenticationMethod": "route",
    "routes": [{
        "source": "/",
        "target": "/",
        "destination": "dest_cf_multitenant_node_app",
        "authenticationType": "xsuaa"

Add libraries for enabling authentication in the cf_multitenant_node_app/app.js file:

//**************************** Libraries for enabling authentication *****************************
var passport = require('passport');
var xsenv = require('@sap/xsenv');
var JWTStrategy = require('@sap/xssec').JWTStrategy;

Enabling authorization in the cf_multitenant_node_app/app.js file:

//*********************************** Enabling authorization  ***********************************
var services = xsenv.getServices({ uaa: { tag: 'xsuaa' } }); //Get the XSUAA service
passport.use(new JWTStrategy(services.uaa));
app.use(passport.authenticate('JWT', { session: false })); //Authenticate using JWT strategy

The application router must determine the tenant-specific subdomain for the UAA that in turn determines the identity zone, used for authentication. This determination is done by using a regular expression defined in the environment variable TENANT_HOST_PATTERN.

More details:

 - name: cf_multitenant_approuter_app
      TENANT_HOST_PATTERN: "^(.*)-cf-multitenant-approuter-app.${default-domain}"

Now, if you try to deploy the MTA application, the backend application would return your tenant information accordingly.

Step 3: Implement Subscription callbacks API

Under the routes/index.js file implements two APIs:

//******************************** API Callbacks for multitenancy ********************************

 * Request Method Type - PUT
 * When a consumer subscribes to this application, SaaS Provisioning invokes this API.
 * We return the SaaS application url for the subscribing tenant.
 * This URL is unique per tenant and each tenant can access the application only through it's URL.
router.put('/callback/v1.0/tenants/*', function(req, res) {
    var consumerSubdomain = req.body.subscribedSubdomain;
    var tenantAppURL = "https:\/\/" + consumerSubdomain + "-cf-multitenant-approuter-app." + "<custom-domain>";

 * Request Method Type - DELETE
 * When a consumer unsubscribes this application, SaaS Provisioning invokes this API.
 * We delete the consumer entry in the SaaS Provisioning service.
router.delete('/callback/v1.0/tenants/*', function(req, res) {

Replace the <custom-domain> with your custom domain for your multitenant application.

Step 4: Register the Multitenant Application to the SAP SaaS Provisioning Service

 - name: reg_cf_multitenant
   type: org.cloudfoundry.managed-service
    - name: uaa_cf_multitenant
      service: saas-registry
      service-plan: application
         xsappname: ~{uaa_cf_multitenant/XSAPPNAME}
         appName: cloud-cf-multitenant-saas-provisioning-sample-hands-on
         displayName: Multitenancy Sample in Cloud Foundry 
         description: 'A NodeJS application to show how to use the SaaS registry to build a multi-tenant application on BTP Cloud Foundry Runtime'
         category: 'Provider: TIA'
            onSubscription: https://${org}-cf-multitenant-node-app.${default-domain}/callback/v1.0/tenants/{tenantId}
            onSubscriptionAsync: false
            onUnSubscriptionAsync: false
            # callbackTimeoutMillis: 1200000

Specify the following parameters:

Parameters Description
xsappname The xsappname configured in the security descriptor file used to create the XSUAA instance (see Develop the Multitenant Application).
getDependencies (Optional) Any URL that the application exposes for GET dependencies. If the application doesn’t have dependencies and the callback isn’t implemented, it shouldn’t be declared.NoteThe JSON response of the callback must be encoded as either UTF8, UTF16, or UTF32, otherwise an error is returned.
onSubscription Any URL that the application exposes via PUT and DELETE subscription. It must end with /{tenantId}. The tenant for the subscription is passed to this callback as a path parameter. You must keep {tenantId} as a parameter in the URL so that it’s replaced at real time with the tenant calling the subscription. This callback URL is called when a subscription between a multitenant application and a consumer tenant is created (PUT) and when the subscription is removed (DELETE).
displayName (Optional) The display name of the application when viewed in the cockpit. For example, in the application’s tile. If left empty, takes the application’s technical name.
description (Optional) The description of the application when viewed in the cockpit. For example, in the application’s tile. If left empty, takes the application’s display name.
category (Optional) The category to which the application is grouped in the Subscriptions page in the cockpit. If left empty, gets assigned to the default category.
onSubscriptionAsync Whether the subscription callback is asynchronous.If set to true, callbackTimeoutMillis is mandatory.
callbackTimeoutMillis The number of milliseconds the SAP SaaS Provisioning service waits for the application’s subscription asynchronous callback to execute, before it changes the subscription status to FAILED.
allowContextUpdates Whether to send updates about the changes in contextual data for the service instance.For example, when a subaccount with which the instance is associated is moved to a different global account.Defaut value is false.

Bind this instance to your NodeJS application, update your mta.yaml file:

 - name: cf_multitenant_node_app
      - name: uaa_cf_multitenant
      - name: reg_cf_multitenant

Step 5: Deploy the Multitenant Application to the Provider Subaccount

You can build with the Cloud MTA Build Tool and Cloud Foundry CLI.

Download the Cloud MTA Build Tool:

Install the Cloud MTA Build Tool:

npm install -g mbt

Navigate to the project root folder, and build your MTA project:

mbt build -p=cf

Install CF plugin to deploy MTA applications:

cf install-plugin multiapps

Make sure you are logged into a CF org/space:

 cf login -a <api-endpoint> -o <org> -s <space>

In China you probably need to export an environment variable before you run “cf deploy” command.

export DEPLOY_SERVICE_URL=deploy-service.cfapps.<landscape-domain>


For instance:


Deploy with mtar file:

cf deploy mta_archives/cloud-cf-multitenant-saas-provisioning-sample-hands-on_1.0.0.mtar -f

More details: MultiApps CF CLI Plugin, Build and Deploy Multitarget Applications using Cloud MTA Build Tool and Cloud Foundry CLI

Step 6: Subscribe SaaS Application by a Consumer

Now, a consumer can subscribe to the application through the SAP BTP Account Cockpit.

Switch to another subaccount under the same Global Account with the multitenant application provider subaccount, you can see and subscribe to the multitenant application.

Create an instance for the SaaS Application:

Click on Create button:

Once it is subscribed, you can try to access it by clicking on the Go to Application button:

You will get a 404 error that says requested route does not exist:

In the last step, the SaaS Application Provider needs to add a new route to ensure that a consumer’s request goes to the app router.

cf map-route cf_multitenant_approuter_app --hostname trial3-tia-cf-multitenant-approuter-app

Try to clean cache and access it again:

Deploying the application again would remove all the routes required by your customers. To keep all the routes as it is, adds one parameter into your approuter application:

 - name: cf_multitenant_approuter_app
        routes: true

Try to deploy it again.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.