Skip to Content
Technical Articles
Author's profile photo Raja Gupta

How to Become Expert in SAP BTP Security– A Complete Learning Journey


There is no doubt that security is the MOST critical topic for any organizations.  Nowadays organizations cannot afford to have any security issues in their solutions. Specially in cloud world, it is extremely important to bridge the gap between development and security.


In my previous blog series Fundamentals of Security in SAP BTP, we learnt how an SAP BTP developer or administrator can onboard themselves on topics related to SAP BTP security.

In this blog, I will provide a complete learning journey to become expert in SAP BTP security. If you are an SAP BTP developer, architect, administrator, or consultant and looking for a complete guided path on how to become expert in SAP BTP security, this blog is exactly for you.


What are the prerequisites to learn SAP BTP Security?

Before you start learning security aspect of SAP BTP, you must gain basic understanding of what SAP BTP is and how to build application on SAP BTP. If you are completely new to the topic, go through below resources to learn basics of SAP BTP.


What is SAP Business Technology Platform (SAP BTP)?

Explaining SAP Business Technology Platform (SAP BTP) to a Beginner


How do I get free access to SAP Business Technology Platform?

Now that you know what SAP BTP is, the next task should be getting a system and explore further.

If you are an SAP partner or customer, you can get started with SAP BTP for free with the Pay-As-You-Go plan. A step-by-step tutorial is also available on how to create SAP BTP account and use.

If you are a student or learner, you can get a free SAP BTP trial account. You may also look into other SAP BTP related product trials.


Note: Don’t overload yourself to become SAP BTP expert before learning security topics. You can parallelly learn SAP BTP while gaining expertise on security.


Let’s start!


Step 1: Get your basics right – Learn fundamentals of SAP BTP Security

If a security professional (or a security code scanner) tells you – “Make sure you Stop SQL injections!”.  And you immediate next thought is – “What the hell is SQL injection?”.

Or if you say – “I don’t know OAuth, but I will follow the step-by-step guide to implement it.”

Then – Be 100% sure that your solution will not be fully secure.


Although the implementation might be different across different platforms and languages, there are few basic concepts which are always same. Don’t be too focused on implementing security that you skip the basic concepts behind it. Before implementing security, you should learn these concepts. For example:

  • What is SAML?
  • How does OAuth work?
  • How Does Single Sign-On (SSO) Work?
  • What is XSUAA?
  • Why do we need App Router in SAP BTP?
  • etc.

Go through below materials to get your basics right!


Once you finish the theory, it would great to put it onto action. Complete few hands-on to develop a secure application in SAP BTP.

If you want to quickly proceed to next topics, at least complete the first hands-on from below list.


Step 2: Become Expert in SAP BTP Security

Once you finish the fundamental topics, it’s time to go in-depth in SAP BTP Security. Go through below materials to become expert.


SAP Cloud Identity Services

SAP Cloud Identity Authentication service (IAS) and SAP Cloud Identity Provisioning service (IPS) are now part of the product SAP Cloud Identity Services. SAP has combined them under one official product name, but technically they are independent services.



SAP Cloud Identity Authentication service (IAS) enables single sign-on for SAP cloud business. It serves in principle two fundamental usage scenarios:

  • It can act as an identity provider (IdP) that validates user’s credentials and offers single sign-on for relying parties
  • It can act as a proxy for integration into an already existing single sign-on infrastructure with a corporate IdP.

To know more about it, check SAP Cloud Identity Services – Identity Authentication


SAP Cloud Identity Provisioning service (IPS) enables user data synchronization between different SAP applications. For example: If a company uses SAP SuccessFactors, they would like for every new employee created in SAP SuccessFactors to automatically have a user in Identity Authentication, so they can access SAP S/4HANA cloud. Many SAP cloud solutions come pre-integrated with this service and SAP continues to expand this list of applications.

To know more about it, check SAP Cloud Identity Services – Identity Provisioning


SAP Cloud Application Programming Model (CAP)

SAP Cloud Application Programming Model is

  • Not a specific product but a framework, a set of tools, languages, and libraries.
  • It brings together SAP’s own technologies like SAP Business Application Studio, Core Data Services (CDS), SAP HANA and open-source technologies like Node.js or Java
  • And lets you efficiently and rapidly build enterprise services and business applications in a full-stack development approach



CAP offers out-of-the-box support for security implementations. It does not require you to manually code for authorization while still gives you flexibility to design in your way.

If you are developing a full-stack enterprise application on SAP BTP, SAP highly recommends using CAP.

To know more about it, check below materials:


SAP Credential Store

SAP Credential Store service provides a repository for passwords, keys and keyrings for applications that are running on SAP BTP.

It enables the applications to retrieve credentials and use them for authentication to external services, or to perform cryptographic operations and TLS communication. SAP Credential Store is exposed to the applications via a REST API.

To know more about SAP Credential Store, check below materials:


SAP Custom Domain Service

SAP Custom Domain service allows subaccount owners to make their SAP BTP applications accessible via a custom domain that is different from the default one ( – for example

To know more about it, check below materials:

SAP Custom Domain Service – help page

SAP Custom Domain Service – Discovery Center


Step 3: Stay Updated on SAP BTP Security

SAP BTP is an evolving technology. Once you become expert on SAP BTP security, it is a good idea to be updated on latest changes and innovations. Once in a while, you may look into below resources to stay current.


Join the community for SAP security products and solutions. Here you can also find expert content such as blogs, how to guides and many more on SAP BTP Security topics.

Subscribe to the SAP newsletter to stay informed about the latest news on SAP’s portfolio of security products and upcoming events.



I believe this blog would have helped you to design your learning journey for SAP BTP Security. If you have any question, or if you think I have missed any important topic, please let me know in the comment.


If you have any queries, let me know in comment or get in touch with me at LinkedIn!


If you are looking for a end-to-end guide on SAP BTP and it’s core capabilities, you may look into SAP’s free learning content on SAP BTP. It is made for both integration designers and extension developers from all levels of expertise and will help you stay up to date with the latest SAP BTP innovations.


Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Tushar Maheshwari
      Tushar Maheshwari

      Well Explained. Thank you Raja.

      Author's profile photo Raja Gupta
      Raja Gupta
      Blog Post Author

      Tushar Maheshwari thanks! Glad it helped.

      Author's profile photo Ramin Shafai
      Ramin Shafai

      Great information. Thanks.

      What about user roles?... I understand IAS can provide central Authentication and SSO. But what about Authorizations?

      To use your example, a new user in SuccessFactor can SSO into BTP. But what are they going to see when they log into BTP? What tiles will be available to them in BTP's Launchpad Services?

      How does BTP provide users with role-based content if the user roles are in the end-applications (like SuccessFactor, Ariba, Concur)?



      Author's profile photo Raja Gupta
      Raja Gupta
      Blog Post Author

      Hi Ramin Shafai ,

      First of all, very interesting way to put the question, using the edited image 😀

      There are different scenarios possible and each scenario requires different approach. Let's say a customer has an S/4HANA Cloud, SuccessFactors and BTP system. Customers can have only one IAS tenant. Hence all the SAP cloud solution as well as BTP will be integrated with same IAS tenant. Now, IAS itself has capabilities to have user details including roles, user group etc. While implementing SSO and application security, we can map a BTP role collection to user group based on which user authorization works.
      If customer wants to integrate, say S/4HANA Cloud APIs with BTP app, then we can use principal propagation in destination to forward the user details securely from BTP App to S/4HANA system.
      In case of SuccessFactors, there might be requirement of user data synchronization. For example, if a customer is using SAP SuccessFactors, and would like for every new employee created in SAP SuccessFactors to automatically have a user in Identity Authentication, so they can access SAP S/4HANA cloud. OR, you would like to provision or deprovision user attributes. Say a user has been promoted from employee to manager in SuccessFactors and corresponding privileges should be provisioned to the user in IAS.  For this, you may use SAP Cloud Identity Service - Identity Provisioning service
      In case, you just need to just configure SuccessFactors with IAS without putting SAP BTP in between, check this blog -


      Author's profile photo Ramin Shafai
      Ramin Shafai

      Thanks Raja. I have much reading to do 🙂

      Author's profile photo Vincent DOUX
      Vincent DOUX

      Hi all,

      In addition to  SAP Cloud Identity Service - Identity Provisioning service please be aware that SAP also propose the cloud solution SAP Cloud Identity Access Governance  that integrate with SAP OP and Cloud applications and propose additional features: user access request form, approval workflow and automated provisioning for application roles, access risk analysis (segregation of duties), Business role management and Privilege Access Management.

      Please find here the currently supported integration scenarios

      SAP Cloud Identity Access Governance propose a standard integration scenario with SAP SuccessFactors to be able to govern multiple applications role assignment to user based on the employee assignment to position in SuccessFactors:




      Author's profile photo Ramin Shafai
      Ramin Shafai

      Thanks for the information Vincent.