Amith Nair

SAP Build Work Zone: Integrate SAP S/4HANA Public Cloud content to SAP Mobile Start


A mobile application that exposes SAP’s business content on a smartphone in a safe and secure environment needs no special introduction.

In this blog, we cover how content such as roles, groups and apps from an SAP S/4HANA Public Cloud system can be federated into the SAP Launchpad service on BTP and then made available to mobile users through SAP Mobile Start.

SAP Mobile Start is a native app that serves as the mobile entry point to SAP’s business applications and content, providing users with a consumer-grade experience.


    • SAP Business Technology Platform tenant with dedicated subaccount with Administrator role
    • SAP Build Work Zone, standard edition subscription
    • SAP Cloud Identity Services – Identity Authentication with Administrator role
    • SAP S/4HANA Public Cloud with Administrator role.

1. Create a Sub Account and Enable SAP Build Work Zone:

    • In the SAP BTP cockpit, log on to your sub-account as administrator.
    • Go to Services and choose Instances and Subscriptions.
    • In the header bar, choose Create.
    • Search for SAP Build Work Zone, standard edition.
    • Choose the standard subscription plan.
    • Save your entries.

To configure SAP Build Work Zone, you need the role Launchpad_Admin. Assign it through Role Collections under Security.

2. Communication Arrangement in SAP S/4HANA Cloud

   2.1 Create Communication System:

In the Host Name field, enter the host of SAP Build Work Zone, standard edition, that is, <subdomain of your subaccount>.launchpad.cfapps.<region>


Fig1: HostName

    2.2 Create a Communication User

Create the Users for Inbound and Outbound Communication.

    • In the Users for Inbound Communication section choose Add
    • You need to select the authentication method:
      • Username and Password
    • Press New User to create a new user and you will get redirected to the Communication User app
      • Provide a username (e.g. Subaccount name with the suffix _COM_0647, which is the related communication scenario for exposing the content)

The user for my inbound communication is LPD_EXPOSURE_USR, and the user for outbound communication is set to None.

   2.3 Communication Arrangement for Exposing Content

Create a new Communication Arrangement and select the communication scenario SAP_COM_0647. The arrangement name is prefilled with SAP_COM_0647. Add _LPD_EXPOSURE as a suffix; I named it SAP_COM_0647_LPD_EXPOSURE.


Fig 2: Communication Arrangement


Protect against Clickjacking:

Add the host of your SAP Build Work Zone, standard edition as a trusted host to the allowlist.

    • Open the app Maintain Protection Allowlist.
    • Choose + to add a new host.
    • Add the trusted Host Name: <subdomain>.launchpad.cfapps.<region>
    • Schema: HTTPS
    • Port: 443

3. Runtime and Designtime Destinations in SAP BTP

  1. Destination for exposing the content: You define the location from which SAP Build Work Zone, standard edition fetches the exposed content.
  2. Destination for consuming the content: You define the location for fetching data for dynamic tiles.
  3. Destination (default) for consuming the content: You define the location for launching apps in an iFrame using a direct URL to the SAP S/4HANA Cloud UI host.

   3.1 Destination for Exposing the content.

Name: N5T_Starter_dt
Description: design-time connection
URL: https://<S/4HANACloudtenantID>
Proxy Type: Internet
Authentication: Basic Authentication
Password: ***************

Additional Properties

HTML5.DynamicDestination: true
Use default JDK trust store: Checked

   3.2  Destination for consuming the content of the runtime tiles.

Name: N5T_Starter_rt_tiles
Description: runtime tiles
URL: https://<SAP S/4HANA Cloud tenant ID>
Proxy Type: Internet
Authentication: SAML Assertion
Audience: https://<SAP S/4HANA Cloud tenant ID>
AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession

Additional Properties

HTML5.DynamicDestination: true
nameIdFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Use default JDK trust store: Checked

   3.3 Create destinations for consuming the content for launching in an iFrame.

Name: N5T_Starter_rt_apps
Description: RunTimeApps
URL: https://<SAP S/4HANA Cloud tenant ID>
Proxy Type: Internet
Authentication: No Authentication

Additional Properties

HTML5.DynamicDestination: true
sap-platform: ABAP
Use default JDK trust store: Checked
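
A consistency check over the three destinations from 3.1 to 3.3, as an added example that is not part of the original post or of any SAP tooling. The dictionaries are keyed by the field labels used in this post, the tenant host is a placeholder, and `audit` is a hypothetical helper.

```python
from urllib.parse import urlsplit

# Constructed sample: the three destinations from 3.1-3.3, keyed by the field
# labels used in this post. TENANT is a placeholder, not a real host.
TENANT = "https://my-tenant.s4hana.example"
COMMON = {"URL": TENANT, "Proxy Type": "Internet", "HTML5.DynamicDestination": "true"}
DESTINATIONS = [
    {**COMMON, "Name": "N5T_Starter_dt", "Authentication": "Basic Authentication"},
    {**COMMON, "Name": "N5T_Starter_rt_tiles", "Authentication": "SAML Assertion",
     "Audience": TENANT,
     "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession",
     "nameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"},
    {**COMMON, "Name": "N5T_Starter_rt_apps", "Authentication": "No Authentication",
     "sap-platform": "ABAP"},
]
SAML_REQUIRED = ("Audience", "AuthnContextClassRef", "nameIdFormat")


def audit(destinations):
    """Hypothetical helper: return (destination name, finding) tuples."""
    findings, hosts = [], set()
    for d in destinations:
        name, url = d.get("Name", "?"), urlsplit(d.get("URL", ""))
        hosts.add(url.hostname)
        if url.scheme != "https" or not url.hostname:
            findings.append((name, "URL is not an https:// URL"))
        if d.get("HTML5.DynamicDestination") != "true":
            findings.append((name, "HTML5.DynamicDestination is not true"))
        auth = d.get("Authentication")
        if auth == "SAML Assertion":
            findings += [(name, f"missing {k}") for k in SAML_REQUIRED if not d.get(k)]
            # In this post the Audience is the same value as the tenant URL.
            if d.get("Audience") and d["Audience"].rstrip("/") != d.get("URL", "").rstrip("/"):
                findings.append((name, "Audience differs from URL"))
        elif auth == "No Authentication" and d.get("sap-platform") != "ABAP":
            findings.append((name, "unauthenticated destination lacks sap-platform ABAP"))
    if len(hosts) > 1:
        findings.append(("*", "destinations point at different hosts"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(DESTINATIONS) or [("all", "consistent with 3.1-3.3")]:
        print(f"{name}: {finding}")
```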

4. Downloading Files from BTP for Trust Establishment

4.1 Export the SAML Metadata of the Subaccount

    • Login as Administrator in the SAP BTP Cockpit
    • Go to Security –> Trust Configuration
    • Download SAML Metadata
    • Save the Metadata File for use when setting up Trust with Identity Authentication

4.2 Export the Trust Certificate of the Sub Account

    • Login as administrator in SAP BTP Cockpit
    • Go to Connectivity –> Destinations
    • Choose Download Trust to export the file
    • Save the Metadata File for use when setting up Trust with Identity Authentication

5. Setting Up Content Consumption

     5.1 Create Communication System for consuming Content

This step is performed to establish trust with the SAP BTP subaccount using the necessary SAML2 configurations.

Create a communication system and upload the SAML certificate downloaded from the Trust Certificate of the Sub Account. Refer to step 4.2.

6. Set up Identity Management

Configure the Identity Authentication tenant as a proxy to the corporate Identity Provider (IdP) for the SAP BTP subaccount.

      a. Choose + Create to add an application Name from Application & Resources > Applications

      b. For Application Type, choose SAP BTP solution –> Save

      c. In the application you’ve created, choose SAML 2.0 configuration.

      d. Browse the file exported from SAP BTP Cockpit. All fields are pre-filled –>Save

      e. Under Subject Name Identifier, choose Basic Configuration and select the basic attribute E-Mail

      f. Choose Email as the Default Name ID format.

      g. Conditional Authentication: Choose Identity Authentication as default Identity provider.

      h. Assertion Attribute: Groups

    6.1 Create a User Group

Go to Users and Authorizations –> User Groups –> Create.

User Group

Please make a note of the Group Name.

    6.2 Export SAML Metadata of Identity Authentication

  • Access Identity Authentication Administration Console as Administrator
  • Go to Application and Resource and Choose Tenant Settings
  • Authentication–> Single Sign On –> SAML 2.0
  • Download and save the file (say) Metadata_IAS

    6.3 Set up Trust with Identity Authentication

Establish New Trust Configuration in BTP cockpit of your respective Sub Account.

  • Go to Sub Account–> Security–> Trust Configuration
  • New Trust Configuration–> Upload SAML 2.0 metadata file. Refer to step 6.2
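
Before uploading a metadata file in step 6 (d) or step 6.3, it helps to confirm what the file contains. The following is an added example, not part of the original post or of any SAP tooling: it extracts the entityID, certificate fingerprints, endpoints and NameID formats from a SAML 2.0 metadata document. `inspect_metadata` and `fingerprint` are hypothetical helpers, and the sample document and its certificate blob are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: ias.example is a placeholder and the certificate is a
# dummy blob (base64 of b"constructed-cert"), not a real X.509 certificate.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ias.example/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydA==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Location="https://ias.example/saml2/idp/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, for out-of-band comparison."""
    return hashlib.sha256(der).hexdigest()


def inspect_metadata(xml_text: str, expected_name_id: str = EMAIL_FORMAT) -> dict:
    """Hypothetical helper: summarise a metadata file and list items to review."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD in metadata: refusing to parse")
    root = ET.fromstring(xml_text)
    certs = [base64.b64decode("".join(c.text.split()))
             for c in root.iterfind(".//ds:X509Certificate", NS) if c.text]
    endpoints = [e.get("Location") for e in root.iter() if e.get("Location")]
    formats = [f.text.strip() for f in root.iterfind(".//md:NameIDFormat", NS) if f.text]
    findings = [f"non-HTTPS endpoint: {u}" for u in endpoints
                if not u.lower().startswith("https://")]
    if not root.get("entityID"):
        findings.append("no entityID")
    if not certs:
        findings.append("no certificate")
    if expected_name_id not in formats:
        findings.append("expected NameIDFormat not advertised")
    return {"entity_id": root.get("entityID"), "findings": findings,
            "fingerprints": [fingerprint(c) for c in certs],
            "endpoints": endpoints, "name_id_formats": formats}
```

Compare the reported fingerprint with the certificate of the tenant the file was downloaded from before saving the trust configuration.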

7. Generate the Credentials for Notifications

7.1 Launch SAP Build Work Zone, standard edition from your subaccount

7.2 In the site Directory, choose + Create Site.

7.3 Enter a Site name of your choice. For e.g. SAP Start.

7.4 Click the cog wheel icon to display the Settings and navigate to Notifications



 7.5 Go to Notification tab

 7.6 Choose Generate to get the credentials required to configure Communication System

(You can bookmark the URL to access SAP Build Work Zone, standard edition more quickly)

8. Setting up Notifications in SAP S/4HANA Cloud

8.1 Create Communication System using the credentials generated from Step 7.4


 8.2 Create Communication Arrangement using the communication scenario SAP_COM_0683. In the Outbound Services, Outbound HTTP Service for Notifications Publish section, make sure that Path is set to /v2 and the Port is set to the 443 default value.

9. Define SAP S/4HANA Cloud System as the content provider

  • Launch SAP Build Work Zone, standard edition from your sub-Account
  • Navigate to Channel Manager and add new Content Provider


Click on the pencil (Edit) button and enter the details below, which are taken from the destinations created earlier.



Title: Refer to your S/4HANA System ID
ID: Automatically derived from Title
Design-Time Destination: Select the destination for exposing, N5T_Starter_dt
Runtime Destination: Select the destination for runtime apps
Runtime Destination for Dynamic Data: Select the destination for fetching data for dynamic tiles
Content Addition Mode: Automatic addition of all content items

10. Import Roles

 10.1 Select Roles to Expose Content

  • Open the Maintain Business Roles app
  • Select the roles you want to expose, for example, BR_Accountant role
  • Choose Expose to SAP BTP–> Expose

The content is ready to be consumed by SAP Build Work Zone, standard edition.

Note: It takes ~2-3 minutes for the role to reflect in the site Editor.

Since we already created the site (refer to Steps 7.1 to 7.3), click the cog wheel icon to display the site Settings.


Site Directory

  • Click the ‘Edit’ button in the header and use the + Assign icon to add the roles that were included in the section Roles to Expose the Content in S/4HANA Cloud


Site Editor

11. Role Collection Mapping in SAP BTP

11.1 In your SAP BTP Account, go to the respective Sub Account and navigate to Trust Configuration under Security Tab.

11.2 Click on the Custom Identity Provider  created from step 6.3

11.3 Navigate to Role Collection Mappings

11.4 Click New Role Collection Mapping

11.5 Select the Role you have imported from Step 10

11.6 Select the attribute, in this case Groups, from step 6(h)

11.7 Select the Value as the Group Name from Step 6.1


Role Collection

12. Review the SAP Mobile Start application

  12.1 Install the app: SAP Start from the App store or Play store

  12.2 Scan the QR Code from the site: Under User Profile –> Settings –> SAP Mobile Start Application. Register (not Install)


Scan the QR Code: Register

Demo: Receiving SAP S/4HANA Cloud Workflow Notifications


SAP Mobile Start puts people at the heart of business processes — anywhere and anytime.

  • Monitor your Business from Phone Screen
  • Discover Business Content at your fingerprints
  • Stay up to date anywhere and anytime
  • Explore all of your apps in one place
  • Be Aware of Business Critical Situations
  • Take Quick Action within App using Notification Service.


Courtesy: Dennis Koehler for offering his expertise in this topic.

      1 Comment
      Saumitra Deshmukh

      Back with a Bang! Amith Nair !

      Very important and a great timing to bring this out for our Ecosystem.