How to enable Basic Authentication for Cloud Integration on SAP Cloud Foundry


This blog describes how to set up inbound communication using Basic Authentication when using SAP Cloud Integration in the Cloud Foundry environment, as this is very different to setup in a Neo environment.

WIT 20220531 101449web

Cloud Integration on Neo does not (yet) have an end of life, but SAP is now only delivering new integration tenants on Cloud Foundry. SAP would prefer all clients to migrate to Cloud Foundry as soon as possible. Also, going forward, new features will be delivered first in Cloud Foundry environments, so now is a good time to get started with Cloud Foundry.

In a Neo Environment, it was possible to consume an integration flow (iFlow) using Basic Authentication with a SAP S- or P-user. This user needed to be provided with the necessary predefined role ‘ESBMessaging.send’ or a user-defined role with the role being assigned to the iFlow. Configuration appeared as follows:

Blog 1

In a Cloud Foundry Environment, this has changed. The preferred authentication methods are now Client Certificates or OAUTH2 tokens. While Basic Authentication remains possible, this is no longer recommended for production use. Moreover, using a S- or P-user will no longer work. Instead, you will need to generate credentials in a Cloud Foundry service instance.

Nonetheless, there are instances in which you may want to use Basic Authentication. Perhaps you need to run a test from an API test tool. Or perhaps you just need something short-term that is more simple than the recommended methods. This blog will explain the steps necessary to generate and use the credentials required for a Cloud Foundry service instance. Let’s get started!

Related References:

Secure iFlow with User Role authorization

Optional: Create user-defined role

It is possible to secure an integration flow with a user-defined role instead of using the predefined ESBMessaging.send role. The following explains how.

In the Cloud Foundry environment, a monitor exists in the Cloud Integration monitoring to maintain user roles.

Open the ‘User Role’ monitor in the ‘Manage Security’ section in the ‘Monitoring’ section in the Cloud Integration tenant.

Create a new role by selecting the ‘Add’ option.

Blog 2

In the creation dialog, enter the ‘Role Name’ and a ‘Role Description’.

Blog 3

This will result in the following.

Picture4 1

Configure Sender Channel Authorization Option

Next, you must configure ‘User Role’ as the authorization option in the sender channel in the integration flow.

Blog 4

The default role provided by SAP is ESBMessaging.send. This role can be used if no additional integration flow-specific authorization checks are needed. If only specific users should be allowed to send messages to this integration flow, you can enter your own role. (See above how to create this custom role).

Blog 5
Blog 6

Create Service Instance and Service Key

With a service instance, you define how to access a certain SAP Business Technology Platform (BTP) service.

In the context of SAP Cloud Integration, a service instance is the definition of an OAuth client.

However, during runtime, no access token is retrieved from the token server. Instead of an access token, the

‘clientid’ and ‘clientsecret’ values from the service key are used as the user credentials to access the integration flow endpoint.

As a pre-requisite, make sure your sub-account is entitled to Process Integration Runtime, as follows:

Blog 7

And that your sub-account has Cloud Foundry enabled, and a space created:

Blog 8

Now you can create the a new Service Instance in the SAP BTP Cockpit: Services -> Instance and Subscriptions -> Create

Blog 9
Blog 10

For the required basic info, provide the following information:

  • Service: Process Integration Runtime
  • Plan: Integration-flow (API is also possible if you want to create client credentials for API management instead of Cloud Integration).
  • Runtime Environment: Cloud Foundry
  • Space: Select your created Cloud Foundry space (for example DEV)
  • Instance Name: Provide a CLI-friendly name for the service instance

Note: SAP recommends using a CLI-friendly name to enable managing your instances with the SAP BTP command line interface as well. A CLI-friendly name is a short string (up to 32 characters) that only contains alphanumeric characters (A-Z, a-z, 0-9), periods, underscores, and hyphens. Your instance name can't contain white spaces if you want your instance name to be CLI-friendly.

Blog 11

For the instance parameters, provide the following information:

  • Grant-Type: Client Credentials
  • Roles: Either use the pre-defined standard role ESBMessaging.send or replace it with your own user-defined role:
Blog 12

Note: There is no drop-down selection possible for ‘Roles’. You must use exactly the same name as was created earlier in the User Role monitor!

Next step is to create a service key by selecting the instance. Under ‘Service Keys’, press ‘Create’:

Blog 13
Blog 14

Provide a ‘Service Key Name’ and for ‘Key Type’ select ‘ClientID/Secret’.

I recommend providing a meaningful name here. For example, you could include the external party with whom you will share these authentication credentials. This will help you to easily determine the purpose of these keys later on.

Once the service key is created (it can take some minutes), press the ‘View Credentials’ button and you will be able to retrieve the generated ‘clientid’ & ‘clientsecret’ that can be used for authentication.

Blog 15
Blog 16

‘clientid’ corresponds to the basic authentication username and ‘clientsecret’ to the password.

Here are example Basic Authorization details to use in SOAPUI :

Blog 17

Note: You should create a service instance per (user-defined) Authorization Role.

For each service instance, you can create multiple service keys, allowing you to secure an iFlow with a specific user role and create several basic authentication secrets which you can share with the iFlow consumers.


And that’s it! You should now be able to successfully generate and use Basic Authentication credentials for inbound communication when using SAP Cloud Integration in the Cloud Foundry environment. While Client Certificates or OAUTH2 tokens are now the methods of authentication recommended by SAP, Basic Authentication can still be useful… as, I hope, was this article!

About the author

Photo of Peter Permentier
Peter Permentier

Peter Permentier is Senior SAP Basis & Integration Consultant at Expertum. He has more than 22 years of experience in SAP Technical Consulting. Within Expertum he takes the lead in everything related to interfacing, focusing on SAP PI/PO and CPI.

Read more articles by Peter Permentier

Related articles