SAP BTP Platform Technical User for CTMS Integration


Introduction:

In SAP BTP environments integrated with SAP Identity Authentication Service (IAS), technical users are often required for:

- Platform automation
- CI/CD integrations
- Destination-based authentication
- Cloud Foundry access
- API consumption

This blog explains the step-by-step process to create and configure a BTP platform technical user authenticated via IAS and used with OAuth2Password authentication in destination configuration.

In this setup:

- IAS acts as Custom Identity Provider
- Technical user is created in IAS
- User is added to BTP subaccounts (Org & Space level)
- OAuth2Password flow is used for authentication
- CTMS Destination is configured using CF login endpoint

Creating a Technical User in IAS tenant:

Log in to the IAS Admin Console:

- Go to Users
- Click Add User
- Maintain:
  - Username (e.g., CTMSADM)
  - Dummy Email ID (must be verified)
  - Strong password

Add Technical User to BTP Subaccounts

In SAP Business Technology Platform cockpit:

- Go to Global Account
- Navigate to Subaccount
- Choose Custom IAS IDP
- Add user to:
  - Org
  - Space
  - Required Role Collections

Add the IAS technical user to the org and space of all subaccounts, choosing the custom IAS IDP.

After adding the user in all subaccounts, log in to the CF URL below with the technical user:

https://login.cf.sa30.hana.ondemand.com/

Before configuring this user in the destination, make sure that you are able to log in at the above URL.

Enter the origin key of your custom IDP and log in; this takes you to the IAS sign-in page.

Successfully logged in

Now update the CTMS destination authentication to OAuth2Password.

Maintain the client ID as cf; the secret should be empty.

Token service URL = https://login.cf.sa30.hana.ondemand.com/

Add the additional property origin; its value should be the origin key of your platform user IDP.

Now the destination for the Deploy service will work as expected with the technical user created in IAS.
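A scripted form of the login pre-check above, added here as an example and not part of the original post: it builds the password-grant request for client cf with an empty secret and checks that the returned token really comes from the custom IDP. The /oauth/token path and the login_hint parameter are standard Cloud Foundry UAA behaviour; the origin key my-ias-platform, the function names and the sample tokens are assumptions made for illustration.

```python
import base64, json
from urllib.parse import urlencode, urljoin
from urllib.request import Request

def build_password_grant(login_url, user, password, origin_key):
    """Build (without sending) the UAA password-grant request for client 'cf'."""
    form = urlencode({
        "grant_type": "password",
        "username": user,
        "password": password,
        # UAA picks the identity provider from this JSON hint (the origin key)
        "login_hint": json.dumps({"origin": origin_key}),
    }).encode()
    basic = base64.b64encode(b"cf:").decode()  # client ID cf, empty secret
    return Request(urljoin(login_url, "oauth/token"), data=form, method="POST",
                   headers={"Authorization": "Basic " + basic,
                            "Accept": "application/json"})

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token, expected_user, origin_key):
    """Return findings; an empty list means the token belongs to the technical user."""
    claims, findings = jwt_claims(token), []
    for name, want in (("origin", origin_key), ("user_name", expected_user),
                       ("client_id", "cf")):
        if str(claims.get(name, "")).lower() != want.lower():
            findings.append(f"{name}={claims.get(name)!r}, expected {want!r}")
    return findings

def constructed_token(claims):
    """Unsigned sample token so the check can be exercised offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join((enc({"alg": "none"}), enc(claims), "constructed"))

if __name__ == "__main__":
    ORIGIN = "my-ias-platform"  # placeholder origin key (assumption)
    req = build_password_grant("https://login.cf.sa30.hana.ondemand.com/",
                               "CTMSADM", "<password>", ORIGIN)
    print(req.get_method(), req.full_url)
    # Live check: json.load(urllib.request.urlopen(req))["access_token"]
    good = constructed_token({"user_name": "ctmsadm", "origin": ORIGIN, "client_id": "cf"})
    # Constructed failure case: token issued via the default SAP ID service origin
    bad = constructed_token({"user_name": "ctmsadm", "origin": "sap.ids", "client_id": "cf"})
    print(check_token(good, "CTMSADM", ORIGIN))
    print(check_token(bad, "CTMSADM", ORIGIN))
```

If the live request fails while the browser login succeeds, the user is usually missing from the org or space under the custom IDP origin, which is the same condition that would break the destination.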

Why Enable Technical User in IAS?

1) Secure Platform Automation

Allows:

- Background jobs
- API integrations
- Deployment pipelines
- Destination authentication

Without exposing human credentials.

2) Clear Separation of Duties

Separates:

- Human Users
- Service Accounts

This is critical for:

- Audit compliance
- SOX / ISO controls
- Security governance

3) Controlled Access

You can:

- Assign minimal role collections
- Restrict space-level access
- Monitor login activity

4) Centralized Identity Management

Since IAS is the trusted IDP:

- All authentication flows through IAS
- Password policies enforced centrally
- User lifecycle managed in one place

Conclusion:

Enabling a dedicated technical user through SAP Identity Authentication Service for SAP Business Technology Platform integrations ensures a secure and scalable approach for automation scenarios. By separating service accounts from human users, organizations can enforce stronger security controls, simplify identity management, and maintain compliance with enterprise governance standards.

This approach is particularly useful for integration scenarios such as CI/CD pipelines, CTMS transport automation, API-based integrations, and destination authentication within Cloud Foundry environments. By implementing technical users with minimal required privileges and centralized authentication via IAS, administrators can ensure both operational efficiency and improved security posture across their BTP landscape.

 

