Hello Everyone,

After analyzing and successfully implementing Custom Domain Service in SAP Build Work Zone, Standard Edition, I’m writing this blog to share my learnings. This post explains the concept of Custom Domain Service in SAP BTP and provides end-to-end steps to configure and use it with SAP Build Work Zone.

This blog will help you get started with SAP Custom Domain Service in SAP BTP Build Work Zone (Standard Edition).

Business Requirement

Our client required the use of a custom (client-specific) domain instead of the SAP standard domain.

By default, when accessing an SAP Build Work Zone site, the URL looks like this:

https://<SubAccount>.launchpad.cfapps.<DataCenter>.hana.ondemand.com/site/<site-alias>#Shell-home

(Here, we are using SAP Build Work Zone – Standard Edition.). We can use it for advanced edition too.

The requirement was to replace this with a client-friendly URL, for example:

https://abc.com  
OR  
https://abcservices.abc.com

We initially tried redirecting traffic from
https://abcservices.abc.com to the SAP BTP Work Zone URL.
However, this approach didn’t meet the requirement because:

• Network-level redirection works, but

• The browser address bar changes to the SAP BTP URL,

• The client URL (https://abcservices.abc.com) is no longer visible.

To solve this, we implemented SAP Custom Domain Service.

Prerequisites

Before starting the configuration, ensure the following prerequisites are met:

1. Enable Custom Domain Service

Add Custom Domain Service to your subaccount with the Standard plan.

Note: Another plan exists but is deprecated at the time of writing this blog.

SAP Help Document:
https://help.sap.com/docs/custom-domain/custom-domain-manager/initial-setup

Below is the screen shot from sub account for reference:

Please note SAP will charge based on how many certificate you have uploaded in the Cusotm Domain Manager irrespective of Number of Custom Domain.

2. Finalize Reserved and Custom Domains

Finalize your reserved domain and custom domains in advance.

Do’s:

• Do not rush this step. 

• Finalize domains separately for Non-Prod (DEV & QA) and Prod subaccounts.

• Changing domains later can be complex and time-consuming.

Dont’s:

• Do not signed the CSR form Trusted CA authority because it involved cost and time. 
• If possible dont configure the Non Prod and Prod Custom domain in single custom domain manager because it will mess the things. Try to keep the Custom Domain Service for Production seperately.
• Dont configure the Custom Domain Manager for Production untill you get success in the Non Prod environment.
•  

3. Runtime Destination Naming

Ensure the runtime destination names are finalized as per project standards, as these are referenced by applications.

Implementation Steps

Step 1: Define a Default Site

A default site is the site that opens when no site ID is specified in the URL.

Key points:

• A default site is configured per custom domain.

• It does not affect all domains in the subaccount.

• A custom domain can be mapped to only one entry point, which is why it’s mapped to the default site and not to a specific site. Below is the screen shot of the default site:

Step 2: Identify the Reserved Domain

The reserved domain should be the parent domain, for example:

abc.com or abcservices.abc.com

The custom domain is created using the reserved domain, such as:

wz.abcservices.abc.com

Step 3: Define Custom Domains for Applications

Create custom domains for the following applications as needed:

1. SAP Build Work Zone

2. On-Premise Backend Systems (S/4HANA, CRM, BW, etc.) – Optional

3. Identity Authentication Service (IAS) – Optional

IAS works with the SAP standard domain by default. A custom domain for IAS is optional.

IAS Considerations

In our case, we did not configure a custom domain for IAS because:

• IAS requires a separate CSR and CA-signed certificate.

• This involves additional cost.

• Wildcard certificates used in Custom Domain Manager do not work for IAS.

Reference Documents:

• https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/use-custom-domain-in-ident...

• https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/regional-availability?vers...

Step 4: Configure Custom Domain Manager

Add the reserved domain and custom domains in Custom Domain Manager.

Required Roles:

Assign the following roles to the user (Default or Custom IAS):

• Custom Domain Administrator – Manage configurations

• Custom Domain Viewer – View configurations

Once roles are assigned, you can access Custom Domain Manager from the subaccount.

Step 5: Create SaaS Routes

Create a SaaS route for each custom domain.
These routes act as redirection endpoints for:

• SAP Build Work Zone

• Backend systems (if applicable)

Step 6: Create TLS Configuration

Create a TLS configuration for secure communication.

SAP Help Document:
https://help.sap.com/docs/custom-domain/custom-domain-manager/manage-tls-configurations

Step 7: Generate CSR (Certificate Signing Request)

Generate a CSR from Custom Domain Manager and get it signed by a trusted Certificate Authority (CA).

CSR Generation Options

Option A: Individual Certificates
Generate one CSR per domain, for example:

• s4.abcservices.abc.com

• crm.abcservices.abc.com

• bw.abcservices.abc.com

Option B: Wildcard Certificate
Generate a wildcard CSR:

CN: *.abcservices.abc.com  
SAN: *.abcservices.abc.com, abcservices.abc.com

Certificate Signing Guidelines

• Internal network → Internal CA is acceptable and all the applicaiton will work.

• Public access → Internal CA will cause browser warnings as below and navigation to the backend 

• 

   

  Use a trusted CA like DigiCert if you want to access the custom domain publically.

   

Important Notes:

• Verify CN and SAN before submitting CSR.

• Certificates are valid only for the Custom Domain Manager instance from which the CSR was generated.

• Non-Prod certificates cannot be reused in Prod.

• We have generated the Wild Card Certificate for Production and Single Certificate (Included all SAN) for Non Prod System. Below is the Certificate Screen shot:

DigiCert Reference:
https://docs.digicert.com/en/certcentral/manage-certificates/reissue-an-ssl-tls-certificate.html

(Optional) IAS CSR Generation

Wildcard certificates do not work for IAS.
A separate CSR and certificate are required.

We skipped IAS custom domain due to additional cost and renewal overhead.

Step 8: Upload and Activate Certificate

Once signed, upload the certificate to Custom Domain Manager.

The certificate package includes:

• Actual certificate

• Intermediate certificate

• Root certificate

Certificate Chain Format

Actual Certificate  
+ Intermediate Certificate  
+ Root Certificate

Tips:

• Combine the full chain in a text file.

• Remove extra spaces or blank lines.

• Activate the certificate after upload.

Once activated:

• Certificate expiry days are visible.

• Renewal can be planned proactively.

Final Result

After successful activation, SAP Build Work Zone is accessible using the custom domain:

https://wz.abccompany.company.com

Errors that can occur: After all the configuration, If you stuck in the IAS authentication while accessing the work zone and getting the below error then add the custom domain in the IAS application:

Add you custom domain in the following path in the IAS if not came automatically:

Login to IAS -> Applications & Resources -> Applications -> Select the Application of Build Work Zone -> Single Sign On -> OpenID Connet Configuraiton and then in the Redirect URIs andPost Logout Redirect URIs section add the URl as https://*.abcservices.abc.ae/** (Your custom domain so that IAS will trust this domain)

Conclusion

I hope this blog helps you understand the Custom Domain Service concept and implement it successfully in SAP Build Work Zone projects.

Happy learning and implementing! 🚀

Regards,
Rohit Gera