What is SAP Passport?

SAP Passport is essentially a client certificate that you can obtain from SAP. It offers a secure and straightforward alternative to traditional username and password authentication. Instead of manually entering credentials or dealing with additional login prompts (such as Captchas), you can rely on your certificate to authenticate against SAP services automatically.

How to Use SAP Passport?

1. Obtain Your SAP Passport: Visit SAP Support and follow the instructions to download your .pfx certificate file (SAP Passport).
2. Store the Certificate Securely: Keep it in a safe location, and use environment variables or vaults to store the passphrase required to unlock the certificate.

Short Introduction: What is wdi5?

wdi5 is a test framework for UI5 applications running on WebdriverIO. It simplifies end-to-end testing for UI5-based solutions by providing UI5-specific commands and integration. Since version 2.1.1, wdi5 supports SAP Passport-based authentication to easily log in to SAP BTP applications without dealing with credentials or Captchas in test pipelines.

Why Use Certificate Authentication with wdi5?

When testing UI5 apps deployed on SAP BTP, you may encounter difficulties. Sometimes, a Captcha challenge appears, which cannot be automatically solved by a test runner. By using a certificate (SAP Passport), you bypass these potential manual challenges. With wdi5 v2.1.1, certificate-based logins can be automated both locally and in CI/CD pipelines, improving reliability and security for your tests.

How to Use the New wdi5 Feature for SAP Passport Authentication

wdi5 version v2.1.1 introduced new configuration options to enable certificate-based authentication against SAP BTP. You just need to provide your certificate path, passphrase, and the necessary origin and URL for the authentication flow.

Sample wdi5 Configuration (wdi5 >= 2.1.1)

// wdio.conf.js (or your WebdriverIO config)
exports.config = {
    baseUrl: "https://your-deployed-ui5-on-btp.app",
    capabilities: [
      {
        browserName: "chrome",
        "wdi5:authentication": {
          // enable certificate-based authentication
          provider: "Certificate",
          // always use "https://accounts.sap.com" as the certificate origin
          certificateOrigin: "https://accounts.sap.com",
          // the URL opened for certificate-based login (if omitted, wdi5 uses baseUrl)
          certificateUrl: "https://emea.cockpit.btp.cloud.sap/cockpit#/",
          // local path to your PFX certificate
          certificatePfxPath: "./sap.pfx",
          // passphrase to unlock the certificate (use environment variable!)
          certificatePfxPassword: process.env.SAPPFX_PASSPHRASE
        }
      }
    ],
    // ... other wdio/wdi5 config
};

Sample GitHub Workflow (Using SAP Passport)

Below is an example workflow demonstrating how to decode a base64-encoded PFX file, place it in the repository at runtime, and run wdi5 tests that authenticate with SAP BTP via certificate.

name: WDI5 Certificate Auth Tests
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  test-wdi5:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Use Node.js 22
        uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Install dependencies
        run: npm ci

      - name: Install Playwright browsers (optional, if also using Playwright behind the scenes)
        run: npx playwright install --with-deps chromium

      - name: Decode PFX file (will create a pfx file from GitHub Secret)
        env:
          SAPPFX_BASE64: ${{ secrets.SAPPFX_BASE64 }}
        run: echo "$SAPPFX_BASE64" | base64 -d > sap.pfx

      - name: Run wdi5 Tests with Certificate Auth
        env:
          SAPPFX_PASSPHRASE: ${{ secrets.SAPPFX_PASSPHRASE }}
        run: npm run test
  

Notes:

• Store your PFX file as a base64-encoded string in the repository secrets (SAPPFX_BASE64).
• Keep the passphrase in another secret (SAPPFX_PASSPHRASE).
• The certificate is written to sap.pfx only during the CI run and removed automatically afterwards.

Wrap-Up

By leveraging SAP Passport for certificate-based authentication, you can eliminate the need for manual credential input (and potential Captcha challenges) in SAP BTP test scenarios. Using wdi5 v2.1.1 makes this process straightforward and automatable in both local and CI/CD environments. Securely manage your certificate and passphrase, and you’ll have a smooth authentication flow for your automated UI5 tests on SAP BTP.

For more details, see the official wdi5 docs: SAP BTP with Client Certificate Authentication .
You can see here the commit with the new feature being introduced.