Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 


With the opportunity to use the Cloud Platform Integration (CPI) as subscription on the Cloud Foundry (CF) environment, we've the ability to connect the CPI to Enterprise Messaging Service (EMS) and connect events with iFlows. Because the Strategy of SCP is moving to the CF, I do recommend to think about a migration in the next years 😉

In this small post I want to show the way to go to get a inbound-user for calling iFlows from external service providers (in our case, it's PostMan ?).


  • Be sure to be have already subscribed to the CPI service on a CF subaccount and be a member of the subaccount to be able to create spaces and service-instances inside spaces

  • Create or use an existing space, to be ready to bind service-instances of CPI

  • Be able to connect to other resources (like S/4 HANA tenants) by using tile "Security Material" @ CPI. There I did deploy credentials for our S/4 HANA tenant (e.g. S4HANA_SANDBOX)

  • Create a simple iFlow (in this post I read costcenters with simple oData stuff) and deploy this iFlow


Let's go

We have to understand first that we need an oAuth client to receive messages from external resources with CPI on CF. In the NEO environment we had to create S-Users or use the Identity Authentication Service (IAS) as identity provider (find Hoangs post for details).

This oAuth client will be deployed to an instance of a CF-Space. For every new service user we do have create a new instance of this service.


Open the CPI in Cloud Foundry and go to the new tile "User Roles":

There you find one default delivered role by SAP, known from the NEO environment: "ESBMessaging.send"


You can create own user roles - I did to restrict access just for iFlows for germany.

You're able to restrict access to iFlows by providing them inside the "adapter specific" tab of your oData call:


Go to a already deployed space (I named this one "INTEGRATION_TOOLS") of your subaccount (in my case: "STAGE_CF") and open "Service Marketplace":


Find and click on "Process Integration Runtime"

Note: If you do not find this tile for the Process Integration Runtime, check the subscription in the subaccount and the connection to an service plan / entitlement.


Click "Instances"

-> Create "New Instance"

-> Choose a service plan

-> At "Specific Parameters" we need to provide the access method and the roles for this oAuth client as a json string:

{"roles": ["ESBMessaging.send"]}

Note: In my use case I did create a second role, called ESBMessaging_DE. Change the value of your json here, if you provided your own role in the CPI.

Grant-types refer to different options, provided by SAP for this oAuth Client:

If you enter grant-type client_x509, make sure that you exclusively use this option.

The list of supported grant-types is: refresh_token, urn:ietf:params:oauth:grant-type:saml2bearer, client_credentials, password, authorization_code, user_token, client_x509.

Find more details about this here

Example for certificate based oAuth client:

{"roles": ["ESBMessaging.send"],"grant-type": ["client_x509"]}

-> Do not bind your instance to an application

-> Provide a name of your instance, like "cpi-user-secret" or "cpi-instance" and press "finish"


-> Wait till the instance is "Created" and go inside the instance by clicking on the name of the instance

-> "Create Service Key" to create a new pair of credentials (provide a name of the service key and finish it)

-> Your "Service Key" will appear and show you the credentials of your oAuth client:

Use the clientID as user and the clientSecret as password for accessing the API from external.

Note: You can create as many "Service Keys" as you want. But unfortunately, they have all the same user and secret ?

For every new oAuth client you need to create a new service-instance. So do not create multiple "Service Keys", create instances!

Final testing:

Open postman and provide the Endpoint of your iFlow.

Use the clientId and the clientsecret for "BasicAuth":

That's it - you're ready to go and you're ready to test your iFlows with postman!

Labels in this area