Showing results for 
Search instead for 
Did you mean: 

Best strategy to use the Ui5 application in cloud platform and odata in R/3 Gateway

Active Contributor

Hi experts,

I'm try to explain my doubt.

We have a SCP to deploy an application SAPui5 and this aplication get the data in SAP NW R/3 with Gateway using oDATA by destinations.

What is the best strategy to manage the user login?

With the team we consider a strategy through Cloud Identity Management tenand but we are not sure.

Active Contributor
0 Kudos

Can you provide details what the target audience is? Is it existing users in the R/3? Or corporate users available in i.e. Active Directory? Or do you go for a B2B / B2C audience?

Active Contributor
0 Kudos


The target audience is users that exist in R/3 without Active directory. The idea is to use SAP Cloud identity as Active directory


Accepted Solutions (1)

Accepted Solutions (1)

Active Contributor

Hello Enric,

SAP Cloud Identity Service is a cloud solution for identity lifecycle management for SAP Cloud Platform applications and can be used optionally for on-premise applications. However, in your scenario, you do ALSO connect the SAP CP to the On-Premise ABAP system. So, you should not ONLY consider the authentication of the users, requesting access to this SAPUI5, in front of the SAP CP (in case of using SAP Identity Authentication Service).

You need to consider the fact that this SAP UI5 application needs authorization in front of the AS ABAP (especially when "The target audience is users that exist in R/3 without Active directory." . In order to connect the SAP CP with the AS ABAP you do need a SAP Cloud Connector.

In other words, the call (about retrieving data from ABAP) goes from SAP Cloud Platform - SAP Cloud Connector - SAP Gateway - SAP AS ABAP . The SAP Getway will not be visible by the SAP CP unless you do use SAP Cloud Connector.

The possible authentication methods are:

  • No Authentication
  • BasicAuthentication
  • Principal Propagation
  • SAPAssertionSSO


With the SAPAssertionSSO destination an assertion ticket is created in order to propagate the currently logged-on SAP Cloud Platform user to an SAP back-end system. You can only use this authentication type if the user IDs on both sides are the same!

More details SAP Assertion SSO Authentication


With the Principal Propagation the identity of an on-demand user to the Cloud Connector, and from there – to the back-end of the relevant on-premise system. In this way, the on-demand user will no longer need to provide his/her identity every time he/she makes a connection to an on-premise system via the same Cloud Connector. More details in Principal Propagation


All in all, using (or not) the SAP Identity Authentication Service is only half of the solution. Directly answering to your question, as per definition, one can use SAP IAS as an application for administration of the S-users. I do not know your system landscape. Identity Authentication Service can connect with the following corporate user stores:

● Microsoft Active Directory

● SAP NetWeaver AS JAVA, with the following variants:

- SAP NetWeaver AS JAVA - UME

- Multiple Active Directories connected to SAP NetWeaver AS JAVA - UME

- SAP NetWeaver AS ABAP connected to SAP NetWeaver AS JAVA - UME

More details in the SAP Cloud Platform Identity Authentication Service - Administration Guide

In case you do have AS ABAP single stack only, then you can NOT use the AS ABAP user store with SAP IAS. Then it is better to use the SAP IAS (with purpose as you say "Active Directory")

In case you do have any further questions, please let me know.


Active Contributor


The answer is very useful

Answers (0)