In the SAP Integration Suite landscape, the Cloud Connector (SCC) serves as a secure bridge between on-premise systems and SAP Business Technology Platform (BTP). While basic configurations like initial setup and simple HTTP/S access are widely known, advanced Cloud Connector configurations are essential for robust enterprise-grade integrations using SAP Cloud Platform Integration (SAP CPI).
This article explores these advanced configurations to help SAP architects, integration developers, and administrators extend their CPI capabilities securely and efficiently.
SAP Cloud Connector (SCC) plays a key role in hybrid integration, enabling secure tunnel communication from SAP BTP to on-premise systems without exposing internal networks to the public internet. When working with SAP CPI, SCC allows Integration Flows (iFlows) to securely access services such as:
Let’s delve into the critical areas of advanced configuration.
Cloud Connector allows mapping one on-premise system to multiple SAP BTP subaccounts, which is useful for environments with:
Configuration Steps:
Subaccount tab
🔐 Tip: Always use role-based access control to prevent unintended exposure across subaccounts.
To ensure end-to-end user identity, especially for audit and compliance, principal propagation is essential.
Configuration Requirements:
🎯 Use Case: Propagating the identity of a CPI-triggered user to an S/4HANA system for data-level authorization checks.
Cloud Connector allows fine-grained control of which services and paths are exposed.
Example Scenarios:
/odata/v2/salesorders)
/sap/bc/gui/sap/its/webgui
Best Practices:
/sap/* in production)
In critical integration landscapes, SCC must be highly available.
Recommended Setup:
🔄 CPI Retry Logic: Ensure CPI iFlows include retry policies to handle failovers gracefully.
In complex network environments, backend systems may be accessed via internal DNS names not resolvable in CPI.
Solution:
Cloud Connector supports logging for:
Security Enhancements:
/sap/opu/odata/sap/API_PURCHASEORDER_SRV
/sap/opu/odata/sap/API_PURCHASEORDER_SRV
🎉 Result: Secure, audit-compliant integration with user-level traceability and system redundancy.
Issue: CPI cannot reach backend
→ Check: Access control list, subaccount bindings, certificate validity
Issue: Identity mismatch during SSO
→ Check: SAML configurations, IdP settings, certificate mapping
Issue: Unexpected 404 or 403 errors
→ Check: Exact resource path whitelisted in SCC, method access (GET/POST/PUT)
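The path and method checks from the access-control section and the 404/403 troubleshooting item above, as an added example that is not from the original article or from SAP: a small Python model of a resource allowlist that decides individual requests and flags entries rooted too broadly, such as /sap with sub-paths. The Resource fields, the per-resource method list and the min_depth threshold are assumptions of this model, not Cloud Connector's own data format or matching code.

```python
import posixpath
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    path: str                 # URL path exposed on the virtual host
    subpaths: bool            # True: path and all sub-paths; False: path only
    methods: frozenset = frozenset({"GET"})  # assumed per-resource method list

def _norm(path: str) -> str:
    # Drop the query string and resolve "." / ".." so traversal cannot widen a match.
    return posixpath.normpath("/" + path.split("?", 1)[0].lstrip("/"))

def decide(resources, method: str, path: str) -> str:
    """Return 'allow', 'deny:method' or 'deny:path' for one request."""
    req = _norm(path)
    path_hit = False
    for r in resources:
        base = _norm(r.path)
        exact = req == base
        # Match on a segment boundary so /API_X does not also cover /API_X_OTHER.
        under = r.subpaths and req.startswith(base.rstrip("/") + "/")
        if exact or under:
            path_hit = True
            if method.upper() in r.methods:
                return "allow"
    return "deny:method" if path_hit else "deny:path"

def audit(resources, min_depth: int = 3):
    """Flag sub-path entries rooted too close to '/' (for example /sap)."""
    findings = []
    for r in resources:
        depth = len([s for s in _norm(r.path).split("/") if s])
        if r.subpaths and depth < min_depth:
            findings.append(r.path)
    return findings

# Constructed allowlist: one tight entry using the page's path, one broad entry to flag.
ALLOWLIST = [
    Resource("/sap/opu/odata/sap/API_PURCHASEORDER_SRV", True, frozenset({"GET", "POST"})),
    Resource("/sap", True, frozenset({"GET"})),
]
TIGHT = ALLOWLIST[:1]

if __name__ == "__main__":
    print(audit(ALLOWLIST))
    print(decide(TIGHT, "PUT", "/sap/opu/odata/sap/API_PURCHASEORDER_SRV"))
```

With only the tight entry, a request for the WebGUI path is denied on path; with the broad /sap entry present it is allowed, which is what the audit is meant to surface before production.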
Advanced Cloud Connector configurations empower organizations to scale and secure their CPI-based integrations. By mastering areas such as identity propagation, high availability, and fine-grained access control, integration specialists can ensure resilient, secure, and compliant enterprise-grade solutions.
As SAP Integration Suite continues to evolve, keeping Cloud Connector configurations aligned with architectural best practices is not just an option—it's a necessity.