Version: 2.0.0

Install / Deploy

Prerequisites

Before deploying IWA, ensure the following are available and configured:

| Dependency | Purpose |
| --- | --- |
| SAP BTP Global Account & Subaccount | Hosts the IWA application runtime; the target subaccount must be created with sufficient Cloud Foundry quotas. |
| SAP HANA Cloud — HDI Container | Required entitlement for the application database schema. |
| XSUAA | Authorization & Trust Management service instance for authentication. |
| Destination Service | Required for external connectivity. |
| SAP BTP CIS (Cloud Identity Services) | Used for source group detection, role collection mapping, and automated user provisioning/deprovisioning. |
| Azure Active Directory (Azure AD) | External identity source for federated user onboarding and authentication. |
| SAP Authentication Service (IAS) | Provides the login page gateway for all IWA users. |
| Application Logging | (Optional) For runtime log collection. |
| Auto Scaler | (Optional) For dynamic scaling. |
| MTAR artifact | The IWA deployment package, ready for CF CLI or CI/CD pipeline deployment. |

Resource Requirements

The IWA 2.0 backend application requires 1.28 GB of disk space and memory.


Deployment Architecture

IWA is deployed on SAP BTP and integrates with the following identity and access systems:

  ┌─────────────────────────────────────────┐
  │             IWA Application             │
  │            (SAP BTP Runtime)            │
  └───────┬───────────────────────┬─────────┘
          │                       │
┌─────────▼─────────┐  ┌──────────▼──────────┐
│    SAP BTP CIS    │  │    Azure Active     │
│  (Source Groups,  │  │      Directory      │
│ Role Collections) │  │  (User Federation)  │
└───────────────────┘  └─────────────────────┘

┌─────────▼──────────┐
│ SAP Authentication │
│  Service (Login)   │
└────────────────────┘

A single MTAR package is deployed per environment. The MTAR contains:

  • Java service module
  • DB deployer module
  • HANA HDI container resources

Multi-Schema Strategy: A single application instance supports multiple logical environments (e.g., DEV, QA, DEMO) by routing requests to different HANA schemas. Multiple HDI containers are bound to the same application — each container represents one logical environment. The target schema is selected at runtime based on an HTTP request header.


Runtime Request Flow

Each API request is processed in the following order:

  1. Client sends a request with an environment header (Env).
  2. Spring Security validates authentication via XSUAA.
  3. The environment interceptor reads the header and sets the DB context (schema).
  4. The RBAC interceptor evaluates module, feature, and API-level access.
  5. Hibernate connects to the selected schema.
  6. Response is returned to the client.

Note: In Production, no environment header is required; the application defaults to the production schema. The header is only needed in multi-schema CAF environments (DEV / QA / DEMO).
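
Because the Env header read in step 3 is supplied by the client, the schema should be chosen by looking the value up in a fixed allow-list and rejecting everything else. The following is an added example, not IWA's own code; the class name, the environment keys and the schema names are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public final class EnvSchemaResolver {

    // Constructed names for illustration; real schemas come from the bound HDI containers.
    private static final String PRODUCTION_SCHEMA = "CW_IWA";
    private static final Map<String, String> SCHEMA_BY_ENV = Map.of(
            "DEV", "CW_IWA_DEV",
            "QA", "CW_IWA_QA",
            "DEMO", "CW_IWA_DEMO");

    private EnvSchemaResolver() { }

    /**
     * @param envHeaderValues every value received for the Env header (empty if absent)
     * @param production      true when the instance serves production only
     * @return the schema to use, or empty when the request must be rejected
     */
    public static Optional<String> resolve(List<String> envHeaderValues, boolean production) {
        if (production) {
            // Production never routes by header, so a client-sent Env value is ignored.
            return Optional.of(PRODUCTION_SCHEMA);
        }
        if (envHeaderValues == null || envHeaderValues.size() != 1
                || envHeaderValues.get(0) == null) {
            // Missing or repeated header is ambiguous: fail closed, no default schema.
            return Optional.empty();
        }
        String key = envHeaderValues.get(0).trim().toUpperCase(Locale.ROOT);
        // Map lookup only: header text is never concatenated into a schema name or SQL.
        return Optional.ofNullable(SCHEMA_BY_ENV.get(key));
    }

    public static void main(String[] args) {
        // Constructed requests: valid, unknown value, repeated header, production.
        System.out.println(resolve(List.of("qa"), false));
        System.out.println(resolve(List.of("CW_IWA"), false));
        System.out.println(resolve(List.of("DEV", "QA"), false));
        System.out.println(resolve(List.of("DEV"), true));
    }
}
```

A caller would turn an empty result into an HTTP 400 response before the RBAC interceptor and Hibernate run.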


Deployment Steps

Step 1 – Verify Subaccount & Space

  1. Log in to your SAP BTP Cockpit.
  2. Navigate to the target Subaccount and confirm it is active.
  3. Ensure the Cloud Foundry environment is enabled and the CF space exists with sufficient quotas.
  4. Confirm all required entitlements (HANA Cloud, XSUAA, Destination Service) are assigned.

Step 2 – Set Up SAP Authentication (XSUAA / IAS)

  1. Create or bind an Authorization & Trust Management (XSUAA) service instance, or configure SAP Identity Authentication Service (IAS).
  2. Register the IWA application as a trusted service provider.
  3. Configure user attribute mappings (email, user ID, roles) in the identity provider.

Step 3 – Configure Identity Sources

SAP BTP CIS:

  1. Ensure SAP BTP CIS is provisioned in the target landscape.
  2. Configure the destination or service binding to allow IWA to read source groups and role collections.

Azure Active Directory:

  1. Register IWA (or the SAP IAS tenant) as an enterprise application in Azure AD.
  2. Configure SAML or OIDC federation between Azure AD and SAP IAS.
  3. Map Azure AD groups to the identity provider to allow IWA to detect them as user sources.

Step 4 – Deploy MTAR

Deploy the MTAR using the CF CLI or an SAP CI/CD pipeline:

cf deploy IWA.mtar

Expected outcome:

  • Java application deployed
  • DB deployer executed once
  • HDI containers created
  • Application bindings established

Step 5 – Verify Service Bindings

Confirm the application is bound to the following services:

| Service | Required |
| --- | --- |
| XSUAA | Mandatory |
| Destination Service | Mandatory |
| HDI Container(s) | Mandatory (one or more) |
| Application Logging | Optional |

Note: The DB deployer stops automatically after successful execution.


Step 6 – Validate HANA Schemas

  1. Access the SAP HANA Database Explorer.
  2. Verify that schemas are created for the required environment (e.g., CW_IWA).
  3. Ensure all schemas have identical table structures.

Step 7 – Post-Deployment Verification

  • The IWA login page is accessible and the SAP Authentication login screen is displayed.
  • An administrator account can log in and reach the IWA home page.
  • The Application Management module is accessible and can connect to the configured identity sources (SAP BTP CIS / Azure AD).
  • User creation, role creation, and provisioning flows complete without errors.
  • The Audit Log captures entries correctly after a test action.

Domain Configuration

When creating the first application in IWA after deployment:

  1. Navigate to Application Management → Create Application.
  2. In the Domain field, enter the organization's email domain (e.g., @incture.com).
  3. Press Enter to add the domain. Multiple domains can be added for the same application.

Access Control for Administrators

Ensure the IWA administrator role collection is assigned to at least one administrator user in the SAP BTP Cockpit before handing over the system. Users without IWA role access will see an Access Denied screen upon login.