
On-Premise Connectivity

Why On-Premise Systems Are Different

The crucial problem with SAP S/4HANA On-premise systems is that they are not exposed to the internet. Typically, they are located within a company's internal network. The SAP Cloud SDK has some useful features that allow you to connect to On-premise systems.

Since this isolation contradicts modern requirements of data availability, SAP has introduced the Cloud Connector. The Cloud Connector works like a reverse proxy, opening a connection between some allowlisted service endpoints of the On-premise system and the connected Cloud Foundry account. Only applications running in the connected Cloud Foundry account can access the services. Applications that are supposed to access On-premise systems need a binding to the connectivity service.

Destination in CF

Implementation Details

Connectivity Service

As a first step, the SAP Cloud SDK looks up the destination. If the Proxy Type of the destination is OnPremise, the SAP Cloud SDK will try to establish a connection via the Cloud Connector.

As mentioned above, the application needs a service binding to the connectivity service. A service binding makes client credentials available in the VCAP environment variable. The environment variables are accessible to the application at runtime. The SAP Cloud SDK uses the client credentials and, if given, the tenant ID of the JWT to obtain a client credentials grant. If multiple connectivity service bindings exist, the SAP Cloud SDK uses the first entry by default.

The SAP Cloud SDK uses the client credentials grant to call the connectivity service and receives the host, password, and authorization of the connectivity proxy. Then the SAP Cloud SDK creates an HTTP agent that uses this proxy and sets the necessary Proxy-Authorization headers. The proxy is the entry point to the Cloud Connector instance connected to the account. The proxy is only reachable from within the Cloud Foundry space, so you cannot use this flow for applications running outside of Cloud Foundry. The final destination containing the proxy information will look like this:

{
  url: "",
  headers: {...}, // contains authorization headers for the SAP S/4HANA system
  proxyConfiguration?: {
    host: "",
    port: 1234,
    protocol: "http",
    headers?: {
      "Proxy-Authorization": "AuthHeaderForTheProxy"
    }
  }
}

It will be used by the HTTP client of the SAP Cloud SDK to execute the request. We would like to mention two minor aspects of the SAP Cloud SDK.

Principal Propagation

If the Authentication property on the destination is PrincipalPropagation, the SAP Cloud SDK adds the SAP-Connectivity-Authentication header to the request. The header contains user information included in the JWT and enables user propagation from the cloud application to the SAP S/4HANA system.

Multiple Cloud Connectors

If you have multiple Cloud Connectors connected to your account, the LocationId defines which one of these to use for the request. In case the destination contains a LocationId property, the SAP Cloud SDK adds the SAP-Connectivity-SCC-Location_ID header to the request.
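
The following sketch is an added example, not code from the SAP Cloud SDK: it assembles the final destination described above from an OnPremise destination, the first connectivity binding, an already obtained service token, and the user's JWT. The binding field names, the destination property names, and the Bearer header formats are assumptions, and all sample values are constructed.

```javascript
// Added illustration, not SAP Cloud SDK source. Assumed names: the binding
// fields onpremise_proxy_host / onpremise_proxy_port, the destination
// properties proxyType / authentication / locationId, and "Bearer" values.
function firstConnectivityCredentials(vcapServicesJson) {
  const bindings = JSON.parse(vcapServicesJson || '{}').connectivity || [];
  if (bindings.length === 0) {
    throw new Error('No connectivity service binding in VCAP_SERVICES');
  }
  return bindings[0].credentials; // first binding is used by default
}

function addOnPremiseProxy(destination, vcapServicesJson, serviceToken, userJwt) {
  if (destination.proxyType !== 'OnPremise') {
    return destination; // no Cloud Connector involved
  }
  const creds = firstConnectivityCredentials(vcapServicesJson);
  const headers = { ...destination.headers };
  if (destination.authentication === 'PrincipalPropagation') {
    if (!userJwt) {
      // Fail closed: without a user JWT there is no principal to propagate
      throw new Error('PrincipalPropagation requires a user JWT');
    }
    headers['SAP-Connectivity-Authentication'] = `Bearer ${userJwt}`;
  }
  if (destination.locationId) {
    headers['SAP-Connectivity-SCC-Location_ID'] = destination.locationId;
  }
  return {
    ...destination,
    headers,
    proxyConfiguration: {
      host: creds.onpremise_proxy_host,
      port: Number(creds.onpremise_proxy_port),
      protocol: 'http',
      headers: { 'Proxy-Authorization': `Bearer ${serviceToken}` }
    }
  };
}

// Constructed sample input (no real hosts, secrets or tokens)
const sampleVcap = JSON.stringify({ connectivity: [{ credentials: {
  onpremise_proxy_host: 'connectivity-proxy.example', onpremise_proxy_port: '20003'
} }] });
const sampleDestination = { url: 'http://s4-virtual.example:44300', headers: {},
  proxyType: 'OnPremise', authentication: 'PrincipalPropagation', locationId: 'LOC1' };
const resolved = addOnPremiseProxy(sampleDestination, sampleVcap, 'svc-token', 'user-jwt');
console.log(Object.keys(resolved.headers), resolved.proxyConfiguration.host);
```

Treat the returned object as sensitive when logging or serializing it: it carries both the proxy token and the user's JWT.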
