Get Started with Creating a Custom Domain in SAP Build Work Zone, standard edition

Beginner

2 hr.

SAP Build Work Zone, standard edition, Beginner, Tutorial, SAP Business Technology Platform, Cloud

Using the SAP Custom Domain service, administrators of SAP Build Work Zone, standard edition can configure a custom domain for exposing a site instead of using the default domain.

You will learn

How to create and manage custom domains for SAP Build Work Zone, standard edition
- How to configure custom domains using SAP Cloud Identity Services - Identity Authentication
- Where to find documentation in order to complete the configuration

Boaz Wimmer, Hani Lachnish, Lindsay BertOctober 23, 2025

Created by

March 10, 2025

Contributors

Prerequisites

You have entitled the Custom Domain Manager to your subaccount. For more information, see Manage Entitlements Using the Cockpit.
You have entitled the SAP Custom Domain service (plan: custom_domains) to your subaccount. Every server certificate requires 1 unit of quota.
You have subscribed to the Custom Domain Manager in the SAP BTP cockpit. For more information, see Initial Setup.
You have acquired the domain names to be used by your applications. Have a look at the Prerequisites.
You have entitled the SAP Build Work Zone, standard edition application to your subaccount.
You have subscribed to the SAP Build Work Zone, standard edition application by using the SAP BTP cockpit. For more information, see Initial Setup.
You have a tenant of SAP Cloud Identity Services.
You have access to the Domain Name System (DNS) management dashboard.
If you’re using tunnelled access to access on-premise apps, you have to configure clickjacking protection as follows:
- SAP S/4HANA Cloud - Protect Against Clickjacking.
- SAP S/4HANA - Using an Allowlist for Clickjacking Framing Protection.
- SAP IBP - Protect Against Clickjacking.
- SAP BTP ABAP environment - Protect Against Clickjacking.

Overview

Instead of using the default domain that is assigned to your subaccount, you can purchase a custom domain with a unique name that’s easily recognizable by your users, making them more secure about accessing your site. For example, if your default domain is subaccount.launchpad.cfapps.eu10.hana.ondemand.com, you can purchase the domain mycompany.com, create a custom domain prod.mycompany.com, and securely expose your site under this custom domain. Using the same domain for a site as well as for all the embedded content including Identity Authentication, enables broader integration scenarios, by avoiding third-party cookies with the respective security drawbacks. Note, if you decide to use a custom domain, make sure that you update links and inform end users to update their bookmarks. If users want to still use the default ondemand.com domain, this is possible. Note that there is no option to block the default domain.

Illustration of the custom domain configuration process

To make sure that your domain is trusted by way of activated server certificates and that all application data is protected, you must set up secure TLS/SSL communication. Then, make your application reachable via your custom domain and route traffic to it.

Step 1
A default site is the site that opens when no site ID is specified in the URL. The default site can be set per custom domain and doesn’t affect all domains in a subaccount. Note that a custom domain must be mapped to a single point and that’s why it’s mapped to the default site and not to a specific site.

You define the default site in the Site Directory of your SAP Build Work Zone, standard edition subaccount as follows:

Go to your subaccount in the SAP BTP cockpit.

Click the SAP Build Work Zone, standard edition link.

Open the Site Directory in your SAP Build Work Zone, standard edition application.

Choose the site that you want to define as the default site.

Click the ... icon on the site tile.

From the action menu, select Set as Default.

Step 2

To make your applications reachable and secure under your own domain, use the Custom Domain Manager to create and manage your reserved and custom domains. The reserved domain should be your parent domain (for example, mycompany.com). The custom domain is created based on your reserved domain (for example, prod.mycompany.com).

Open the SAP BTP cockpit, and log on to the Custom Domain Manager.
Choose the Domains tile.
Click Add to add a domain name that you want to reserve for this landscape and associated extension landscapes. For example: mycompany.com.

Note that the domain name is now displayed in the list of Reserved Domains.
Switch to the Custom Domains tab and click Create, and select for your Subaccount’s SaaS Subscriptions.
A wizard opens displaying your subscribed applications, in their corresponding landscapes. Now do the following:
- From the Select Subscribed Application Name step, select SAP Build Work Zone, standard edition as the SaaS application and click Next Step.
- From the Select Reserved Domain step, select the desired domain from the list of Reserved Domains which in our case is mycompany.com. Now click Next Step.
- From the Create Subdomain Name step, enter a single subdomain name, for example prod and click Finish. The result is a new custom domain. For example, prod.mycompany.com

Create a custom domain for every runtime destination. For example: xyz200.mycompany.com (xyz200 in this example is the on-premise backend). The custom domain for the runtime destination must be part of this hierarchy, meaning it should be a single subdomain under the reserved domain, otherwise an error will occur. This is because SAP Build Work Zone code suppresses the subdomain (for example, prod.mycompany.com) used for the SAP Build Work Zone site when performing requests to on-premise backend applications.

If you have content providers in multiple subaccounts (e.g. dev/test/prod), make sure that every subaccount has its own custom domain for the SAP Build Work Zone subscription and destination. The destination content could be similar, but the destination’s name should be different.

Here’s an example:

Runtime Destination Domain	DNS CNAME	SaaS Route	SAP Build Work Zone Domain
xyz200.mycompany.com	CNAME api.cf.eu10.hana.ondemand.com.	portal-prod-sapdelim-xyz200.launchpad.cfapps.eu10.hana.ondemand.com	prod.mycompany.com
xyz300.mycompany.com	CNAME api.cf.eu10.hana.ondemand.com.	portal-qa-sapdelim-xyz300.launchpad.cfapps.eu10.hana.ondemand.com	qa.mycompany.com.
xyz400.mycompany.com	CNAME api.cf.eu10.hana.ondemand.com.	portal-dev-sapdelim-xyz400.launchpad.cfapps.eu10.hana.ondemand.com	dev.mycompany.com.

Create a custom domain for SAP Cloud Identity Services. For example, ias.mycompany.com.

The custom domains are created and displayed in a list, along with their corresponding landscape and status.

Repeat the above steps for creating custom domains in your DEV, QA, and PROD environments.

Step 3
The purpose of this step is to configure a custom domain for your Cloud Identity Service tenant. Use the custom domain that you’ve created in step 2 above.
You’ll use it later when establishing trust to your SAP BTP subaccount and in the Domain Name System (DNS) setup.

For more information, see Use Custom Domain in Identity Authentication
Step 4
In this step you’ll create a trust between your SAP BTP subaccount and your Cloud Identity Services tenant. This trust is required for user authentication. After completion, your SAP BTP subaccount will appear as an application in the administration console of Cloud Identity Services.

For more information, see Establish Trust and Federation Between SAP Authorization and Trust Management Service and SAP Cloud Identity Services
Step 5
This step is done in the Custom Domain Manager. You’ll create new TLS configurations that can be used for one or mulitple server certificate activations.

Choose the TLS Configurations tile.

Click Create to open a wizard to create each required configuration.

Enter a configuration name, for example myTLS and click Next Step.

From the Client Authentication (mLTS) step, you’ll see that the client authentication is displayed as disabled by default. Therefore a user name and password are required for authentication. Click Next Step.

The Summary information displays the entered configuration name and the status of the mTLS mode again. Click Finish to exit the wizard and manage the created configuration.

For more information, see the Custom Domain Manager documentation: Manage TLS Configurations.
Step 6
This step is done in the Custom Domain Manager. You’ll create a new server certificate for custom domains associated with the SAP Build Work Zone, standard edition application and runtime destinations. You will also create a certificate for your custom domains from a trusted certificate authority (CA).

Choose the Server Certificates tile.

Choose Create and select for your (wildcard) Custom Domains.

A wildcard certificate secures multiple applications of a domain. So a domain called *.mycompany.com covers any application under the domain mycompany.com, for example prod.mycompany.com, but not the domain mycompany.com itself.
This also works with subdomains, so the subdomain *.prod.mycompany.com covers any application under the subdomain prod.mycompany.com, for example, myapp.prod.mycompany.com, but not the subdomain prod.mycompany.com itself.

The wizard opens with the General Information step in focus. Now do the following:

Enter the desired alias, keep the key size with the default value, and then click Next Step.

In the Select Landscape step, keep the landscape with the default value, which should be the main landscape (e.g. cf-eu10). Then click Next Step.

In the Set Subject Alternative Names step, select the domains which you want to assign to the server certificate.

In the Set Subject step, keep the CommonName (CN) parameter with the default value, then click Finish.

Note that the CommonName can’t be longer than 64 characters.

Select the server certificate that you created to expand the details section. To order and install your new server certificate, you must first create the certificate signing request and then send this file to a trusted certificate authority of your choice to get it signed.

Click Get Certificate Signing Request to copy the content and create the .pem file. You can also paste the content into a web page of your CA, if available.

On receiving the new server certificate and full certificate chain (including the root CA), choose Upload Full Certificate Chain to upload them.

In the Add Certificate section, insert the certificate chain into the text field and click Next Step.

Check the certificate and choose Next Step.

Confirm that the certificate is correct and click Finish.

In this final step, you must activate your new server certificate.

This activation has to be done for one or more of the certificate’s SANs and the TLS configuration of your choice that you configured in the Manage TLS configurations section. The activation can be modified or removed at any time and will take a few minutes until it’s effective in the landscape load balancer.

In the Details pane, click Activate.

Select the SANs you want to activate, and click Next.

Confirm the TLS configuration and click Next.

Review the summary and choose Finish.

The list of server certificates created are displayed and as long as they are active, they can’t be deleted. Inactive certificates can be deleted by using the Delete button.
Step 7
This step is also done in the Custom Domain Manager. You’ll select your existing SaaS subscriptions and create custom routes for them - in addition to their standard routes.

Before you do this step, make sure that you’ve written down the default URL of the SAP Build Work Zone, standard edition application.

Now you can map the application to your custom domain as follows:

Choose the SaaS Routes tile.

Click Create to open a wizard where you will map a route to your application.

In the Select Tenant step, leave as is and click Next Step.

In the Select Saas Subscription step, select the SAP Build Work Zone, standard edition subscription and click Next Step.

In the Edit Route step, don’t change the standard route and click Next Step.

Note: even if your subaccount is in an extension landscape, such as EU10-004, you should use the main landscape URL, which is part of the subscription to SAP Build Work Zone, standard edition.

In the Select Custom Domain step, select the desired custom domain from the list and click Next Step. In this example, select prod.mycompany.com.

In the Select a Hostname step, click Finish. There’s no need to add a hostname.

The route mapping is created and is displayed as a list.

If you’re using tunnelled access to access on-premise apps, repeat the above steps for every runtime destination, but in the Edit Route step of the Manage SaaS Route procedure (step # 5), use the following format:

For the ondemand.com domain: [subdomain of the subaccount]-sapdelim-[Runtime destination name].[service name (launchpad or workzone or workzonehr)].cfapps.[data center].hana.ondemand.com

For the workzone.cloud.sap domain: [subdomain of the subaccount]-sapdelim-[Runtime destination name].[data center].workzone.cloud.sap

Example of a runtime destination mapping:

App Name SAP Launchpad
Custom route prod.mycompany.com
Standard route subprod-sapdelim-xyz200.launchpad.cfapps.us10.hana.ondemand.com
Step 8
In this step, you’ll create a CNAME record in the Domain Name Service (DNS) so that the custom domain points to the SAP BTP data center.

Example:

name prod.mycompany.com
type CNAME
data api.cf.eu10.hana.ondemand.com
TTL 14400

You also need to configure the Domain Name System (DNS) in order to route traffic to an application on your custom domain. For each custom domain that you use, you must create a CNAME mapping from the custom domain to its Cloud Foundry domain. For example, you must create a separate CNAME mapping for your runtime destination custom domain in case you’re using tunnelled access to access your on-premise apps.

Example:

name <runtime destination>.mycompany.com
type CNAME
data api.cf.eu10.hana.ondemand.com
TTL 14400

For more information, see Configure the DNS for a Custom Domain.

If your Cloud Foundry environment, API endpoint is on an extension landscape such as eu10-004, you need to map your DNS to the main landscape (e.g. eu10). This is because the SAP BTP service that your subaccount is subscribed to, is located in the main landscape. For more information, see Custom Domains in Extension Landscapes.
Step 9
In this step, (which is only relevant for subscriptions that were created prior to September 4th 2025), you’ll configure an OpenID Connect application in the administration console of SAP Cloud Identity Services for the authorization code flow.

Sign in to the administration console for SAP Cloud Identity Services.

From the Applications and Resources tab, choose the Applications tile.

Choose the SAP Build Work Zone, standard edition <your subaccount name> application.

Note: Type the subaccount GUID in the search field to filter the list items. One of the applications, named SAP BTP Subaccount <your subaccount name> will refer to the trust between your SAP BTP subaccount and the SAP Cloud Identity Service tenant. The redirect URI for this trust, which is created automatically, will be for example: https://mysubaccount.authentication.eu10.hana.ondemand.com/login/callback/sap.custom.
The second application, named SAP Build Work Zone, standard edition <your subaccount name>, will refer to the trust between your Cloud Identity Service tenant and the SAP Build Work Zone, standard edition subscription. You need to add your custom domain to the redirect URI of this trust.

Click the Trust tab.

Under Single Sign-On, choose OpenID Connect Configuration.

Manually enter the communication settings negotiated between Identity Authentication and the client as follows:

Name (mandatory) Provide a name of your choice.

Redirect URIs (mandatory) The redirection URIs to which the response can be sent. You can add up to 20 redirect URIs. Example: https://prod.mycompany.com/** or https://*.mycompany.com/**

The above URI covers both login and logout flows, so there’s no need to add also a URI to the Front-Channel Logout URIs.

Save your selection. Once the application has been changed, the system displays a message that the application is updated.
Step 10
In this step, you’ll select the custom domain for your subaccount in order to support SAP Mobile Start application navigation.

Go to your subaccount in the SAP BTP cockpit.

Click on the SAP Build Work Zone, standard edition link.

Access the Subaccount Settings from the side navigation panel and open the Custom Domain tab.

Select the preferred custom domain for your subaccount from the list of available domains configured in the Custom Domain Service.

For more information, see Subaccount settings.
Step 11
You can assign multiple custom domains to the same subaccount, each one opens the default site when no site ID is specified in the site URL.

To open different sites with two different custom domains, you need to add the site ID part to the URL. The site ID can also be customized to have a friendly name by using the site alias functionality.

For example, if the custom domains are dev & prod, you can open two different sites as follows:
https://dev.mydomain/site/alias1?sap-language=en#Shell-home
https://prod.mydomain/site/alias2?sap-language=en#Shell-home

Another example is having two site aliases for one domain: prod.mydomain:
https://prod.mydomain/site/alias1?sap-language=en#Shell-home and https://prod.mydomain/site/alias2?sap-language=en#Shell-home

For more information about using a site alias, see Configure a Site Alias.