Getting Started

Deploy CPI Developer Studio to your BTP Cloud Foundry subaccount. Takes about 10 minutes.

Prerequisites

Step 1 — Log in to Cloud Foundry

cf login -a https://api.cf.REGION.hana.ondemand.com

Replace REGION with your BTP region, e.g. eu10, us10, us10-001, ap10. Find it in BTP Cockpit → Cloud Foundry → API Endpoint.

Steps 2–4 — Deploy the app

⚡ Option A — one bash command (recommended)

This script handles everything: creates the XSUAA service, pushes the Docker image, binds the service, and sets your license key.

bash <(curl -sL https://cpistudio.nxgenz.com/deploy.sh) YOUR-LICENSE-KEY

Omit the license key to deploy in 14-day trial mode. After it finishes, the app URL is printed — jump straight to Step 5.

or do it manually
🔧 Option B — manual steps

Step 2 — Save xs-security.json

Create xs-security.json in your working directory. This defines the three CPI Studio roles and pre-creates the BTP Role Collections automatically on first deploy.

{
  "xsappname": "cpi-studio",
  "tenant-mode": "dedicated",
  "scopes": [
    { "name": "$XSAPPNAME.admin",     "description": "Full admin access" },
    { "name": "$XSAPPNAME.developer", "description": "Read/write iFlows"  },
    { "name": "$XSAPPNAME.viewer",    "description": "Read-only access"   }
  ],
  "role-templates": [
    { "name": "Admin",     "scope-references": ["$XSAPPNAME.admin"]     },
    { "name": "Developer", "scope-references": ["$XSAPPNAME.developer"] },
    { "name": "Viewer",    "scope-references": ["$XSAPPNAME.viewer"]    }
  ],
  "oauth2-configuration": {
    "redirect-uris": [
      "https://*.cfapps.*.hana.ondemand.com/auth/btp/callback",
      "https://*.hana.ondemand.com/auth/btp/callback",
      "http://localhost:*/auth/btp/callback"
    ]
  },
  "role-collections": [
    {
      "name": "CPI Studio Admin",
      "description": "Assign to administrators",
      "role-template-references": ["$XSAPPNAME.Admin"]
    },
    {
      "name": "CPI Studio Developer",
      "description": "Assign to integration developers",
      "role-template-references": ["$XSAPPNAME.Developer"]
    },
    {
      "name": "CPI Studio Viewer",
      "description": "Assign to read-only users",
      "role-template-references": ["$XSAPPNAME.Viewer"]
    }
  ]
}

The wildcard redirect-uris cover all BTP regions and CF subdomains automatically — no need to change anything.

Step 3 — Create the XSUAA service

cf create-service xsuaa application cpi-studio-xsuaa -c xs-security.json

This creates the OAuth2 application in your BTP subaccount. The Role Collections (CPI Studio Admin, CPI Studio Developer, CPI Studio Viewer) are created automatically.

Already have a service? Run cf update-service cpi-studio-xsuaa -c xs-security.json instead to apply the latest redirect URIs and role definitions.

Step 4 — Save manifest.yml and deploy

Create manifest.yml in the same directory:

applications:
  - name: cpi-developer-studio
    memory: 512M
    disk_quota: 1G
    docker:
      image: ghcr.io/nxgenz/cpi-studio:latest
    health-check-type: port
    services:
      - cpi-studio-xsuaa
    env:
      HTTPS_ENABLED: "true"
      FLASK_DEBUG: "false"
      # LICENSE_KEY: "YOUR-LICENSE-KEY"

Then push the app:

cf push

CF pulls the Docker image, binds the XSUAA service, and starts the app. The URL is printed at the end — something like https://cpi-developer-studio.cfapps.REGION.hana.ondemand.com.

Optional: Add your license key to manifest.yml under env before pushing — or set it later with cf set-env cpi-developer-studio LICENSE_KEY "YOUR-KEY" followed by cf restage cpi-developer-studio.

Step 5 — Configure BTP Trust (corporate SSO)

If your users log in via a corporate identity provider (Azure AD, IAS, Okta), you need to register it in BTP Trust Configuration once per subaccount. This is what allows BTP Role Collections to work for corporate users.

  1. Go to BTP Cockpit → your subaccount → Trust Configuration
  2. Click Establish Trust (or New Trust Configuration)
  3. Select your IAS tenant or paste your corporate IdP metadata
  4. Save — XSUAA now federates login through your corporate IdP automatically

Already using FIGAF or another BTP tool with corporate SSO? Trust Configuration is already done — skip this step entirely.

Step 6 — Assign users in BTP Cockpit

  1. Go to BTP Cockpit → Security → Role Collections
  2. Open CPI Studio Admin, CPI Studio Developer, or CPI Studio Viewer
  3. Click Edit → Users tab → add users by email
  4. The user's identity provider (e.g. your corporate IAS) must match what was configured in Trust Configuration

Step 7 — Connect your CPI tenant

  1. Open the app URL from Step 4 (or the URL printed by the deploy script)
  2. Click Sign in with Corporate SSO and log in
  3. Go to Settings → CPI Tenant
  4. Enter your CPI host URL, OAuth token URL, client ID, and client secret
  5. Click Test Connection, then Save Profile

Updating to a new version

When a new version is released, run the deploy script again — it's idempotent:

bash <(curl -sL https://cpistudio.nxgenz.com/deploy.sh) YOUR-LICENSE-KEY

Or if you deployed manually, two commands are all you need:

cf update-service cpi-studio-xsuaa -c xs-security.json
cf push

The first command applies any new role definitions or redirect URI changes to your XSUAA service. The second pulls the latest Docker image and redeploys.

Troubleshooting

ErrorCauseFix
User shows "viewer" despite having role collection User logging in via corporate IdP but XSUAA service doesn't have their subaccount's Trust Configuration set up Complete Step 5 (Trust Configuration)
invalid_grant on login XSUAA service missing redirect URI registration Run cf update-service cpi-studio-xsuaa -c xs-security.json then cf push
mismatch_state CSRF warning Session lost during login (container restart) Click login again — handled automatically on retry
App not found after push CF region URL wrong or not logged in Re-run cf login with the correct API endpoint
Next: BTP Auth deep dive → Configuration →