A request is received for execution of a cloud service for a user of a customer of a cloud-computing platform, the request including a user identifier of the user but not a password for the user. The customer is determined from the user identifier included in the request for execution of the cloud service. A cloud connector endpoint for the customer is determined, where the cloud connector endpoint identifies a secure cloud connector tunnel for communication with a user mapper installed in a customer landscape of the customer. An authorization and authentication request is sent to the user mapper using the secure cloud connector tunnel, where the user mapper is configured to authenticate the user within the customer landscape and determine whether the user is authorized to use the requested cloud service. An authorization and authentication response is received from the user mapper that indicates whether the user is an authenticated user who is authorized to use the cloud service. In response to the authorization and authentication response indicating that the user is an authenticated user who is authorized to use the cloud service, a cloud token is granted that enables use of the cloud service.