Update remote-services.md (#2630)

Added subsection about configuring `on-behalf-of` for IAS app-2-app
destinations.

---------

Co-authored-by: Stefan Henke <stefan.henke@sap.com>
Co-authored-by: René Jeglinsky <rene.jeglinsky@sap.com>

Author: 3 people

java/cqn-services/remote-services.md

@@ -213,6 +213,38 @@ At runtime, this destination configuration will use the bound `identity` service
 
 [Learn more about consuming APIs from other IAS-Applications in the **SAP Cloud Identity Services documentation**.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications){.learn-more}
 
+##### Configuring the Authentication Strategy
+
+By default, when calling a remote IAS-based API through a destination, CAP propagates the user identity associated with the current `RequestContext` (`currentUser`). If the `RequestContext` contains a named user, CAP propagates the named user. If not, CAP requests a technical user token.
+
+For background processing or technical integrations, you may want to force the remote API call to use a technical user. Use the `destination.onBehalfOf` configuration to control this behavior:
+
+::: code-group
+```yaml [srv/src/main/resources/application.yaml]
+cds:
+  remote.services:
+    RemoteIasService:
+      destination:
+        name: my-ias-destination
+        onBehalfOf: systemUser
+```
+
+The following options are available:
+
+| Value | Description |
+|-------|-------------|
+| `currentUser` | Propagates the named user if available, or falls back to a tenant-specific technical user. **(default)** |
+| `systemUser` | Uses a tenant-specific technical user, based on the tenant set in the current Request Context. |
+| `systemUserProvider` | Uses a technical user of the provider tenant. Useful for internal communication that does not require tenant-specific authorization. |
+
+::: tip Behaves similar to binding-based configuration
+This behaves identically to the [`onBehalfOf` option in binding-based configurations](#configuring-the-authentication-strategy). Use it when your IAS app-2-app communication is configured via a BTP destination with `cloudsdk.ias-dependency-name` rather than a direct service binding.
+:::
+
+::: warning Only applicable to IAS app-2-app destinations
+The `onBehalfOf` option applies only to IAS app-2-app destinations (destinations with the `cloudsdk.ias-dependency-name` property set). It has no effect on other destination types.
+:::
+
 #### Retrieve Destinations
 
 The CAP Java SDK obtains the destination for a _Remote Service_ from the `DestinationAccessor` using the name that is configured in the _Remote Service_'s destination configuration.