Technology Blogs by SAP
Martina_K
Product and Topic Expert
On May 4, 2023, SAP released the SAP Secure Login Service for SAP GUI. This new solution builds on top of the tried and proven SAP Single Sign-On product and offers single sign-on in a cloud-oriented way. It allows you to rely on a lean cloud service that integrates with your existing corporate identity provider to benefit from its authentication capabilities.

Why do we offer a new solution for single sign-on with SAP GUI?


SAP Secure Login Service for SAP GUI supports both digital certificates and Kerberos for secure authentication and single sign-on to your SAP systems. So, you can provide your SAP GUI users with simple and secure access to their ABAP-based business applications, just like with the existing SAP Single Sign-On product. In addition, the new solution comes with a set of new capabilities bringing enhanced user experience, better integration with your existing authentication infrastructure, and lower TCO.

For issuing short-lived X.509 certificates, the SAP Secure Login Service for SAP GUI no longer relies on an on-premise server running on an SAP NetWeaver Application Server Java. Instead, the server functionality for enrolling X.509 certificates is now provided by a cloud service. As a result, you no longer need to operate an AS Java.

But there is more! You can easily reuse your existing identity provider solution, such as SAP Cloud Identity Services – Identity Authentication or a corporate identity provider like Microsoft Azure Active Directory or Okta. This way you benefit from their authentication capabilities, such as multi-factor authentication.

The necessary functionality on the AS ABAP server side already comes with the AS ABAP kernel (SAP Cryptographic Library), same as before.

Now let’s take a closer look at the enhanced capabilities that SAP Secure Login Service for SAP GUI is offering.

Use X.509 certificates based on a lean cloud service


As already mentioned above, the SAP Single Sign-On product relies on an on-premise server running on an AS Java for the advanced scenarios using X.509 certificates, such as multi-factor authentication. Customers need to operate an AS Java with a dedicated configuration of the authentication stack.

With SAP Secure Login Service for SAP GUI, the authentication process and certificate enrollment are performed by cloud services. Furthermore, the existing authentication configuration of the identity provider can be reused. Simply take the authentication options that have already been implemented for browser-based UIs on your identity provider and use them for SAP GUI as well!

Easily integrate with your existing identity provider


The SAP Single Sign-On solution already offered some limited integration with identity providers. However, the component used on the client side, the so-called Secure Login Web Client, provided a sometimes confusing user experience that people had to get used to. And it did not work in multi-user environments.

SAP Secure Login Service for SAP GUI offers a better integration with identity providers. With the new solution, the Secure Login Client seamlessly integrates with the identity provider UIs. As a result, when users start an SAP GUI connection, they will get the exact same user experience as they would have in the browser. This will further increase user acceptance of the solution.

Authentication factors and policies depend on the identity provider configuration. This way you benefit from their authentication capabilities: for example, using strong multi-factor authentication, biometric authentication, or Web Authentication and FIDO.

Offer single sign-on based on Kerberos technology


Many of our existing customers are still using Kerberos technology for single sign-on with SAP GUI. This scenario is based on the corporate Windows domain and Microsoft Active Directory. Will this still be possible with the new solution? The simple answer is yes!

SAP Secure Login Service for SAP GUI does support single sign-on via Kerberos tokens. In that scenario, you only require the Secure Login Client on the client side, which is a component of SAP Secure Login Service for SAP GUI. There is no need to access the cloud.

A picture is worth a thousand words


Finally, let’s have a quick look at the architecture overview of the SAP Secure Login Service for SAP GUI solution:


SAP Secure Login Service for SAP GUI: Architecture overview


 

More information


For more information about the SAP Secure Login Service for SAP GUI, check the following resources:

 

If you want to learn more about the new solution, actively engage with SAP subject matter experts and your peers, and stay up to date about the topic of single sign-on for SAP GUI, join our community here:

https://community.sap.com/topics/single-sign-on

 


 
57 Comments
Colt
Active Contributor
Great! I am absolutely thrilled that the long-awaited feature is finally here 🙂
arturka
Explorer
0 Kudos

Example scenario

SAP Secure Login Service for SAP GUI configured and deployed without Kerberos, only with X.509.

What happens if the cloud service isn't available due to network/SAP/AWS/AZ/GCP issues?

 

Christian_Cohrs
Product and Topic Expert
The cloud service is only required during the provisioning of the certificate. As the certificate validity usually covers the working day, users need to access the cloud service once per day and can then work with their ABAP systems without any dependency to the cloud service.
arturka
Explorer

I know that.
Working hours are for example 8:00 - 16:00
Certificate lifetime due to corporate policy is set to 10 hrs.

Network/Cloud service has a failure at 7:45, and this is a serious issue that can't be fixed immediately due to problem complexity, SAP service support delay, Cloud provider service delay.
And no one is able to log on (except admins and so on).

I'm asking because I saw situations where cloud services were not available for more than a few minutes.

dyaryura
Active Participant
0 Kudos
Hi Christian

 

It'd be good to understand how customers with the current infrastructure with Secure Login Server can transition to the cloud and if there's a benefit from a commercial standpoint or if they can use both products in parallel.

As a fallback for the scenario mentioned by Artur, I'm thinking customers can leverage an on-prem SLS to generate certificates if that's included from a license perspective. As long as both solutions can generate the cert with i.e. CN=<SAP user ID> and both CAs (SLS CA + cloud CA) are added to the SNC Sapcryptolib trust config, both certificates can be used in parallel.

 

Thanks,

Diego
Christian_Cohrs
Product and Topic Expert
The new service runs on SAP BTP, and it is covered by the availability commitments of the platform. Also, most of the initial (8am) authentication process is handled by the identity provider. This should support high availability in any case, as your browser-based applications need it all day.

If you really need to avoid any dependency on outside communication, you can still use smart cards or Kerberos, purely on-premise.
Christian_Cohrs
Product and Topic Expert
Hi Diego,

for customers using Secure Login Server (from SAP Single Sign-On), the main benefits of switching to SAP Secure Login Service are at this point in time:

  • the significantly improved integration with cloud-based identity providers and their authentication options

  • the TCO reduction, as the new service no longer requires them to operate an AS Java


Technically, you could also run both solutions in parallel. However, as these are separate products, it would make sense commercially to fully migrate once you feel confident.

Best regards,

Christian

 
arturka
Explorer
0 Kudos

If we are talking about switching from Secure Login Server to SAP Secure Login Service, we have to mention other SAP SLS features.

SSL certificate lifecycle management – great functionality that allows you to centrally manage SSL certificates Server/Client/Trusted (not only for ABAP systems, but also for Java, HANA, Web Dispatchers, Diag Agents, Host Agents)

Integration with corporate CA

NEA - I suppose customers should plan migration to SAML where possible.

Short-lived X.509 certificates for SAP Cloud Connector principal propagation.

In other words, it isn't just a simple migration; in some cases it is quite a big project. And we will not always achieve significant TCO reduction.

Regards
Artur

Benedikt_Blömer
Explorer
Hi martina.kirschenmann / christian.cohrs

is it intended, that the "SAP Secure Login Service for SAP GUI" is not subscribable from CPEA Global Accounts for some quick evaluation?

regards

Benedikt
Christian_Cohrs
Product and Topic Expert
Hi Benedikt,

I'm afraid CPEA is currently not supported. Your SAP contact can help you get a minimal subscription for getting started, though.

Best regards,

Christian
Benedikt_Blömer
Explorer
Hi christian.cohrs

is it planned to make this available for CPEA also?
Would be great to do a quick prototyping before contacting our Sales person at SAP for a longterm subscription...

regards

Benedikt
Christian_Cohrs
Product and Topic Expert
Hi Benedikt,

we'll keep this in mind and see what we can do mid-term.

Best regards,

Christian

 
holger_thorwart
Explorer
0 Kudos
Is SAP Secure Login Service for SAP GUI the official successor for SAP Single Sign-On 3.0 after end of maintenance end of 2027?

Are there any benefits compared to SAP Single Sign-On 3.0 if you are running a complex on-premise SAP landscape using SAP Single Sign-On 3.0 via Kerberos with SAP Secure Login Client for SAP GUI? Why should I migrate to SAP Secure Login Service for SAP GUI?
Christian_Cohrs
Product and Topic Expert
When it comes to single sign-on with Kerberos, there is no difference between the products as they both rely on the same Secure Login Client. So while SAP Single Sign-On is still in maintenance and you don't need any other functionality, there is no need to move to SAP Secure Login Service.

Best regards,
Christian
holger_thorwart
Explorer
0 Kudos

Hi Christian,

is SAP Secure Login Service for SAP GUI the official successor for SAP Single Sign-On 3.0 after end of maintenance end of 2027?

Are we forced to subscribe to SAP Secure Login Service for SAP GUI to use SSO with SPNego/Kerberos in an on-premise ABAP system landscape (S/4HANA) starting 01.01.28? Or can we use SNCCONFIG, SPNEGO (as part of SAPCRYPTOLIB) and SAP Secure Login Client without?

Best regards
Holger

Christian_Cohrs
Product and Topic Expert
Hi Holger,

yes, SAP Secure Login Service for SAP GUI will succeed SAP Single Sign-On.

With respect to licensing, some S/4HANA licenses include the usage of the Secure Login Client for Kerberos-based single sign-on. If you do not have such a license, then you will indeed have to switch to the SAP Secure Login Service subscription.

Best regards,
Christian
Hi Martina,

 

For many years now we have been using the SAML-based SSO provided by SAP Business Client, and moving away from "pure" SAPgui completely. Isn't the implementation of all this complex infrastructure to achieve SAPgui SSO a somewhat backwards step?

 

Best regards,

Mark
Christian_Cohrs
Product and Topic Expert
Hi Mark,

if you are able to run all of your business applications in the browser, then a SAML/OIDC identity provider like SAP's Identity Authentication Service is the way to go.

However, there are still cases where users want to / have to use the desktop clients to perform their work. One thing we achieve with the new product is that the identity provider authentication factors can now easily be reused for SAP GUI. For SAP GUI users that's a big step forward.

Best regards,
Christian

 
Colt
Active Contributor
Hi Mark, if you like to get some more background about SAML vs. Kerberos/X.509 or in general using SAP GUI vs. browser-based apps, feel free to check out this blog

Cheers Carsten
hieutranphan
Explorer
0 Kudos

Hi Ms. martina.kirschenmann christian.cohrs  I am researching the SAP Secure Login Service for SAP GUI solution, and I couldn't find any specific information indicating whether this product supports SAP Fiori or SAP GUI HTML. Could you please provide me with further information on this matter?

Thank you!

sebastian_peroni
Explorer
Actually, this product is for granting temporary X.509 certificates that can be used to log in to SAP GUI and also to any SAP Webdynpro / FIORI service; it could also be used to authenticate in 3rd party web services where X.509 is available.

Best regards!
tskwin
Explorer
0 Kudos

Hello Experts,

We intend to implement SSO in our new S/4HANA system landscape on premise.

Would you recommend implementing Secure Login Service, currently no SSO is used, or introducing SSO on premise first (e.g. Kerberos) ?

How is Secure Login Service licensed, also per user, as with SSO on premise or per one service? What are the benefits of configuring Secure Login Service to IAS Service ?

 

Thanks very much

 

Best Regards

Martina_K
Product and Topic Expert
0 Kudos
Hello Tatjana,

We recommend using our new solution, SAP Secure Login Service for SAP GUI. The solution supports both X.509 certificates and Kerberos. Maintenance for the SAP Single Sign-On product will end in 2027.

The two main benefits of SAP Secure Login Service for SAP GUI when compared to the on-premise solution (Secure Login Server) are an improved integration with cloud-based identity providers and a TCO reduction (as the operation of an AS Java is no longer needed).

The SAP Secure Login Service for SAP GUI is licensed on a cloud subscription model (based on users). For licensing details, please contact your SAP Account Executive.

Best regards,

Martina
Juliuspereira
Active Contributor
Hi Martina,

Thank you for sharing. I had 2 specific questions. But before that some background information.

Currently we have configured an SAP launchpad in SAP Netweaver Portal to login into various systems in the organization. SSO has been enabled for these systems and thus the users are taken directly into the system without having the need to enter login credentials. From the SAP portal, we send a text file with the system name, client number, user id and a logon ticket. The file will download automatically, open the SAP Gui desktop app and login without credentials because of the passed logon ticket.

We are currently in the process of implementing a similar launchpad in SAP build workzone - standard edition to launch various sap and non sap systems. We also have enabled SSO to SAP build workzone - standard edition with our corporate IdP (Azure AD).  From SAP build workzone - standard edition, we want to open the SAP ECC System in the SAP GUI for windows. We learnt that while launching SAP GUI for windows is not possible, what we could do is run SAP Build Work Zone inside SAP Business Client and then open the SAP ECC systems.

So far I have been able to configure this as shown below.


And when I click on the tile ECC - Production, I currently get a login screen to enter my ECC credentials


and after I enter my credentials, the ECC system opens.


 

So now, I want to enable SSO such that when I click on the ECC system tile, I do not have to enter my login credentials, but I should be automatically signed in. Since I'm already SSO into the SAP Build workzone - std edition launchpad using the corporate IdP, I'm expecting that the same SSO could somehow be propagated to the launching of the SAP ECC system and then I do not have to enter my ECC login credentials.

My questions:

  1. Is it possible to use the SAP secure login service for this Scenario? If that is the case, can you provide some insights and or documentation on how I could achieve this?

  2. For the SAP secure login service, do we have to use the identity authentication tenant or can we just use our corporate IdP (which is Azure AD in our case)?


Thank you

Julius
former_member184682
Participant
0 Kudos
Hi, can you please confirm if Certificate lifecycle management is part of the "SAP Secure Login Service for SAP GUI" ? If not, is it planned to be made available in the coming versions ? In the documentation it was not very clear

We currently use only the sap secure logon client (with kerberos) and hence no need of java stack

however for the purpose of CLM, we are about to deploy a java stack. Considering this, would this new product help us to avoid using a java stack?

 

thx
tskwin
Explorer
0 Kudos
Hello Martina,

Thanks very much.

after end of SAP Single Sign-On 3.0 maintenance of 2027, is there no more SAP support for SSO 3.0 on premise? Do I have to switch to Secure Login Service?

 

Many thanks

Best Regards
Christian_Cohrs
Product and Topic Expert
0 Kudos
Hi,

certificate lifecycle management is not part of SAP Secure Login Service for SAP GUI. We are thinking about ways to provide this functionality in the future as a cloud based alternative to the on-premise Java stack, but details and timelines are open.

Best regards,
Christian
Christian_Cohrs
Product and Topic Expert
Hi Julius,

yes. You need to ensure that the shortcuts are configured to use Secure Network Communication (SNC). When that is done, a logon screen will appear during the first SAP GUI connection. Afterwards, users will have single sign-on for the rest of the day, based on the X.509 certificate from SAP Secure Login Service for SAP GUI.

Identity Authentication Service is always in the process but can be used as a proxy to Azure AD. In that case, end-users will only see the Azure AD screens.

Best regards,
Christian
Juliuspereira
Active Contributor
0 Kudos
Thank you Christian. I appreciate your prompt response.

I wanted to try this out in my trial account where I already have the above described build workzone configured. Is this service available in a trial account and if that is the case, what is the name of this service?

Currently I only see this one. Thoughts on this?


Thank you

Julius
Christian_Cohrs
Product and Topic Expert
0 Kudos
Hi Julius,

I'm afraid we don't have a trial version. Please get in touch with your SAP contact so that they can look into the licensing.

Best regards,
Christian

 
Martina_K
Product and Topic Expert
0 Kudos
Hello Tatjana,

Yes, that is correct. The SAP Secure Login Service for SAP GUI will succeed SAP Single Sign-On 3.0 after its end of maintenance. And you will have to switch to the SAP Secure Login Service for SAP GUI subscription.

Best regards,

Martina
denismartin
Discoverer
0 Kudos
Hi Martina (and/or others 🙂 )

So with the new version of secure client (SP16), can we use Azure IdP without using a BTP tenant for authentication? (Or do we still need the special subscription on BTP?)

Looking at the schema, I just don't follow the way we get a CA from the SAP-managed Cloud CA ... is it a one-time shot? (like getting a certificate to install somewhere (STRUST?))

After that, I don't find any scenario describing this on the Azure documentation portal (is it too recent to have them doing that?)
Christian_Cohrs
Product and Topic Expert
0 Kudos
Hi Denis,

Secure Login Client relies on the BTP-based SAP Secure Login Service for certificate provisioning and the Identity Authentication Service for authentication. The integration with Azure AD happens via a proxy configuration in Identity Authentication Service and Azure AD, as described for example here: https://developers.sap.com/tutorials/cp-ias-azure-ad.html

This is pure identity provider functionality, not specific to our scenario.

The certificates that you receive are short-lived and managed by the Secure Login Client.

Best regards,
Christian

 
0 Kudos

Nice post Martina !!! very nice !!!

We have SAP Secure Login Server and we want to migrate to SAP Secure Login Service, but we have some doubts about services that we do not see in SAP Cloud Secure Login Service:

In SLServer we can create Root certificates/intermediates, etc...

In SLServer we can sign certificates from SAP ABAP/JAVA systems with the respective CSRs and then install them on the target ABAP/JAVA systems

How or where can we do these tasks in SAP Cloud Secure Login Service? We don't find any documentation about this.

Regards,

 

kalyan
Participant
0 Kudos
christian.cohrs martina.kirschenmann Thank you for this blog. Maybe a rookie question. If we want to use our corporate IDP (on-prem one), is it fair to assume the secure login service on BTP will only work within the client's network, as outside of the network BTP cannot talk to the corporate IDP? Is this a fair comment? Please advise. Also, are there any blogs / documents / FAQ for the transition from on-prem Netweaver SSO (Java) to BTP secure login service? Even a readiness checklist would be great for planning.
Christian_Cohrs
Product and Topic Expert
0 Kudos
We rely on the identity provider proxy mechanism of SAP's identity authentication service, as described at https://help.sap.com/docs/identity-authentication/identity-authentication/corporate-identity-provide... .

In this scenario, there is no network connection between the 2 identity providers required, as all communication is channeled through the browser of the end user. So the only requirement is that both the identity authentication service and your corporate IdP need to be accessible from the end user desktop.

We do not yet have a migration guide. Good point, we'll look into this.

Best regards,

Christian

 
Christian_Cohrs
Product and Topic Expert
0 Kudos
At this point, SAP Secure Login Service focuses on client certificates for single sign-on, with an SAP-managed CA. We plan to support customer-managed CAs in the cloud as well, but it's still a roadmap item. Certificate Lifecycle Management is something that we are looking into, but we have not yet decided on the scope and roadmap. So this capability of the on-premise server is not yet available in the cloud.

Best regards,

Christian
Colt
Active Contributor
0 Kudos
Hey all,

many of the Q&A and addt. information can be found in this article

Cheers Carsten
alberto_yoldi
Explorer
0 Kudos
We are using the current SSO on top of a Java stack to manage our system's certificates (CLM). Please let us know how we can get informed/involved about the future SAP strategy for CLM. Thanks in advance!
Christian_Cohrs
Product and Topic Expert
We are still reviewing our options regarding the future of CLM. As soon as we have news, we will notify customers via this forum. However, this will take some time.

Best regards,

Christian
0 Kudos
Hi @martina.kirschenmann

 

Thanks for the valuable information. We have a requirement to do SSO for SAP GUI via OKTA. Can you please help with any documentation on it? Also, is it Kerberos based or X.509 based?

Can you help me with connect details if possible?

 

Thanks,

Amogh
Martina_K
Product and Topic Expert
Hi Amogh,

Yes, your scenario works via X.509 certificates using the SAP Secure Login Service for certificate provisioning and the Identity Authentication Service (IAS) for authentication. The integration with Okta happens via a proxy configuration in IAS.

You will find the documentation about SAP Secure Login Service here:

https://help.sap.com/sls

For documentation on the integration of Okta with IAS, see here:

https://help.sap.com/docs/identity-authentication/identity-authentication/corporate-identity-provide...

The following blog posts might also be useful for configuring your scenario:

Explore: Securing SAP GUI with SAP Secure Login Service

Connect Okta to Identity Authentication Service Using SAML

Connect Okta to Identity Authentication Service Using OpenID Connect

Best regards,

Martina
S0000839939
Explorer
Hello,

Can you please make the service available for CPEA  subscription?

 

Kind Regards,

Jan
Christian_Cohrs
Product and Topic Expert
0 Kudos
Hi Jan,

Unfortunately, at this point we are unable to support CPEA. If things change in the future we will announce it here.

Best regards,

Christian
javier_iribarne1
Explorer
0 Kudos
Hello Martina

Thanks for your post.

In case the SAP system is in the SAP private cloud ( SAP Rise), is it possible to access from SAPlogon from outside the corporate network, i.e. from the internet?

In other words, in the case of SAP Rise the usual connection between SAPgui and SAP Backend is through a VPN type solution. Is it possible to enable public access from the internet (without vpn solution) to SAP Backend in SAP Rise? That is to say, is it possible to request the opening of a port to be able to use the SAP Secure Login Service for SAPGui solution from the internet (without vpn)?

Thanks

Javier
Martina_K
Product and Topic Expert
0 Kudos
Hi Javier,

from a technical point of view this might not be a problem. However, normally ABAP systems are not openly accessible in the internet, but protected via a VPN. Please get in contact with the SAP RISE team for your specific scenario and what the options are.

Best regards,

Martina
javier_iribarne1
Explorer
0 Kudos
Hello Martina

Yes, we are working on it, we have already opened 2 cases to SAP, 1 Service Request, a thread mail with ITSM .... We have been trying for 1 week to get them to understand our request...

It's hopeless!

Thanks

Javier
Colt
Active Contributor
0 Kudos

Hi Javier,

nothing new 🙂 Our customers are facing challenges due to a lack of clarity from the RISE team, making support difficult. The current situation isn't ideal, and the ticket workload for our customers is becoming burdensome. Simple tasks, such as guiding users on the correct way to access their Fiori Launchpad through a web dispatcher/load balancer, are turning into extensive discussions.

Regarding your question: it's worth mentioning that ECS/HEC is a private cloud service and not a public one. Access to SAP systems is facilitated through VPN. Additionally, SLS for SAP GUI is a public cloud service designed for user authentication and obtaining an SSO token. However, the connection to customers' on-premises or HEC systems presents a different set of challenges.

Cheers Carsten

mgahealey-tk
Discoverer
0 Kudos

Hello @Martina_K 

Can you please confirm if there is a one to one relationship between instances of "SAP Secure Login Service for SAP GUI" and "SAP Cloud Authentication Service" ?   

e.g. if a customer has three IAS instances ( necessitated by one to one relationship with Successfactors instances ) e.g.

  • Production IAS - connected to Successfactors Production and S4HANA Production
  • Non-Production 1 IAS - connected to Successfactors Test and S4HANA Test
  • Non-Production 2 IAS - connected to Successfactors Development and S4HANA Development

Will 3 instances of SAP Secure Login Service for SAP GUI be required too if SSO to SAP GUI is required for S4HANA Prod, S4HANA Test and S4HANA Production i.e. each configured with corresponding IAS Service?

.....and do the charges as per SLS for GUI Pricing  of the service only apply for Production usage?

Kind regards

Mike

Christian_Cohrs
Product and Topic Expert
0 Kudos

Hello Mike,

SAP Secure Login Service does not have its own user store. It will leave the authentication always to the identity provider, like IAS. So if you want to enable SSO for a specific S/4HANA system, you need to use an instance of SAP Secure Login Service, which is integrated with an IAS tenant that holds the relevant user accounts. If your productive IAS tenant does not have all the user accounts, then you would indeed need additional instances of SAP Secure Login Service to cover those other IAS tenants. 

Pricing is based on the number of persons / employees. The number of SAP Secure Login Service instances does not have an impact.

Best regards,

Christian