SAP Single Sign-On: Protect Your SAP Landscape wit...
Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
SAP Single Sign-On offers support for X.509 certificates. X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients, including many legacy systems. You can set up your own dedicated public-key infrastructure (PKI) to issue X.509 certificates, or have the Secure Login Server software, a component of SAP Single Sign-On, issue short-lived certificates. With the Secure Login Server software, you do not need to set up a full-blown PKI with its inherent administrative processes, such as certificate revocation lists, but you can still benefit from the same level of security. Enabling this kind of scenario means that users can sign on once to gain access not only to their SAP business applications but also to many of their non-SAP applications.
Implementing Single Sign-On with X.509 Certificates and Secure Login Server
In the following video series, you will learn how you can use X.509 certificates issued by the Secure Login Server component to provide single sign-on functionality as well as secure communication for SAP GUI/browser applications and SAP NetWeaver Application Server ABAP. The videos will describe the necessary configuration step-by-step.
thank you very much for this Blog. It is really easy to follow. I have configured our landscape in the way you presented, but with SPNEGO Authentication to SLS and SPNEGO-Credentials in SNC of the users. The SSO with SAP Gui works fine, but WebGui does not work. Can you give me an advice what could be wrong?
It would be fine if you could provide us with a Blog configuring AS Java this way, too.
In case you don’t want to use short-lived certificates issued by Secure Login Server for single sign-on at all, but Kerberos/SPNEGO instead, please have a look at our implementation videos here: SAP Single Sign-On: Authenticate with Kerberos/SPNEGO.
Hope this helps. If you still run into problems, please open a customer ticket.
Your blogs are very helpful. In your blog, you mentioned "X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients," but I could not find information on how to support 3rd party or non-SAP application. Could you elaborate that a little bit?
digital certificates that comply with the X.509 public key infrastructure (PKI) standard are supported by many business software products available today. Users can sign on once to gain access not only to their SAP software but also to many of their non-SAP applications (as long as the latter support X.509 certificates, of course). The configuration steps required to enable certificate-based authentication in these non-SAP applications are specific for the respective third-party application used.
For a good overview about how SAP Single Sign-On implements X.509-based authentication, I recommend reading the SAP Insider article Secure Single Sign-On Across SAP Landscapes.
Dear Martina, does this require that the users in ABAP exist in Java UME ..or the Secure Login Server only just issue x509 certificate and ABAP user does not have to be in Java UME..
Is there any license restriction on how many system/users can be setup for SSO using this Secured Login server/client.
Does this setup work in Citrix environment. ie secure login client is installed in Citrix and it connects to Secure Login Server to get certificate when users login to Citrix to SSO to SAP using SAPGUI..
thank you much for Information. I am planning SSO our System Landscape, we have BI AS ABAP on HANA, AS JAVA (new installed), BO (new installed), SAP-BI/BO Tools (BEx, Lumira etc.). we dont have any non-sap application. Could you please advice me, which SSO-Solution i need? x.509 or Kerberos? Should i install for all Clients “Sap Secure login Client Tool” for SSO ? can i also use without Secure Login Client tools to SSO?
SAP Single Sign-On supports Kerberos, X.509 certificates and SAML authentication technologies. Depending on what your backend systems support you can uses either technology.
The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server when Windows-based SAP clients are used (such as SAP GUI).
The Secure Login Client is also always necessary when the Secure Login Server is in use as a light-weight PKI (issuing X.509 certificates). When X.509 certificates are used for web scenarios, it is also possible to use the Secure Login Web Client instead of the Secure Login Client.
SPNEGO does not require a client (no Secure Login Client needed).
Hello,
Nice and detailed article. Thank you for sharing it.
We have successfully setup SSO 3.0 with x.509 certs and working fine with abap system.
Please let us know the procedure if we have multiple client in abap system and how to achieve it using x.509 certs
Do we need to perform any specific configuration to get the SSO working for multiple clients with GUI. Because, though we have maintained the user mapping in SU01 for all clients. it is not working for all the other clients except the default login client.(for default login client SSO works fine)
we are not getting the screen to make the selection to choose the desired login client with SSO.But instead it gets logged in automatically to default client.
Next topic, we are also looking to configure SSL for the same ABAP system and get the SSO working for webgui. Issue is while we test the url for webgui or ping as per your 5th video, we are presented with the client certificate but the system still again requests for user id and password. icm/verify_client is set to 1.SSL certificates have been signed by SLS3.0 server and the Root certficates from it have been imported in browser as well.
Not able to figure out what exactly is going wrong.
Hi Martina,
We currently have PKI infrastructure and X.509 in our landscape. We want to configure SSO for fiori using X.509 certificates. In your video series which parts are more appropriate for us?
Or do you have any other blog or sap documentation which can point me to. Please share any inputs you have for me. I truly appreciate any help from your side.
Thanks for the reply...the blog which you referred, i have already checked.
I am trying to perform with x.509 certificate and the blog says about Kerbos..... also in my case the windows userid & the portal userid are different. So looking for a blog or step by step document which can help me.
client authentication via X.509 certificates to Application Server Java is described in the SAP NetWeaver manuals. You can find the documentation here:
The customer can decide how to issue the X.509 certificates for the users. You can use the Secure Login Server of the SAP Single Sign-On product or your own existing PKI system.
This is a very helpful document and we configured it all according to this and works fine. Is there any way, can we use LDAP as the user master data and authentication from AD directly from Secure login Server. Currently, it authenticates users from the Secure login Server which is JAVA and works fine. We would like to use the user master data as Active Directory. Is this possible?
An alternative would be to use Kerberos/SPNEGO as SSO technology. This would be much easier to configure than configuring LDAP authentication profile. You will find a how-to guide in this blog:
In case you want to use SNC without SSO functionality, you can use the so-called SNC Client Encryption 2.0. It allows you to encrypt the communication between client (SAP GUI) and server (AS ABAP), and is part of the SAP NetWeaver Application Server license. But it does not offer single sign-on functionality.
Yes, you need a license for the SAP Single Sign-On product if you want to use X.509 certificates for SSO. If the end users still use SAP GUI, then SAP Single Sign-On is mandatory, using Kerberos or X.509 certificates as SSO tokens. Please note that SAP GUI is not compatible with the SAML protocol. In case you have browser-based applications and you want to use SAML for SSO and use your own third-party IdP for this, then no license for the SAP Single Sign-On product is required.
SAP Single Sign-On conf. using X.509 certificates has been already configured and has been fully tested also. Users can successfully login via SNC (SAP Gui) and SSL (Web Access like Fiori).
A new requirement is being analyzed. To use SAML to access Fiori with Azure AD (AAD) as identity provider (Idp).
What is the best approach to integrate the current scenario with this new one?
- Should the IDMFEDERATION add-on to be deployed on the Secure Login Server (SLS) and configure it as an Idp as well?
- In case the above is required. How these to Idps should be linked?
- Since the requirement is only for Fiori Access, is a good practice to use SAML for that kind of access and maintain SAP GUI access through X.509 certs as is currently being used?
We were able to find info with regards to SSO for Fiori using Azure AD, but not able to find a scenario where SAP SSO 3.0 is in place and working. Would be helpful to get advices on how to integrate and maximize these approaches.
Azure AD is a cloud-based SAML Identity Provider and you can use it for SSO with browser-based business applications, such as SAP Fiori.
However, Azure AD does not support desktop clients such as SAP GUI (as these are not compatible with the SAML protocol). If you want to implement SSO for scenarios that include SAP GUI, you need to use the SAP Single Sign-On product that supports SNC with either Kerberos or X.509 client certificates as SSO tokens.
You could use SAML also for SSO with SAP GUI through the Secure Login Web Client, which is a component of the SAP Single Sign-On product. The Secure Login Web Client can accept a SAML 2.0 assertion as security token and in return provision an X.509 certificate for single sign-on of desktop applications such as SAP GUI. See documentation here: https://help.sap.com/viewer/df185fd53bb645b1bd99284ee4e4a750/3.0/en-US/bf25ca2ceb8f4baba6069d955fbb2...
We no longer recommend to use the Federation component, our on-premise Identity Provider. SAP Cloud Identity Services – Identity Authentication service is our strategic solution for web applications. It is our cloud-based SAML Identity Provider. You will find more information here: https://community.sap.com/topics/cloud-identity-services.
I have a few questions on SAPGui rollout with SNC settings and the Secure login client.
Do we have to configure the SAPGui Network settings to enable SNC? Is there a way the user can login without SNC setting configured on local SAPLogon.ini using Secure Login client?
Can Secure Login Client software be packaged with SAPGui installation using SAPSetup?
For secure communication between SAP GUI and AS ABAP you need to enable SNC. You need to configure SNC in SAP GUI Network tab. You cannot configure SNC only in Secure Login Client.
There are times when user may not have single sign-on credentials for target system. Should the checkbox “SNC logon with user/password (no Single Sign-On” be selected or unselected to allow Encryption only as authentication method?
You can encrypt the communication between SAP GUI and AS ABAP server, even when not using single sign-on. You select "SNC logon with user/password (no Single Sign-On)". The user still has to enter his userID and password as no SSO is provided.
I am facing a problem in Business Client 770 PL13, SLC v3 sp2 Pl12 and SS3.0 that NWBC connections are not working as GUI can directly login using x509 certificate (SLC) from BC. It always asking me for Id and Password.
first, I would like to thank you for all the extensive work within this area, all your blogs are incredible and helpful.
As many others I'm coming here to seek your guidance.
I'm working on the test solution of SSO using Identity provider - Secure Login Server (AS JAVA) - SAP Secure Login Client - SAP GUI.
I was able to connect IP with SLS using SAML2.0. Now I want to bring in SAP Secure Login Client, this should be done somehow using authentication profile.
But I'm informationally stuck between all the blogs, documentation on SAP Help portal, implementation guides, and I'm not able to find the right one for my case.
Could you please advise solution to follow?
Also, I have noticed some cases on blogs, where licensing of SAP Secure Login Client is mentioned when using kerberos. But again, I'm not able to decipher the specific information if my solution needs specific license or not.
As you know, SAP GUI is not compatible with the SAML protocol. If you want to implement SSO for scenarios that include SAP GUI, you need to use the SAP Single Sign-On product that supports SNC with either Kerberos or X.509 client certificates as SSO tokens.
For your scenario, you can use the Secure Login Web Client, which is a component of the SAP Single Sign-On product. The Secure Login Web Client can accept a SAML assertion from the corporate IdP as security token and in return provision an X.509 certificate for SSO of desktop applications such as SAP GUI.
Thanks for the videos. I have been tasked to setup SSO in our environment. I have a question with sncwizard if i have a root certificate that was signed by external Authority how can add the root certificate from SLS to the same subject see the screenshot below. In your video you start with a new certificate. Looking forward to your reply
With the SNC wizard you can configure the SNC server certificate. Looks like you have already configured this through the STRUST transaction. You no longer need to do this in the SNC wizard and can just continue in the wizard.
I have got a question. We have already set up SSO using SAP IAS (Identity Authentication Service).
The customer do not have a local windows domain controller and everything goes via their Azure AD. So, SNC using Kerberos method (Service account) is not possible.
We are looking for a solution to set up SNC using X509 certificate but without the SSO. How is it possible, please?
If you still want to use SAP GUI, then our current SAP Single Sign-On solution is mandatory, using Kerberos or X.509 certificates as SSO tokens and the SNC protocol. SAP GUI is not compatible with the SAML protocol and thus you cannot use the Identity Authentication Service.
But we are planning a new cloud-based solution to support SSO for SAP GUI. It is planned that the new solution integrates with an existing corporate identity provider, such as Azure AD, to benefit from its authentication capabilities.
You will find the road map of this new solution and more details in the SAP Road Map Explorer here:
Thanks very much for all your input; it's very helpful. My company is using Secure Auth as the IDP (where all users are authenticated against) and want to use SAP SSO 3.0 for SAPGUI SSO using X509 certificates. I'm not sure if Secure Auth is supported as an IDP for SAP SSO 3.0 because the official list of LDAPs does not include Secure Auth.
I reached out to SAP support and they were not very clear with their response. Would you be able to tell me? If it is supported, is a service user in Secure Auth required to set up a connection from SSO 3.0 or is a certificate based trust sufficient?
We have just released the new solution SAP Secure Login Service for SAP GUI that offers integration with corporate identity providers. I am not familiar with the Secure Auth IDP solution. If it is an IDP that supports SAML 2.0, then integration should be possible.
SAP Secure Login Service for SAP GUI builds on top of the successful concepts of SAP Single Sign-On and offers much better integration with existing corporate identity providers. You can find more information in the release blog post here:
This does not make sense at all for such investment.
Other well known enterprise GUI application come with free SSO access enabled.
Our organization not only use SAP , so we can compare. The offering is very bad by SAP.