Single Sign-On for SAP GUI - FAQ
Date: 2021-11-27
General Questions
SAP offers the following products and solutions for single sign-on (SSO):
- SAP Cloud Identity Services - Identity Authentication
- SAP Secure Login Service for SAP GUI
- SAP Single Sign-On
SAP Cloud Identity Services - Identity Authentication is a cloud-based identity provider that supports SAML 2.0 and OpenID Connect. It is the preferred option for browser-based applications (for both cloud and on-premise SAP applications).
SAP Secure Login Service for SAP GUI is a cloud-based service for customers that are still using SAP GUI but want to integrate it with their existing corporate identity provider to benefit from its authentication capabilities. It is the preferred option for SSO with SAP GUI.
SAP Single Sign-On is our tried and proven on-premise solution for SSO with SAP GUI.
The following scenarios are supported with SAP Secure Login Service for SAP GUI:
- SSO with X.509 certificates provisioned by a cloud service that is part of SAP Secure Login Service for SAP GUI
- SSO with X.509 certificates provisioned by customer-specific means
- SSO with Kerberos
SAP Single Sign-On is our tried and proven on-premise solution for SSO with SAP GUI desktop clients. For issuing short-lived X.509 certificates, it relies on the on-premise Secure Login Server running on a SAP NetWeaver Application Server Java.
SAP Secure Login Service for SAP GUI is the new solution and covers the main scenarios of SAP Single Sign-On (Kerberos- and X.509 certificate-based SSO). However, it eliminates the dependency on SAP NetWeaver Application Server Java. Instead, the server functionality for enrolling X.509 certificates is now provided by a cloud service. As a result, you no longer need to operate an AS Java.
Furthermore, you can easily reuse your existing identity provider solution, such as SAP Cloud Identity Services – Identity Authentication or a corporate identity provider, for example Microsoft Azure AD or Okta. This way you benefit from their authentication capabilities, such as multi-factor authentication.
The SAP Single Sign-On product will stay in mainstream maintenance until the end of 2027. So, there is no need to migrate to the new solution immediately. However, the two main reasons why you might consider migrating to the SAP Secure Login Service for SAP GUI solution and benefiting from its new functionality are:
1. Better integration with identity providers:
When using an X.509 certificate for SSO, end-users need to authenticate once to receive it. With SAP Secure Login Service for SAP GUI, this initial authentication can be easily integrated with an identity provider. With the SAP Single Sign-On product, this integration is also possible but there are some restrictions, such as the dependency on SAP NetWeaver AS Java, limited integration of the browser pages into the authentication flow, and lack of support for multi-user environments.
2. Reduced TCO:
With the SAP Single Sign-On product, many of the advanced features, such as multi-factor authentication, require you to operate an SAP NetWeaver AS Java, with a dedicated configuration of the authentication stack. With the SAP Secure Login Service for SAP GUI solution, the authentication process and certificate enrolment are done by cloud services. Also, the existing authentication configuration of the identity provider can be reused.
With multi-factor authentication (MFA), you can implement a strong form of authentication for access to corporate resources. With SAP Secure Login Service for SAP GUI, you can use MFA by leveraging the capabilities of SAP Cloud Identity Services – Identity Authentication or a third-party identity provider, for example Microsoft Azure AD or Okta. Authentication factors and policies depend on the identity provider configuration.
SAP Secure Login Service for SAP GUI supports SSO via Kerberos tokens, although you don’t need to use the new cloud service in that scenario. You only require the Secure Login Client on the client side, which is a component of SAP Secure Login Service for SAP GUI. The necessary functionality on the server side already comes with the AS ABAP kernel (SAP Cryptographic Library).
You can find the official road map in the SAP Road Map Explorer tool.
