
Which Technology SSO implement

TadrosNabil
Discoverer

Hello All

We are in the process of integrating Single Sign-On (SSO) into our S/4HANA system, version 2020 initial stack.

Our user base is diverse, comprising individuals with and without email addresses, as well as vendor users outside our domain. These users interact with our system through both the GUI and the Fiori web interface.

All of the above users use Windows and Mac systems.

So we need your opinion on what the optimal technology choice for SAP Single Sign-On would be, utilizing Kerberos/SPNEGO or X.509 certificates.

Also, is there some installation guide to implement the SSO?

Accepted Solutions (0)

Answers (1)

Tobias_Lejczyk
Product and Topic Expert

Hi Nabil (or Tadros, I hope I got it right 😉 ),

 

Well, with such a diverse user base, I would recommend going for a solution where a central identity provider handles this complexity (internal vs. external users, with and without email address, ...).

When we talk about Kerberos or X.509, we are usually talking about employees. Kerberos relies on a Key Distribution Center, which usually is the Active Directory Domain Controller. However, I would presume that many of your users don't have an AD user. In addition, that scenario usually does not work on mobile devices, and I don't know how good the Mac integration is. I think I read that it is possible, but I have no experience with AD-managed Mac devices. For X.509 certificates, you run into the problem of certificate distribution and upkeep. You have to sign these certificates and distribute them to the machines. That is either a complex process for the users or you control all the machines... Hence, it is probably not a generally applicable solution in your case.

I would go for a SAML or OIDC approach for the browser world and the Secure Login Service for the SAP GUI world. Both rely on a central Identity Provider (usually SAP Cloud Identity, which federates to your corporate IdP of choice). At the central IdP, all the authentication (be it password-based, MFA, Kerberos, WebAuthn, ...) is handled. And the IdP is usually capable of applying different options to different user groups.

Hence, I would presume that such an integration pattern fits your scenario best.

For the implementation of Secure Login Service, I can point you to the help pages, which are quite helpful in this case: https://help.sap.com/sls

For SAML/OIDC and the SCI configuration, I unfortunately have no experience with the documentation, since I am doing it from memory... However, if you are unsure about the steps and architecture, it might also be a good idea to involve someone with experience in that area to guide you through the process.

 

All the best for your implementation :).

 

Best regards,
Tobias