Single Sign-On for SAP GUI - FAQ

Find answers to frequently asked questions about single sign-on for SAP GUI.

General Questions

Which products and solutions does SAP offer for single sign-on and when shall I use what?

SAP offers the following products and solutions for single sign-on (SSO):

  • SAP Cloud Identity Services - Identity Authentication
  • SAP Secure Login Service for SAP GUI
  • SAP Single Sign-On

SAP Cloud Identity Services - Identity Authentication is a cloud-based identity provider that supports SAML 2.0 and OpenID Connect. It is the preferred option for browser-based applications (for both cloud and on-premise SAP applications).

SAP Secure Login Service for SAP GUI is a cloud-based service for customers that are still using SAP GUI but want to integrate it with their existing corporate identity provider to benefit from its authentication capabilities. It is the preferred option for SSO with SAP GUI.

SAP Single Sign-On is our tried and proven on-premise solution for SSO with SAP GUI.

Which scenarios are supported with SAP Secure Login Service for SAP GUI?

The following scenarios are supported with SAP Secure Login Service for SAP GUI:

  • SSO with X.509 certificates provisioned by a cloud service that is part of SAP Secure Login Service for SAP GUI
  • SSO with X.509 certificates provisioned by customer-specific means
  • SSO with Kerberos
How is SAP Secure Login Service for SAP GUI different from SAP Single Sign-On?

SAP Single Sign-On is our tried and proven on-premise solution for SSO with SAP GUI desktop clients. For issuing short-lived X.509 certificates, it relies on the on-premise Secure Login Server running on a SAP NetWeaver Application Server Java.

SAP Secure Login Service for SAP GUI is the new solution and covers the main scenarios of SAP Single Sign-On (Kerberos- and X.509 certificate-based SSO). However, it eliminates the dependency to SAP NetWeaver Application Server Java. Instead, the server functionality for enrolling X.509 certificates is now provided by a cloud service. As a result, you no longer need to operate an AS Java.

Furthermore, you can easily reuse your existing identity provider solution, such as SAP Cloud Identity Services – Identity Authentication or a corporate identity provider, for example Microsoft Azure AD or Okta. This way you benefit from their authentication capabilities, such as multi-factor authentication, for example.

I am currently using the SAP Single Sign-On product. Shall I switch to the new solution now?

The SAP Single Sign-On product will stay in mainstream maintenance until the end of 2027. So, there is no need to migrate to the new solution immediately. However, the two main reasons why you might consider migrating to the SAP Secure Login Service for SAP GUI solution and benefiting from its new functionality are:

1. Better integration with identity providers:

When using an X.509 certificate for SSO, end-users need to authenticate once to receive it. With SAP Secure Login Service for SAP GUI, this initial authentication can be easily integrated with an identity provider. With the SAP Single Sign-On product, this integration is also possible but there are some restrictions, such as the dependency on SAP NetWeaver AS Java, limited integration of the browser pages into the authentication flow, and lack of support for multi-user environments.

2. Reduced TCO:

With the SAP Single Sign-On product, many of the advanced features, such as multi-factor authentication, require you to operate an SAP NetWeaver AS Java, with a dedicated configuration of the authentication stack. With the SAP Secure Login Service for SAP GUI solution, the authentication process and certificate enrolment are done by cloud services. Also, the existing authentication configuration of the identity provider can be reused.

Does SAP Secure Login Service for SAP GUI support multi-factor authentication?

With multi-factor authentication (MFA), you can implement a strong form of authentication for access to corporate resources. With SAP Secure Login Service for SAP GUI, you can use MFA by leveraging the capabilities of SAP Cloud Identity Services – Identity Authentication or a 3rd party identity provider, for example Microsoft Azure AD or Okta. Authentication factors and policies depend on the identity provider configuration.

I want to use Kerberos tokens for SSO with SAP GUI. What solution should I use?

SAP Secure Login Service for SAP GUI does support SSO via Kerberos tokens, even if you don’t need to use the new cloud service in that scenario. You only require the Secure Login Client on the client side, which is a component of SAP Secure Login Service for SAP GUI. The necessary functionality on the server side already comes with the AS ABAP kernel (SAP Cryptographic Library).

What is the road map for SAP Secure Login Service for SAP GUI?

You can find the official road map in the SAP Road Map Explorer tool here.

Learn More

Where can I find more information about the different SSO solutions offered by SAP?

Further Questions?

Can’t find an answer to your question?

Ask your question in the Single Sign-On for SAP GUI Community.