Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert
Single sign-on (SSO) is a centralized session and user authentication service in which a set of login credentials can be used to access multiple applications. SSO thus assists you to sign in to connected domains or applications with one username and password.

SSO has a clear, positive impact on productivity. The amount of time saved might seem quite small, but all the time you usually spend looking up users and passwords for logging into individual applications adds up. With SSO, you spend more time working. SSO minimizes the password-related frustrations, as you only need to remember and enter a single set of credentials. This is a huge benefit when you consider that most users have to remember an average of 40 passwords.
Apart from SAP Conversational AI’s focus on better customer experience, this feature specifically impacts the employee experience domain.

How does SAP Conversational AI use SSO?

At many points in your conversation, you most likely want to retrieve business information or connect to an external system to perform actions. You would want your bot to assist the enterprise users by executing certain business operations on their behalf, for example, creating a leave request. For this, the bot will need to call an external service. The external service allows secure transmission of information by issuing a user token that uniquely identifies the user on that external service (JSON Web Token or JWT). The user needs to log on to acquire this token.

Single Sign-On (SSO) permits users to use a set of login credentials to access the SAP Conversational AI Web Client.

The SAP Conversational AI Web Client is a web frontend developed by SAP for connecting to SAP Conversational AI bots via the SAP Conversational AI Web Client channel. It is a rich web client capable of rendering the bot responses using SAP Fiori compliant UI controls. To know more about SAP Conversational AI Web Client, refer to SAP Conversational AI Web Client.

The SAP Conversational AI Web Client needs to be integrated into the main web application or application shell of a supported SAP product (for example the Fiori Launchpad of a S/4HANA system).

Once authenticated, the business user can interact with the chatbot without providing their credentials on each log-on.

Workflow with SSO:

How to configure SAP Conversational AI Web Client with SSO?

You need to integrate the SAP Conversational AI Web Client in an On-Premise SAP Fiori Launchpad.


The SAP Conversational AI Web Client runs inside an Iframe. The page that is hosting the SAP Conversational AI Web Client must allow this in its Content Security Policy.


a. An SAP Cloud Foundry Subaccount

b. Infrastructure:

  1. Remote SAML 2.0 identity provider

  2. SAP Web Dispatcher 7.53 (latest patch level)

  3. Have trust enabled between the SAP Cloud Foundry Subaccount and the IDP server. See details here.

  4. For the full SSO experience, the ABAP front-end server also has to trust and use the same IDP for its user logon

c. Admin Permissions

  1. SAP Fiori Launchpad Designer: Configure the SAP Fiori launchpad target mappings, catalogs, and roles (Front-end server)

  2. SAP Cloud Foundry Security role

To configure user authentication or single sign-on, you need to do the following:

1/ You need to whitelist the hosting domain

Before you start:

  • You need basic knowledge of how to use a REST API client. You can use command-line clients like curl or applications like Postman (which you can download from the com).

  • You need to have access to the XSUAA configuration API, which relies on retrieving an OAuth token. For further information, refer to SAP Note 2760424 Information published on the SAP site.

  • You need to know the technical tenant ID (GUID) of your Cloud Foundry subaccount. You can find this in the Overview section of your subaccount:

You need to whitelist the hosting domain as the SAP Conversational AI Web Client runs inside an iFrame to offer complete isolation from the hosting page. For security reasons, the Cloud Foundry authentication service (XSUAA) prevents the logon page to be embedded in an iFrame unless the origin domains are whitelisted. This currently cannot be done from the SAP Cloud Foundry cockpit, but only via REST API calls.


2/ You need to subscribe to SAP Conversational AI

3/ You need to configure the ABAP Frontend Server

The SAP Conversation AI client is integrated into the SAP Fiori Launchpad using the Fiori Launchpad Shell plugin mechanism. You need to add this plugin to your SAP Fiori Launchpad for which you need admin rights for the Fiori Launchpad Designer. For more information see Running the Launchpad Designer 

4/ You need to connect the SAP Conversational AI Web Client to your bot

The above steps will integrate the SAP Conversational AI Web Client into the SAP Fiori Launchpad from a pure technical frontend perspective. In order to be able to use it, connect it to a bot built on the SAP Conversational AI platform. For this you need to:

  1. Build a bot

  2. Use this destination to configure the outbound call in the Actions tab of your bot in the SAP Conversation AI platform. For more information, see Connect to external service.

  3. Use the “Connect” tab of your bot to create an SAP Conversational AI Web Client channel

Awesome! Single sign-on is now enabled for your users!

Once the SSO is enabled, you can integrate the SAP Conversational AI Web Client into an on-premise SAP Fiori launchpad or with your web solution based on the SAP Business Technology Platform. For more details, follow the SAP Conversational AI Web Client Configuration Guide.

Note- For now, the SSO feature is only available for enterprise users of SAP products (like SAP S/4HANA, SAP SuccessFactors, and so on) to access the SAP Conversational AI Web Client.

How is it beneficial?  

  1. Seamless user experience

  2. Single Sign-On eliminates the need for multiple passwords and user IDs

  3. Lowers the risks of unsecured login information

  4. Reduces password fatigue from different username and password combinations.

  5. Reduces customer time spent re-entering passwords for the same identity.

Hope you enjoyed this tutorial. If you have any questions about it, feel free to ask us in the comments section below or go to SAP Answers.

Happy bot building!