Showing results for 
Search instead for 
Did you mean: 

X.509 login in SAC

0 Kudos

Hello all,

SAC has 2 options for Authentication:
1. SAP Cloud Identity (default)
2. SAML Single Sign-On (SSO)

The customer has a strict requirement to use X.509 login with digital signature cards.

Is there a way to do it using option 1. ?

If we use option 2. what product/service can we use as IP (identity provider)? Do we have to buy it seperateley?

Thanks a lot in advance!

View Entire Topic
Active Contributor
0 Kudos


Hi, the authentication process using X.509 client certificates against the SAP ID Service is not supported in option 1. Therefore, you need to switch to option 2 and enable SAC as a SaaS application for SAML to outsource authentication to an IDP of your choice. Typically, most customers already have an existing IDP.

We recommend using the SAP Identity Cloud Services (IAS) as the primary IDP for all your SAP applications. Although SAC is one of the few SaaS applications not bundled with SAP Identity Cloud Services, if your customer has the BTP, they can establish two tenants for free and attach SAC to it. Once SAC forwards authentication requests to your IAS tenant, you can enable X.509 authentication.

Please note that you will need to create an incident with SAP and provide your PKI chain for import into the IAS to support mTLS authentication. If you prefer to use IAS as a proxy, you can delegate authentication to another IDP such as Entra ID, ADFS, Okta, Ping, etc., and set up X.509-based authentication for your users using existing smart cards for strong authentication.

Cheers Colt

0 Kudos
@Colt - thank you for your detailed answer. I now can understand the situation. My users are not only from one company, or entity, and they have cards with at least 5 digital signature providers. This maybe creates a bit more complicated task. Perhaps IAS or SAP IdM can support that.