Single Sign-On in SAP – now in the cloud

SAP already offered the option to add an Identity Provider in the form of an enterprise or social platform, but this only applied to applications that could be connected to Cloud Identity Services, which is primarily SAP’s cloud solutions.

Users of ABAP-based on-premise systems using SAP GUI were forced to use separate software running on one of their servers to process authentication requests for users each time. SAP Secure Login Service avoids the need to install such software and takes on all the work of managing logins through SSO.

The service itself as an application is not heavily developed, as it does most of the work as an intermediary processing login requests. The application in the administration console gives us its address data and allows us to set how long a user can work on a single login (1-24 hours).

Armed with this data, we can configure the client on the user’s workstation, just like a traditional SSO. Communication between the various components of this puzzle is done using X.509 certificates, but there is also the possibility of using a Kerberos token.

The SLS application is added to Cloud Identity Services (CIS), which allows us to define an identity provider for it in the same way as for any other, even the latest SAP cloud application, such as S/4HANA Cloud.

Authenticating to the Secure Login Service means authenticating to the SAP GUI.

Integration with CIS opens up new possibilities. The default login provider is CIS itself, however, this would require it to be the central base for user identities. To avoid creating accounts for everyone in CIS, we can change the identity provider to a third-party enterprise platform, such as Microsoft Entra ID, which is a popular choice in customer environments, since it is often the Microsoft domain that already has a long-standing base of all enterprise users.

However, if this is not a suitable solution, there is also the option of authentication through social media such as Facebook, X or Linkedin.

SAP GUI users will no longer have to use separate passwords for each system, which will certainly have a positive impact on their work comfort. Administrators, who too often had to respond to numerous requests for locked accounts and expired passwords, will also thank the implementation. Now support will be able to focus more on development and maintenance requests.

Increased security also relies on the use of modern identity delivery platforms already in place in organizations for logins, which use MFA technologies often combined with biometrics or U2F keys.