SAP Single Sign-On (SSO)

Setup, Configuration & Secure Login Guide

SAP Single Sign-On (SSO) eliminates password chaos and the associated security and productivity losses – but how? In this guide, you’ll learn what SSO is, how it works, and how to integrate it into your SAP system.

What is SAP Single Sign-On (SSO)?

SAP Single Sign-On is SAP’s authentication solution that allows users to access multiple SAP systems with a single login. Single Sign-On simplifies the user experience and reduces complexity in daily operations, because employees no longer need to authenticate separately for each individual system – allowing them to stay in their workflow without interruptions.

SSO can be deployed on-premise, in hybrid scenarios, or in the cloud.

Modern implementations use protocols such as: 

• Kerberos / SPNEGO (Windows integration)

• SAML 2.0 (primarily for web applications)

• OpenID Connect (OIDC) (modern cloud and mobile applications)

• X.509 certificates & mTLS (certificate-based authentication)

SAP Single Sign-On 2.0

SAP Single Sign-On 2.0 was the first successor to the original SAP Single Sign-On, developed in 2011. It brought the base model to a new level with enhanced security and improved user convenience.

This version supports Kerberos-based authentication and integration with Microsoft Active Directory.

SAP Single Sign-On 3.0

The latest SSO version – SAP Single Sign-On 3.0 – offers a modern user interface, better cloud service integration, and broad support for mobile applications and web portals. You can upgrade seamlessly from version 2.0 to 3.0, as the core functionality remains largely the same aside from the new capabilities.

SAP Secure Login Service for SAP GUI: The modern SSO Solution

With the “SAP Secure Login Service for SAP GUI” (SLS), SAP offers the future-proof successor to SAP Single Sign-On 3.0, whose maintenance expires in 2027.

The benefits of the new Secure Login Service include:

  • Integration with SAP Business Technology Platform (BTP)

  • Cloud-native deployment

  • No dedicated certificate management required

  • Support for major IdPs (e.g., Azure AD, Ping, Okta)

  • Centralized policy management via Cloud Identity Services

This makes SLS the strategic SSO platform for hybrid and cloud landscapes in SAP going forward.

Compliance with Regulatory Reporting Requirements

With the anticipated implementation of the NIS-2 Directive into national law, stricter reporting deadlines will apply starting in 2025. Organizations will be required to report significant security incidents within 24 hours of discovery.

A current and well-documented SAP compliance framework helps you meet these requirements in time.

How does SAP Single Sign-On work?

The Single Sign-On process is based on the principle of one-time authentication:

1. The user logs in once through a central system – for example, your company portal.

2. After successful authentication, the system issues an authentication ticket.

3. The connected SAP systems verify the ticket.

4. Once the ticket is validated, the user can access all connected SAP systems without further authentication.

Token issuance works through protocols such as Kerberos. Here, the Key Distribution Center issues an encrypted ticket from a secure, central server. To minimize security risks, tickets have a limited validity period. Once a ticket expires, the holder must request a new one.
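The four steps and the limited ticket lifetime described above, as an added example that is not part of the original guide and not SAP code. It is a simplified model: an HMAC over JSON claims stands in for the encrypted Kerberos ticket (integrity only, no encryption), and the key, user and system names are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: in this model the login system and one SAP system share it.
DEMO_KEY = b"constructed-demo-key"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode()

def issue_ticket(user, audience, now, lifetime_s=600, key=DEMO_KEY):
    """Central login system: called only after the user has authenticated."""
    claims = {"sub": user, "aud": audience, "iat": now, "exp": now + lifetime_s}
    body = json.dumps(claims, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())

def verify_ticket(ticket, audience, now, key=DEMO_KEY, skew_s=30):
    """Connected system: returns (user, None) on success or (None, reason)."""
    try:
        body_b64, mac_b64 = ticket.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:
        return None, "malformed"
    # Check integrity before parsing or trusting any field.
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return None, "bad signature"
    claims = json.loads(body)
    if claims["aud"] != audience:      # ticket was issued for another system
        return None, "wrong audience"
    if now > claims["exp"] + skew_s:   # limited validity: holder must get a new ticket
        return None, "expired"
    return claims["sub"], None

def demo(t0=1_700_000_000):  # constructed timestamp
    ticket = issue_ticket("ALICE", "ERP-PRD", t0)
    edited = json.dumps({"sub": "ADMIN", "aud": "ERP-PRD", "iat": t0, "exp": t0 + 600}, sort_keys=True)
    tampered = _b64(edited.encode()) + "." + ticket.split(".")[1]
    return {
        "fresh": verify_ticket(ticket, "ERP-PRD", t0 + 60),
        "expired": verify_ticket(ticket, "ERP-PRD", t0 + 3600),
        "other system": verify_ticket(ticket, "BW-PRD", t0 + 60),
        "tampered": verify_ticket(tampered, "ERP-PRD", t0 + 60),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} {result}")
```

The verifying system never contacts the issuer: it relies on the shared key, the audience field and the expiry time, which is why a short lifetime bounds how long a copied ticket stays usable.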

Authentication Methods at a Glance

• Kerberos / SPNEGO
  Function: Seamless Windows integration through trust relationship with Active Directory
  Use case: Ideal for classic intranet scenarios

• SAML 2.0
  Function: Web-based authentication protocol
  Use case: For browser access to SAP systems such as Fiori Launchpad, SAP BTP, or SAP Analytics Cloud

• OpenID Connect (OIDC)
  Function: Token-based authentication (OAuth 2.0) with modern security standards
  Use case: Increasingly preferred for cloud-native applications

• X.509 / mTLS
  Function: Certificate-based authentication with the highest level of security
  Use case: Used in particularly sensitive system landscapes

What are the benefits of SAP SSO?

Regardless of the specific method, SAP Single Sign-On brings several advantages to your organization. They all share the common theme of “more convenience and efficiency – less password chaos”:

  • Cost efficiency: Your employees no longer need to log into a separate SAP application for every work step, which reduces frustrating workflow interruptions. Additionally, SSO relieves your internal IT department, as employees create fewer helpdesk tickets for forgotten passwords.

  • Security: The authentication mechanisms (Kerberos, SAML 2.0, X.509, and 2FA) in SAP SSO meet high security standards.

  • Compliance: You can centrally log all logins through SSO, making it easier to meet compliance and regulatory requirements.

  • User experience: Your employees will thank you, too. A single, central login eliminates cumbersome password lists and workflow interruptions.

SSO in the Fiori Launchpad

Fiori Launchpad is the central entry point for many SAP Fiori applications. When SSO is enabled in the Fiori Launchpad, users can access all their tiles directly without having to log in again – a significant time saver that simplifies your employees’ daily work.

Especially in today’s “New Work” environment with a high share of remote work and mobile devices, the combination of SAP SSO and the Fiori Launchpad truly shines. With Fiori and SAP Single Sign-On 3.0, SAP has addressed the demands of modern work and greatly improved the user experience for mobile users.

How do I set up SAP Single Sign-On?

The SAP Single Sign-On setup can vary slightly depending on the intended technology (Kerberos, SAML 2.0, X.509).

Generally, however, the implementation process follows 4 steps:

1. Thorough Preparation

Before starting the actual implementation, you should answer a few questions:

• Do you have the necessary licenses for SAP SSO?

• Does your current SAP landscape support the intended authentication methods?

• Do you have a centralized user management system (e.g., SAP Identity Management)?

2. Install the Components

Install the components required for your chosen authentication method. You can obtain the Single Sign-On components through the SAP Marketplace.

• The SAP Secure Login Client on end devices

• SAP NetWeaver SSO configuration on your respective ABAP or Java stacks

• Specific components such as SAP Secure Login Server if you are using X.509 certificates

3. Configure the Authentication Method

Once preparation is complete, you can begin configuration.

• Kerberos: Configure your SAP system so that the desired applications accept Kerberos tickets from an Active Directory server.

• SAML 2.0: Configure your SAP system as a Service Provider and connect an external Identity Provider.

• X.509: Set up certificate-based authentication on the downloaded Secure Login Server. This server can issue certificates for users.

4. Integrate with SAP Systems

Next, adapt your SAP system (e.g., SAP ERP, SAP S/4HANA) for SSO operation:

• Adjust login methods (e.g., SPNEGO for Kerberos or SAML2 for SAML 2.0)

• Import certificates and metadata (for SAML 2.0)

• Enable Secure Network Communication (for ABAP systems)

• Configure ICF services (for web access)
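A check for the SNC part of step 4, as an added example that is not from the original guide or from SAP: it reads an ABAP instance profile and reports settings that leave unprotected logons possible after SNC has been enabled. The `snc/*` names are standard SAP profile parameters that the guide itself does not list; the baseline values and both sample profiles are assumptions of this example.

```python
import re

# Assumed baseline for this example: parameter -> (accepted values, risk if not met).
BASELINE = {
    "snc/enable": ({"1"}, "SNC is not active"),
    "snc/data_protection/min": ({"3"}, "connections without encryption are accepted"),
    "snc/accept_insecure_gui": ({"0", "U"}, "SAP GUI logons without SNC are accepted for every user"),
    "snc/accept_insecure_rfc": ({"0", "U"}, "RFC connections without SNC are accepted for every user"),
}
PARAM = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value}; a later assignment overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        match = PARAM.match(line)   # comment lines start with "#" and never match
        if match:
            params[match.group(1)] = match.group(2)
    return params

def audit(text):
    """Return (parameter, found value, risk) for each baseline entry not met."""
    params = parse_profile(text)
    findings = []
    for name, (accepted, risk) in BASELINE.items():
        value = params.get(name)
        if value is None:
            findings.append((name, None, "not set in this profile, so the kernel default applies"))
        elif value not in accepted:
            findings.append((name, value, risk))
    return findings

# Constructed sample profiles.
WEAK = """\
# SNC switched on, but the password fallback is still open
snc/enable = 1
snc/data_protection/min = 1
snc/accept_insecure_gui = 1
"""
HARDENED = """\
snc/enable = 1
snc/data_protection/min = 3
snc/accept_insecure_gui = U
snc/accept_insecure_rfc = 0
"""

if __name__ == "__main__":
    for name, value, risk in audit(WEAK):
        print(f"{name} = {value}: {risk}")
```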

→ The SAP Single Sign-On implementation requires the utmost care and attention to ensure SSO functions smoothly and no serious security vulnerabilities are introduced. And this is where Xiting comes in!

Implement SAP Single Sign-On with Xiting

Xiting supports you with years of experience as an SAP service provider in the design and implementation of SAP Single Sign-On.

• Migration consulting (SAP SSO 2.0 / 3.0 → SLS)

• Implementation of Kerberos, SAML, OIDC, or X.509

• Integration with Azure AD, Ping Identity, Okta, and more

But that’s not all: We see ourselves as comprehensive SAP consultants at your side. We provide professional workshops and have developed our own products like the Xiting Authorizations Management Suite (XAMS) to make your SAP system as simple and accessible as possible.

Contact us today – free and without obligation – to enjoy a secure and well-organized SAP landscape!

FAQ

Why use SAP Single Sign-On instead of traditional login?

With traditional login methods, users must log in separately to each SAP system – often with different passwords for security reasons. This is user-unfriendly and increases security risks across your organization. With Single Sign-On, you can avoid these issues – the method allows users to access all systems with a single, secure, centralized login.

With SAP HCM SSO, your employees can carry out HR processes directly and without additional login – for example, leave requests or time entries. This increases efficiency and user-friendliness, as they can complete all steps without frustrating interruptions.

A typical example of SSO outside of SAP is accessing all Google services (e.g., Google Drive, Gmail, YouTube) with just one Google account. You log in to the first service you open, and can use the other services without logging in again.
