
How to configure SAP NetWeaver Single Sign-On with certificates out-of-the-box!

Matthias comment on 15.04.2013

SAP has released (RTC) a new version of SAP NetWeaver Single Sign-On (version 2.0). The screenshots in this blog are from SAP NetWeaver Single Sign-On 1.0, so if you install the new version some screens will look different, since SAP improved the UI. Overall, the concept of SAP NW SSO in combination with certificates (this use case) is still the same. There is a completely new option available for Kerberos (SPNego for ABAP).


SAP NetWeaver Single Sign-On provides various possibilities to implement a single sign-on scenario. At the moment (more are coming), the following scenarios are available.


The components of SAP NetWeaver Single Sign-On can be combined depending on the business case. This how-to guide describes the second option in the pictures above. The solution generates certificates out of the box, so there is no need for an external PKI. It also includes the encryption of the communication between SAP GUI for Windows and the SAP system.

If you are only interested in configuring the first option in the picture above, please use this guide:

The option with certificates supports the following clients for Single Sign-On (SSO):

  • SAP Portal
  • SAP NetWeaver Business Client (NWBC)
  • SAP Web based applications (SAP NetWeaver ABAP and Java)
  • non-SAP Web application servers supporting certificates for authentication


Main components

Secure Login Client

  • SNC Client Library for SAP GUI application
  • Support for digital signatures in SAP applications (SSF Interface)
  • Security Token Management (Smartcard, OTP Token, Kerberos, Microsoft Certificate Store, PKCS#11, short term certificates provided by Secure Login Server, integration to existing PKI)

Secure Login Server

  • Out-of-the-box PKI
  • Several authentication server connectors (LDAP server, MS-ADS system, SAP server, RADIUS server)

In this demo session the SAPCRYPTOLIB will be used on the SAP system.

Prerequisites and information

  • SAP NetWeaver Java system for the deployment of the Secure Login Server
  • Please download SAP NetWeaver Single Sign-On
  • This how-to guide is based on SAP NetWeaver Single Sign-On 1.0
  • You need an SAP NetWeaver ABAP based system. This is the target system you want to connect to
  • SAPCRYPTOLIB is installed
  • Root certificates are available (you can also generate them with Secure Login Server, but these steps are not described in this document)

Goal of this how-to-guide:

Configuration of Secure Login Server, installation of Secure Login Client and configuration of an SAP NetWeaver ABAP application server.

End users will be able to use SSO to access the SAP NetWeaver ABAP application server via automatically provided certificates.

This guide does not explain how to access applications based on SAP NetWeaver Java (the UME needs to be configured to accept certificates).

Demo overview




First of all, you need to deploy the Secure Login Server component on an SAP NetWeaver Java system. This document does not describe how to install an SAP NetWeaver Java system. Please deploy Secure Login Server on an SAP NetWeaver Java application server. You can of course use an existing application server. Please check the PAM of SAP NetWeaver Single Sign-On to find out which versions of SAP NetWeaver are supported.

Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin.

On the Welcome screen press the button Continue.

Define the value D:\usr\sap\TDI\ServerKeyFile\KeyFile.txt for the parameter Server File.


Define the Administrator account


Choose the option: Import an Existing Key Store File and define the password.

Important: if you don’t have an existing root CA, you can also use Secure Login Server to generate one.


Choose the option “Skip all SSL certificates” if you already have SSL certificates. Otherwise you can generate them for SSL.


Choose the option “Import an Existing Key Store File”. If you don’t already have a root CA for the user certificates, you can generate one.


On the server configuration page press the button: Next

On the Setup Review page press the button: Finish


Start the SAP Management Console and restart the component


Verify that the logon to the Secure Login Administration Console is successful.
Start Microsoft Internet Explorer and enter the URL http://localhost:50000/securelogin or use the Reload button from the initial configuration wizard
Logon with user Admin and password.

In Microsoft Internet Explorer enter the URL http://localhost:50000/nwa and logon with Admin.

Choose Configuration tab Security -> Authentication and Single Sign-On
Choose the option Login Modules
Choose the Login Module


Choose the button Edit


For the parameter LdapBaseDN define the value:

For the parameter LdapHost define the value:

–> Please use your environment-specific values here


STEP 2: Install Secure Login Client


Please use the wizard to install secure login client on the end user PC.

After the installation: In taskbar click on the blue icon.


The Secure Login Client Console should be displayed

Double-click on the default profile

Press the OK button

Enter username and password. Then press the OK button.

REMARK: If the user is authenticated via a Microsoft Active Directory domain user, you can also configure the product so that no additional authentication is necessary for the end user.


As a result, the X.509 user certificate (CN=SCI266, O=SAP, L=Walldorf, C=DE) will be provided.


STEP 3: Configure SNC for SAP ABAP Server

Start transaction RZ10
Import the profiles of the active servers

Select the Instance profile

Choose the option Extended maintenance and press the Change button


Change the following SNC parameters:

snc/identity/as, and verify the other SNC parameters.

Configuration details are described in the following table.

HINT 1: Values are case sensitive!
HINT 2: SNC will be enabled later!

[Table of SNC profile parameters and values not preserved]

p:CN=TDI, OU=TechEd 2011, O=SAP AG

After the configuration, save the profile configuration and activate the profile.


Restart the SAP NetWeaver Application Server.

Please logon again to the SAP NetWeaver ABAP server with your admin user.

Start transaction STRUST

Choose in menu PSE–>Import

–> here we import the server certificates 


Choose the option SNC SAPCryptolib and confirm the message box.


On the bottom of the screen, the message “data saved successfully” should be displayed and an entry for SNC SAPCryptolib should be available.

Start the transaction /nRZ10

Select the Instance profile

Choose the option “Extended maintenance” and press the Change button

Define the value 1 for the parameter snc/enable (activate SNC)

After the configuration, save the profile configuration and activate the profile


Restart the SAP NetWeaver Application Server.
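As an added example (not part of this guide and not SAP's own tooling), the following Python checker captures the two-phase order of STEP 3: it parses the SNC lines of an instance profile, verifies that snc/identity/as carries the p: prefix and matches the server certificate DN case-sensitively (HINT 1), and flags snc/enable=1 until the SNC PSE has been imported in STRUST. The profile lines are a constructed sample; snc/gssapi_library and snc/accept_insecure_* are standard SNC profile parameters that are not listed on this page, and the library path is a placeholder.

```python
# Added example (not from this guide or SAP): sanity-check the SNC
# parameters of an instance profile before activating it in RZ10.
# Phase 1 of STEP 3 sets snc/identity/as with snc/enable=0; phase 2 sets
# snc/enable=1 only after the SNC PSE was imported in STRUST.

# Constructed sample of the SNC lines of a phase-2 instance profile.
# snc/gssapi_library and snc/accept_insecure_* are standard SNC
# parameters that the guide's table would hold; the library path is a
# placeholder.
SAMPLE_PROFILE = """
# SNC parameters (constructed sample)
snc/enable = 1
snc/gssapi_library = D:\\usr\\sap\\TDI\\SYS\\exe\\uc\\NTAMD64\\sapcrypto.dll
snc/identity/as = p:CN=TDI, OU=TechEd 2011, O=SAP AG
snc/accept_insecure_gui = 1
snc/accept_insecure_rfc = 1
"""


def parse_profile(text):
    """Parse 'key = value' profile lines; comments and blanks are skipped.
    Only the first '=' separates key and value, so DNs containing '='
    (as in snc/identity/as) survive intact."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def snc_name_from_dn(dn):
    """SAPCRYPTOLIB SNC names are the X.509 subject DN prefixed with 'p:'.
    The same form is maintained for the end user in SU01 (STEP 5)."""
    return "p:" + dn


def check_snc_profile(params, server_dn, pse_imported):
    """Return a list of findings; an empty list means the profile is
    consistent with the phase it is in.  server_dn is the subject DN of
    the server certificate imported in STRUST; pse_imported says whether
    that import has already happened."""
    findings = []
    enable = params.get("snc/enable", "0")
    if enable not in ("0", "1"):
        findings.append(f"snc/enable has unexpected value {enable!r}")
    identity = params.get("snc/identity/as", "")
    if not identity:
        findings.append("snc/identity/as is missing")
    elif not identity.startswith("p:"):
        findings.append("snc/identity/as needs the 'p:' prefix for SAPCRYPTOLIB")
    elif identity != snc_name_from_dn(server_dn):
        # Exact, case-sensitive comparison: HINT 1 in the guide.
        findings.append("snc/identity/as does not match the server certificate DN "
                        "(values are case sensitive)")
    if enable == "1":
        if not params.get("snc/gssapi_library"):
            findings.append("snc/enable=1 but snc/gssapi_library is not set")
        if not pse_imported:
            findings.append("snc/enable=1 before the SNC PSE was imported in STRUST; "
                            "the instance will not start")
        for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
            if params.get(name) == "0":
                findings.append(f"{name}=0 rejects non-SNC logons; confirm the "
                                "SU01 mappings exist first or users are locked out")
    return findings


if __name__ == "__main__":
    result = check_snc_profile(parse_profile(SAMPLE_PROFILE),
                               "CN=TDI, OU=TechEd 2011, O=SAP AG", True)
    for line in result or ["profile OK"]:
        print(line)
```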

STEP 4: Enable SNC in SAP GUI Application –> on the client

Define a new system in SAP GUI and maintain the SNC information.


STEP 5: Configure SNC User Mapping in SAP User Management

Please logon to the SAP NetWeaver ABAP based system (the target system the end user wants to connect to with SSO) with admin user and password (not with the SNC entry of SAP GUI -> this is not working yet).

Start transaction SU01 and choose the user you want to enable for SSO (end user SAP GUI).

Maintain the SNC entries.


Log off.

Now you should be able to logon with SAP GUI to the SAP NetWeaver Application Server with the configured user and the newly created entry in SAP GUI (SNC entries are maintained).

Additional information

Web access is not working yet (BSP applications …) -> so you need to do some additional configuration

In addition the user mapping (External User ID) needs to be configured.

Start the transaction SM30

Enter the value VUSREXTID and press the button Maintain

Define DN for the work area


Please ensure that your SSL(https) is configured.

  • Hello Matthias, Thanks for the steps. Helps a lot with screenshots. However one thing is not clear for me and also not enough information in the guides. When we configure the SecureLoginServerLDAP login module, what is $USERID ? I mean how will the securelogin server determine this environment variable?

    We have traditional LDAP UME based java systems in our landscape and there we use only a LDAP branch path where a user is expected to exist (without $USERID) and a user to connect the ldap .


    • Hi Chandrakanth,

      $USERID is used by Secure Login Server itself. If e.g. a user is providing his user credentials in Secure Login Client or Secure Login Web Client, Secure Login Server will receive the username information. This username information can be used in the Login module for further configurations.

      In your case if SAP AS JAVA UME is configured for LDAP Server, this Login Module is not required. I would recommend to use BasicPasswordLoginModule (UME Integration).

      Best regards,


      • Hello Frane,

        Thank you for the reply. So , if i understand correctly, $USERID gets filled when the user enters his user and password in the Secure Logon Client window.

        How does this work for reauthentication/SSF scenarios? In this case also the variable is filled in a similar manner when user enters the userid?

        Actually I would like to take this opportunity to put forth our current problem. We were able to configure X509 based SSO (we are using our own PKI provided certificates and not using SLS to generate them). This works fine and we are happy. But when it comes to reauthentication, we are stuck. We were suggested by SAP that for reauthentication, only option is to use SLS together with SSF. This is a big setback for us because we are currently not using SSF in our abap programs (we are using simple abap classes for the digital signatures). Configuring SLS and changing our code to use SSF is a lot of effort and cost. We were wondering if we could just change our code (use the same class) but use LDAP connectors (transaction LDAP) to make our code authenticate against LDAP. What is your opinion on this?

        • Hi Chandrakanth,

          Yes if the user will enter his username in Secure Login Client (e.g. Secure login Client profile is configured for LDAP Authentication), the variable $USERID represents the username, which will be used in Login Module SecureLoginModuleLDAP (used in parameter LdapBaseDN).

          If this Secure Login Client profile will be used for the SSF scenario, the authentication process is the same.

          My answer to your second question is:

          From my point of view, if you have an X.509 user certificate available (own PKI) and you are using Secure Login Client (SAP NW SSO License) this should be possible.

          Did you check/test this? Did you read the HowTo (Chapter 4.5 Digital Signatures (SSF)) in Secure Login client Administration manual (

          I don’t know the details of your environment/project, but in general this should be possible.

          Good luck and best regards,


          • Hello Frane,

            Thanks for the clarification. Ok the LDAP and $USERID part is now clear. However the reauthentication part is still hazy for me.

            We have our own pki and hence our own user frontend certificates. We were able to use these to do SSO into sapgui (making use of secure login client of course). So we did not need SLS so far.

            Now there are many SAP transactions where a user is required to enter his user/pwd again. This is implemented in our system using the abap class cl_ds_runtime documented by Dr Uwe Dittes from SAP. This is a very popularly used digital signature implementation within SAP.

            The class cl_ds_runtime provides for an option called “User signature with External security product”. So far we have been using the option “System signature with SAP user /pwd”. So how do I integrate this implementation with SAP NW SSO?

            Also, we would like to avoid the usage of SLS wherever possible. The reason is SLS requires integration with our existing pki and with our current volume of digital signatures, we can put a heavy load on our pki infrastructure coming from the short lived certificates. I know SLS can be used with its own pki, but with reasons based on compliance we cannot use this approach.

            Also the SSF documentation says, that to setup SSF on frontend and server, you need to follow the external security product documentation. I could find that with secure login client installation, ssf_library_path is taking the library from this path. But there is no mention of SSF parameters in the SLL guides. There is only something about SNC. Do we need to change our server parameters like ssf/ssfapi_lib and ssf/name etc?



          • Hi Chandrakanth,

            please give me feedback on what is missing in the documentation Installation, Configuration and Administration Guide SAP NetWeaver Single Sign-On SP4 – Secure Login Client in chapter 4.5 page 45 (sub title is SSF User Configuration).

            Because you mention SLL (which sounds to me like Secure Login Library).

            There are 3 manuals available (Secure Login Client, Secure Login Server and Secure Login Library).

            Another option i want to suggest is to create a support ticket and provide detailed configuration description you made, about your test environment and add screenshots?



  • Hello Matthias

    We have the following scenario:

    Windows Domain “A” contains:

    MS Active Directory (just to manage SAP Servers)

    SAP ABAP Servers

    SAP Java Servers

    NO Secure Login Clients

    Windows Domain “B” contains:

    MS Active Directory (managing users and computers / servers etc)

    SAP Java Secure Login Server

    SAP ABAP Servers

    SAP Java Servers

    Secure Login Clients

    Secure Login Clients need to single sign on to SAP systems in both Windows Domain “A” and “B”

    We are following the Best Practice X.509 based solution guide and so far have Secure Login Clients being able to single sign-on to SAP Servers in Domain “B” – this is working fine.

    For the Secure Login Clients to be able to single sign-on to the SAP systems in Domain “A” can you clarify what extra steps need to be performed?

    Thanks very much in advance.


      • Hi Matthias

        I wonder if you could help with an urgent query please.

        I have followed the Best Practice Secure Login X.509-Based Solution guide and everything is installed.

        However we now find that unless we have our users in the UME of the Java engine of the Secure Login Server the Secure Login Client states “You are not logged in” ?

        The guide does not mention this and neither does the Secure Login Server guide?

        Can you clarify please?

        Thanks very much

        • Hi Mark,

          I just talked with our development guys on your questions. There can be different problems and it is difficult to provide now a solution.

          Perhaps SLS is configured to use first the login module for the UME and then the Kerberos ticket. This could be one option. So the development team asked, if you could open a customer ticket on BC-IAM-SL. I know this takes a little bit longer than SCN but it is very difficult to find the issue.

          Best Regards


          • Hi Matthias

            Thank you for your prompt reply.

            In SLS the Instance Configuration is set to SPNegoLoginModule.

            In NWA I have only configured the SPNEGO Kerberos Realm by setting the User Mapping to Mapping Mode: Principal Only and Source: Login ID

            In NWA I have not changed anything in the section “Authentication and Single Sign-On” where the Components, Logon Modules and Properties are held.

            Do I need to change the Policy Configuration / Authentication Stack ? – I have not done anything here and cannot find anything in the guide that states I need to.

            If you can advise on the above…or let me know if I need still to open a ticket then that would be great.

            Thanks again


          • Hi

            I’ve just checked the video. So the NWA section needs configuring even though no user will be logging into the Java stack that the SLS is running on?

            So what I mean is…our SLS is running on a Java stack, but no “end users” will ever logon to this server….but you are saying we still need to configure the “Authentication and Single Sign-On” section here on this Java stack that the SLS is running on?

            Thanks again in advance.


          • Hi Mark,

            it is necessary that the user will be authenticated in SLS (AS JAVA), before receiving an X.509 certificate.

            In your requirement the Microsoft user in Domain B forwards a Kerberos token to SLS (via SLC). SLS verifies this Kerberos token using the SPNEGO Login Module.

            Therefore a keyTab configuration is required (–> use SPNEGO wizard in AS JAVA).

            For the keyTab a Microsoft Service Account is required (in your example required in Domain B).

            Please use the Security Troubleshooting Wizard in AS JAVA (NWA) to analyze the problem.

            If the Kerberos token authentication is valid, another issue could be that the user cannot be found in UME. Maybe the UME configuration against MS ADS (Domain B), or the attribute used in the SPNEGO wizard is not the correct one?

            HINT: Another option is to use the Virtual User Option (in SPNEGO Wizard). This means after the kerberos token is verified, no user mapping check in UME will be performed. This feature is available since 7.20/SP7, 7.30/SP7 and 7.31/SP3

            The authentication workflow is also described in Video 3 at round about 6:30 min.  (

            If you cannot find the error, please create a support ticket and provide the log/trace (Security Troubleshooting Wizard) and some screenshots or description about your configuration (Instance Configuration in SLS, SPNEGO Configuration, MS ADS Configuration for the Service User (SPN), etc…).

            I hope this helps,


          • Hi Frane

            Thank you for your reply.

            I have now configured the UME on the Java stack that the Secure Login Server runs on so that its UME is now using the Data Source: Microsoft ADS Read-Only (Deep Hierarchy) + Database.

            This now means that SPNego is searching through the UME to find the users…which it finds in our ADS.

            The above configuration is not very well detailed in the documentation? I wonder if it is because the Virtual User option was expected to be used? This requires the install of the 7.31 SP3 that you have mentioned which we have not yet installed.

            Can you confirm if the above configuration for the UME is correct please?

            Thanks again


  • Hello Matthias,

    thanks for the great blog.

    Is there a way to change/reset the Admin password? We got stuck during the installation  a while ago and we cannot access it anymore since the password was lost.



  • Matthias:

    This is a great guideline/tutorial. It is very much appreciated.

    A question in general is – what can be an anticipated timeline for implementing NW SSO w/Secure Login.  I know this is a very generic question but if you or your contributors have any reasonable SWAG as to a timeline for this, I’d appreciate it.  I’m not expecting miracles.   From preparing a system to downloading the necessary software for the NW server  all other necessary downloads, a best guesstimate would be good.  I’m presuming 1 week to provide a reasonable sound system.  What do you or your readers think?  One doesn’t have to give an answer based on  Superman or Spiderman (or other super hero) skills.



    • Hi David,

      the first time I set this up, it took me 2 days (including SAP NW Java setup, SAP NW ABAP test system but without OS setup and any service pack installations). But you cannot take this number as a reference.

      Did you see already the videos we created for the community? So I think, that is a big help and you should watch them.

      So I would guess that if I would ask SAP Consulting to implement a standard scenario (SLS on an existing SAP NW Java stack, configuration, Kerberos integration, configuration of 1 client and 1 server, without the analysis of the customer requirements), that they will not need a complete week.

      So I think that 1 week for a setup in a small customer environment is realistic for a standard scenario for a consultant with good SAP basis knowledge. But you know, if you have not the right permissions in the system landscape, it can take a long time to get the right permission.

      If you have not an existing SAP NW Java stack you need to add some extra time. So the installation is really easy (my opinion) but I think the patching takes some time. Of course you do not need to patch the system to run secure login server but from a security perspective you should of course patch your system.

      But you need to calculate extra time if you have a large landscape:

      – client deployment (via SMS, ….)

      – configuration of all systems

      – any special configuration (2-factor authentication, special user mapping ….)

      – HA requirements



  • Matthias – Thank you for providing this information. It is very helpful! At the end of the information you mentioned that “Web access is not working yet (BSP applications…)”. Has this issue been resolved yet? I think this solution is what we need, but I want it to work for web-based applications in addition to SAPGui.

    Thanks again!

    Blair Towe

    • Hi Towe,

      this is a misunderstanding.

      “Web access is not working yet (BSP applications…)” -> because you have to do the configuration which is following below the text in my blog.

      So of course this solution is working for BSP, MVC, Web Dynpro, SAP HTML GUI, …..



  • Hi Matthias,

    Thanks for your wonderful post.

    I have few queries regarding SSO configuration in below landscape:

    — We have SAP Servers installed on AIX and our LDAP running on Windows 2008. We wanted to configure SSO with our ABAP and Java Stack. Do we need some third party integration tool for configuring SSO for SAPGUI?

    — If yes, then do we have any method where we can use SAP defined way to authenticate users instead of going for 3rd party tool.

    I am completely new to SAP Security Configuration and need your help in understanding this as we are planning to implement SSO.


    Sharib Tasneem

  • Has anyone performed an upgrade from Secude to NW SSO? We already have most of these steps in place and authenticate via an x.509 Secude cert. We are looking for a ‘how to’ on moving from our existing setup to NW SSO without reinventing the wheel.



  • Hello Matthias,

    Could you provide me some details as how I can configure NW Single Sign On with existing PKI (Microsoft Certificate Services) without installing secure login server? Do I need to make some settings/changes in existing PKI for this?

    Thanks and Regards,


    • They improved the documentation related to these issues in SAP NW SSO 2.0. Please check this link

      –> Workflow with X.509 Certificate without Secure Login Server

      So you have to install secure login client, create a SAP GUI entry with the right certificate information, configure the root certificate in the system, install secure login library and user mapping. So it is nearly all the same except there is no secure login server and the secure login client does not trigger secure login server. Instead it gets the certificate out of the certificate store.

      It is important that your PKI (or other tool) delivers the certificate direct into the Microsoft Certificate Store on the client.



  • Hello Matthias

    Thanks for the descriptive steps. I have followed this procedure for configuring SSO in our environment. Now my secure login client is able to receive user certificate from single sign on server. With this I am able to login to a SAP ABAP system using SAPGUI. But webgui and enterprise login does not work.

    When checked,  user certificate is not available in windows certificate store or in the internet explorer personal certificates. I am able to see this certificate in secure login client console though. I am using secure login client 1.0 SP4 PL02

    I have imported root certificate to the root security store and i am able to see that.

    Could you please help me to understand where the problem could be



      • Hi Frane

        Thanks for the update. I have done the user mapping configuration both in SU01 and EXTID_DN. Problem here is the certificate is not even getting updated to the windows certificate store in the first place.

        I have also installed “crypto and certificate store providers” component in secure login client installation



        • Hi Prasanna,

          please check the installed options in Secure Login Client.

          Check the option Secure Login Client Components –> Crypto & Certificate Store Providers

          Best regards,


          • Hi

            Below is the solution provided by SAP and it works

            If it happens only on one (or few PCs) you may try to manually repair

            it by calling (from an elevated/run as administrator) commandline:

            regsvr32 "C:\Program Files\SAP\FrontEnd\SecureLogin\lib\sbussto.dll"



  • Hello Matthias,

    Could you please elaborate this step:

    Choose the option: Import an Existing Key Store File and define the password.

    Important: if you don’t have existing root CA you can also use secure login server to generate them.”

    It is not really clear to me. More specifically: suppose I have an ABAP AS where I have already run STRUST to generate my certificates, signed by my CA; for example, to configure stack trust with a Java system.

    What am I supposed to do with my already existing pse? Shall I supply this one in the dialog I quoted?

    And what if I don’t have it, but I do have my own CA able to sign certificates?



    • Hi Marco,

      this example is for companies who have already a root CA and would like to use it. This is the case for many especially large companies.

      Of course you can also generate the root CA certificate with Secure Login Server. In this case the steps are exactly the same. You have to configure the trust relationship in strust. So for encryption it is important that the trust for the server certificate is available, for SSO the trust of the user certificates which are generated by SLS, delivered to the client PC and has to be trusted by the SAP System (strust).

      If you check the docu and the following picture:

      You can create the CA in your 3rd party PKI or in Secure Login Server (SLS) and you have to maintain the strust accordingly.



      • Hi Matthias,

        Thank you for your reply. Yes, I understood that the original example was for a company that already has its CA, and of course if you use the SLS to generate your root CA certificate you have to make it trusted in STRUST transaction.

        What confuses me most is the fact that in the example, right after the sentence I quoted there’s a picture where you import a .pse file, while I expect CA certificates to be in .DER format.

        That’s why I was wondering. Suppose I have an ABAP system and a Company CA (whose certificates are of course in ABAP pse). This should be the case of your example. Are you saying I can use the ABAP pse file to import CA certificates?

        • You can only import files with the file extensions pse or p12 in Secure Login Server for the User CA.

          suppose I have an ABAP AS where I have already run STRUST to generate my certificates, signed by my CA

          About which CA are you talking? SAP CA or User CA?



  • Hi there, I’m trying to install Secure login server 2.0(SLSERVER00_0.SCA) on our ABAP application server. Tried to perform telnet localhost 500008 on command prompt and encounter “could not open connection to the host on port 50008”. Please advise. Thanks.

  • Hi,

    we are trying to implement SSO for SAP via Novell edirectory

    I would like to know if anyone have solved this problem and how it was resolved?

    Any suggestion on how to implement this would be appreciated.


  • Hi All,

    We are in the process to implement the SAP NW Single Sign-On 2.0 SP05 for our SAP and non-sap systems

    But we have some queries :

    1. How to implement the SSO for Java portal ( SAP NW 7.0 EHP 1 ) with AD authentication and using IDP?( FYI already Java portal UME data source is ABAP system and user ID of Java portal and AD are not same)
    2. How Sales force SSO can be added in same AD authentication NW SSO using SAML ?
    3. Is it possible to activate the AD password reset capability through SAP NW SSO 2.0?
    • Could you please guide and provide me any step wise procedure documents other than SAP hep link on all above points  ?

    Thank you !



  • Gooday Mathias,

    Do we have to follow the entire process of creating PSE in case we have multiple application Servers. In my scenario I have 1 ci and 3 additional App servers, one on the local host and 1 on the DB host, what should be my approach.