Former Member

Single Sign-On versus Password Synchronization solutions. How do you know which one is right for you?


This blog co-authored with Benjamin GOURDON is based on several customers’ experiences.

The purpose of this blog is to give a quick comparison of Single Sign-On and Password Synchronization solutions, with an overview of the pros and cons of each. Both are designed to greatly reduce the number of support calls and to improve user comfort, and both provide an ROI of less than 3 months, as proven by many customer implementations.

Single Sign-On: SAP NetWeaver Single Sign-On

SAP NetWeaver Single Sign-On enables users to access all their applications through a single authentication event. From an end-user perspective, there is no longer a need to provide credentials when connecting to each application.

The overall solution is subdivided into 3 sub-solutions:

  • Secure Login, which enables SSO to SAP systems using SAP GUI and to other web applications in the same domain. It is based on Kerberos tickets or X.509 certificates.
  • Identity Provider, which enables SSO to any web application or web service through identity federation. It is based on SAML 2.0.
  • Password Manager, which enables SSO to applications that do not support any standard protocol and require login/password information (previously recorded locally).

Depending on the system landscape, 3 different implementation scenarios are suitable and will determine the identification protocol: 

  • Homogeneous landscape: Only SAP applications in the same domain
  • Heterogeneous landscape: SAP and non-SAP applications in the same domain
  • Heterogeneous landscape and inter-domain (« On cloud » applications)

Password synchronization: SAP NetWeaver Identity Management

SAP NetWeaver Identity Management lets you synchronize passwords throughout your IT landscape so that a user can access any application with the same password. Each password change in SAP IDM or in Microsoft Active Directory is automatically replicated to all other integrated or supported systems as a productive password (optional). To secure this solution, the provisioned password must be transmitted over encrypted channels (SNC for SAP ABAP systems, or SSL for web applications, including SAP Java systems or directories).

From an end-user perspective, this means using the same password for every application where you want to log on.

For additional information about this solution, I strongly recommend that you read this blog written by Jérémy Baars:

Determine the solution which would balance cost, security, user comfort, adaptability according to your criteria.

The table below intends to compare the Password Synchronization and Single Sign-On by analyzing their respective strengths and


So let’s consider several criteria to choose the most appropriate solution:

User Friendliness

As you can see above, SAP NetWeaver Single Sign-On offers a better end-user experience, as this solution reduces the number of times a user must type an ID and password to access an application. This also helps raise user productivity.

Evolution perspectives

SAP Identity Management lets you optimize the user lifecycle and simplify user management. It is replacing SAP Central User Administration (CUA), which will not be further developed by SAP. As such, the password synchronization method could be an interesting choice if you plan to implement an Identity & Access Management solution in the near future.


If security is an important criterion for your choice, implementing SAP NetWeaver Single Sign-On will guarantee strong authentication by blocking traditional access on each application concerned.


From a financial point of view, there is not much difference in implementation costs. The choice should be guided more by the policy and strategy of the enterprise.

      1 Comment

      Wolfgang Janzen

      Kindly notice that the password synchronization only works in one direction: from the Identity Management system to the backend systems - but not the other way.

      In particular, it is not prevented that the user is changing his password in the backend system, either deliberately or because the system requests him (to change the password in certain intervals). In that case the password will only be changed locally; other systems (including the Identity Management system) will not even be notified upon that event.

      This adds another point (advantage) to the Single Sign-On sheet.
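The one-way limitation raised in the comment above can be monitored for by comparing, per account and system, the time of the last password push from the identity management system with the last password change the backend itself reports. The following is an added example, not code from the original post or from SAP; the record layout, system names, timestamps and tolerance are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real system).
# Last time the identity management system pushed a password to each backend.
IDM_PUSHES = {
    ("jdoe", "ERP"): "2024-03-01T08:00:00",
    ("jdoe", "CRM"): "2024-03-01T08:00:05",
    ("asmith", "ERP"): "2024-02-10T09:30:00",
}
# Last password change each backend reports for the account (hypothetical export).
BACKEND_CHANGES = {
    ("jdoe", "ERP"): "2024-03-01T08:00:02",    # matches the push
    ("jdoe", "CRM"): "2024-03-20T14:12:00",    # changed locally afterwards
    ("asmith", "ERP"): "2024-02-10T09:30:01",
    ("asmith", "CRM"): "2024-01-05T11:00:00",  # never provisioned centrally
}

def find_drift(idm_pushes, backend_changes, tolerance=timedelta(minutes=5)):
    """Return sorted (user, system, reason) tuples for accounts whose backend
    password is not the one the identity management system last provisioned."""
    findings = []
    for key, changed_raw in backend_changes.items():
        changed = datetime.fromisoformat(changed_raw)
        pushed_raw = idm_pushes.get(key)
        if pushed_raw is None:
            # Account exists in the backend but was never synchronized.
            findings.append((*key, "unmanaged"))
            continue
        pushed = datetime.fromisoformat(pushed_raw)
        if changed - pushed > tolerance:
            # Backend password is newer than the last push: changed locally.
            findings.append((*key, "local-change"))
        elif pushed - changed > tolerance:
            # Push is newer than the backend's last change: replication failed.
            findings.append((*key, "push-not-applied"))
    return sorted(findings)

if __name__ == "__main__":
    for user, system, reason in find_drift(IDM_PUSHES, BACKEND_CHANGES):
        print(f"{user}@{system}: {reason}")
```

The tolerance absorbs replication delay and clock skew between systems; accounts flagged as `local-change` are the ones where the synchronized password no longer applies.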