Skip to Content
Author's profile photo Torben Ehret

What you always wanted to know about SAP ID Service but never dared to ask…

Question: Why is SAP ID Service so slow and shows this boring screen? Don’t you care about the performance?


Management Summary: Do you really think we develop such a slow authentication service? That’s a pity! Obviously not! When you see this screen the authentication is done and we wait for the SP to take over.

Nerd Summary: In SAP ID Service (or with it’s new product name SAP Cloud Identity) we make use of SAML 2.0 specification with the Web Browser SSO profile for single sign-on for user authentication.

Basically, the Identity Provider (IDP, e.g. SAP ID Service) and the Service Provider (SP, e.g. SAP HANA Cloud Platform) exchange SAML protocol messages through the users’ browser. The SP sends an SAML authentication request message to the IDP, asking to authenticate the user. The IDP typically asks the user for a username and password (any other method of authentication – like certificates). After username and password verification the IDP sends back a SAML authentication response stating that the user has just logged in successful at the IDP, with some proof that the message was indeed sent by the IDP.

So, lets have a closer look at the request flow.

You can visualize the requests in the different browsers with either the integrated developer tools (e.g. Internet Explorer 10 or Chrome) or in Firefox with the Firebug add-on. Other tools work as well, like HTTPwatch or Charles Proxy.

  1. Open the developer tool and start the capture of the network traffic (for Chrome users: check the “preserver log on navigation” box).
  2. Navigate to or event better (That is just a workaround to use the “normal” SAML login and not the auto-login process)
  3. Enter your SAP ID Service/SCN username and password.
  4. With a successful authentication the overlay disappear and the main page is shown
  5. Stop the capture of the network traffic.

As a next step, we analyze the requests. There are two requests where SAP ID Service is involved.

The first request is a GET request to Here the SP ( sends the authentication request to the IDP (strongly abbreviated):…8Rf

Looking at the timeline for the duration: 311ms. Not bad but also not good. In Firefox/Firebug you can hover over the request in the timeline and some more details show up:


There are 132ms listed as “Blocking”.  What does it mean? While I clicked too fast on the „Log on“ link (I was using the entry point) and some JavaScript was still loading. Since several versions all browsers have a limit of concurrent requests to a host. But that limit can be configured manually.

So, without the blocking time the request took 179ms to complete – which isn’t that bad.

The 2nd request – the POST request – is the more interesting one.

POST Parameters:

SAMLRequest: fVLL…8Rf

j_password: MySecureP@ssw0rd

j_username: MyUserName

With that request username and password is verified by the IDP for that SP and as response the verification about the successful authentication combined with additional attributes is sent back to the SP. All this information has been signed, so the SP can check whether the message has not been tampered along the way.

Looking again at the response times in the timeline:


The sum of the Waiting and Receiving time form about 345ms, which sounds ok.

Where does the screen “You are being logged on” come from, which causes anger?


This screen is the response from the above POST request that is shown as long as the SP is generating its page and sending it to the browser. The page is regenerated when the SP has sent enough page content for the browser to start rendering the page.


So you can see that by the time this message appears, SAP ID Service has already completely finished its side of things and you are now in fact waiting for the SP to process the SSO response. Maybe there is a better way we could communicate this? Please let us know in the comments below.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Bjoern Goerke
      Bjoern Goerke

      How about the text "You have been successfully authenticated by the SAP Identity Service. Your request has now been forwarded to the target system for processing..."?

      Author's profile photo Torben Ehret
      Torben Ehret
      Blog Post Author

      Thanks for the input Bjoern Goerke. I forwarded it to your Product Owner.

      Author's profile photo Chris Paine
      Chris Paine

      I do love that the text changed almost next day and has stayed with Bjoern's text ever since.

      Author's profile photo Corneliu Mitu
      Corneliu Mitu

      Thank you for the insight Torben. Looking for the second part, covering the HANA Cloud Platform interaction, as it was referenced here. And, why not, one or the other applications running on top of it. That may answer the question why we, sometimes, really need to see these messages at all.

      Author's profile photo Torben Ehret
      Torben Ehret
      Blog Post Author

      The flow doesn't change if you replace the initial URL by one of your HANA Cloud Platform applications. You should check the source of the "You are being logged on" screen: there is a hidden form which is submitted automatically to the configured SP with some POST parameters. These POST parameters contains all the configured attributes for your SP.

      As already said: SAP Cloud Identity / SAP ID Service has implemented the SAML Web profile. The complete communication has to go through the users browser.

      How long you see this screen, depends on how long your app requires to send enough data to the browser to trigger the start render event.

      In some cases we have seen several redirect on SP side before the final page was loaded.

      Author's profile photo Dennis Howlett
      Dennis Howlett

      All of this is fine and dandy...when it works. Just reset my password and BOOM! Error message appears. Change browser and all is OK. Cache anyone? Or should that read 'catch?' 🙂

      Author's profile photo Oliver Jung
      Oliver Jung


      is it possible to use the SAP Identity Service as an Authentication provider for Microsoft Dot Net applications, e.g. ASP .NET Web Applications?

      Author's profile photo Pranjal Chugh
      Pranjal Chugh

      Hi ,

      How can we create our own login.jspa just like scn guys have ?