Skip to Content
Technical Articles

SAP Single Sign-On: Protect Your SAP Landscape with X.509 Certificates


SAP Single Sign-On offers support for X.509 certificates. X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients, including many legacy systems. You can set up your own dedicated public-key infrastructure (PKI) to issue X.509 certificates, or have the Secure Login Server software, a component of SAP Single Sign-On, issue short-lived certificates. With the Secure Login Server software, you do not need to set up a full-blown PKI with its inherent administrative processes, such as certificate revocation lists, but you can still benefit from the same level of security. Enabling this kind of scenario means that users can sign on once to gain access not only to their SAP business applications but also to many of their non-SAP applications.

Implementing Single Sign-On with X.509 Certificates and Secure Login Server

In the following video series, you will learn how you can use X.509 certificates issued by the Secure Login Server component to provide single sign-on functionality as well as secure communication for SAP GUI/browser applications and SAP NetWeaver Application Server ABAP. The videos will describe the necessary configuration step-by-step.


Part 1: Overview / Initialization (8:03 min)

Part 2: SNC Configuration (5:12 min)

Part 3: Enrollment of User Certificate (4:53 min)

Part 4: Single Sign-On via SNC (2:00 min)

Part 5: Single Sign-On via SSL (6:29 min)

Related Blogs

Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server

Configuring SAML 2.0 Authentication for your Secure Login Server

SAP Single Sign-On: Authenticate with Kerberos/SPNEGO

More Information

For more information about SAP Single Sign-On, visit our community here:


You must be Logged on to comment or reply to a post.
  • Hello Martina,

    thank you very much for this Blog. It is really easy to follow. I have configured our landscape in the way you presented, but with SPNEGO Authentication to SLS and SPNEGO-Credentials in SNC of the users. The SSO with SAP Gui works fine, but WebGui does not work. Can you give me an advice what could be wrong?

    It would be fine if you could provide us with a Blog configuring AS Java this way, too.

    Best Regards

  • Hi Martina,

    Your blogs are very helpful. In your blog, you mentioned "X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients," but I could not find information on how to support 3rd party or non-SAP application. Could you elaborate that a little bit?


    • Hello Lignag,

      digital certificates that comply with the X.509 public key infrastructure (PKI) standard are supported by many business software products available today. Users can sign on once to gain access not only to their SAP software but also to many of their non-SAP applications (as long as the latter support X.509 certificates, of course). The configuration steps required to enable certificate-based authentication in these non-SAP applications are specific for the respective third-party application used.

      For a good overview about how SAP Single Sign-On implements X.509-based authentication, I recommend reading the SAP Insider article Secure Single Sign-On Across SAP Landscapes.

      We have also just updated our SAP Single Sign-On product overview presentation, which includes detailed information about our support for X.509 certificates.



  • Dear Martina, does this require that the users in ABAP exist in Java UME ..or the Secure Login Server only just issue x509 certificate and ABAP user does not have to be in Java UME..

    Is there any license restriction on how many system/users can be setup for SSO using this Secured Login server/client. 

    Does this setup work in Citrix environment. ie secure login client is installed in Citrix and it connects to Secure Login Server to get certificate when users login to Citrix to SSO to SAP using SAPGUI..



  • Hello Martina,

    thank you much for Information. I am planning SSO our System Landscape, we have BI AS ABAP on HANA, AS JAVA (new installed), BO (new installed), SAP-BI/BO Tools (BEx, Lumira etc.). we dont have any non-sap application. Could you please advice me, which SSO-Solution i need? x.509 or Kerberos? Should i  install for all Clients  “Sap Secure login Client Tool” for SSO ? can i also use without Secure Login Client tools to SSO?

    Thanks for you answer.



    • Hello Sascha,

      SAP Single Sign-On supports Kerberos, X.509 certificates and SAML authentication technologies. Depending on what your backend systems support you can uses either technology.

      The Secure Login Client is responsible for the certificate-based and Kerberos-based authentication to the SAP application server when Windows-based SAP clients are used (such as SAP GUI).

      The Secure Login Client is also always necessary when the Secure Login Server is in use as a light-weight PKI (issuing X.509 certificates). When X.509 certificates are used for web scenarios, it is also possible to use the Secure Login Web Client instead of the Secure Login Client.

      SPNEGO does not require a client (no Secure Login Client needed).



  • Hello,
    Nice and detailed article. Thank you for sharing it.
    We have successfully setup SSO 3.0 with x.509 certs and working fine with abap system.
    Please let us know the procedure if we have multiple client in abap system and how to achieve it using x.509 certs

    • Hello Subir,

      multiple clients are supported. When logging on to SAP GUI, in the dialog the user must select the respective client he wants to log on to.



      • Hello Martina,

        Thank you for the update and clarification.

        Do we need to perform any specific configuration to get the SSO working for multiple clients with GUI. Because, though we have maintained the user mapping in SU01 for all clients. it is not working for all the other clients except the default login client.(for default login client SSO works fine)

        we are not getting the screen to make the selection to choose the desired login client with SSO.But instead it gets logged in automatically to default client.

        Next topic, we are also looking to configure SSL for the same ABAP system and get the SSO working for webgui. Issue is while we test the url for webgui or ping as per your 5th video, we are presented with the client certificate but the system still again requests for user id and password. icm/verify_client is set to 1.SSL certificates have been signed by SLS3.0 server and the Root certficates from it have been imported in browser as well.

        Not able to figure out what exactly is going wrong.

        Please suggest.

        Thanks & Regards




  • Hello Martina,


    We are bale to achieve SSO with GUI for ABAP system with multiple clients.

    Now as we proceed and follow the video 5, for setting up SSO for https access for the same abap system, we are not able to.

    We have followed steps like,

    1.SSL certficate CSR creation in ABAP system

    2.Signing the CSR from SSO3.0 .

    3.Installing the certficate response in the ABAP system and adding the certs to certficate list.

    4.Mapping the UID's in VUSREXTID table.

    5 Setup if icm/https/verify_client =1

    6.installed the ssl certs in the browser trusted store as well

    The webgui or ping url presents the certficate prompt  but still SSO not working and asking for password.


    Thanks for your time & suggestions

    Thanks & Regards


    Did i miss any steps here. Please suggest.


  • Hi Martina,
    We currently have PKI infrastructure and X.509 in our landscape. We want to configure SSO for fiori using X.509 certificates. In your video series which parts are more appropriate for us?
    Or do you have any other blog or sap documentation which can point me to. Please share any inputs you have for me. I truly appreciate any help from your side.


  • Dear Martina,

    Very nice detailed info..but i didnt find any info for configuring Java/Eportal SSO with windows AD credetials using SecureLoginServer 3.0?

    Please help.



      • Dear Martina,


        Thanks for the reply...the blog which you referred, i have already checked.

        I am trying to perform with x.509 certificate and the blog says about Kerbos..... also in my case the windows userid & the portal userid are different. So looking for a blog or step by step document which can help me.

        Please advice.


        • Hi Abhijit,

          client authentication via X.509 certificates to Application Server Java is described in the SAP NetWeaver manuals. You can find the documentation here:

          The customer can decide how to issue the X.509 certificates for the users. You can use the Secure Login Server of the SAP Single Sign-On product or your own existing PKI system.

          Best regards,


        • Hi Martina/Abhijit,

          Have you configured SSO for JAVA system with X.509 certificate ?

          We are looking for JAVA part.


          We have configured following -

          1. Deploy SSO sca into NW JAVA stack - COMPLETED and WORKING
          2. Configure SSO for pure ABAP stack - COMPLETED and WORKING
          3. Configure SSO for pure JAVA stack (EP) - It is picking up certificate from Secure login client. However prompting for username/password ?

          It would be helpful if you provide your inputs here.



          Kundan Gandhi

  • Dear Martina,

    This is a very helpful document and we configured it all according to this and works fine. Is there any way, can we use LDAP as the user master data and authentication from AD directly from Secure login Server. Currently, it authenticates users from the Secure login Server which is JAVA and works fine. We would like to use the user master data as Active Directory. Is this possible?

  • Dear Martina,

    Thanks, we have Secure login client with server for SAP GUI and SNC.

    Do we have similar document for SAP BO 4.2 ?

    Thanks & Regards,