Skip to Content


SAP Single Sign-On offers support for X.509 certificates. X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients, including many legacy systems. You can set up your own dedicated public-key infrastructure (PKI) to issue X.509 certificates, or have the Secure Login Server software, a component of SAP Single Sign-On, issue short-lived certificates. With the Secure Login Server software, you do not need to set up a full-blown PKI with its inherent administrative processes, such as certificate revocation lists, but you can still benefit from the same level of security. Enabling this kind of scenario means that users can sign on once to gain access not only to their SAP business applications but also to many of their non-SAP applications.

Implementing Single Sign-On with X.509 Certificates and Secure Login Server

In the following video series, you will learn how you can use X.509 certificates issued by the Secure Login Server component to provide single sign-on functionality as well as secure communication for SAP GUI/browser applications and SAP NetWeaver Application Server ABAP. The videos will describe the necessary configuration step-by-step.


Part 1: Overview / Initialization (8:03 min)

Part 2: SNC Configuration (5:12 min)

Part 3: Enrollment of User Certificate (4:53 min)

Part 4: Single Sign-On via SNC (2:00 min)

Part 5: Single Sign-On via SSL (6:29 min)

Related Blogs

Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server

Configuring SAML 2.0 Authentication for your Secure Login Server

SAP Single Sign-On: Authenticate with Kerberos/SPNEGO

More Information

For more information about SAP Single Sign-On, visit our community here:


To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Andreas Zigann

    Hello Martina,

    thank you very much for this Blog. It is really easy to follow. I have configured our landscape in the way you presented, but with SPNEGO Authentication to SLS and SPNEGO-Credentials in SNC of the users. The SSO with SAP Gui works fine, but WebGui does not work. Can you give me an advice what could be wrong?

    It would be fine if you could provide us with a Blog configuring AS Java this way, too.

    Best Regards

    1. Martina Kirschenmann Post author

      Hello Andreas,

      thank you. I am not sure I understand your scenario completely. In case you would like to reuse Kerberos tokens for issuing X.509 certificates through Secure Login Server, please refer to the step-by-step guide here: Reusing Kerberos Token for Issuing X.509 Client Certificates with Secure Login Server.

      In case you don’t want to use short-lived certificates issued by Secure Login Server for single sign-on at all, but Kerberos/SPNEGO instead, please have a look at our implementation videos here: SAP Single Sign-On: Authenticate with Kerberos/SPNEGO.

      Hope this helps. If you still run into problems, please open a customer ticket.



  2. Lignag Zhang

    Hi Martina,

    Your blogs are very helpful. In your blog, you mentioned “X.509 certificates are highly interoperable, supporting both SAP and 3rd party web applications and clients,” but I could not find information on how to support 3rd party or non-SAP application. Could you elaborate that a little bit?


    1. Martina Kirschenmann Post author

      Hello Lignag,

      digital certificates that comply with the X.509 public key infrastructure (PKI) standard are supported by many business software products available today. Users can sign on once to gain access not only to their SAP software but also to many of their non-SAP applications (as long as the latter support X.509 certificates, of course). The configuration steps required to enable certificate-based authentication in these non-SAP applications are specific for the respective third-party application used.

      For a good overview about how SAP Single Sign-On implements X.509-based authentication, I recommend reading the SAP Insider article Secure Single Sign-On Across SAP Landscapes.

      We have also just updated our SAP Single Sign-On product overview presentation, which includes detailed information about our support for X.509 certificates.



  3. Gabriel Bertrand

    Dear Martina, does this require that the users in ABAP exist in Java UME ..or the Secure Login Server only just issue x509 certificate and ABAP user does not have to be in Java UME..

    Is there any license restriction on how many system/users can be setup for SSO using this Secured Login server/client. 

    Does this setup work in Citrix environment. ie secure login client is installed in Citrix and it connects to Secure Login Server to get certificate when users login to Citrix to SSO to SAP using SAPGUI..



    1. Martina Kirschenmann Post author

      Hello Gabriel,

      in the demo videos above we are using the Java UME as login module for authentication of end-users. This is just an example. For an overview of other login modules supported by SAP Single Sign-On, please see the documentation here:

      For specific licensing information, please contact your SAP Account Executive.

      Secure Login Client with Secure Login Server profile is compatible with Citrix. Please see the Product Availability Matrix (PAM) for supported versions:

      However, Local Security Hub is not supported. Please see SAP Note 2338174 for details: (section Secure Login Client, Note).



  4. Sascha Skgisasy

    Hello Martina,

    thank you much for Information. I am planning SSO our System Landscape, we have BI AS ABAP on HANA, AS JAVA (new installed), BO (new installed), SAP-BI/BO Tools (BEx, Lumira etc.). we dont have any non-sap application. Could you please advice me, which SSO-Solution i need? x.509 or Kerberos? Should i  install for all Clients  “Sap Secure login Client Tool” for SSO ? can i also use without Secure Login Client tools to SSO?

    Thanks for you answer.




Leave a Reply