SAP Single Sign-On (SSO) supports single sign-on based on the following three technologies:
- Kerberos/SPNEGO
- X.509 certificates
- SAML
Kerberos is a network security protocol that authenticates service requests between a client (SAPGUI) and a server (S4HC, EX) across an untrusted network. SPNEGO extends Kerberos to Web applications through the standard HTTP protocol.
X.509 is a standard defining the format of public/private key certificates within a Public Key Infrastructure (PKI). The implementation of X.509 requires the SAP Secure Login Server.
SAML (Security Assertion Markup Language) is an open XML standard for supporting SSO across web-based applications.
In this Q&A, we focus on Kerberos-based SAP SSO for SAPGUI. Kerberos authentication involves the SAPGUI authenticating against a Kerberos Key Distribution Center (KDC). Kerberos authentication can be implemented with Microsoft Windows Active Directory as the KDC.
The SSO was removed from S4HC, EX’s Service Use Description (SUD) list in early 2020, as it is included in EX’s service offer without any additional hardware. We don’t sell an SSO license in this context, nor provide additional hardware for SSO.
Here is what we mean by S4HC, EX’s SSO service:
- EX customers can use the SSO service when they already have an Identity Server (such as Microsoft Active Directory) that issues tokens/tickets based on the Kerberos protocol.
- SAP SSO libraries are installed along with the SAP Kernel when the S4HC, EX system is provisioned.
- The Kerberos configuration is part of the consulting responsibility. A consultant can configure SSO based on Kerberos tokens (AD credentials, setting up SPN, SAP profile parameter settings, etc.). Any work that has to be performed on the OS level, like installing certificates, would be performed by the ECS delivery team.
- No SSO server is needed or provided.
- The SSO Service for EX does not include full SSO capabilities, such as SAP NetWeaver SSO 3.0.
In other words, the SAPGUI SSO offered with S4HC, EX covers only the simple Kerberos-based SSO scenario: SSO with Kerberos tokens issued by an Identity Server that can issue Kerberos tokens/tickets (such as Microsoft Active Directory).
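One way to review the SAP profile parameter settings mentioned in the list above after Kerberos SSO has been configured, as an added example that is not part of the original Q&A or any SAP tooling. The `snc/*` names are standard SAP SNC profile parameters that this page does not list; the profile fragment, SNC name and library path are constructed placeholders.

```python
# Added example: audit SNC profile parameters behind Kerberos SSO for SAPGUI.
# SAMPLE_PROFILE is constructed; the SNC name, realm and library path are placeholders.
SAMPLE_PROFILE = """\
# constructed instance profile fragment
snc/enable = 1
snc/gssapi_lib = /path/to/libsapcrypto.so
snc/identity/as = p:CN=SAP/KerberosABC@EXAMPLE.COM
snc/data_protection/min = 1
snc/data_protection/max = 3
snc/accept_insecure_gui = 1
"""

LEVELS = {"1": "authentication only", "2": "integrity", "3": "privacy (encryption)"}

def parse_profile(text):
    """Parse 'name = value' lines, skipping blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)  # SNC names contain '=' too
            params[name.strip()] = value.strip()
    return params

def audit_snc(params):
    """Return (parameter, finding) pairs for settings that weaken SNC."""
    if params.get("snc/enable") != "1":
        return [("snc/enable", "SNC is off, so Kerberos SSO cannot work")]
    findings = []
    for name in ("snc/gssapi_lib", "snc/identity/as"):
        if not params.get(name):
            findings.append((name, "required for SNC but not set"))
    ident = params.get("snc/identity/as", "")
    if ident and not ident.startswith("p:"):
        findings.append(("snc/identity/as", "expected printable form p:<name>"))
    for name in ("snc/data_protection/min", "snc/data_protection/max"):
        level = params.get(name)
        if level in ("1", "2"):
            findings.append((name, f"allows '{LEVELS[level]}' without encryption"))
    for name in ("snc/accept_insecure_gui", "snc/accept_insecure_rfc"):
        if params.get(name) == "1":
            findings.append((name, "unprotected logons accepted for all users"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_snc(parse_profile(SAMPLE_PROFILE)):
        print(f"{name}: {finding}")
```

Only explicitly set values are checked; parameters missing from the profile fall back to kernel defaults, which this sketch does not model.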
A full, more complex SSO setup, such as issuing tokens from a Secure Login Server, requires SAP NetWeaver SSO and, in particular, a Java Application Server (AS). The S4HC, EX deployment does not include a Java AS, only the ABAP AS. It will be the license team’s decision whether we will offer SAP NetWeaver SSO as an additional service with an OSS Server in the future.
For complex SSO scenarios, SAP Cloud Identity on SAP Cloud Platform could be another option. It is a separate service.
Secure Login Client
Secure Login Client is part of the S4HC EX SKU. If customers have subscribed to SKU 8007179, they can directly download it now. For the current SKU 8008287, there was a replication issue with PPMS, but customers with this SKU will be able to download it as well.