Secure Login Client installation
This blog is part of the SAP Gui SSO series: https://blogs.sap.com/2022/08/15/single-sign-on-for-sap-gui/
This blog describes the download and installation of the Secure Login Client for different scenarios.
The Secure Login Client is the part that does all the cryptographic heavy lifting for the SAP Gui. It must be installed on the user devices (i.e. where the SAP Gui is running).
Download the newest version of Secure Login Client. At the time of writing, the current version of SAP Single Sign-On is 3.0.
Go to https://launchpad.support.sap.com/#/softwarecenter
=> Support Packages and Patches
=> By Alphabetical Index
=> SAP Single Sign-On
=> SAP Single Sign-On 3.0
=> Comprised Software Component Versions
=> Secure Login Client 3.0
=> Select your OS
=> Download latest version
Usually, the Secure Login Client is distributed automatically via a software distribution tool. It is recommended to keep it as a separate component from SAP Gui (to be able to patch it individually), but as a dependent component that is always installed with the SAP Gui.
The screenshots here are from an interactive installation and can be used in Proof of Concept scenarios or as a guide for the creation of the installation package.
Run the downloaded installer
Apart from one options menu, this is a next-finish installation.
There are three options:
Start during Windows login
This is only relevant in two cases:
- If you install many Secure Login Clients on the same machine and that machine boots up many different sessions at the same time. Starting all the Secure Login Client processes might then slow down your bootup. However, this is a very rare edge case, and you have to test whether it really applies in your environment with the current version.
- If you want to use the Secure Login Client to fetch a client certificate from a Secure Login Server and use it in scenarios other than the SAP Gui one. In that case, the fetching should be triggered right after login and not during the first start of the SAP Gui.
In all other cases you can freely choose if you want to start the SLC during Windows login or not.
Secure Login Server Support
If you have a scenario with a Secure Login Server (where you get a certificate from the Secure Login Server) you have to check this box.
If your scenario does not rely on a Secure Login Server, you can disable the box or keep it enabled. This is entirely your choice. Some customers like it active to have the option later on to use a Secure Login Server; others fear that their users might accidentally configure something that is not available and screw up their local configuration. But for your configuration it makes no difference if it is active or not.
Kerberos Single Sign-On
If you have a Kerberos scenario, then you have to keep this box active.
If you don’t use Kerberos, you can disable the box or keep it. The situation here is similar to before. In the end, it doesn’t really matter.
After that, finish up the installation.
Besides several registry keys and the libraries/executables, the installation comes with two important environment variables: SNC_LIB and SNC_LIB_64. These are used by the SAP Gui to actually find the library for any cryptographic needs.
If you are already using a security product, these variables were probably referencing the old library. In that case, you need to make sure to reset them to their original values and introduce two new variables: SNC_LIB_2 and SNC_LIB_64_2. These should be set to the Secure Login Client libraries (the values the variables had right after installation).
If you set the target SNC name to p/sapsso:CN=… the SAP Gui will select the Secure Login Client for cryptographic operations. This way, you can smoothly migrate from one security product to the other (keep in mind that there might be side effects to encrypted RFC connections).
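As an added example (not part of the original blog and not SAP tooling), the following PowerShell audit lists where each of the four variables above points, at machine and user scope, and reports whether the referenced library exists and what its Authenticode status is. It assumes the variables are defined as Windows environment variables at one of those two scopes; the function name Get-SncLibraryReport is hypothetical.

```powershell
# Added example: audit the SNC library variables named in the text.
# Assumption: they are set as Windows environment variables (machine or user scope).
$names = 'SNC_LIB', 'SNC_LIB_64', 'SNC_LIB_2', 'SNC_LIB_64_2'

function Get-SncLibraryReport {   # hypothetical helper name
    param([string[]]$Names)

    foreach ($name in $Names) {
        foreach ($scope in 'Machine', 'User') {
            $value = [Environment]::GetEnvironmentVariable($name, $scope)
            if ([string]::IsNullOrWhiteSpace($value)) { continue }

            # Expand %ProgramFiles%-style references before touching the file system.
            $path   = [Environment]::ExpandEnvironmentVariables($value).Trim('"')
            $exists = Test-Path -LiteralPath $path -PathType Leaf

            $sigStatus = 'n/a'
            $signer    = $null
            if ($exists) {
                $sig       = Get-AuthenticodeSignature -LiteralPath $path
                $sigStatus = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Variable  = $name
                Scope     = $scope
                Path      = $path
                Exists    = $exists
                Signature = $sigStatus
                Signer    = $signer
            }
        }
    }
}

$report = @(Get-SncLibraryReport -Names $names)
$report | Format-Table -AutoSize

# A user-scope value overrides the machine-scope one in that user's processes,
# so it decides which library the SAP Gui actually loads for that user.
$report | Where-Object Scope -eq 'User' | ForEach-Object {
    Write-Warning "$($_.Variable) is set at user scope and overrides any machine-wide value."
}
# Entries that point to a missing file or a library without a valid signature need review.
$report | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | ForEach-Object {
    Write-Warning "$($_.Variable) ($($_.Scope)) needs review: $($_.Path)"
}
```

During a migration, the report should show SNC_LIB and SNC_LIB_64 pointing to the old product's library and SNC_LIB_2 and SNC_LIB_64_2 pointing to the Secure Login Client libraries.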
After these steps the Secure Login Client is installed and ready to be used.
I plan to implement SSO for SAPGUI using X.509 certificate with my own PKI provider.
What is next needed? In SLC I see Windows Kerberos Token on Profiles section but no X.509 certificate. I launch the SAPGUI and open a system. The SLC application lists the CN of the selected system in application section. But it only prompts to enter user name and password but no SSO.
https://help.sap.com/doc/7d3f26c449524c54b5d8232e11f0a771/3.0/en-US/SecureLoginForSAPSSO3.0_UACP.pdf --> Section 4.10 on this document mentions , but I'm not using Active Directory as I use Azure AD.
Thanks & Regards,
The SLC shows the certificates from the Windows Certificate Store. So you basically have two options here:
This is usually done via some group policy. Then the SLC uses this certificate from the Windows Certificate Store
In this case, the SLC authenticates at the SLS and gets back a short-lived certificate. In this scenario, the CA resides in the SLS, on an HSM or is addressed via a Remote CA interface (usually NDES).
These are the options you have for implementing the authentication. In the end, you need to get a certificate into the Windows Certificate Store.
Thanks for your reply. I do not have Secure Login Server in our setup. So I suppose the option 1 is more relevant in my case.
Thanks & Regards,