SAP Secure Login Service for SAP GUI Now Available
On May 4, 2023, SAP released the SAP Secure Login Service for SAP GUI. This new solution builds on top of the tried and proven SAP Single Sign-On product and offers single sign-on in a cloud-oriented way. It allows you to rely on a lean cloud service that integrates with your existing corporate identity provider to benefit from its authentication capabilities.
Why do we offer a new solution for single sign-on with SAP GUI?
SAP Secure Login Service for SAP GUI supports both digital certificates and Kerberos for secure authentication and single sign-on to your SAP systems. So, you can provide your SAP GUI users with simple and secure access to their ABAP-based business applications, just like with the existing SAP Single Sign-On product. In addition, the new solution comes with a set of new capabilities bringing enhanced user experience, better integration with your existing authentication infrastructure, and lower TCO.
For issuing short-lived X.509 certificates, the SAP Secure Login Service for SAP GUI no longer relies on an on-premise server running on an SAP NetWeaver Application Server Java. Instead, the server functionality for enrolling X.509 certificates is now provided by a cloud service. As a result, you no longer need to operate an AS Java.
But there is more! You can easily reuse your existing identity provider solution, such as SAP Cloud Identity Services – Identity Authentication or a corporate identity provider, for example Microsoft Azure Active Directory or Okta. This way you benefit from their authentication capabilities, such as multi-factor authentication.
The necessary functionality on the AS ABAP server side already comes with the AS ABAP kernel (SAP Cryptographic Library), same as before.
Now let’s take a closer look at the enhanced capabilities that SAP Secure Login Service for SAP GUI is offering.
Use X.509 certificates based on a lean cloud service
As already mentioned above, the SAP Single Sign-On product relies on an on-premise server running on an AS Java for the advanced scenarios using X.509 certificates, such as multi-factor authentication. Customers need to operate an AS Java with a dedicated configuration of the authentication stack.
With SAP Secure Login Service for SAP GUI, the authentication process and certificate enrollment are performed by cloud services. Furthermore, the existing authentication configuration of the identity provider can be reused. Simply take the authentication options that have already been implemented for browser-based UIs on your identity provider and use them for SAP GUI as well!
Easily integrate with your existing identity provider
The SAP Single Sign-On solution already offered some limited integration with identity providers. However, the component used on the client side, the so-called Secure Login Web Client, provided a sometimes confusing user experience that people had to get used to. And it did not work in multi-user environments.
SAP Secure Login Service for SAP GUI offers a better integration with identity providers. With the new solution, the Secure Login Client seamlessly integrates with the identity provider UIs. As a result, when users start an SAP GUI connection, they will get the exact same user experience as they would have in the browser. This will further increase user acceptance of the solution.
Authentication factors and policies depend on the identity provider configuration. This way you benefit from the identity provider's authentication capabilities: for example, strong multi-factor authentication, biometric authentication, or Web Authentication and FIDO.
Offer single sign-on based on Kerberos technology
Many of our existing customers are still using Kerberos technology for single sign-on with SAP GUI. This scenario is based on the corporate Windows domain and Microsoft Active Directory. Will this still be possible with the new solution? The simple answer is yes!
SAP Secure Login Service for SAP GUI does support single sign-on via Kerberos tokens. In that scenario, you only require the Secure Login Client on the client side, which is a component of SAP Secure Login Service for SAP GUI. There is no need to access the cloud.
A picture is worth a thousand words
Finally, let’s have a quick look at the architecture overview of the SAP Secure Login Service for SAP GUI solution:
For more information about the SAP Secure Login Service for SAP GUI, check the following resources:
- Solution brief
- Product overview presentation
- Documentation on the SAP Help Portal
- SAP Note 3318561 – Fixes for SAP Secure Login Client 3.0 SP 02 Patch 16
If you want to learn more about the new solution, actively engage with SAP subject matter experts and your peers, and stay up to date about the topic of single sign-on for SAP GUI, join our community here:
Great! I am absolutely thrilled that the long-awaited feature is finally here 🙂
SAP Secure Login Service for SAP GUI configured and deployed without Kerberos, only with X.509.
What if the cloud service isn't available due to network/SAP/AWS/AZ/GCP issues?
The cloud service is only required during the provisioning of the certificate. As the certificate validity usually covers the working day, users need to access the cloud service once per day and can then work with their ABAP systems without any dependency to the cloud service.
I know that.
Working hours are for example 8:00 - 16:00
Certificate lifetime due to corporate policy is set to 10 hrs.
The network/cloud service has a failure at 7:45, and this is a serious issue that can't be fixed immediately due to problem complexity, SAP service support delay, cloud provider service delay.
And no one is able to log on (except admins and so on).
I'm asking because I saw situations where cloud services were not available for more than a few minutes.
The new service runs on SAP BTP, and it is covered by the availability commitments of the platform. Also, most of the initial (8am) authentication process is handled by the identity provider. This should support high availability in any case, as your browser-based applications need it all day.
If you really need to avoid any dependency on outside communication, you can still use smart cards or Kerberos, purely on-premise.
It'd be good to understand how customers with the current infrastructure with Secure Login Server can transition to the cloud and if there's a benefit from a commercial standpoint or if they can use both products in parallel.
As a fallback for the scenario mentioned by Artur, I'm thinking customers can leverage an on-prem SLS to generate certificates if that's included from a license perspective. As long as both solutions can generate the cert with, i.e., CN=<SAP user ID> and both CAs (SLS CA + cloud CA) are added to the SNC Sapcryptolib trust config, both certificates can be used in parallel.
For customers using Secure Login Server (from SAP Single Sign-On), the main benefits of switching to SAP Secure Login Service are at this point in time:
Technically, you could also run both solutions in parallel. However, as these are separate products, it would make sense commercially to fully migrate once you feel confident.
If we are talking about switching from Secure Login Server to SAP Secure Login Service, we have to mention other SAP SLS features.
SSL certificate lifecycle management – great functionality that allows you to centrally manage SSL certificates Server/Client/Trusted (not only for ABAP systems, but also for Java, HANA, Web Dispatchers, Diag Agents, Host Agents)
Integration with corporate CA
NEA - I suppose customers should plan a migration to SAML where possible.
Short-lived X.509 certificates for SAP Cloud Connector principal propagation.
In other words, it isn't just a simple migration; in some cases it is quite a big project. And we will not always achieve a significant TCO reduction.
Hi Martina Kirschenmann / Christian Cohrs
Is it intended that the "SAP Secure Login Service for SAP GUI" is not subscribable from CPEA Global Accounts for some quick evaluation?
I'm afraid CPEA is currently not supported. Your SAP contact can help you get a minimal subscription for getting started, though.
Hi Christian Cohrs
Is it planned to make this available for CPEA also?
Would be great to do a quick prototyping before contacting our Sales person at SAP for a long-term subscription...
We'll keep this in mind and see what we can do mid-term.
Is SAP Secure Login Service for SAP GUI the official successor for SAP Single Sign-On 3.0 after end of maintenance end of 2027?
Are there any benefits compared to SAP Single Sign-On 3.0 if you are running a complex on-premise SAP landscape using SAP Single Sign-On 3.0 via Kerberos with SAP Secure Login Client for SAP GUI? Why should I migrate to SAP Secure Login Service for SAP GUI?
When it comes to single sign-on with Kerberos, there is no difference between the products as they both rely on the same Secure Login Client. So while SAP Single Sign-On is still in maintenance and you don't need any other functionality, there is no need to move to SAP Secure Login Service.
Is SAP Secure Login Service for SAP GUI the official successor for SAP Single Sign-On 3.0 after end of maintenance end of 2027?
Are we forced to subscribe to SAP Secure Login Service for SAP GUI to use SSO with SPNego/Kerberos in an on-premise ABAP system landscape (S/4HANA) starting 01.01.28? Or can we use SNCCONFIG, SPNEGO (as part of SAPCRYPTOLIB) and SAP Secure Login Client without?
Yes, SAP Secure Login Service for SAP GUI will succeed SAP Single Sign-On.
With respect to licensing, some S/4HANA licenses include the usage of the Secure Login Client for Kerberos-based single sign-on. If you do not have such a license, then you will indeed have to switch to the SAP Secure Login Service subscription.
For many years now we have been using the SAML-based SSO provided by SAP Business Client, and moving away from "pure" SAPgui completely. Isn't the implementation of all this complex infrastructure to achieve SAPgui SSO a somewhat backwards step?
If you are able to run all of your business applications in the browser, then a SAML/OIDC identity provider like SAP's Identity Authentication Service is the way to go.
However, there are still cases where users want to / have to use the desktop clients to perform their work. One thing we achieve with the new product is that the identity provider authentication factors can now easily be reused for SAP GUI. For SAP GUI users that's a big step forward.
Hi Mark, if you'd like to get some more background about SAML vs. Kerberos/X.509 or in general using SAP GUI vs. browser-based apps, feel free to check out this blog.