Explore: Securing SAP GUI with SAP Secure Login Service
If you are using SAP GUI for accessing SAP S/4HANA and are tired of entering the user credentials every day, then this blog is for you. SAP BTP provides a service named SAP Secure Login Service for SAP GUI that enables multifactor authentication (MFA) and single sign-on if you use the SAP GUI interface.
This blog is your go-to resource for unlocking a smoother and more secure SAP GUI experience in the cloud.
Embarking on my SAP GUI journey nearly a year ago, I immersed myself in understanding different business processes across various SAP modules. Navigating the power of S/4 has been an enlightening experience. However, the daily ritual of entering credentials into SAP GUI, while crucial, became a small but persistent annoyance. Coming from a cloud-centric background, the idea of a unified authentication system for all applications sparked my curiosity. Could there be a cloud service that aligns with this vision?
An exploration into the services on the SAP Business Technology Platform (BTP) promised the very functionality I yearned for. That moment marked the inception of our journey to set up the SAP Secure Login Service for SAP GUI within our S/4 2022 On-premise system.
Join me in this blog as I unravel the experience, from inception to implementation, offering insights into the world of SAP Secure Login Service on the cloud.
Like any journey into the unknown, I began with the comprehensive help guide provided. Understanding the service and its prerequisites laid a solid foundation for what lay ahead.
The SAP Secure Login Service for SAP GUI revealed a treasure trove of features during my initial exploration. Some standout functionalities that caught my attention included Multi-factor Authentication, Integrated Web Browser Authentication, Multitenancy Support, and many more.
As a prerequisite for my exploration, I had to install a few applications on my MacBook Pro M1. The installation process proved to be a breeze—simply head to the SAP Software Download Center, search for the application, and download the installable package.
Package Name: Secure Login Client 3.0
Tip: For Windows users, the application might not be easily found in the applications list. Fear not — it conveniently resides in the taskbar, as depicted in the screenshot below.
The next step involved installing the Root CA certificate on my machine. This certificate, downloadable from http://www.pki.co.sap.com/, serves as the foundation for secure communication.
The screenshot below shows this for both Mac and Windows users.
Subscribe to SAP Secure Login Service for SAP GUI:
With the groundwork laid, the next step was to subscribe to the SAP Secure Login Service for SAP GUI within my BTP subaccount (you need the entitlement for this service in the subaccount where you plan to subscribe).
Configure Custom IAS Tenant for Authentication:
Given the custom IAS tenant configured for authentication in my subaccount, I ventured into role assignments. There were no role collections in BTP for this service. Instead, on the IAS side, I created two user groups: SecureLoginServiceAdministrator and SecureLoginServiceViewer. These groups were then assigned to my user for the necessary privileges.
Upon subscribing to the Secure Login Service for SAP GUI, a corresponding application was automatically generated in my custom IAS tenant. However, a critical adjustment was needed at this juncture. I had to modify the subject name identifier to ensure synchronization between the selected user attributes on the S/4HANA side and those associated with the IAS account.
Tip: The login name in IAS and S/4HANA should be the same.
Obtain Secure Login Service Tenant URL:
The next crucial step involved logging into the Secure Login Service for SAP GUI from BTP to procure the base URL of the Secure Login Service tenant. This URL would play a pivotal role in fetching the necessary policy groups.
Configure Secure Login Client Preferences:
It was time to configure the Secure Login Client application on my machine. Navigating to the preferences section, I entered the obtained URL, ensuring a seamless connection between the client and the service.
Tip: In some instances, profiles might not be fetched by the application, potentially due to an outdated version. A quick workaround is to update the application to a newer version.
Enable SNC And Install Certificates:
The journey now led me to the familiar territory of SAP GUI. Initiating transaction STRUST, I configured Secure Network Communications (SNC). Here, I imported the ROOT CA certificate, establishing a secure foundation for communication.
After this, I downloaded the SNC own certificate on my machine and installed it locally to finish the process.
Enable SNC On SAP Logon:
Create a new connection and enable secure network communication with the proper CN name (CN=S4H), which you can look up in the previous step.
Configure SNC User Names:
This step defines how the user in S/4HANA will be authenticated and configured. Use transaction SU01 and enter the employee ID. Select the SNC tab, and enter the details as shown in the screenshot.
p:CN= SAPUSER, L=abcde.accounts.ondemand.com, OU=cf-eu10-secure-login-service, OU=SAP BTP Clients, O=SAP SE, C=DE
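The SNC name entered in this step decides which S/4HANA account a certificate logs in to, so it is worth checking that every user's SNC name carries that user's own login name and the expected tenant-specific suffix. The Python check below is an added example, not part of the original blog or of SAP's tooling; the user list is constructed sample data, the function names are hypothetical, and ignoring whitespace around attribute values is an assumption of this example.

```python
import re

# Tenant-specific part of the SNC name, copied from the example in this step.
EXPECTED_SUFFIX = ("L=abcde.accounts.ondemand.com, OU=cf-eu10-secure-login-service, "
                   "OU=SAP BTP Clients, O=SAP SE, C=DE")

# Constructed sample data (not from a real system): (S/4HANA user, SNC name in SU01).
SAMPLE_USERS = [
    ("SAPUSER", "p:CN= SAPUSER, " + EXPECTED_SUFFIX),
    ("JDOE", "p:CN=SAPUSER, " + EXPECTED_SUFFIX),   # certificate of another identity
    ("ASMITH", "p:CN=ASMITH, L=other.accounts.ondemand.com, O=SAP SE, C=DE"),
    ("BLEE", "CN=BLEE, " + EXPECTED_SUFFIX),        # p: prefix missing
]

MALFORMED = "not a well-formed p: name"
CN_MISMATCH = "CN does not match the login name"
SUFFIX_MISMATCH = "suffix differs from the expected tenant"


def parse_snc_name(snc_name):
    """Return the DN as a list of (TYPE, value) pairs, or None if it is malformed."""
    if not snc_name.startswith("p:"):
        return None
    rdns = []
    for part in re.split(r"(?<!\\),", snc_name[2:]):  # split on unescaped commas
        attr, sep, value = part.partition("=")
        if not sep:
            return None
        # Assumption of this example: surrounding whitespace is not significant.
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def audit_snc_name(user, snc_name, expected_suffix=EXPECTED_SUFFIX):
    """List the problems found in one user's SNC name; an empty list means consistent."""
    rdns = parse_snc_name(snc_name)
    if rdns is None:
        return [MALFORMED]
    problems = []
    if rdns[0][0] != "CN" or rdns[0][1].upper() != user.upper():
        problems.append(CN_MISMATCH)
    if rdns[1:] != parse_snc_name("p:" + expected_suffix):
        problems.append(SUFFIX_MISMATCH)
    return problems


def audit_all(users, expected_suffix=EXPECTED_SUFFIX):
    """Map each user with at least one finding to the list of findings."""
    results = {u: audit_snc_name(u, name, expected_suffix) for u, name in users}
    return {u: p for u, p in results.items() if p}
```

A CN that names a different login than the account it is stored on is the finding to act on first, because that certificate holder would be signed in as someone else.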
Demo: Seamless Authentication in Action
Let’s check SAP GUI with SAP Secure Login Service in action –