SAP Single Sign-On
SAP Single Sign-On is an on-premises SAP add-on designed to deliver enterprise-grade authentication and SSO across SAP environments. It primarily relies on Kerberos/SPNEGO, X.509 certificates, SAP Logon Tickets, and Secure Network Communication (SNC). Its main components — Secure Login Client (SLC) and Secure Login Server (SLS) — issue and consume Kerberos or X.509 credentials, often integrating with upstream SAML 2.0 IdPs.
Highlights
- Kerberos / SPNEGO for SSO: Provides native Windows/Active Directory–integrated SSO for SAP systems and web interfaces through SPNEGO negotiation, enabling passwordless user authentication within enterprise domains.
- X.509 certificate–based SSO: The Secure Login Server (SLS) issues short-lived X.509v3 certificates, while the Secure Login Client (SLC) consumes them for SAP GUI SNC and HTTPS/browser-based SSO, providing mutual authentication between client and SAP system.
- SAML-assisted certificate issuance: The SLS Web Client can authenticate users via an external SAML 2.0 Identity Provider, then issue temporary X.509 certificates for SAP access, bridging modern federation with legacy SSO.
- Edge enforcement with SAP Web Dispatcher (NEA, Network Edge Authentication): The Web Dispatcher acts as a reverse proxy, delegating authentication to SAP SSO and reusing existing credentials (X.509/logon tickets) for secure backend access.
Limitations
- Not a general-purpose IdP: SAP SSO focuses on Kerberos/X.509/SNC authentication for SAP systems. Federation (SAML/OIDC) for third-party or cloud apps is handled by SAP IAS or the ABAP/Java stack, not by SAP SSO itself.
- No SCIM/IAM capabilities: It lacks native SCIM 2.0 provisioning, IGA, or identity lifecycle automation, typically requiring integration with SAP Identity Management or an external IdP/IGA.
- MFA posture: SAP SSO itself does not enforce MFA. Multi-factor authentication must occur upstream, for example at a SAML/OIDC IdP before certificate issuance.
- On-premises operations: Running SLS/SLC, managing PKI/certificates, and maintaining Web Dispatcher policies introduces operational overhead compared to SaaS IdPs.