would love to have a discussion with you about the best way to move from XYZ-SNC library (such as MIT kerberos) to SAP SSO 3.0. Lets assume a customer has a large environment and already SNC in use based on a 3rd Party Kerberos library. Now he wants to move to SSO 3.0 to make use of all the nice features, such as parallel operation of SNC with X.509 and Kerberos and many other benefits of using a officially supported and certified SNC library.
What could help?
The parallel operation of two SNC libraries on the client side (smells like a feature request)
I would love to have a “standard” way (at least on the SAP Logon/GUI) where a user (or the admins) are able to “control” which SNC library is used for which connection. Using SAPGUI.EXE allows to specify a parameter for SNC_LIB, that may help, haven't tried it yet. But just a small improvement on the SAP GUI client, an additional saplogon.ini parameter or whatever which overrules the SNC_LIB variable would help. A place where you would be able to define the full path and SNC lib used for a specific connection.
This could allow the use of two SNC solutions on one Windows client in parallel. That would provide customers with the possibility, to rollout the SAP Secure Login Client (SLC) in addition to an existing SNC client installation and migrate the ABAP backends one after another. Connections to migrated servers would use the new SAP CommonCryptoLib via SLC while the old SNC based connections would still work. This approach could be controlled by the IT organization using a phased approach for the migration. Do you have additional thoughts and ideas?