Actually, Kerberos SSO isn't integrated directly with Azure AD, you need to deploy Azure AD Domain Services which give Active Directory DC type of behavior (domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication).

Overview of Azure Active Directory Domain Services | Microsoft Docs

After deploying Azure AD DS, you can use it similar to local Active Directory DC. So you can use the same steps for integration SAPGUI with AD DC using Kerberos.

Azure AD with SAML 2.0 is only for HTTP like application (such as Fiori Launchpad).

2564192 - Is that possible to use SAML2.0 with SAP GUI connections? - SAP ONE Support Launchpad

Hello Jean-Luc,

you need to provide more details about this, impossible to answer 😉 Are you talking about browser-based applications or SAP GUI?

In which way the Client PCs are domain-joined to Azure, guess those are Azure joined devices. In case you need to work with Kerberos (KDC) there must be a hybrid approach. For more information check here

Cheers Colt

Thank you very much David for directing us to the right conversation.

Best regards,

Jean-Luc

Hello Carsten,

The customer is mainly interested in SAP SSO for SAP GUI access and applications such as SAP ECC.

Do you have a document which explains how SAP SSO can support Kerberos with Azure AD?

Cheers,

Jean-Luc