On May 4, 2023, SAP released the SAP Secure Login Service for SAP GUI. This new solution builds on top of the tried and proven SAP Single Sign-On product and offers single sign-on in a cloud-oriented way. It allows you to rely on a lean cloud service that integrates with your existing corporate identity provider to benefit from its authentication capabilities.
SAP Secure Login Service for SAP GUI supports both digital certificates and Kerberos for secure authentication and single sign-on to your SAP systems. So, you can provide your SAP GUI users with simple and secure access to their ABAP-based business applications, just like with the existing SAP Single Sign-On product. In addition, the new solution comes with a set of new capabilities bringing enhanced user experience, better integration with your existing authentication infrastructure, and lower TCO.
For issuing short-lived X.509 certificates, the SAP Secure Login Service for SAP GUI no longer relies on an on-premise server running on an SAP NetWeaver Application Server Java. Instead, the server functionality for enrolling X.509 certificates is now provided by a cloud service. As a result, you no longer need to operate an AS Java.
But there is more! You can easily reuse your existing identity provider solution, such as SAP Cloud Identity Services – Identity Authentication or a corporate identity provider, for example Microsoft Azure Active Directory or Okta. This way you benefit from their authentication capabilities, such as multi-factor authentication, for example.
The necessary functionality on the AS ABAP server side already comes with the AS ABAP kernel (SAP Cryptographic Library), same as before.
Now let’s take a closer look at the enhanced capabilities that SAP Secure Login Service for SAP GUI is offering.
As already mentioned above, the SAP Single Sign-On product relies on an on-premise server running on an AS Java for the advanced scenarios using X.509 certificates, such as multi-factor authentication. Customers need to operate an AS Java with a dedicated configuration of the authentication stack.
With SAP Secure Login Service for SAP GUI, the authentication process and certificate enrollment are performed by cloud services. Furthermore, the existing authentication configuration of the identity provider can be reused. Simply take the authentication options that have already been implemented for browser-based UIs on your identity provider and use them for SAP GUI as well!
The SAP Single Sign-On solution already offered some limited integration with identity providers. However, the component used on the client side, the so-called Secure Login Web Client, provided a sometimes confusing user experience that people had to get used to. And it did not work in multi-user environments.
SAP Secure Login Service for SAP GUI offers a better integration with identity providers. With the new solution, the Secure Login Client seamlessly integrates with the identity provider UIs. As a result, when users start an SAP GUI connection, they will get the exact same user experience as they would have in the browser. This will further increase user acceptance of the solution.
Authentication factors and policies depend on the identity provider configuration. This way you benefit from their authentication capabilities: for example, using strong multi-factor authentication, biometric authentication, or Web Authentication and FIDO.
Many of our existing customers are still using Kerberos technology for single sign-on with SAP GUI. This scenario is based on the corporate Windows domain and Microsoft Active Directory. Will this still be possible with the new solution? The simple answer is yes!
SAP Secure Login Service for SAP GUI does support single sign-on via Kerberos tokens. In that scenario, you only require the Secure Login Client on the client side, which is a component of SAP Secure Login Service for SAP GUI. There is no need to access the cloud.
Finally, let’s have a quick look at the architecture overview of the SAP Secure Login Service for SAP GUI solution:
For more information about the SAP Secure Login Service for SAP GUI, check the following resources:
If you want to learn more about the new solution, actively engage with SAP subject matter experts and your peers, and stay up to date about the topic of single sign-on for SAP GUI, join our community here:
https://community.sap.com/topics/single-sign-on
Can't find an answer? Ask your question directly here in SAP Community!
Why do we offer a new solution for single sign-on with SAP GUI?
SAP Secure Login Service for SAP GUI supports both digital certificates and Kerberos for secure authentication and single sign-on to your SAP systems. So, you can provide your SAP GUI users with simple and secure access to their ABAP-based business applications, just like with the existing SAP Single Sign-On product. In addition, the new solution comes with a set of new capabilities bringing enhanced user experience, better integration with your existing authentication infrastructure, and lower TCO.
For issuing short-lived X.509 certificates, the SAP Secure Login Service for SAP GUI no longer relies on an on-premise server running on an SAP NetWeaver Application Server Java. Instead, the server functionality for enrolling X.509 certificates is now provided by a cloud service. As a result, you no longer need to operate an AS Java.
But there is more! You can easily reuse your existing identity provider solution, such as SAP Cloud Identity Services – Identity Authentication or a corporate identity provider, for example Microsoft Azure Active Directory or Okta. This way you benefit from their authentication capabilities, such as multi-factor authentication, for example.
The necessary functionality on the AS ABAP server side already comes with the AS ABAP kernel (SAP Cryptographic Library), same as before.
Now let’s take a closer look at the enhanced capabilities that SAP Secure Login Service for SAP GUI is offering.
Use X.509 certificates based on a lean cloud service
As already mentioned above, the SAP Single Sign-On product relies on an on-premise server running on an AS Java for the advanced scenarios using X.509 certificates, such as multi-factor authentication. Customers need to operate an AS Java with a dedicated configuration of the authentication stack.
With SAP Secure Login Service for SAP GUI, the authentication process and certificate enrollment are performed by cloud services. Furthermore, the existing authentication configuration of the identity provider can be reused. Simply take the authentication options that have already been implemented for browser-based UIs on your identity provider and use them for SAP GUI as well!
Easily integrate with your existing identity provider
The SAP Single Sign-On solution already offered some limited integration with identity providers. However, the component used on the client side, the so-called Secure Login Web Client, provided a sometimes confusing user experience that people had to get used to. And it did not work in multi-user environments.
SAP Secure Login Service for SAP GUI offers a better integration with identity providers. With the new solution, the Secure Login Client seamlessly integrates with the identity provider UIs. As a result, when users start an SAP GUI connection, they will get the exact same user experience as they would have in the browser. This will further increase user acceptance of the solution.
Authentication factors and policies depend on the identity provider configuration. This way you benefit from their authentication capabilities: for example, using strong multi-factor authentication, biometric authentication, or Web Authentication and FIDO.
Offer single sign-on based on Kerberos technology
Many of our existing customers are still using Kerberos technology for single sign-on with SAP GUI. This scenario is based on the corporate Windows domain and Microsoft Active Directory. Will this still be possible with the new solution? The simple answer is yes!
SAP Secure Login Service for SAP GUI does support single sign-on via Kerberos tokens. In that scenario, you only require the Secure Login Client on the client side, which is a component of SAP Secure Login Service for SAP GUI. There is no need to access the cloud.
A picture is worth a thousand words
Finally, let’s have a quick look at the architecture overview of the SAP Secure Login Service for SAP GUI solution:
SAP Secure Login Service for SAP GUI: Architecture overview
More information
For more information about the SAP Secure Login Service for SAP GUI, check the following resources:
- Solution brief
- Product overview presentation
- Documentation on the SAP Help Portal
- SAP Note 3318561 - Fixes for SAP Secure Login Client 3.0 SP 02 Patch 16
If you want to learn more about the new solution, actively engage with SAP subject matter experts and your peers, and stay up to date about the topic of single sign-on for SAP GUI, join our community here:
https://community.sap.com/topics/single-sign-on
Can't find an answer? Ask your question directly here in SAP Community!
- SAP Managed Tags:
57 Comments
