Ultimate Guide for SAP Single Sign-On: Simplest Method to Enable SAP Single Sign-On

The SAP Single Sign-On (SAP SSO) product enables users to log in to SAP without entering any password. If you have SAP in your inventory, I recommend enabling SAP Single Sign-On from the day one of SAP Go-Live. If you didn’t enable yet, no worries, don’t wait to set up and continue reading.

Audience:  People who are willing to implement SAP Single Sign-On efficiently.

Authenticate with Kerberos/SPNEGO

If you have experts in your team, it will take 2 weeks from starting implementation to releasing it to end-users.

Requirements:

  • Your Company is using Microsoft Active Directory
  • End users are using company computers
  • SAP Secure Client Login software installation for the end-user computer
  • SAP Single Sign-On License

How It Works:

  1. Upon connection start, the Secure Login Client retrieves the SNC name (User Principal Name of the service user) of the respective SAP server system.
  2. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.
  3. The Secure Login Client receives the Kerberos Service token
  4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure
    communication between the SAP Client and SAP server.
  5. The user is authenticated, and the communication is secured.

Step 2: Configure SAP for SAP Single Sign-On

If you directly started reading from the page, please consider starting from here. Ultimate Guide for SAP Single Sign-On: Simplest Method to Enable SAP Single Sign-On.

  • Log in to the SAP system
  • Run t-code SNCWIZARD, SAP Single Sign-On Wizard will start. Click continue
  • On Default Profile Parameters screen, the transaction will assign changed values by default. In this screen, click Continue.
  • Next screen is X.509 Credentials, we will need to configure this in the next steps. For now, click Skip.

Click Complete.

  • Since we changed the configuration, the application server needs to be restarted. Request your basis team to schedule a restart for SAP application server.
  • After the restart, run the t-code SPNego. Click edit, and click Add icon
  • New screen will pop-up. Enter SAP Service Account information which is created step 1
  • Click Continue (Enter) button and click the Save button at the top

That’s it. SAP Configuration is finished. Now, we need to install SAP Secure Login Client 3.0 to client PC.

Step 3: Installing SAP Secure Login Client software to client PC

If you directly started reading from the page, please consider starting from here. Ultimate Guide for SAP Single Sign-On: Simplest Method to Enable SAP Single Sign-On.

Installing SAP Secure Login Client on the client laptop

  • Login to SAP Support Portal, https://launchpad.support.sap.com/#/softwarecenter
  • Select “By Alphabetical Index (A-Z)” and then select “S”
  • Select and download SAP SINGLE SIGN-ON 3.0
  • Extract the file and install SAP Secure Login Client 3.0 from folder SECURE_LOGIN_CLIENT_30
  • The installation will be just about clicking next and finish. There is no need to do any customization in this software.

When you install SAP Secure Login Client, you will see a similar screen as below. The program will list your token and certificates. For configuring SAP Single Sign-On, we will use Kerberos Token.

SAP Secure Login Client

Right-click your Kerberos Token, and select “Copy SNC name to clipboard”. It will be similar as below. Store it, we will use this at next step.
p:CN=RARMAGAN@YOURDOMAIN.COM

Continue with Step 4: Configure an SAP User Account for SAP Single Sign-On – User Mapping.

Step 4: Configure an SAP User Account for SAP Single Sign-On – User SNC Mapping

If you directly started reading from the page, please consider starting from here. Ultimate Guide for SAP Single Sign-On: Simplest Method to Enable SAP Single Sign-On.

  • Run the t-code SU01 (Maintain Users)
  • Click SNC tab and paste Kerberos token to SNC name field. Format for SNC Name is p:CN=ADUSERNAME@YOURDOMAIN.COM (If you need help, refer to Step 2: Configure SAP for SAP Single Sign-On). Click Save.

Step 5: Change SAP System Logon Settings for SAP GUI

If you directly started reading from the page, please consider starting from here. Ultimate Guide for SAP Single Sign-On: Simplest Method to Enable SAP Single Sign-On.

Activate Single Sign-On within SAP Logon (Activate Secure Network Communication)

  • On SAP Logon app, right-click single sign-on enabled SAP system and select properties
  • On Network Tab check Activate Secure Network Communication box and enter SNC Name of the related SAP system. Format: p:CN=<SID> (replace <SID> with your SAP System Id)
  • Click Ok

That’s it! Now you can try SAP Single Sign double clicking the SAP system!

Please let me know your thoughts in the comments below.

Thanks,
Ruhi Armagan