The SAP Single Sign-On (SAP SSO) product enables users to log in to SAP without entering a password. If you have SAP in your inventory, I recommend enabling SAP Single Sign-On from day one of SAP go-live. If you haven’t enabled it yet, no worries: don’t wait to set it up, and continue reading.
Audience: People who are willing to implement SAP Single Sign-On efficiently.
Authenticate with Kerberos/SPNEGO
If you have experts in your team, it will take 2 weeks from starting implementation to releasing it to end-users.
- Your Company is using Microsoft Active Directory
- End users are using company computers
- SAP Secure Client Login software installation for the end-user computer
- SAP Single Sign-On License
How It Works:
- Upon connection start, the Secure Login Client retrieves the SNC name (User Principal Name of the service user) of the respective SAP server system.
- The Secure Login Client requests a Kerberos service token from the Ticket Granting Service.
- The Secure Login Client receives the Kerberos service token.
- The Secure Login Client provides the Kerberos service token for SAP single sign-on and secure communication between the SAP client and the SAP server.
- The user is authenticated, and the communication is secured.
Let’s get our hands dirty. Are you ready?
Step 1: Create an Active Directory Service Account
Step 2: Configure SAP for SAP Single Sign-On
Step 3: Installing SAP Secure Login Client software to client PC
Step 4: Configure an SAP User Account for SAP Single Sign-On – User Mapping
Step 5: Change SAP System Login Settings for SAP GUI
If you also have SAP Business Objects, don’t forget to check this out. Ultimate Guide for SAP Business Objects Single Sign-On (coming-soon).
If you started reading directly from this page, please consider starting from here: Ultimate Guide for SAP Single Sign-On: Simplest Method to Enable SAP Single Sign-On
The best practice is to create one Active Directory account per SAP system ID (SID).
- Create a normal user account in Active Directory. Best-practice format for the account name: svc_sap_sso_<SID>. Replace <SID> with your SAP system ID.
- Select password never expires
- Select a strong password
- Make sure that the user is in the “Domain Users” group
- After the account is created, open the Attribute Editor and add the following values to the “servicePrincipalName” attribute:
- Insert one line for the HTTP protocol: HTTP/yoursapapplicationserver.com
- Insert one line for the SAP protocol: SAP/<SID> (replace <SID> with your SAP system ID)
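The Step 1 account setup above can also be scripted. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the SID value PRD and all variable names are placeholders chosen for illustration.

```powershell
# Added example: scripted version of Step 1 (service account + SPNs).
# Assumptions: RSAT ActiveDirectory module; 'PRD' is a placeholder SID.
Import-Module ActiveDirectory

$Sid     = 'PRD'                            # placeholder: your SAP system ID
$SapHost = 'yoursapapplicationserver.com'   # host name as written in the post
$Account = "svc_sap_sso_$($Sid.ToLower())"  # naming format from Step 1
$Spns    = @("HTTP/$SapHost", "SAP/$Sid")   # the two SPN lines from Step 1

# An SPN must be unique. If another object already holds one of these
# values, Kerberos ticket requests for it fail, so stop before creating.
foreach ($spn in $Spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner) {
        throw "SPN '$spn' is already registered on $($owner.DistinguishedName)"
    }
}

# Prompt for the password instead of embedding it in the script.
# The account never expires, so use a long, randomly generated value
# from your password vault.
$Password = Read-Host -AsSecureString "Password for $Account"

$domain = (Get-ADDomain).DNSRoot

# New accounts are members of "Domain Users" by default.
New-ADUser -Name $Account `
    -SamAccountName $Account `
    -UserPrincipalName "$Account@$domain" `
    -AccountPassword $Password `
    -PasswordNeverExpires $true `
    -Enabled $true `
    -ServicePrincipalNames $Spns

# Confirm what was written to the servicePrincipalName attribute.
Get-ADUser -Identity $Account -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
```

The duplicate check searches the current domain only; in a multi-domain forest, repeat it against a global catalog before creating the account.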
- Log in to the SAP system
- Run t-code SNCWIZARD, SAP Single Sign-On Wizard will start. Click continue
- On Default Profile Parameters screen, the transaction will assign changed values by default. In this screen, click Continue.
- The next screen is X.509 Credentials. We will need to configure this in the next steps; for now, click Skip.
- Since we changed the configuration, the application server needs to be restarted. Ask your Basis team to schedule a restart of the SAP application server.
- After the restart, run the t-code SPNego. Click Edit, then click the Add icon
- A new screen will pop up. Enter the information for the SAP service account created in Step 1
- Click Continue (Enter) button and click the Save button at the top
That’s it. The SAP configuration is finished. Now we need to install SAP Secure Login Client 3.0 on the client PC.
Installing SAP Secure Login Client on the client laptop
- Log in to the SAP Support Portal, https://launchpad.support.sap.com/#/softwarecenter
- Select “By Alphabetical Index (A-Z)” and then select “S”
- Select and download SAP SINGLE SIGN-ON 3.0
- Extract the file and install SAP Secure Login Client 3.0 from the folder SECURE_LOGIN_CLIENT_30
- The installation is just a matter of clicking Next and Finish. There is no need to do any customization in this software.
After you install SAP Secure Login Client, you will see a screen similar to the one below. The program will list your tokens and certificates. For configuring SAP Single Sign-On, we will use the Kerberos token.
SAP Secure Login Client
Right-click your Kerberos token and select “Copy SNC name to clipboard”. It will look similar to the one below. Store it; we will use it in the next step.
- Run the t-code SU01 (Maintain Users)
- Click the SNC tab and paste the SNC name copied from the Kerberos token into the SNC name field. The format for the SNC name is p:CN=ADUSERNAME@YOURDOMAIN.COM (if you need help, refer to Step 2: Configure SAP for SAP Single Sign-On). Click Save.
Activate Single Sign-On within SAP Logon (Activate Secure Network Communication)
- In the SAP Logon app, right-click the single sign-on enabled SAP system and select Properties
- On the Network tab, check the Activate Secure Network Communication box and enter the SNC name of the related SAP system. Format: p:CN=<SID> (replace <SID> with your SAP System Id)
- Click OK
That’s it! Now you can try SAP Single Sign-On by double-clicking the SAP system!
Please let me know your thoughts in the comments below.