The SAP Single Sign-On (SAP SSO) product enables users to log in to SAP without entering any password. If you have SAP in your inventory, I recommend enabling SAP Single Sign-On from day one of SAP go-live. If you haven’t enabled it yet, no worries: don’t wait to set it up, and continue reading.
Audience: People who want to implement SAP Single Sign-On efficiently.
Authenticate with Kerberos/SPNEGO
If you have experts in your team, it will take 2 weeks from starting implementation to releasing it to end-users.
Requirements:
Your company is using Microsoft Active Directory
End users are using company computers
SAP Secure Login Client software installed on the end-user computer
SAP Single Sign-On License
How It Works:
Upon connection start, the Secure Login Client retrieves the SNC name (User Principal Name of the service user) of the respective SAP server system.
The Secure Login Client requests a Kerberos Service token from the Ticket Granting Service.
The Secure Login Client receives the Kerberos Service token.
The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure communication between the SAP Client and SAP server.
The user is authenticated, and the communication is secured.
Run t-code SNCWIZARD; the SAP Single Sign-On Wizard will start. Click Continue.
On the Default Profile Parameters screen, the transaction assigns the changed values by default. On this screen, click Continue.
The next screen is X.509 Credentials; we will need to configure this in the next steps. For now, click Skip.
Click Complete.
Since we changed the configuration, the application server needs to be restarted. Ask your Basis team to schedule a restart of the SAP application server.
After the restart, run the t-code SPNego. Click Edit, then click the Add icon.
A new screen will pop up. Enter the SAP Service Account information that was created in step 1.
Click the Continue (Enter) button and then click the Save button at the top.
That’s it. SAP configuration is finished. Now, we need to install SAP Secure Login Client 3.0 on the client PC.
Select “By Alphabetical Index (A-Z)” and then select “S”
Select and download SAP SINGLE SIGN-ON 3.0
Extract the file and install SAP Secure Login Client 3.0 from the folder SECURE_LOGIN_CLIENT_30.
The installation is just a matter of clicking Next and Finish. There is no need to do any customization in this software.
When you install SAP Secure Login Client, you will see a screen similar to the one below. The program will list your tokens and certificates. For configuring SAP Single Sign-On, we will use the Kerberos Token.
SAP Secure Login Client
Right-click your Kerberos Token, and select “Copy SNC name to clipboard”. Store it; we will use it in the next step. It will look similar to this: p:CN=RARMAGAN@YOURDOMAIN.COM
Click the SNC tab and paste the SNC name copied from the Kerberos token into the SNC name field. The format for the SNC name is p:CN=ADUSERNAME@YOURDOMAIN.COM (if you need help, refer to Step 2: Configure SAP for SAP Single Sign-On). Click Save.
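When many users have to be mapped, it helps to build and check the SNC names before pasting them into the SNC tab. The Python below is an added example, not part of the original post or of any SAP tooling; it uses the p:CN=ADUSERNAME@YOURDOMAIN.COM format given above. The sample rows are constructed, and the function names, the upper-case domain check (following the post's examples) and the duplicate-mapping check are assumptions of this example.

```python
import re

# User SNC name format from the post: p:CN=ADUSERNAME@YOURDOMAIN.COM
SNC_USER_RE = re.compile(r"^p:CN=([^@\s,=]+)@([A-Za-z0-9.-]+)$")

def build_snc_name(ad_user, domain):
    """Build p:CN=<user>@<DOMAIN>; upper-casing the domain is this example's assumption."""
    return f"p:CN={ad_user.strip()}@{domain.strip().upper()}"

def check_snc_name(snc_name, expected_domain):
    """Return a list of problems; an empty list means the name fits the format."""
    problems = []
    if snc_name != snc_name.strip():
        problems.append("leading/trailing whitespace")
    match = SNC_USER_RE.match(snc_name.strip())
    if not match:
        return problems + ["not in p:CN=USER@DOMAIN form"]
    domain = match.group(2)
    if domain != domain.upper():
        problems.append("domain not upper case")
    if domain.upper() != expected_domain.upper():
        problems.append("unexpected domain")
    return problems

def audit(rows, expected_domain):
    """Check (SAP user, SNC name) rows; also flag one SNC name mapped to two users."""
    findings, seen = {}, {}
    for sap_user, snc_name in rows:
        problems = check_snc_name(snc_name, expected_domain)
        key = snc_name.strip()
        if key in seen:
            problems.append(f"same SNC name as {seen[key]}")
        else:
            seen[key] = sap_user
        if problems:
            findings[sap_user] = problems
    return findings

# Constructed sample rows (SAP user ID, SNC name); not real accounts.
SAMPLE_ROWS = [
    ("RARMAGAN", "p:CN=RARMAGAN@YOURDOMAIN.COM"),
    ("JDOE", "p:CN=JDOE@yourdomain.com"),
    ("ASMITH", "CN=ASMITH@YOURDOMAIN.COM"),
    ("BATCH01", "p:CN=RARMAGAN@YOURDOMAIN.COM"),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ROWS, "YOURDOMAIN.COM").items():
        print(user, "->", "; ".join(problems))
```

A second SAP user carrying the same SNC name is worth reviewing, because the same Active Directory identity would then map to more than one SAP account.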
Activate Single Sign-On within SAP Logon (Activate Secure Network Communication)
In the SAP Logon app, right-click the single sign-on enabled SAP system and select Properties.
On the Network tab, check the Activate Secure Network Communication box and enter the SNC name of the related SAP system. Format: p:CN=<SID> (replace <SID> with your SAP System ID)
Click OK.
That’s it! Now you can try SAP Single Sign-On by double-clicking the SAP system!
Please let me know your thoughts in the comments below.