The SAP Single Sign-On (SAP SSO) product enables users to log in to SAP without entering any password. If you have SAP in your inventory, I recommend enabling SAP Single Sign-On from the day one of SAP Go-Live. If you didn’t enable yet, no worries, don’t wait to set up and continue reading.

Audience:  People who are willing to implement SAP Single Sign-On efficiently.

Authenticate with Kerberos/SPNEGO

If you have experts in your team, it will take 2 weeks from starting implementation to releasing it to end-users.


  • Your Company is using Microsoft Active Directory
  • End users are using company computers
  • SAP Secure Client Login software installation for the end-user computer
  • SAP Single Sign-On License

How It Works:

  1. Upon connection start, the Secure Login Client retrieves the SNC name (User Principal Name of the service user) of the respective SAP server system.
  2. The Secure Login Client starts at the Ticket Granting Service a request for a Kerberos Service token.
  3. The Secure Login Client receives the Kerberos Service token
  4. The Secure Login Client provides the Kerberos Service token for SAP single sign-on and secure
    communication between the SAP Client and SAP server.
  5. The user is authenticated, and the communication is secured.

2 Responses

  1. We have a setup where SAP GUI Logon Pad app is hosted on Citrix, can it be possible to have SAP SSO enabled?
    Here as well users access Citrix via a web interface and then view list of apps being provisioned to them.

Leave a Reply

Your email address will not be published. Required fields are marked *