Single Sign On (SAP SSO)

Posted by Klea Duro on Sep 6, 2024 8:15:00 AM

What does it mean? What is it used for and how can it be done in SAP systems?

 


 

Are there only advantages or also disadvantages?

What does it mean?

Single Sign On is not a product or a piece of software but a technique: the user performs one main authentication and, if it succeeds, obtains access to additional resources without entering credentials (e.g., a password) again.

 

For example?

 

Imagine you turn on your notebook and log in to Microsoft Windows (assuming it is your corporate operating system).

 

Once authentication to Windows, and therefore to the corporate domain, is complete, all applications opened afterwards can be accessed without typing in any credentials. This mechanism, in addition to being more secure than having to remember different credentials on a system-by-system basis, simplifies user access to corporate resources.

 

This is possible because, at the time of the first (successful) authentication, a "token" is issued that satellite systems connected and enabled for this function can interpret as a "pass".
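The token mechanism described above, as an added sketch that is not from the original post and is not SAP's or Windows' actual ticket format: after the main login a signed, short-lived token is issued, and each satellite system checks signature, expiry and whether it is enabled for that token before admitting the user. The shared HMAC key, the system names and the user name are constructed assumptions; real deployments typically rely on Kerberos tickets, X.509 certificates or SAML assertions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key (assumption); a real identity provider protects its signing key.
IDP_KEY = b"demo-key-constructed-for-this-example"

def _sign(body: str) -> str:
    mac = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user, audiences, ttl=300, now=None):
    """Main authentication succeeded: issue a signed, short-lived token."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": sorted(audiences), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(body)}"

def accept_token(token, system, now=None):
    """Check a satellite system runs instead of asking for a password.
    Returns the user name, or None if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison; verify the signature before parsing the claims.
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None  # forged or altered token
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None  # malformed token
    if now >= claims["exp"]:
        return None  # expired: the user has to authenticate again
    if system not in claims["aud"]:
        return None  # this system is not enabled for SSO with this token
    return claims["sub"]

if __name__ == "__main__":
    # Constructed sample: only two systems are included in the SSO scope.
    token = issue_token("jdoe", ["sap-erp", "fiori"])
    for name in ("sap-erp", "fiori", "hr-portal"):
        print(name, "->", accept_token(token, name))
```

The short lifetime and the per-system audience list are what limit the damage if a token leaks: it stops working after `ttl` seconds and is refused by systems outside its scope.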

 

Password logon or SSO single sign-on?

The alternative to using Single Sign On (SSO) is, for example, a password-based authentication method.

 

There are clearly advantages and disadvantages to adopting or not adopting SSO compared with using passwords. Some of them are mentioned here:

 

  • I have to remember a lot of passwords
  • Statistically, if I have to remember many passwords, I will try to reduce their complexity
  • If the password used for the first login is somehow stolen, an attacker could gain access to all connected "sub" systems

Today, Single Sign On mechanisms, if properly implemented, are probably a good compromise between usability and security. Read more about passwords here.

 

Remember that Single Sign On can also be activated together with Multi-Factor Authentication (MFA) or, potentially, even biometric controls.

 

So what to do in SAP? What are the possible scenarios?

This is an issue that can be very complex, especially depending on business realities. There can be many scenarios. As of today, there is no single approach that fits everyone.

 

A study must be carried out to understand, for example:

 

  • which systems are or will be involved (not all necessarily need to be included)?
  • are they all on-premise systems, or also cloud?
  • what will the company's direction be? More cloud or not?

In the specific case of SAP, additional aspects have to be taken into account, e.g.:

  • do you need SSO only on the GUI or also on something else (e.g., the browser on SAP systems, or also third-party systems)?
  • in the future, will you have on-premise systems, only cloud, or both (i.e., hybrid)?
  • will you use SAP via FIORI or via the GUI? For example, by leveraging S/4HANA?

In the specific case of SAP systems, there are a few main paths to choose from:

  • Purchase tools on the market to perform Single Sign On
  • Use the solution that SAP makes available, called SAP Single Sign On (SAP SSO)
  • Use the cloud solutions that SAP makes available, namely SAP Cloud Identity Services, in particular the IAS (Identity Authentication Management) solution

Each of these solutions clearly has advantages, disadvantages and limitations. These need to be evaluated against business realities and objectives.

 

SAP SSO

 

Starting from May 2023, there is an additional solution for managing Single Sign On in SAP called "SAP Secure Login Service for SAP GUI". This is a service of the Business Technology Platform (BTP) that will replace the on-premise SAP Single Sign On product.

 

 
