Expand +



An Inside Look at the New Features and Functionality in SAP NetWeaver Single Sign-On 2.0

by Regine Schimmer, Jens Koster, and Frane Milicevic | SAPinsider

April 1, 2013

SAP NetWeaver Single Sign-On has helped companies increase user productivity and cost savings by allowing users to log on just once and eliminate the need for multiple system login credentials and passwords. With the success of the first version of this product, SAP developers are working to enhance the tool with a variety of new features. This article takes a look at the types of scenarios SAP NetWeaver Single Sign-On enable and some of the enhanced functionality that users can look forward to in the 2.0 version of the solution.

When SAP launched its first single sign-on (SSO) solution, SAP NetWeaver Single Sign-On, it allowed SAP customers to take advantage of highly useful technology that eliminated the need for multiple system login credentials and passwords within the enterprise. This meant increased user productivity, more security, and significant cost savings due to a reduced number of helpdesk calls related to forgotten passwords.

With SAP NetWeaver Single Sign-On, users need to log on just once to a central system to gain access to multiple applications, including SAP systems, inboxes, or corporate intranets, without having to authenticate again.1 Based on software acquired from Secude GmbH, the 1.0 version of the solution was already highly mature.

Now, SAP developers are working to broaden the scope of the tool, enhancing it through a variety of new features, and making it the SSO tool of choice for virtually all enterprise scenarios. The new release, SAP NetWeaver Single Sign-On 2.0, reflects state-of-the-art technologies that are custom-tailored to fit SAP as well as non-SAP systems in your IT environment.

Here, we’ll take a look at the types of scenarios SAP NetWeaver Single Sign-On enables, then we’ll dive into some of the enhanced functionality that users can look forward to in the 2.0 version of the solution.

SAP NetWeaver Single Sign-On Scenarios

SAP NetWeaver Single Sign-On enables three key SSO scenarios: SSO for SAP Business Suite, SSO for heterogeneous environments, and SSO for cloud-based and cross-company scenarios (see Figure 1). Let’s explore each in more detail.

SAP NetWeaver Single Sign-On use cases and technologies

Figure 1 — SAP NetWeaver Single Sign-On use cases and technologies.

Scenario 1: Single Sign-On for SAP Business Suite

Setting up SSO for SAP Business Suite with Kerberos tokens requires little on the implementation side, but provides a considerable simplification to your employees’ authentication processes, as well as benefits for both security and operational costs in the enterprise. Using Kerberos technology, a trust relationship is established between the user’s front end (SAP GUI for Windows or a web browser, for instance) and the back-end SAP Business Suite applications.

Employees log in once when they start their computers in the morning by signing into, for example, their Windows domain. Any subsequent authentication processes are left to a Kerberos token mechanism provided by SAP NetWeaver Single Sign-On, and these happen entirely in the back end, leaving the user to experience only smooth, easy accessibility in the front end. 

Scenario 2: Single Sign-On in a Heterogeneous Environment

For companies that want to take SSO a step further and integrate non-SAP systems into their SSO landscape, SAP NetWeaver Single Sign-On offers support for X.509 certificates. A long-time internet standard, the majority of corporate software products available today support X.509 certificates. Administrators can set up the certificates to be issued by a dedicated public-key infrastructure (PKI) or by the Secure Login Server component of SAP NetWeaver Single Sign-On. The Secure Login Server issues short-lived certificates, which means administrators do not need to set up a full-blown PKI or administrative processes, such as certificate revocation lists. Enabling this kind of scenario means that users can sign on once to gain access not only to their SAP systems, but also to many of their non-SAP applications.

Scenario 3: Single Sign-On in Cloud-Based and Cross-Company Scenarios

While Kerberos and X.509 certificates cover many use cases for SSO in the corporate world, an increasing number of companies are now seeking to establish trust relationships across company domains or in the cloud. In those cases, SSO can be established using SAML 2.0 tokens, an internet-standard technology that enables web-based SSO and guarantees secure authentication even when identity data is leaving your company boundaries. This is especially useful if, for example, your company collaborates with a vendor to order office supplies. By using a SAML token to enable SSO, your employees can gain easier access to place an order directly in a vendor’s catalog application. The application then obtains your employees’ authentication data from a system that both companies have set up as trusted.

Main Features of SAP NetWeaver Single Sign-On 2.0
  • The new SAP NetWeaver Single Sign-On release offers a number of enhancements, including:
  • Enhanced platform support (SAP now supports Windows 8, for example)
  • Tighter integration of SAP NetWeaver Single Sign-On into the overall SAP NetWeaver environment, which leads to reduced operating costs
  • Integration with SAP NetWeaver Identity Management and the Identity Provider component
  • Additional language support

In addition, we’d like to focus on two particularly noteworthy characteristics of the release. One key update in this release is Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) support for the ABAP world, which will allow SSO through the web. Another important characteristic of the new release is the fact that it is being FIPS 140-2 certified to ensure tested security standards for the solution’s cryptographic module.

SPNEGO for ABAP: Closing a Gap

SPNEGO is a standard mechanism widely used in the IT world. It helps a client application authenticate to a remote server in cases when neither the client nor the server knows which authentication protocol the other end supports. SPNEGO also plays an important role in setting up SSO in SAP environments using the Kerberos mechanism.

As we mentioned earlier, SAP NetWeaver Single Sign-On offers a Kerberos-based solution for SSO. Setting up Kerberos in such a scenario requires only minimum implementation and maintenance effort. The SPNEGO authentication method ensures that the Kerberos tickets are granted and accepted in this environment.

In the 1.0 version of SAP NetWeaver Single Sign-On, however, the Kerberos method only worked when enabling SSO to the SAP GUI for Windows world; it did not cover SSO access over the web. To close this gap, SAP NetWeaver Single Sign-On 2.0 now includes native support for SPNEGO for ABAP. This means that the application server is now able to consume Kerberos tokens as proof of authentication rather than requiring passwords (see Figure 2).

Process flow using SPNEGO for ABAP.

Figure 2 — Process flow using SPNEGO for ABAP.

Setting Up SPNEGO for ABAP

All ABAP and kernel implementations necessary for setting up SPNEGO for ABAP will be included in the shipment of SAP NetWeaver release 7.40, as well as SAP NetWeaver 7.31, support package 7. They are also currently being down-ported to earlier release levels. Customers also need to license SAP NetWeaver Single Sign-On to obtain the Secure Login Library component.

Setting up SPNEGO for ABAP is a simple and straightforward process that involves only a few manual configuration steps:

  • Install the Secure Login Library on the SAP NetWeaver ABAP back end.
  • Set the system parameters spnego/enable and spnego/krbspnego in the SAP NetWeaver Application Server ABAP and configure the keyTab generated by the Active Directory Server in transaction SPNEGO.
  • Map the user’s Kerberos principal name to the ABAP user name using transaction SU01. 

Certified Security: FIPS 140-2

To meet the increasing security requirements of its customers, SAP is currently pursuing FIPS 140-2, security level 1 certification of the Secure Login Library component within SAP NetWeaver Single Sign-On. This certification covers basic security requirements for production-grade components.2

FIPS 140-2 certification ensures that the Secure Login Library’s cryptographic module (which enables the end-to-end encryption of communication channels between servers and between client and server) is designed, tested, and implemented correctly and indeed protects sensitive data from unauthorized access.

Take Single Sign-On to the Next Level

With SAP NetWeaver Single Sign-On 2.0, SAP has significantly enhanced its SSO solution, ensuring that users can take full advantage of the range of enterprise scenarios covered by the SSO infrastructure. To learn more about the solution, visit and And to determine what kind of ROI you might gain from implementing this solution, visit



Regine Schimmer ( is a Product Manager for SAP NetWeaver Identity Management and Single Sign-On at SAP AG in Walldorf. She has more than 10 years of experience with SAP security solutions.


Jens Koster ( is a Product Manager for SAP NetWeaver Identity Management and Single Sign-On at SAP AG in Walldorf. He joined SAP as a Technical Security Consultant in 2000. Since then, he has held various positions in both solution management and product management, focusing on the roll out of identity management and single sign-on solutions.


Frane Milicevic ( joined SAP in February 2011. As Product Owner, he is responsible for SAP’s Secure Login functionality. Previously, Frane worked for Secude as Senior Security Consultant and Product Manager.


For more about SAP NetWeaver Single Sign-On, see “Eliminate Password Chaos While Ensuring System Security” by Jonathan Cooper and Frane Milicevic in the July-September 2011 issue of SAPinsider. [back]

For more information about this certification, see “Is Your Data Properly Protected?” by Annette Fuchs in the January-March 2013 issue of SAPinsider. [back]


An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!