Show TOC

Single Sign-On with Client CertificatesLocate this document in the navigation structure


The AS ABAP enables you to configure the use of client certificates for SSO when users access the system from an SAP GUI.

For SAP GUI authentication with client certificates, the security context for authentication is made available from the GSS API of the AS ABAP system. Therefore, to enable the use of client certificates for SSO, the AS ABAP system must be configured to use SNC.


The use of client certificates for logon with the SAP GUI makes use of public-key cryptography and the AS ABAP Personal Security Environment (PSE) for establishing the user identity. The client certificate information, however, is used only for authenticating SAP GUI users. Transport layer security, the integrity and confidentiality of the authentication credentials is enabled by the SNC used on the AS ABAP.

  • To enable SAP GUI SSO with client certificates, users must possess valid client certificates. SAP GUI users can receive client certificates from an established Public-Key Infrastructure.

  • The SAP GUI client computers and the AS ABAP systems must use SAP NetWeaver Single Sign-On or an external security product that enables the creation of a Personal Security Environment (PSE). The use of an external security product is enabled by Secure Network Communications (SNC).


    You can use external security products for client certificate authentication that are certified by the SAP Partner Program. For more information about the SAP certified security products, see published on SAP site.


To enable users and AS ABAP systems to use SSO with client certificates, you must:

  1. Prepare the central instance.

  2. Activating SSO on the SAP Logon.

  3. Import the user's public-key certificates to the AS ABAP.