Single Sign-On – SAPGUI Front-End
SAPGUI is the graphical user interface client in the SAP ERP three-tier architecture of database, application servers and clients. It must be installed on the user's local desktop, which can run Windows, macOS or Linux.
To achieve Single Sign-On for SAPGUI in RISE with SAP, either the Kerberos or the X.509 method must be used. Kerberos is not recommended by AWS, because it requires users to always be connected to the corporate network and authenticated against a Microsoft Active Directory, which reduces their mobility. For this reason, X.509 is recommended.
SAPGUI Single Sign-On with X.509 can be achieved with
SAP Secure Login Service on BTP
Authentication flow
The user accesses SAP Fiori via an Internet browser.
SAP S/4HANA redirects the authentication request to SAP Secure Login Service.
SAP Secure Login Service delegates the authentication to SAP Cloud Identity Service.
When SAP Cloud Identity Service is integrated with an IdP (e.g. Azure AD, Okta or Ping), the IdP authenticates the user.
Once the user is authenticated by the IdP, SAP Secure Login Service provides an X.509 certificate to SAPGUI.
The user can then access SAP S/4HANA in the RISE with SAP VPC.
For more information on how to do this, you can refer to
Securing SAP GUI with SAP Secure Login Service