Single Sign-On with SAP Passports

Access a multitude of SAP websites without having to enter your S-user ID and password, while ensuring your data is still transferred securely.

SAP Passports are digital client certificates:

  • Once you have authenticated on the SAP ONE Support Launchpad and applied for an SAP Passport, SAP Trust Center issues your SAP Passport. This is your digital passport and represents a connection between your access data for your local computer and your access data for the launchpad.
  • From now on, whenever you access SAP Support Portal, launchpad or select SAP websites, there is no need to enter your user ID and password.

SAP Trust Center

The SAP Trust Center is located centrally in a highly secure data center at SAP Headquarters in Walldorf, Germany. The SAP ONE Support Launchpad includes a Registration Authority, which can check the user's identity using the launchpad user data.

This single sign-on technology is essentially based on a public key infrastructure: Users generate a key pair consisting of a public and a private key using functions native to their Internet browser. The public part of the key is transferred to the SAP Trust Center. Once the public key has been verified, the SAP Trust Center returns a signed certificate to the requester. This certificate is imported directly into the browser.

Policy Information

The SAP Passport is your digital ID on the Internet and identifies you as a member of the SAP Trust Community. The SAP Passport is saved on the computer you requested the passport with. It enables single sign-on for a multitude of SAP websites.

We recommend using SAP Passports only if the operating system on your local computer supports a strict separation of user data.

The security of your system depends heavily on the procedures you adopt when working with it. Always avoid having other persons act in your name.

Therefore, please take careful note of the following security rules and be sure to apply them. They help you protect your SAP Passport from unauthorized access by others:

  • Always lock your computer before leaving your workplace unattended, even if you will only be absent for a brief period of time.
  • Set the password protection on your screen saver so that the computer is automatically locked after a relatively short idle time.
  • If someone else needs to use your computer, first log off, then the other person can log on.

Frequently Asked Questions

The SAP Passport is an X.509 client certificate.

A certificate is an alternative means of authentication to user ID and password.

Example:

  • If you call up an Internet page that uses the SSL protocol, many webservers request a certificate from the browser.
  • The certificate must have been issued by one of the certification authorities (CAs) that the Internet page accepts.
  • If the browser contains such a certificate, then it transfers the certificate to the webserver.
  • The webserver checks the certificate to see if it is recognized by the Internet page.
  • If this is the case, the Internet page accepts the certificate as authentication because it trusts the CA.
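The check described in this example, sketched in Go as an added illustration (it is not SAP's code, and the CA name "Example Passport CA" and the S-user ID S0000000000 are constructed for the demo). It shows that the server accepts a certificate because of the accepted CA's signature and the validity period, not because of the names displayed in it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign makes a key pair and a certificate for cn. With ca == nil the result is a self-signed CA;
// otherwise ca signs a one-year client certificate (a real browser generates its own key pair).
func sign(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, t.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		t.NotAfter, ca, caKey = now.AddDate(10, 0, 0), t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// accepts is the web server's check: chain to the trusted CA, validity at `at`, client-auth usage.
func accepts(trusted, client *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	ca, caKey := sign("Example Passport CA", nil, nil)       // constructed CA the site accepts
	other, otherKey := sign("Example Passport CA", nil, nil) // same name, different key
	good, _ := sign("S0000000000", ca, caKey)                // constructed S-user ID
	fake, _ := sign("S0000000000", other, otherKey)
	now := time.Now()
	fmt.Println(accepts(ca, good, now), accepts(ca, fake, now), accepts(ca, good, now.AddDate(2, 0, 0)))
}
```

The third result is the expired case: the same certificate checked two years later is rejected even though its issuer is still trusted.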

The list of SAP websites that you can access without entering your user ID and password is constantly growing. It currently comprises

The new SAP ONE Support Launchpad and updated applications require you to use one of the following browser versions:

  • Internet Explorer 10 or 11; or the most recent versions of the following:
  • Chrome
  • Firefox
  • Safari

Note: You only need the ActiveX settings for Internet Explorer.

In the Internet Explorer menu bar, choose the following path: Tools > Internet Options > Security tab > Custom Level...

Set the following entries to Enable or Prompt:

  • Download signed ActiveX controls
  • Initialize and script ActiveX controls not marked as safe for scripting
  • Run ActiveX controls and plug-ins
  • Script ActiveX controls marked safe for scripting

There are two options to install the SAP Passport:

Automatically via browser (only available in Internet Explorer):

  1. Open the SAP Passport application using Internet Explorer browser.
  2. Provide your user's password and click the Apply for SAP Passport button.
  3. Provide a password to secure your SAP Passport Certificate.
  4. Click the Install the SAP Passport button.
  5. Two confirmation pop-ups may appear depending on your ActiveX configuration.
  6. Wait for the successful confirmation pop-up.

Manually via download:

  1. Open the SAP Passport application using a supported browser.
  2. Provide your user's password and click the Apply for SAP Passport button.
  3. Provide a password to secure your SAP Passport Certificate (needed during the installation).
  4. Click the Download the SAP Passport button.
  5. Download the pfx/p12 file.
  6. Manually install it.

Note: After installing a new SAP Passport certificate, we strongly recommend that you delete the old SAP Passport everywhere it is used.

The automatic installation of the SAP Passport via browser is done using ActiveXObject, which is an API limited to Internet Explorer. In summary, the following procedure takes place in the background when you install your SAP Passport via browser by clicking the Install the SAP Passport button:

  1. Your browser generates a key pair via ActiveXObject
  2. Your browser sends the public key to the SAP Trust Center Service
  3. The SAP Trust Center Service checks your application and password
  4. The SAP Trust Center Service answers with a signed certificate, the SAP Passport
  5. The SAP Passport is installed in your browser via ActiveXObject

Where you find your SAP Passport depends on the browser you use:

Find the SAP Passport in Internet Explorer

  1. Choose Tools > Internet options ...
    The Internet options window appears.
  2. Click Contents.
    The Contents tab appears.
  3. Click Certificates ...
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Issued to: "Your S-user ID", Issued by: SAP Passport CA.

Find the SAP Passport in Chrome

  1. Choose Tools > Settings (or enter chrome://settings in the address bar).
    The Settings window appears.
  2. Click Show advanced settings...
    The advanced settings appear.
  3. In the HTTPS/SSL section click the Manage certificates… button.
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Issued to: "Your S-user ID", Issued by: SAP Passport CA.

Find the SAP Passport in Firefox:

  1. Choose Tools > Options (or enter about:preferences).
    The Options window appears.
  2. Click the Advanced tab (about:preferences#advanced).
    The Advanced tab appears.
  3. Click the Certificates tab and then the View certificates button.
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Certificate Name: SAP Trust Community, "Your S-user ID".

Find the SAP Passport in Mac (Safari):

  1. Choose Applications > Utilities > Keychain Access.
    The Keychain Access window appears.
  2. In the Keychains tab click Login.
    The Login window appears.
  3. In the Category tab click My Certificates.
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Name: "Your S-user ID", SAP Passport.

If you have installed a new SAP Passport, there are now two SAP Passports in your browser. This means that the next time you log in to the SAP ONE Support Launchpad (or any SAP website that supports SAP Passports), your browser will ask you which of the two you wish to use.

To exclusively use the new SAP Passport, SAP recommends that you delete your old SAP Passport. Since the new SAP Passport is valid already, there is no reason to retain the old one.

Where you remove your old SAP Passport depends on the browser you use.

  1. Locate the SAP Passport in your browser (see FAQ "Where do I find the SAP Passport in my browser?").
  2. Highlight your old SAP Passport and click Remove (in Internet Explorer or Chrome) or Delete (in Firefox or Safari), respectively.

The value Days to expire displayed on the SAP Passport tile in the launchpad is the number of days remaining until your SAP Passport expires, based on the last SAP Passport installed or downloaded for your user.

Therefore, after installing a new SAP Passport certificate, we strongly recommend you delete the old SAP Passport everywhere it is used. Otherwise, this value might be imprecise depending on the SAP Passport being used.

Until your SAP Passport is created using the new SAP Passport application, the No Certificate Found message will be displayed on the SAP Passport tile on the launchpad homepage.

Once you have created the SAP Passport using the new SAP Passport application, the number of days remaining to the certificate expiration is displayed.

You can still use browser certificates with multiple user IDs, but you have to request one for each user ID.

Once you have installed a browser certificate for your first user ID, your browser might log you on to the SAP ONE Support Launchpad automatically. To apply for a second certificate:

Internet Explorer

  1. Click Tools > Internet Options > Security tab.
  2. Make sure that the correct zone is selected: This is usually Internet; however, if you have added the SAP ONE Support Launchpad to your trusted sites, Trusted Sites has to be selected.
  3. Click Custom Level...
  4. Choose Disable for Don't prompt for client certificate selection when no certificates or only one certificate exists.
  5. Confirm with OK.

Firefox

  1. Click Tools > Options > Advanced > Encryption tab.
  2. Check Ask me every time for When a server requests my personal certificate.
  3. Click OK.

You will now be able to request further certificates by cancelling the browser certificate's selection prompt and logging in with your second S-user ID instead.