Single Sign-On with SAP Passports

Access many SAP websites without having to enter your ID and password, while ensuring your data is still transferred securely.

SAP Passports are digital client certificates:

  • Once you have authenticated on SAP for Me and applied for an SAP Passport, SAP Trust Center issues your SAP Passport. This is your digital passport and represents a connection between your access data for your local computer and your access data for SAP for Me.
  • Now, when you access the SAP Support Portal, SAP for Me or select SAP websites, there is no need to enter your user ID and password.

SAP Trust Center

The SAP Trust Center is located in a highly secure data center at SAP Headquarters in Walldorf, Germany. SAP for Me includes a Registration Authority, which checks the user's identity using the SAP for Me user data.

How it works: Users generate a key pair consisting of a public and a private key using functions native to their Internet browser. The public part of the key is transferred to the SAP Trust Center. Once the public key has been verified, the SAP Trust Center returns a signed certificate to the requester. This certificate is imported directly into the browser.

Policy Information

The SAP Passport is your digital ID on the Internet and identifies you as a member of the SAP Trust Community. The SAP Passport is saved on the computer with which you requested the passport. It enables single sign-on for many SAP websites.

We recommend using SAP Passports only if the operating system on your local computer supports a strict separation of user data.

The security of your system depends heavily on the procedures you adopt when working with it. Always avoid having other persons act in your name.

Therefore, please take careful note of the following security rules and be sure to apply them. They help you protect your SAP Passport from unauthorized access by others:

  • Always lock your computer before leaving your workplace unattended, even if you will only be absent for a brief period of time.
  • Set the password protection on your screen saver so that the computer is automatically locked after a relatively short idle time.
  • If someone else needs to use your computer, first log off, then the other person can log on.

Frequently Asked Questions

The SAP Passport is an X.509 client certificate.

A certificate is an alternative means of authentication to user ID and password.

Example:

  • If you call up an Internet page that uses the SSL protocol, many web servers request a certificate from the browser.
  • The certificate has to have been issued by a certification authority (CA) that is accepted by the Internet page.
  • If the browser contains such a certificate, then it transfers the certificate to the web server.
  • The web server checks the certificate to see if it is recognized by the Internet page.
  • If this is the case, the Internet page accepts the certificate as authentication because it trusts the CA.
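The enrollment described under "How it works" and the server-side check in the example above, as an added sketch (not SAP's code or tooling). It assumes openssl is installed; openssl stands in for the browser's key generation and a throwaway local CA for the SAP Trust Center, and DemoPassportCA, OtherCA, demo-user and the function names are made up for the demo.

```shell
#!/bin/sh
# Added demo. A throwaway local CA stands in for the Trust Center and openssl
# stands in for the browser's key generation; every name here is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Minimal config so the demo CA certificate is marked as a CA.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# enroll CA USER: the key pair is generated locally, only the request (public
# key plus proof of possession) goes to the CA, and a signed certificate returns.
enroll() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# matches_key USER: the returned certificate carries the local public key.
matches_key() {
    [ "$(openssl pkey -in "$WORK/$1.key" -pubout)" = \
      "$(openssl x509 -in "$WORK/$1.crt" -noout -pubkey)" ]
}

# accepted_by CA USER: server-side check that the certificate chains to a CA
# the site accepts.
accepted_by() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca DemoPassportCA
make_ca OtherCA
enroll DemoPassportCA demo-user
matches_key demo-user && echo "certificate carries the locally generated public key"
accepted_by DemoPassportCA demo-user && echo "accepted: issuer is a CA the site trusts"
accepted_by OtherCA demo-user || echo "rejected: issuer is not an accepted CA"
```

The private key file never leaves the working directory; only the request and the signed certificate cross the boundary between requester and CA.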

The list of SAP websites that you can access without entering your user ID and password is constantly growing. It currently comprises

SAP for Me and updated applications require you to use one of the following browser versions:

  • Microsoft Edge, or the most recent versions of the following:
  • Chrome
  • Firefox
  • Safari

  1. Open the SAP Passport application using a supported browser.
  2. Provide your user's password and click the Apply for SAP Passport button.
  3. Provide a password to secure your SAP Passport Certificate (needed during the installation).
  4. Click the Download the SAP Passport button.
  5. Download the pfx/p12 file.
  6. Manually install it.

Note: After installing a new SAP Passport certificate, we strongly recommend that you delete the old SAP Passport everywhere it is used.

Where you find your SAP Passport depends on the browser you use:

Find the SAP Passport in Chrome

  1. Choose Tools > Settings (or enter chrome://settings in the address bar).
    The Settings window appears.
  2. Click Show advanced settings...
    The advanced settings appear.
  3. In the HTTPS/SSL section click the Manage certificates… button.
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Issued to: "Your S-user ID", Issued by: SAP Passport CA.

Find the SAP Passport in Firefox:

  1. Choose Tools > Options (or enter about:preferences).
    The Options window appears.
  2. Click the Advanced tab (about:preferences#advanced).
    The Advanced tab appears.
  3. Click the Certificates tab and then the View certificates button.
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Certificate Name: SAP Trust Community, "Your S-user ID".

Find the SAP Passport in Mac (Safari):

  1. Choose Applications > Utilities > Keychain Access.
    The Keychain Access window appears.
  2. In the Keychains tab click Login.
    The Login window appears.
  3. In the Category tab click My Certificates.
    The Certificates window appears.
  4. Your SAP Passport has the following entries:
    Name: "Your S-user ID", SAP Passport.

If you have installed a new SAP Passport, there are now two SAP Passports in your browser. This means that the next time you log in to an SAP website that supports SAP Passports, your browser will ask you which of the two you wish to use.

To exclusively use the new SAP Passport, SAP recommends that you delete your old SAP Passport. Since the new SAP Passport is valid already, there is no reason to retain the old one.

Where you remove your old SAP Passport depends on the browser you use.

  1. Locate the SAP Passport in your browser (see FAQ "Where do I find the SAP Passport in my browser?").
  2. Highlight your old SAP Passport and click Remove (in Internet Explorer or Chrome) or Delete (in Firefox or Safari), respectively.

Until your SAP Passport is created using the SAP Passport application, the No Certificate Found message will be displayed.

Once you have created the SAP Passport using the new SAP Passport application, the number of days remaining to the certificate expiration is displayed.

You can still use browser certificates with multiple user IDs, but you have to request one for each user ID.

Once you have installed a browser certificate for your first user ID, your browser might log you into SAP for Me automatically. To apply for a second certificate:

Firefox

  1. Access Firefox's advanced preferences by opening a new tab and typing about:config into the address bar.
    Note that your company's browser policy may prevent you from accessing these settings. In this case, reach out to your IT department.
  2. Firefox will display a "Proceed with caution" warning. Click on Accept the risk and continue.
  3. On the Search preference name bar, type security.default_personal_cert
  4. Set the value of that property to Ask Every Time.
  5. Close the tab (make sure that you do not change anything else)

You will now be able to request further certificates by cancelling the browser certificate's selection prompt and logging in with your second S-user ID instead.