SSO for SAP ECC

by SAP

Bring Modern SSO to SAP ECC Without SAP NetWeaver Changes

Why SAP ECC Needs Modern SSO

SAP ECC (ERP Central Component) powers critical business processes — from financials and materials management to production planning and human capital management — for tens of thousands of organizations globally. Despite its importance, SAP ECC's authentication model relies on local SAP user IDs and passwords managed within SU01, separate from your corporate identity infrastructure. This creates credential sprawl, password fatigue, and compliance blind spots. OnePAM bridges this gap by placing an identity-aware reverse proxy in front of SAP Web Dispatcher or SAP ICM. Users authenticate once through your corporate IdP, and OnePAM establishes a trusted SAP session using SSO ticket injection or header-based authentication. SAP GUI for HTML, WebDynpro, SAP Fiori (on ECC), and SAP Enterprise Portal all gain SSO transparently — no BASIS customization, no SAP SSO 3.0 licenses, and no ABAP development required.

Authentication Challenges with SAP ECC

These are the security and operational challenges organizations face when SAP ECC relies on its native authentication model.

Isolated User Store

SAP ECC maintains its own user master records (SU01) disconnected from your corporate directory, forcing dual credential management.

Complex SSO Options

SAP's native SSO options (SAP SSO 3.0, SPNego, X.509 certificates) require significant SAP Basis expertise and additional SAP licensing.

SAP GUI Challenge

Bringing SSO to SAP GUI for Windows or SAP GUI for HTML requires Kerberos or SAP Logon Tickets, which are difficult to configure with modern IdPs.

Multi-Client Complexity

SAP ECC systems often have multiple clients (000, 100, 200, etc.), each requiring separate authentication configuration.

Compliance Pressure

SOX, GDPR, and industry regulations demand unified access controls and audit trails that span SAP and non-SAP systems.

High Password Reset Cost

SAP password resets require SU01 access by a SAP administrator, making them more expensive than typical Active Directory resets.

How OnePAM Adds SSO to SAP ECC

A step-by-step guide to deploying modern SSO for SAP ECC using OnePAM's identity-aware reverse proxy.

1. Deploy OnePAM Gateway

Place OnePAM in front of SAP Web Dispatcher or SAP ICM to intercept web-based SAP traffic.

OnePAM installs as a container or VM and acts as the TLS termination point for all SAP web traffic. SAP GUI for HTML, Fiori, WebDynpro, and Enterprise Portal are all covered.

2. Configure IdP Federation

Connect OnePAM to your IdP (Okta, Azure AD, Google Workspace, ADFS, or any SAML/OIDC provider).

OnePAM handles SAML assertion validation, OIDC token verification, and IdP metadata exchange. SP-initiated and IdP-initiated flows are both supported.

3. Map IdP Users to SAP Users

Define the mapping between IdP user attributes (email, employee ID, UPN) and SAP user IDs in SU01.

OnePAM supports multiple mapping strategies: direct email-to-SAP-user, employee ID matching, regex-based transformations, and LDAP lookup for complex environments.

4. Enable SAP Session Injection

OnePAM creates trusted SAP sessions via logon ticket injection or HTTP header authentication.

Upon successful IdP authentication, OnePAM injects a SAP SSO ticket (MYSAPSSO2 cookie) or a trusted HTTP header that SAP ICM accepts as valid authentication. The user lands in SAP without a second login.

5. Activate Policies & Monitoring

Define access policies per SAP client, transaction, and user group. Enable audit logging and session recording.

OnePAM logs every SAP login with full IdP context: user, IdP, MFA method, device, and location. Session recording captures the full SAP web session for compliance playback.
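
A sketch of steps 3 and 4 in header mode, added here as an example and not OnePAM's code or configuration: it maps IdP claims to a SAP user ID with ordered regex rules, then builds the headers forwarded to SAP after dropping any client-supplied copy of the identity header. The header name `X-Trusted-SAP-User`, the claim names, the rules and the sample SU01 user sets are assumptions made for illustration.

```python
import re

# Hypothetical names and rules for illustration; not OnePAM or SAP configuration.
TRUSTED_HEADER = "X-Trusted-SAP-User"
# SAP user IDs are at most 12 characters; the narrow charset is this example's policy.
SAP_USER_RE = re.compile(r"[A-Z0-9_]{1,12}")

# Constructed sample of SU01 users per SAP client.
KNOWN_SAP_USERS = {"100": {"JDOE", "E004217"}, "200": {"JDOE"}}

# Ordered mapping rules: (IdP claim, full-match regex, replacement template).
RULES = [
    ("employee_id", r"(\d{6})", r"E\1"),
    ("email", r"([a-z])[a-z]*\.([a-z]+)@example\.com", r"\1\2"),
]


def map_to_sap_user(claims, client):
    """Return the SAP user ID for these IdP claims in this client, else None."""
    for claim, pattern, template in RULES:
        m = re.fullmatch(pattern, str(claims.get(claim, "")))
        if not m:
            continue  # fullmatch: extra text after the expected domain never matches
        candidate = m.expand(template).upper()
        if SAP_USER_RE.fullmatch(candidate) and candidate in KNOWN_SAP_USERS.get(client, ()):
            return candidate
    return None


def _norm(name):
    # Treat "_" and "-" alike, since some servers normalise header names.
    return name.lower().replace("_", "-")


def build_upstream_headers(inbound, claims, client):
    """Headers to forward to SAP after IdP login; fails closed without a mapping."""
    user = map_to_sap_user(claims, client)
    if user is None:
        raise PermissionError("no SAP user mapped for this identity")
    # Drop every client-supplied copy of the identity header before setting it.
    out = {k: v for k, v in inbound.items() if _norm(k) != _norm(TRUSTED_HEADER)}
    out[TRUSTED_HEADER] = user
    return out
```

The stripping step only helps if SAP accepts the trusted header solely on connections from the proxy, so the SAP web ports should not be reachable by any other path.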

Benefits of SSO for SAP ECC

Measurable business outcomes from deploying OnePAM SSO in front of SAP ECC.

End SAP Password Resets

Users log in with their corporate credentials — no separate SAP password to remember, expire, or reset via SU01.

92% fewer SAP password tickets

Enforce MFA for SAP

Apply your IdP's MFA policies to SAP access — push notifications, FIDO2 keys, or biometrics — without SAP-side MFA configuration.

100% MFA-protected SAP access

Instant Deprovisioning

Disable a user in your IdP and their SAP ECC access stops immediately. No waiting for SU01 locks or manual SAP admin intervention.

Real-time access revocation

No SAP SSO Licensing

OnePAM replaces SAP Single Sign-On 3.0, SAP Identity Management, and related SAP licensing. Significant cost savings.

Save on SAP SSO licenses

Unified Compliance

SAP access events appear alongside all other application access in a single audit trail with IdP context and device information.

Audit-ready in minutes

No ABAP Changes

No ABAP development, no BASIS configuration changes, no transport requests. OnePAM works entirely at the HTTP layer.

Zero transports

SAP ECC SSO Capabilities

Every feature needed to provide enterprise-grade SSO for SAP ECC.

SAML 2.0 & OIDC SSO for SAP ECC web interfaces
SAP Logon Ticket (MYSAPSSO2) injection
SAP Web Dispatcher and ICM integration
Multi-client support (000, 100, 200, etc.)
SAP GUI for HTML SSO support
SAP Fiori Launchpad SSO (on-premise ECC)
WebDynpro and BSP application SSO
SAP Enterprise Portal SSO pass-through
Group-to-SAP-role mapping from IdP
Transaction-level access policies

Security Features

Enterprise-grade security controls protecting the SSO integration layer.

End-to-end TLS between user, OnePAM, and SAP
Signed SAML assertions with certificate pinning
SAP client-specific access policies
IP allow-listing and geo-restriction per SAP system
Device compliance verification before SAP access
Automatic session invalidation on IdP sign-out

SAP ECC SSO Use Cases

Common scenarios where organizations deploy OnePAM SSO for SAP ECC.

1. Finance teams accessing SAP FI/CO modules via corporate SSO with MFA
2. Supply chain operators using SAP MM/PP with role-based access from IdP groups
3. HR personnel accessing SAP HCM with time-limited, audited sessions
4. External auditors given read-only, recorded access to SAP transactions
5. Remote workers accessing SAP from personal devices with device trust checks
6. Multi-entity organizations unifying SAP access across IdPs during mergers

SAP ECC SSO FAQ

Common questions about deploying OnePAM SSO for SAP ECC.

Does OnePAM support SAP GUI for Windows (thick client)?

OnePAM directly supports SAP GUI for HTML and all web-based SAP interfaces. For SAP GUI for Windows (thick client), OnePAM can provide SSO via SAP Logon Ticket injection when the thick client connects through SAP Web Dispatcher.

Which SAP ECC versions are supported?

OnePAM supports SAP ECC 5.0, 6.0 (all enhancement packs), and S/4HANA on-premise. Any SAP system using SAP Web Dispatcher or ICM for web access is compatible.

Do we need to change SAP Basis configuration?

No SAP Basis changes are required. OnePAM operates as a reverse proxy in front of SAP Web Dispatcher. If you want to use SAP Logon Ticket injection, a one-time trust certificate import in STRUST is needed — but no ongoing configuration.

How does OnePAM handle SAP multi-client environments?

OnePAM supports client-specific policies. You can map IdP groups to specific SAP clients and apply different MFA requirements, access windows, and session policies per client.

Can we use OnePAM alongside SAP Identity Management (IdM)?

Yes. OnePAM handles authentication (SSO/MFA) while SAP IdM can continue to manage SAP authorization roles. The two systems complement each other — OnePAM for how users authenticate, SAP IdM for what they can do inside SAP.
