Skip to Content

SAP Cloud Platform Single Sign-On: SAP Assertion SSO

Single Sign-On to backend service using SAP assertion SSO

This blueprint provides common information, guidance, and direction for implementing SAP assertion SSO from SAP Cloud Platform to the backend system that is running on-premise to achieve Single Sign-On. It will allow you to use this method for any endpoint service that accept SAP assertion tickets.


SAP Cloud Platform is an essential part of SAP’s digital strategy. It is the platform for our customers’ and partners’ transformation journey toward digital business models. This open platform as a service (PaaS) provides unique in-memory database and application services. It is the proven cloud platform that enables you to rapidly develop new applications or extend existing ones, all in the cloud.

While the authentication and authorization on the SAP Cloud Platform is part of the security implementation, the challenge comes in how to integrate with the on-premise system so that the users have a good experience without having them performing the authentication process again.

SAP Cloud Platform offers many methods of user principal propagation, so it is important to understand how and when to use in the destination configuration.

Authentication Type Description When to use…
Application-to-Application SSO

Enables services to propagate user identities to other applications which are consumed (deployed or subscribed) in the SAP Cloud Platform account. A user identity is propagated to the application that is specified in the URL.

Full identity is propagated

If the service endpoint is running on an account in the SAP Cloud Platform

Configure the back-end system to accept SAP assertion tickets that are signed by a trusted X.509 DSA key pair. By default, all SAP systems accept SAP assertion tickets for principal propagation.

Only User ID is propagated

If the backend service endpoint is a SAP NetWeaver AS system that can reside on the cloud or on-premise.
Principal Propagation

Allows destinations to forward the identity of an on-demand user to SAP cloud connector, which then forwards it to the back-end system of the relevant on-premise system. An on-demand user need not provide his or her identity for each connection to an on-premise system when using SAP Cloud Connector.

Full identity is propagated

If the backend service endpoint accepts client certificate authentication for both SAP and non-SAP system.

This can be used with HTTPS protocol or RFC protocol with SNC.

Note: Cloud Connector is needed.


Enables applications to use SAML assertions to access OAuth-protected resources.

Full identity is propagated

If the backend service endpoint is a OAuth-protected resources that can reside on the cloud or on-premise (SAP and 3rd party backend system)

OAuth authorization server is needed.

This blueprint will focus on the SAP assertion SSO method. If the backend service endpoint is an SAP NetWeaver AS system that resides on the corporate network, a Cloud Connector will be needed to serve as the link between on-demand applications in SAP Cloud Platform and the backend system. The Cloud Connector is an on premise agent that runs in the customer network and takes care of securely connecting cloud applications running on SAP Cloud Platform to services and systems in the customer network.The Cloud Connector serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems. It combines an easy setup with a clear configuration of the systems that are exposed to SAP Cloud Platform. In addition, you can control the resources available for the cloud applications in those systems. Thus, you can benefit from your existing assets without exposing the whole internal landscape.

Technical Scenario

For almost all applications a business runs, the application will consume some sort of service that may reside on-premise or cloud and the identity of the user should be verified against the backend system as well. On the SAP Cloud Platform, one of the ways to do that is to use SAP assertion SSO. Once the user have been verified against an identity provider (IdP), the destination on the SAP Cloud Platform will generate the SAP assertion ticket and pass it along with the request to the Cloud Connector. The identity of the user between the SAP Cloud Platform and backend system should be the same when access the system to achieve SSO.


In the setup for SAP assertion SSO, the solution can be used for endpoint service that resides on the cloud or on-premise. For the cloud scenario, the Cloud Connector is not needed. For the on-premise scenario, there will be a trust setup between the SAP Cloud Platform & Cloud Connector and between Cloud Connector and the backend system. The Cloud Connector by default does not trust anything so the administrator must configure it to trust the SAP Cloud Platform services. With this trust, cloud connector will accepted incoming service requests coming from SAP Cloud Platform. Aside from the trust setup between systems, there is configuration that must be done for the Cloud Connector and backend system.

The Cloud Connector needs to be configured before SAP assertion SSO can be used. One part of the configuration is to perform host mapping and with the correct “Principal Type” of “None”. Since the protocol between the Cloud Connector and the backend system could be secure (HTTPS), the administrator should add the backend public certificate to the trust store of the Cloud Connector.

The backend system setup is straight forward by enabling a system parameter and trusting the SAP assertion ticket from SAP Cloud Platform the configuration in the backend is completed.

Solution Benefits

Having SAP Assertion SSO enabled for the destination on SAP Cloud Platform allows end users to access backend resources seamlessly without the need to provide his/her identity every time he/she makes a connection to an on-premise system. By default, all SAP systems accept SAP assertion tickets (provided that this has been enabled) and most basis admininstrators understand these security settings. This is an one time setup per backend system so the time and effort for this should be short and any new business scenario that uses the same backend system is ready to go.

Many on premise SAP system may already be configured to accept SAP assertion tickets because this was a common method of doing SSO with SAP web based components like the NetWeaver Portal. 

Authentication assertion tickets are a form of bearer token used by SAP NetWeaver Application Server (SAP NetWeaver AS) to identify a user to another SAP NetWeaver AS. An authentication assertion ticket contains information such as the logon ID, Issuing system ID, validity period etc.

Reference Solution Diagram

SAP Cloud Platform supports application scenarios for consumers (B2C), for partners (B2B), and for employees (B2E). The solution provided in this blueprint is available for all three scenarios. In all these scenarios users will be prompted for authentication by the SAP Cloud Platform and the platform application configuration will propagate the user identity down to the backend system.

The following diagram of the solution illustrates a basic architectural pattern implementing Single sign-on using SAP assertion SSO.

  1. The user has already been authenticated against an IdP & authorized for SAP Cloud Platform.
  2. The destination in SAP Cloud Platform is configured to use “SAPAssertionSSO”. The destination will generate a SAP assertion ticket when an application use it.
  3. The Cloud Connector is also configured to use “None” for the “Principal Type”. The Cloud Connector will pass the SAP assertion ticket to the backend with the request with coming from SAP Cloud Platform.

Note: In the landscape diagram, the SAP Cloud Platform Identity Authentication Service is the IdP (this can be any 3rd party IdP) being used to authenticate the user. The authentication IdP should already configured and trusted by the SAP Cloud Platform and authorization should be already configured.

Reference Solution Components

The following list describes the main components needed to implement this scenario and the role they play in the overall solution

User Network

Application – Organizations can choose to develop according to their needs, resources, and skills. Applications can be developed using SAP Mobile Platform SDK. The SAP Mobile Platform SDK provides developer tools to streamline the development, delivery, security and management of mobile applications.

SAP Cloud Platform

SAP Cloud Platform Identity Authentication Service – A cloud solution for identity lifecycle management for SAP Cloud Platform applications, and for on premise applications. It provides services for authentication, single sign-on, and on premise integration...

Connectivity Service - The connectivity service allows SAP Cloud Platform applications to access securely remote services that run on the Internet or on premise.

Generic Cloud Platform Service – To keep the blueprint simplified a generic icon is used since any SAP Cloud Platform Services requiring authentication will act the same way.


On-Premise System – this is a generic depiction of any SAP system that can use the SAP assertion SSO.

Cloud Connector – Serves as the link between on-demand applications in SAP Cloud Platform and existing on-premise systems.

High Level Implementation Process

Overview of the steps needed to implement this blueprint:

  1. Create certificate to be configured with the destination configuration on SAP Cloud Platform
  2. Get backend SSL system certificate
  3. Add backend SSL system certificate Cloud Connector trust store
  4. Map backend system in Cloud Connector
  5. Enable backend system parameter
  6. Ensure that the “SAPAssertionSSO” certificate is trusted on the backend system (the issuing server is added to the corresponding access control list).

Learn More

This blueprint highlights important considerations companies need to analyze when implementing authentication for SAP Cloud Platform applications. It only provides a high level overview of the process. It is recommended that you review further information to help you implement your SSO on the SAP Cloud Platform.The following resources are a starting point:

Back to top