SAP Fiori

Authentication & Single Sign-On

16 flashcards

In the service-provider-initiated SAML flow, how does the SAP Gateway server end up trusting a user it never authenticated directly?
Why can't Kerberos/SPNEGO SSO be used from outside the corporate network, and what is the workaround?
What makes Kerberos/SPNEGO attractive for intranet Fiori SSO, and what does it cost in setup effort?
What is SAML, and what does it communicate?
Trace an SAP logon ticket from the issuing system to the accepting system.
How does SAP logon ticket-based SSO work — where are tickets stored, and what must back-end systems do to support them?
Which SSO mechanisms work for which classic Fiori app types?
In which scenarios does SAML 2.0 shine for Fiori SSO?
Why do X.509 certificates work well in Internet-facing scenarios, and what do they presuppose?
A team plans SAML 2.0 as the single SSO mechanism for all Fiori app types, including analytical. What is the problem?
Why is SAML 2.0 often preferred over Kerberos for Internet-facing Fiori SSO?
What happens after the initial user authentication on the ABAP front-end server until the user has a working Fiori session?
What kind of protocol is Kerberos, and how does it keep passwords off the network?
Logon-ticket SSO fails between two systems sitting in different domains. Which constraint did the landscape break?
Why do logon tickets force your ABAP usernames and SAP HANA usernames to be identical?
What operational duties come with rolling out X.509 client certificates?