Single Sign-On (SSO) for ERP
Single Sign-On (SSO) allows users to authenticate once with a central identity provider and access multiple connected applications without re-entering credentials. For ERP environments — where users typically access ERP, CRM, BI tools, document management and email throughout the day — SSO reduces password fatigue, improves security (one strong authentication point, often with MFA) and simplifies user lifecycle management (provisioning, deprovisioning).
Common SSO protocols
- SAML 2.0 — the established enterprise standard, XML-based, dominant in B2B SaaS
- OpenID Connect (OIDC) — the modern standard built on OAuth 2.0, JSON-based, dominant in cloud-native and mobile
- OAuth 2.0 — technically an authorisation protocol but commonly used for SSO with bearer tokens
- Kerberos — legacy Windows-domain SSO, still common in on-premises Active Directory environments
Common identity providers in DACH
The dominant identity providers for the DACH mid-market are Microsoft Entra ID (formerly Azure AD, default for Microsoft 365 customers), Okta, Auth0 (now part of Okta), Keycloak (open source, often self-hosted) and OneLogin. SAP customers may use SAP Identity Authentication Service; companies with on-premises priorities often run ADFS or Keycloak. All modern mid-market ERP systems support SAML 2.0; OIDC support is growing.
Implementation in mid-market ERP
Typical setup effort: 2-5 days to configure SAML 2.0 between an ERP and an identity provider, including testing with realistic user accounts and edge cases (account locked, MFA fallback, browser session timeouts). SCIM (System for Cross-domain Identity Management) for automated user provisioning adds another 3-10 days depending on ERP support. Total project cost for a mid-market SSO rollout: 15,000-50,000 EUR including external consulting.
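The following is an added example, not part of the original page: a post-rollout check that compares SCIM User resources from the identity provider with an ERP account export and flags enabled ERP accounts that central deprovisioning would not reach. The ERP export fields (`login`, `enabled`, `local_password`), the finding names and all sample data are assumptions constructed for illustration.

```python
# Constructed sample data. IDP_USERS mimics SCIM 2.0 User resources (RFC 7643);
# ERP_ACCOUNTS is a hypothetical ERP account export, not a real vendor format.
IDP_USERS = [
    {"id": "a1", "userName": "anna.berg@example.com", "active": True},
    {"id": "b2", "userName": "Jonas.Keller@example.com", "active": False},
    {"id": "c3", "userName": "mira.vogt@example.com", "active": True},
]
ERP_ACCOUNTS = [
    {"login": "anna.berg@example.com", "enabled": True, "local_password": False},
    {"login": "jonas.keller@example.com", "enabled": True, "local_password": False},
    {"login": "mira.vogt@example.com", "enabled": True, "local_password": True},
    {"login": "svc-edi@example.com", "enabled": True, "local_password": True},
    {"login": "old.temp@example.com", "enabled": False, "local_password": True},
]


def reconcile(idp_users, erp_accounts, allowlist=frozenset()):
    """Return (login, finding) pairs for enabled ERP accounts that escape
    central deprovisioning at the identity provider."""
    # SCIM userName is case-insensitive (caseExact is false), so casefold both sides.
    # Assumption: a missing "active" attribute is treated as inactive, so it gets reviewed.
    idp_active = {u["userName"].casefold(): bool(u.get("active", False))
                  for u in idp_users}
    allowed = {name.casefold() for name in allowlist}
    findings = []
    for acct in erp_accounts:
        login = acct["login"].casefold()
        if not acct["enabled"] or login in allowed:
            continue  # disabled accounts and documented exceptions are out of scope
        if login not in idp_active:
            findings.append((login, "no_idp_identity"))
        elif not idp_active[login]:
            findings.append((login, "idp_inactive_but_erp_enabled"))
        elif acct.get("local_password"):
            findings.append((login, "local_password_bypasses_sso"))
    return sorted(findings)


if __name__ == "__main__":
    # svc-edi is a hypothetical service account kept outside SSO on purpose.
    for login, finding in reconcile(IDP_USERS, ERP_ACCOUNTS, {"svc-edi@example.com"}):
        print(f"{finding:32} {login}")
```

Running the same comparison on a schedule after go-live shows whether SCIM deprovisioning is actually reaching the ERP and whether local passwords remain as a path around the identity provider.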
Frequently Asked Questions
Does every ERP support SSO out of the box?
Most modern mid-market ERPs do: SAP S/4HANA, Microsoft Dynamics 365, Oracle NetSuite, abas ERP, proALPHA, weclapp, Sage X3, Odoo Enterprise. Older versions or budget tier-3 products may not. Always verify SAML 2.0 or OIDC support is included in your edition before contract signature — some vendors gate SSO behind premium tiers.
Is SSO a security improvement or a risk?
Both, with the security improvement typically dominant. SSO concentrates authentication at the identity provider, allowing strong MFA, conditional access policies and central deprovisioning. The risk: a compromised identity provider gives an attacker access to all connected systems. Mitigation: hardware-backed MFA, phishing-resistant authenticators (passkeys), regular security review of the identity provider.
Can I deploy SSO without changing my ERP?
Sometimes via SSO-gateway products that intercept the ERP login screen and inject authentication tokens. This is rarely a clean solution and often breaks with ERP upgrades. The robust path is native SSO integration in the ERP, which is increasingly standard.
