Reasons for deactivating passwords for SSO

0 Kudos

Hello community,

Do you know any good reasons why you should deactivate all passwords in an SAP system when using the SAP SSO solution?

Pros:
- Linked to your Windows user (Kerberos Token)
- Prevents locks due to wrong passwords (or does it still lock users after some time?)

Cons:
- SAP is completely open when someone forgets to lock their device

- Related systems could have trouble with SSO

Accepted Solutions (0)

Answers (1)

Colt
Active Contributor
0 Kudos

Hi Nicolai,

Disabling all passwords in all involved SAP systems is possible if you can ensure that every user is SSO-enabled and able to access the full set of SAP applications via the various frontends, e.g. via browser, SAP GUI, RFC clients or mobile devices, using standardized SSO token formats such as Kerberos, X.509 or SAML.

That is the best-case recommendation for almost any SSO scenario. As a user you only need to remember your primary password, e.g. your AD logon, but for this you must ensure proper security and policies and, if required, MFA or further usage of a second factor based on various conditions (policy-based SSO).

Pro:

  • No longer having n passwords for n systems and n SAP clients.
  • No more storage of password hashes on any single SAP system.
  • No more usage of passwords sent over the network.
  • More security due to the usage of crypto-tokens.
  • No password policies in place anymore, which is the case even if you have SSO in use but don't disable the password. In such cases you may want to set the profile parameter login/password_change_for_SSO correspondingly.
  • If you use multiple sign-on, which is also a possible mode of operation, you have SSO but with the need to enter your central credential multiple times while accessing a system (which mitigates your device-lock argument).

Con:

  • Trouble with SSO is very unlikely if properly implemented and managed (but it is one valid point in some circumstances, e.g. an AD admin resets the SPN user's password, a certificate expires, etc.)
  • Can't think of any further cons...

Cheers,

Carsten
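The precondition Carsten names, that every user must already be SSO-enabled before passwords are switched off, is easy to state and easy to get wrong in a system with service and batch users. The script below is an added example (not from this thread and not SAP code) of the audit a practitioner would run before flipping the switch: it reads a constructed export of user master data with hypothetical column names (user, SNC name as shown on the SNC tab in SU01, and the "password deactivated" flag), and reports users who have no SSO mapping (disabling their password would lock them out, or has already done so) and users who are SSO-mapped but still carry an active password (a stored hash and a working password logon, the two things the Pro list says you get rid of). The column layout and the sample rows are assumptions for the example; a real export from SU01, SUIM or the USR02/USRACL tables would need the constants adjusted.

```python
"""
Audit: is the system ready to have all passwords deactivated for SSO?

Added example, not from the original thread and not SAP's own code.
Input is a constructed CSV export with hypothetical columns:
  user, user_type, snc_name, password_deactivated, locked
snc_name holds the SNC name (Kerberos/X.509 mapping, "p:CN=..." form);
password_deactivated is "X" when the SU01 "Deactivate password" flag is set.
"""
import csv
import io
from dataclasses import dataclass

# Column names of the assumed export; change these for a real extract.
COL_USER = "user"
COL_SNC = "snc_name"
COL_PWD_OFF = "password_deactivated"

# Constructed sample export, not real data.
SAMPLE_EXPORT = """\
user,user_type,snc_name,password_deactivated,locked
JDOE,A,p:CN=jdoe@CORP.EXAMPLE,X,
ASMITH,A,,,
BATCH_RFC,B,p:CN=batch@CORP.EXAMPLE,X,
SVC_LEGACY,B,,,
MMUELLER,A,p:CN=mmueller@CORP.EXAMPLE,,
"""


@dataclass
class Finding:
    user: str
    severity: str  # "high" blocks the change, "medium" is leftover password risk
    reason: str


def audit(export_text: str) -> list[Finding]:
    """Return one finding per user that is not in the desired end state."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row[COL_USER].strip()
        has_sso = bool(row[COL_SNC].strip())
        pwd_off = row[COL_PWD_OFF].strip().upper() == "X"

        if not has_sso and pwd_off:
            # Already unreachable: no token mapping and no password either.
            findings.append(Finding(user, "high",
                "password deactivated but no SSO mapping: user cannot log on"))
        elif not has_sso:
            # Deactivating passwords now would lock this user out.
            findings.append(Finding(user, "high",
                "no SSO mapping: deactivating the password would lock the user out"))
        elif not pwd_off:
            # SSO works, but a hash is still stored and password logon still works.
            findings.append(Finding(user, "medium",
                "SSO mapping present but password still active"))
    return findings


def ready_to_disable_all(export_text: str) -> bool:
    """True only when every user has an SSO mapping (Carsten's precondition)."""
    return not any(f.severity == "high" for f in audit(export_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.severity:6} {f.user:12} {f.reason}")
    print("ready to deactivate all passwords:", ready_to_disable_all(SAMPLE_EXPORT))
```

Run it against a real export before and after the rollout: the "high" findings are the users who must get an SNC, X.509 or SAML mapping first (batch and RFC users are the usual stragglers), and the "medium" findings are the users for whom the password has not actually been deactivated yet, which is the state in which `login/password_change_for_SSO` and the normal password policy still matter.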