topic Re: How to get Client ID & Client Secret for setting up SCIM with SAS Viya in SAS Viya

How to get Client ID & Client Secret for setting up SCIM with SAS Viya

RaviSPR — Mon, 12 Dec 2022 23:19:23 GMT

Hi,

Can you please help me how to get Client ID & Client Secret?

FYI, SAS Viya was deployed a year back by old Admin. Now Azure Active Directory team telling Security Key/Token is expired.

So they are asking me to send the new Access token. But I am not sure where the old Client ID & Client secret are present in the environment.

Can anyone tell me how to get client ID & secret So that I can regenerate the Access token as per below doc?

https://documentation.sas.com/doc/en/calids/v_001/n1rl3gjjjqmxmfn1hw9ebjjz5778.htm#p129kkhyady4t2n1cfhrow9a1sjy

https://blogs.sas.com/content/sgf/2021/09/24/authentication-to-sas-viya/

Here 2nd doc shows I need not to do first 3 steps again now. But I dont have Client credentails -Client ID & Secret?

Or Are these ID & Secret should be provided by AAD (SCIM Provider)?

Thanks

RaviSPR

Re: How to get Client ID & Client Secret for setting up SCIM with SAS Viya

gwootton — Tue, 13 Dec 2022 14:07:55 GMT

When you create a client you provide the client ID and secret (step 5 in the documentation you've linked). You then use that to get a token. You could change the secret if you knew the ID, or you could create a new client and give them a new token. You could also call the SASLogon/oauth/clients endpoint to get a list of all clients.

Re: How to get Client ID & Client Secret for setting up SCIM with SAS Viya

joeFurbee — Tue, 13 Dec 2022 16:01:14 GMT

@gwootton covers most everything you need. A couple of follow up notes.

The easiest solution here is to create a new client id and generate the access token following the steps in the blog post.
In order to view current clients, you do have to hit the clients API endpoint. Note that you need an access token with admin privileges to access the endpoint. That is, include these scopes when registering the client: "scope": ["openid","*","clients.admin"].
I created a Python Notebook that registers a new client id and generates an access token. You only need to provide four pieces of info: consul token, SAS server URL, client id and client secret.

Re: How to get Client ID & Client Secret for setting up SCIM with SAS Viya

RaviSPR — Tue, 13 Dec 2022 22:20:12 GMT

Thanks a lot for the reply.

Main Issue- Old Secure tokens at Azure AD sites has expired. So I need to provide new Access token to reenable the SCIM for pushing users to SAS Viya.

I followed 5 steps in the manual Client registration. New issue raised now.

Viya Site- https://sasviyxxx.xxxxweb.xxxxx.com

This is the site which our Viya users & myself have access & do admin work.

When I used above site in the 3rd & 5th steps I am getting Bearer Token & Access token. I gave these 2 tokens to Azure AD team for Reauthorizing our SAS Viya through SCIM. But when he click on Test connection in Azure portal with these tokens it is showing invalid credentials.

Configure SCIM Provisioning in Azure AD

In the Admin Credentials section, complete the following steps:

In the Tenant URL field, specify the base URL to SAS Viya and append /identities/scim/v2/.
Note: HTTPS is required. In other words, the ingress controller for your SAS Viya environment is configured for TLS and is using a certificate that is issued by one of the public certificate authorities that are supported by Microsoft Authentication Services.
In the Secret Token field, paste the Bearer token that was created when you followed the process for Manual Client Registration.
Click Test Connection.
If you configured the system correctly, you will receive a successful response.

Here, AD team using -https://sasviyxxx.xxxxglobal.xxxx.com at Tenant URL field in Azure portal and doing Test connection.

[sas@zneuxx34 sas_viya_playbook]$ ACCESS_TOKEN=`curl -skX POST "https://sasviyxxx.xxxxweb.bp.com/SASLogon/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-u "idp-client-id:idp-client-secret"| awk -F: '{print $2}'|awk -F\" '{print $2}'`; echo "The client access-token is: " ${ACCESS_TOKEN};
The client access-token is: eyJhbGciOifgfgffd......

Here I am getting Access token successfully.

Note- I used idp-client-id & idp-client-secrent as it is & it worked fine. FYI I dont know old Client ID & secrets.

Viya SIte - https://sasviyxxx.xxxxglobal.xxxx.com

We don't have access to this site & as Azure AD team using above site at their end, I tried to register this site at my end.

But in the 3rd step only, I am not getting any access token as shown below.

[sas@zneuxxxx34 sas_viya_playbook]$ ACCESS_TOKEN=`curl -skX POST "https://sasviyxxx.xxxxglobal.xxxx.com/SASLogon/oauth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-u "idp-client-id:idp-client-secret"| awk -F: '{print $2}'|awk -F\" '{print $2}'`; echo "The client access-token is: " ${ACCESS_TOKEN};
The client access-token is:
[sas@zneuxx34 sas_viya_playbook]$

Here No access token generated.

Fyi - we don't have access to - https://sasviyxxx.xxxxglobal.xxxx.com

When I tried to access above site, it is throwing error- Site cannot be reached & ....server IP address could not be found.

Query:

How can I get the access token for ....global.xxx.com site which is used at Azure side for testing connectivity?

Is this ...global.xxx.com should be accessible from my Virtaul machine then only I can get access token?

I saw one email in which old Admin asked AD team to test the ..global.xxx.com site by providing access token in the email.And that's why I guess AD team is using Global website instead of ..xxxweb.xxx.com.

Could you please help me on this?

Thanks

RaviSPR

Re: How to get Client ID & Client Secret for setting up SCIM with SAS Viya

gwootton — Wed, 14 Dec 2022 13:45:57 GMT

"Note- I used idp-client-id & idp-client-secrent as it is & it worked fine. FYI I dont know old Client ID & secrets."

It sounds like the client ID was created as "idp-client-id" and the secret "idp-client-secret", and you were able to successfully get a token.

The question of which URL you should be using "web" versus "global" would be specific to your configuration and is not a function of SAS. I suspect if one isn't working you need to use the other one.

Re: How to get Client ID & Client Secret for setting up SCIM with SAS Viya

RaviSPR — Mon, 30 Jan 2023 03:00:33 GMT

Thank You all.

Yes. idp-client-id & idp-client-secret were used as it is while creating tokens.

Finally the issue is resolved by updating the Certificate in Azure portal which was used for updating SSL certificates on SAS Viya.