topic Re: Authenticate in a workspace with internal account? in Administration and Deployment

Authenticate in a workspace with internal account?

AsSASsin — Wed, 09 May 2018 20:45:56 GMT

Hello,

I know that internal accounts are only to manage and for administrative purposes, but in a test environment they are very useful to allow some users to open a workspace with only one account.

I have created a group that store the Unix account credentials.

is there any chance to inherit this credentials for an internal account with the default workspace with host authentication (DefaultAuth domain)?

it could be useful for enterprise guide developers.

Thanks.

Re: Authenticate in a workspace with internal account?

SASKiwi — Wed, 09 May 2018 21:46:27 GMT

SAS workspace sessions require an OS user account to authenticate and log onto the SAS App server and start a SAS session, so you can't use an account only defined in SAS metadata. Using an account like sasdemo which is defined as an OS account as well as in SAS metadata could be useful for a test environment.

Re: Authenticate in a workspace with internal account?

AsSASsin — Wed, 09 May 2018 22:05:00 GMT

Yes, OS account is stored inside a metadata group.

It is just to divide the metadata permissions to different levels.

The question is: with 4 metadata internal users how can I open a workspace with one OS user?

Assign the user to the group with credentials seems doesn’t take any effect.

Re: Authenticate in a workspace with internal account?

SASKiwi — Wed, 09 May 2018 22:10:30 GMT

Create an Auth domain for the one OS user, then add that Auth domain to the 4 metadata internal users.

Re: Authenticate in a workspace with internal account?

AsSASsin — Thu, 10 May 2018 05:25:20 GMT

Thanks for the reply.

Where do I have to add the new Auth domain to the 4 internal users?

Re: Authenticate in a workspace with internal account?

SASKiwi — Thu, 10 May 2018 20:03:49 GMT

In the Accounts tab of the internal users properties, select the New button to add the new Auth domain with associated OS account.

Re: Authenticate in a workspace with internal account?

AsSASsin — Thu, 10 May 2018 22:03:05 GMT

With this solution I will have 1 internal account with 1 OS account right?

In this case using an internal account is not useful.

But 4 internal account and 1 shared os account?

Re: Authenticate in a workspace with internal account?

SASKiwi — Fri, 11 May 2018 03:27:35 GMT

Sorry, if I understand your requirements correctly you need to create a User Group and then assign the new Authentication Domain linked to the single OS account under the Accounts tab for this group.

Then create your internal users and add them to the above User Group in the Groups and Roles tab. That should enable the OS account to be shared across the users.

Re: Authenticate in a workspace with internal account?

AsSASsin — Fri, 11 May 2018 05:14:23 GMT

Yes the user group with OS credentials is what I did but when I authenticate with internal user in EG it shows me the popup to put the credentials for the connection to SasApp.

This Is what I did in production environment with LDAP and works well, but with the internal users EG doesn’t assign automatically the OS group user.

What I’m forgetting?

When I create the profile in EG do I have to specify the AuthDomain of the OS user or leave it blank?

And could I use the DefaultAuth domain for the OS group user or I have to create another one?

Re: Authenticate in a workspace with internal account?

boemskats — Fri, 11 May 2018 10:12:15 GMT

It's been a while, but would configuring the Workspace server for token authentication not solve this?

(although, officially, use of internal accounts for this kind of thing still isn't recommended)

http://documentation.sas.com/?docsetId=bisecag&docsetVersion=9.4&docsetTarget=p06o3ymf2cuw16n1cmyi47t9icsn.htm&locale=en

Re: Authenticate in a workspace with internal account?

AsSASsin — Sat, 12 May 2018 08:16:44 GMT

Probably yes, but I will have to create another workspace to do this...

Re: Authenticate in a workspace with internal account?

boemskats — Wed, 23 May 2018 22:20:38 GMT

I think this is your only way. I did some testing, I don't think inherited (DefaultAuth) session credentials work for spawning sessions, they have to be owned by the authenticated user directly.

You could just, again in theory, define a second token-authenticated application server context in metadata only, the paths for which point to the same one you have defined at the moment. Haven't tested this but it's worth a try.

Nik

Re: Authenticate in a workspace with internal account?

AsSASsin — Thu, 24 May 2018 05:06:11 GMT

Thank you very much.

I noticed that I can authenticate an internal user (or ldap) with a bad workaround:

I stored credentials in a group with DefaultAuth and in the EG profile I go with my internal account but in the Authorization Domain text box in EG I have to put a virtual domain that doesn’t exist in SAS metadata. In this way I can open the workspace...why?

Is there an explanation?