topic Re: How to deploy web single sign-on for SAS EM in SAS 9.3? in Administration and Deployment

How to deploy web single sign-on for SAS EM in SAS 9.3?

Slash — Thu, 03 Apr 2014 00:31:34 GMT

Hi, guys

OS: Windows server 2008 R2

Third part: Jboss 4.2.3

SAS Version: 9.3

I have deployed the SAS EM, and I can use the the URL to use the SAS EM through a Web Browser.

Now I need to through our company's web single sign-on to Log On rather than the EM's log on screen? Is that possible? If does and how deploy that?

Re: How to deploy web single sign-on for SAS EM in SAS 9.3?

jakarman — Thu, 03 Apr 2014 09:36:43 GMT

Slash, As you are using a web-browser to start EM there are more issues to review.

Using Em through a webserver: The java code is downloaded to the desktop, The java virtual machine known as part of the browser is used.

This scenario is the implementation that is validated as possible unsecure by java vulnerabilities. I have seen requirements (US) to disable java in the browser

To remember a browser should not have uncontrolled access to the desktop, it should not know files or the user running it.

Using the java Desktop client of EM would be easier and more trustworthy to implement.

You are mentioning a corporate webbrowser being used. How is the authentication being done at that part. Connected to AD or not (standalone).

How Em is working is that:

- the Rmi-server is having in a config-file the unrestricted admin with password. At (re)start it will check and possible change the metadata

- Using EM you are connecting to the SAS midtier first, this is your login-point. Then it will go to the metadataserver and start a workspaceserver.

There is a trade off in needed security levels and ease of working.

To achieve SSO you could eliminate all Security in metadata an for the workspaceserver opening up running processes at high-priviledged accounts.

Do you need more strict security levels auditing tracing preventing possible unwanted user actions. You can end up not allowing any access at all. Very secure but not functional.

This is the first thing you need to get clear

Within Windows AD, that is the way for SSO. You could use IWA (Integrated Windows Authentication) . There are limitations with that.

Caching user credentials is something to help achieve seemless SSO but then evaluate the risks on that. Caching credentials of the server in a user-home profile location should be no big issue. People having that high level access seeing everyones private data should be monitored and classified trustworthy

Some links:

SAS(R) 9.3 Intelligence Platform: Security Administration Guide Summary for Single Sign-On
SAS(R) 9.3 Intelligence Platform: Security Administration Guide (web authentication) no intheritance to SAS-servers

SAS(R) 9.3 Intelligence Platform: Security Administration Guide How to Configure Integrated Windows Authentication

SAS(R) 9.3 Intelligence Platform: Security Administration Guide Integrated Windows Authentication

Re: How to deploy web single sign-on for SAS EM in SAS 9.3?

Slash — Sat, 05 Apr 2014 15:13:02 GMT

Thanks! I really need to read these documents! If I have problems, I ask you.

Re: How to deploy web single sign-on for SAS EM in SAS 9.3?

kkhelif — Thu, 02 Oct 2014 19:20:18 GMT

Make sure your Kerberos is working properly first in order to get the rest of the document working. First half of single sign on is the Kerberos and the keytab section. The rest is pretty straight forward.
Good luck.

Re: How to deploy web single sign-on for SAS EM in SAS 9.3?

Unkie_SAS — Fri, 03 Oct 2014 08:30:55 GMT

SSO for Enterprise Miner in SAS 9.3 is not supported, regardless of whether you are using Java WebStart (as described) or a locally installed Java client.

Basically this is because Enterprise Miner does not connect through SAS Logon Manager within the mid-tier which is the element that would normally be configured for Trusted Web Authentication such as Web Report Studio and Portal.

But is possible now with 9.4