StuartRogers Tracker

SAS Viya 2025.11 Custom Application Authenticate with Client Assertion

StuartRogers — Thu, 08 Jan 2026 17:10:53 GMT

With the SAS Viya STABLE 2025.11 release SAS Logon Manager has been updated to enable authenticating a custom application using a Microsoft Entra ID Access Token. Using the client assertion replaces using the client credentials for authenticating the custom application with SAS Logon Manager. In this post we’ll examine how and why this can be configured.

SAS Viya Connect Troubleshooting Kerberos Authentication

StuartRogers — Tue, 06 Jan 2026 10:42:07 GMT

Recently I ran into some issues configuring direct Kerberos authentication with the SAS/CONNECT Spawner on SAS Viya. As such, I wanted to use this post to explain some of the different logging you can enable with SAS/CONNECT to help understand what is happening with Kerberos authentication.

SAS Viya LTS 2025.09 Kerberos for SAS Logon Manager

StuartRogers — Wed, 03 Dec 2025 10:23:38 GMT

The details for how you configure Kerberos authentication for SAS Logon Manager are changing with the SAS Viya LTS 2025.09 release. This originally changed in the SAS Viya Stable 2025.08 release. The change is minor and does not impact anyone upgrading to these releases or later versions. The change only impacts people configuring Kerberos with SAS Logon Manager on these releases or later versions.

SAS/CONNECT on SAS Viya with Kerberos

StuartRogers — Wed, 30 Jul 2025 08:45:44 GMT

We all know that SAS Viya supports the Kerberos authentication protocol with SAS Logon Manager, SAS Cloud Analytic Services and SAS/CONNECT Spawner. In this post I want to explore in more detail SAS/CONNECT Spawner with Kerberos authentication. We’ll examine the different ways Kerberos can be used with SAS/CONNECT and what needs to be configured.

Re: SAS Viya OIDC SCIM Service Account Authentication

StuartRogers — Thu, 01 May 2025 10:18:14 GMT

Hi @CailiZhang,

The ID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 is the global Application ID for the Microsoft Azure CLI. You can find a list of the commonly used Microsoft applications here: https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications.

Thank you for your time.

Stuart

Re: SAS Viya OIDC SCIM Service Account Authentication

StuartRogers — Tue, 01 Apr 2025 13:47:08 GMT

Minor update to the option 1 custom application registration to include the auto approval of the scopes, as per feedback from Jan Stienstra.

SAS Viya OIDC SCIM Service Account Authentication

StuartRogers — Tue, 01 Apr 2025 13:45:49 GMT

In this post I want to examine the use case of needing to authenticate a service account into a SAS Viya environment. Specifically, we’ll examine how an external process like a CI/CD pipeline might authenticate a non-personal service account to the SAS Viya environment to be able to run code in that environment.

SAS Viya 2025.03 SAS/CONNECT Client Update

StuartRogers — Mon, 17 Mar 2025 10:11:56 GMT

The SAS Viya 2025.03 release introduces a change to the SAS/CONNECT client included in SAS Viya. This change allows the SAS/CONNECT client to leverage Authentication Domains maintained by the Credentials microservice in SAS Viya. When you are leveraging Spawner signons. In this post we will examine what the change is, why the change is important, and discuss some use cases where you might want to leverage Authentication Domains.

SAS Viya 2024.11 OIDC and SAML Simplify Group Search

StuartRogers — Thu, 12 Dec 2024 08:30:55 GMT

LDAP searches for group membership information can be resource intensive. This can be made worse when multiple users log in simultaneously. With the SAS Viya 2024.11 Stable Release an alternative has been introduced when you use either OpenID Connect or SAML along with LDAP for the Identities microservice. This alternative allows group membership information to be included in the authentication claims from the Identity Provider, such as Microsoft Entra ID, and processed by SAS Logon Manager during log in.

SAS Viya Using Keycloak as SCIM Provider

StuartRogers — Tue, 03 Dec 2024 07:42:45 GMT

Here we have shown how Keycloak can be used as a SCIM provider with your SAS Viya environment. While the functionality is not built-in to the standard Keycloak release it is possible to licence SCIM for Keycloak to add the SCIM functionality to Keycloak. SCIM for Keycloak then provides both a SCIM Server and SCIM Client implementation. The SCIM client implementation is what we use to provision users and groups from Keycloak into SAS Viya.

SAS Viya Multiple SCIM Providers

StuartRogers — Tue, 27 Aug 2024 06:14:09 GMT

As a reminder SAS Viya supports providing the identity information for end users through either LDAP or SCIM. Specifically, for SCIM (System for Cross-domain Identity Management) SAS Viya is a version 2.0 server. As such, identity information can be loaded by a SCIM version 2.0 client such as Microsoft Entra ID or OKTA. It is also worth noting that LDAP and SCIM in the same SAS Viya environment is not supported. In this post I want to discuss the idea of using multiple different SCIM version 2.0 clients to push identity information to a single SAS Viya environment.

SAS Viya CLI with Group-Managed Service Accounts

StuartRogers — Thu, 25 Jul 2024 16:17:11 GMT

The concept of group-managed service accounts was introduced with the release of SAS Viya 2023.07 and the changes to Run As authentication. We discussed the new model in a previous post. With the release of SAS Viya 2024.05 the credentials for the group-managed service accounts can now be managed with the SAS Viya CLI.

Re: SAS Viya 2021.2.5 Kerberos Hybrid Authentication Process Flows

StuartRogers — Fri, 12 Jul 2024 16:00:31 GMT

Hello @EyalGonen ,

Yes it would be a keytab for the HTTP Principal.

Thank you for your time.

Stuart

Re: SAS Viya 2020.1 (and later) Proxy Headers and OIDC

StuartRogers — Thu, 27 Jun 2024 12:37:07 GMT

Hello @EyalGonen,

This post from almost 3 years ago is focused on the requirement to ensure the correct headers are forwarded from the "front-door" through to SAS Logon Manager to ensure the correct operation of OpenID Connect authentication.

For more general information on using a reverse proxy with SAS Viya you should be referencing the current documentation available here: SAS Help Center: Virtual Infrastructure Requirements. Notice that this documentation also calls out the importance of the X-Forwarded-* headers.

Thank you for your time.

Stuart

Re: SAS Viya 2021.2.5 Kerberos Hybrid Authentication Process Flows

StuartRogers — Wed, 26 Jun 2024 09:01:06 GMT

Hello @EyalGonen

Yes, if the users authenticate with LDAP and the principal is correctly configured for Constrained Delegation, then the SAS Kerberos Proxy sidecar will attempt to obtain Kerberos credentials using the UPN constructed from the LDAP Distinguished Name. Once that has been obtained Kerberos can be used from the Compute Server to authenticate to the SQL Server using Kerberos.

Thank you for your time.

Stuart

SAS Viya 2024.03 Microsoft Entra ID OIDC Private Key JWT

StuartRogers — Sat, 13 Apr 2024 05:55:32 GMT

SAS Viya 2024.03 Microsoft Entra ID OIDC Private Key JWT

SAS Viya 2024.02 Azure Key Vault Backed Authentication Domain

StuartRogers — Wed, 10 Apr 2024 05:34:43 GMT

SAS Viya 2024.02 Azure Key Vault Backed Authentication Domain

SAS Viya 2024.01 OKTA OIDC Private Key JWT

StuartRogers — Sat, 13 Apr 2024 05:58:24 GMT

SAS Viya 2024.01 OKTA OIDC Private Key JWT

Re: SAS Viya 3.5 Single Sign-On with SAML or OpenID Connect

StuartRogers — Mon, 05 Feb 2024 14:01:49 GMT

@EyalGonen

Yes it would be up to the SAML or OIDC provider to implement Multi-Factor Authentication (MFA).

Importing or loading the Active Directory users into the Identity Provider will also be down to the chosen Identity Provider. Something like RedHat's Keycloak has an LDAP interface that would allow users to be loaded, similar interfaces exist for OneLogin's PingFederate. Something like Microsoft Entra ID would require sync'ing from on-premises AD to Microsoft Entra ID. So you can see it would be totally dependent on that third-party Identity Provider.

Thank you for your time.

Stuart

SAS Viya SAML Easy Azure Setup

StuartRogers — Fri, 26 Apr 2024 15:12:41 GMT

Recently in the SAS Community Library: SAS' @StuartRogers provides a close look at the new Microsoft Entra Gallery application and details how it can be used.