Architecting, installing and maintaining your SAS environment

Authenticate in a workspace with internal account?

Contributor
Posts: 36

Authenticate in a workspace with internal account?

Hello,

I know that internal accounts are only for management and administrative purposes, but in a test environment they are very useful to allow some users to open a workspace with only one account.

I have created a group that stores the Unix account credentials.

Is there any chance to inherit these credentials for an internal account with the default workspace with host authentication (DefaultAuth domain)?

It could be useful for Enterprise Guide developers.

 

Thanks.

Super User
Posts: 3,853

Re: Authenticate in a workspace with internal account?

SAS workspace sessions require an OS user account to authenticate and log onto the SAS App server and start a SAS session, so you can't use an account only defined in SAS metadata. Using an account like sasdemo which is defined as an OS account as well as in SAS metadata could be useful for a test environment.

Contributor
Posts: 36

Re: Authenticate in a workspace with internal account?

Yes, the OS account is stored inside a metadata group.

It is just to divide the metadata permissions to different levels.

The question is: with 4 metadata internal users how can I open a workspace with one OS user?

Assigning the user to the group with credentials doesn’t seem to have any effect.

Super User
Posts: 3,853

Re: Authenticate in a workspace with internal account?

Create an Auth domain for the one OS user, then add that Auth domain to the 4 metadata internal users.

Contributor
Posts: 36

Re: Authenticate in a workspace with internal account?

Thanks for the reply.

Where do I have to add the new Auth domain to the 4 internal users?

Super User
Posts: 3,853

Re: Authenticate in a workspace with internal account?

In the Accounts tab of the internal users' properties, select the New button to add the new Auth domain with the associated OS account.

Contributor
Posts: 36

Re: Authenticate in a workspace with internal account?

With this solution I will have 1 internal account with 1 OS account, right?

In this case using an internal account is not useful.

But 4 internal accounts and 1 shared OS account?

Super User
Posts: 3,853

Re: Authenticate in a workspace with internal account?

Sorry, if I understand your requirements correctly you need to create a User Group and then assign the new Authentication Domain linked to the single OS account under the Accounts tab for this group.

 

Then create your internal users and add them to the above User Group in the Groups and Roles tab. That should enable the OS account to be shared across the users.

Contributor
Posts: 36

Re: Authenticate in a workspace with internal account?

Yes, the user group with OS credentials is what I did, but when I authenticate with an internal user in EG it shows me the popup to enter the credentials for the connection to SasApp.

This is what I did in the production environment with LDAP and it works well, but with the internal users EG doesn’t automatically assign the OS group user.

What am I forgetting?

When I create the profile in EG, do I have to specify the AuthDomain of the OS user or leave it blank?

And could I use the DefaultAuth domain for the OS group user, or do I have to create another one?

Frequent Contributor
Posts: 133

Re: Authenticate in a workspace with internal account?

It's been a while, but would configuring the Workspace server for token authentication not solve this?

 

(although, officially, use of internal accounts for this kind of thing still isn't recommended)

 

http://documentation.sas.com/?docsetId=bisecag&docsetVersion=9.4&docsetTarget=p06o3ymf2cuw16n1cmyi47...

Contributor
Posts: 36

Re: Authenticate in a workspace with internal account?

Posted in reply to boemskats

Probably yes, but I will have to create another workspace to do this...

Frequent Contributor
Posts: 133

Re: Authenticate in a workspace with internal account?

I think this is your only way. I did some testing, I don't think inherited (DefaultAuth) session credentials work for spawning sessions, they have to be owned by the authenticated user directly. 

 

You could just, again in theory, define a second token-authenticated application server context in metadata only, the paths for which point to the same one you have defined at the moment. Haven't tested this but it's worth a try. 

 

Nik

Contributor
Posts: 36

Re: Authenticate in a workspace with internal account?

Posted in reply to boemskats

Thank you very much.

I noticed that I can authenticate an internal user (or LDAP) with a bad workaround:

I stored credentials in a group with DefaultAuth, and in the EG profile I go with my internal account, but in the Authorization Domain text box in EG I have to put a virtual domain that doesn’t exist in SAS metadata. In this way I can open the workspace... Why?

Is there an explanation?
