SASExplorer
Obsidian | Level 7

Hi @PaulHomes,

 

We have users stored in the database and VA is embedded inside our Portal.

Could you suggest the best approach to implement SSO, so that when a user logs in to my Portal they get access to my SAS VA Reports without any login screen?

 

Environment:

OS: Linux

SAS Ver.: 9.4

SAS VA Ver.: 7.3

 

Regards,

SASExplorer

 

9 REPLIES
PaulHomes
Rhodochrosite | Level 12

Hi,

 

I'm not sure what you mean by "users stored in the database". Do you mean SAS metadata, Active Directory, LDAP, or another identity provider? How is authentication currently configured for your SAS platform(s)? Do you have a combined EBI and VA platform (with a single metadata server) or, as is more common, independent EBI and VA platforms each with their own metadata servers?

 

In the absence of more information, and assuming a commonly seen setup, I would suggest one way to achieve the desired outcome would be to:

 

1) Configure Linux for Active Directory / Kerberos authentication similar to the example outlined in the blog post Active Directory Authentication for SAS on Linux (with realmd), possibly also with Auto Creation of Linux Home Directories for SAS Users if required.

 

2) Configure the SAS 9.4 EBI platform for Integrated Windows Authentication on the mid-tier so that Windows clients automatically log into the SAS Portal without having to explicitly provide a user id and password, optionally with fallback authentication, if required/appropriate. You will find some information on this in the blog post IWA with SAS 9.4 M2 on Linux as well as the linked posts, docs and papers.

 

3) Configure the SAS VA 7.3 platform for Integrated Windows Authentication on the mid-tier too so that Windows clients automatically log into VA without having to explicitly provide a user id and password, optionally with guest and fallback authentication, if required/appropriate. You can read about an example in the blog post SAS Visual Analytics Guest Access with IWA Fallback. Again I would encourage you to read the linked post, docs, and papers.

 

With a setup like this, users should be able to seamlessly open the SAS Portal and follow links into VA with automatic login via SSO without seeing a login form. If you configure fallback authentication then in situations where IWA is not supported a login form will be provided.

 

Several of the blog posts I referenced above are getting a little bit dated now so it would also be worth looking for more recent papers on the topic. I would search Google and support.sas.com for keywords like SAS, IWA, Kerberos, mid-tier, & fallback and keep an eye out for papers by Stuart Rogers, Zhiyong Li & Mike Roda from SAS. A recent article that comes to mind is SAS 9.4 Middle-Tier Fallback Authentication with an Easy URL by Stuart Rogers.

Finally, I should point out that, if you haven't done this before, it is well worth getting help from SAS Professional Services or a local SAS Partner. There are lots of components that have to be precisely configured to work together in a setup like this and you can save a ton of time and frustration by getting help from someone who has done it before.

 

Cheers

Paul

SASExplorer
Obsidian | Level 7

Hi @PaulHomes,

 

"Users are stored in Database" means my Portal user details are stored in the external database (MySQL), and now these same users need to access SAS VA, which we have to embed inside the portal.

 

I'm looking for an approach which enables Users to access SAS VA Reports inside the Portal without re-entering Credentials again.

 

Regards,

SASExplorer

PaulHomes
Rhodochrosite | Level 12

OK, that's not a configuration you see very often 🙂

 

How do you currently have that SAS 9.4 platform authentication implemented?

 

  1. User synchronization MySQL to SAS metadata via custom code using SAS %MDU macros?
  2. Trusted web authentication using something like Apache mod_auth_mysql or mod_authn_dbd?

... and how about the previous question "Do you have a combined EBI and VA platform (with a single metadata server) or, as is more common, independent EBI and VA platforms each with their own metadata servers?"

PaulHomes
Rhodochrosite | Level 12

I'm guessing this is related to this previous thread? SAS VA User Authentication from Database 

SASExplorer
Obsidian | Level 7

1. As of now, users are created at OS level and in SAS Metadata using SMC 🙂
2. Not implemented
We have a single metadata server.

 

Regarding the thread, the last comment is from me. I've understood the concept of importing users to SAS Metadata, but this will not avoid the SAS Login Screen in the Portal.

 

Regards,

SASExplorer

PaulHomes
Rhodochrosite | Level 12

If you have SAS EBI and VA sharing the same metadata environment (and the same SAS Logon Manager), then if they are already logged into the SAS Portal, I would expect a link that takes them into SAS VA (in the same environment) should not be presenting a logon form (as they are already logged into that environment). I don't have a combined SAS EBI+VA environment to test this on myself, as mine are independent environments, so perhaps someone from SAS or someone else who has this type of setup can confirm this.

 

If you are manually configuring users at the OS level and in SAS metadata, and you don't have mid-tier authentication configured for MySQL based trusted web authentication, then how do the users contained in the MySQL DB fit into this? Where is that MySQL database based authentication happening?

SASExplorer
Obsidian | Level 7

I'm pleased with your constant support and your valuable time 🙂

 

So, do I have to follow SAS Web Authentication for this scenario?

I've read about

1. Web Authentication

2. SAML with Shibboleth (as this requires ADFS which is proprietary, this approach is ruled out)

 

As you have an idea about my scenario, can you provide me a gist of steps to be followed to make SSO work, or suggest any other approach?

 

PaulHomes
Rhodochrosite | Level 12

I really only have some vague ideas about your scenario. I still don't understand how the users in MySQL fit into your SAS platform and do not know the reasons or constraints behind not using common enterprise directories, authentication, and SSO mechanisms provided through the likes of Active Directory, LDAP etc. SAS Web Authentication in SAS 9.4 having Apache Web Server in the mix means that you are open to many forms of authentication and SSO as long as you can find something that will run in Apache. As you mentioned there is Shibboleth. There are also possibilities for CAS, OAuth, OpenID. There are the well documented options for things like WebSEAL, SiteMinder, Integrated Windows Authentication, TLS Client Certificate Authentication. Further examples of SSO can be seen in Michael Dixon's SAS Global Forum Paper 993-2017: Please Come In: Social Login for SAS® Web Applications.

 

It's hard to provide more concrete advice without more information and an understanding of how this should fit into your organization's existing identity and SSO platforms. I think it is too broad of a topic, with important security, integration, complexity, time and cost consequences, to be answered in a community thread. Instead I would recommend contacting SAS Professional Services or a local SAS Partner to review your existing environment (SAS and beyond) to provide more tailored advice about how best to integrate SAS platform authentication and SSO into your wider IT environment.

SASExplorer
Obsidian | Level 7

Yeah, as you said, it's better to take SAS Support on this.

 

Thank you so much @PaulHomes for sharing info. on this.

Have a wonderful day 🙂
