Slash
Quartz | Level 8

Hi, guys

As we know, the EG client can use a Windows user login to the SAS Server on Windows Server OS. Now, the customer hopes that the login operation is accomplished on their own system. So SSO is needed.

Is there a way to do that on EG?

ChrisHemedinger
Community Manager

You're talking about "Integrated Windows Authentication" -- yes, it's possible.  This requires some admin work on the SAS environment to configure the permissions and (perhaps) an authentication provider.  See the SAS Enterprise Guide instructions here, and follow the links within to the admin guide for more details.

Slash
Quartz | Level 8

Thanks, Chris!  Let me try it.

Slash
Quartz | Level 8

Hi, Chris

I have tried using IWA to log in to the SAS Server. But if the SAS Server is deployed on Machine A and the EG Client is installed on Machine B, the EG Client can't log in to the SAS Server with IWA, because the system account of Machine B is not related to Machine A. So, if the EG Client and SAS Server are installed on different machines, is there a way to do it (SSO)?

MichelleHomes
Meteorite | Level 14

Hi @Slash,

Check out this blog post on SAS and IWA that might help - https://platformadmin.com/blogs/paul/2012/01/sas-and-iwa-two-hops/

Kind Regards,

Michelle

Slash
Quartz | Level 8
Thank you!
PaulHomes
Rhodochrosite | Level 12

As long as Machine A and Machine B are either in the same Windows domain or are in domains that have a trust relationship, then you should be able to configure IWA. For more info on potential limitations have a look at the Integrated Windows Authentication section of the SAS 9.4 Intelligence Platform: Security Administration Guide.

If the Windows side of things has been configured ok then some of the other common things that can prevent IWA logins working as expected include:

  1. Not configuring the SAS Workspace Server in metadata (using SAS Management Console) to support IWA (via Negotiate or Kerberos).
  2. Not restarting (or refreshing) the SAS Object Spawner after changing the SAS Workspace Server config in metadata.
  3. Not registering appropriate SPNs if the SAS servers are accessed using machine aliases rather than their primary host names.

When implementing IWA, it is well worth considering getting help from SAS Professional Services or a local SAS Partner. When IWA is operational it works very well, but making sure all the various platform components are configured correctly for IWA can be tricky and time consuming, and can involve lots of troubleshooting. Getting help from someone that already has this experience can save you a lot of time.

Slash
Quartz | Level 8
Thanks a lot. Let me try it.
SASKiwi
PROC Star

One complication you need to watch out for is if you have any EG data sources pointing to databases also using IWA. If you do then additional server security configuration will be required to enable delegation of EG IWA to the data sources.

Slash
Quartz | Level 8

Thanks, Kiwi!
