Hello @darwinwalters,
this is an interesting question. I would personally lay the AD or LDAP authentication onto the shoulders of the operating system itself, with PAM. But this would be my personal choice.
In this sense, with PAM and SSSD (or realm for Active Directory), you can let the operating system authenticate internally with your Identity Provider, no matter which one. And once you do this, and you test that it works, that you can authenticate to the OS with your AD user, you only need to let SAS use PAM on its terms (see http://support.sas.com/kb/49/432.html)
This would be my choice because then the authentication can be managed by its real experts. Also the authentication is much easier and more secure for you, and, furthermore, Google is full of examples on how to do all of that.
https://www.google.nl/search?q=PAM+SSSD&rlz=1C1GCEU_nlNL823NL827&oq=PAM+SSSD&aqs=chrome..69i57.3591j...
This being said, let me answer your other questions:
1. I would not ever like to retrieve a password, encrypted or not. The more the confidential information is kept at origin, the better. A secure handshake is better!
2. Yes, there always is, by increasing the level of the logs of the SAS Java process. I cannot recall which one is the right one now, but if you are interested, I am sure SAS Technical Support can give you a hand there.
3. If you use this authentication, yes, you would need corresponding local and AD users. If you use the PAM module, you only need one that is in the AD or LDAP. Of course, extra admin actions would need to be taken then anyways in the SSSD configuration: which users would be part of what local groups, ACLs, roles for each local group, etc. The normal stuff.
4. I think I answered it already at the top.
Does this help? Please let us know.
Kind regards,
Juan
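
An added example, not part of the reply above: a pre-flight check for the PAM and SSSD setup it recommends, confirming that NSS consults SSSD and that a PAM service reaches `pam_sss.so` in both the `auth` and `account` phases, since the account phase is where SSSD's access rules are applied. The service names `good` and `app` and the sample files are constructed for illustration; on a real host pass `/etc/nsswitch.conf`, `/etc/pam.d` and the service name your application is configured to use.

```shell
#!/bin/sh
# Pre-flight checks to run before pointing an application at PAM.
# File locations are parameters, so the checks also work on copies.

# nss_uses_sss FILE DB: succeed if database DB (e.g. passwd) lists "sss".
nss_uses_sss() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "sss") found = 1 }
        END { exit !found }' "$1"
}

# pam_phase_has_sss DIR SERVICE PHASE: succeed if PHASE (auth, account, ...)
# of SERVICE reaches pam_sss.so, following include/substack/@include lines.
# The body is a subshell so the recursion does not clobber its variables.
pam_phase_has_sss() (
    dir=$1 svc=$2 phase=$3 depth=${4:-0}
    [ "$depth" -lt 8 ] || exit 1          # guard against include loops
    [ -r "$dir/$svc" ] || exit 1
    awk -v p="$phase" '
        /^[ \t]*#/ { next }
        $1 == "@include" { print "inc", $2; next }
        { t = $1; sub(/^-/, "", t) }      # "-auth" means optional module
        t != p { next }
        $2 == "include" || $2 == "substack" { print "inc", $3; next }
        { for (i = 3; i <= NF; i++) {
              n = split($i, part, "/")
              if (part[n] == "pam_sss.so") print "hit" } }
    ' "$dir/$svc" | {
        while read -r kind name; do
            [ "$kind" = hit ] && exit 0
            pam_phase_has_sss "$dir" "$name" "$phase" $((depth + 1)) && exit 0
        done
        exit 1
    }
)

# write_sample DIR: constructed sample files (not taken from a real host).
# "good" includes system-auth for both phases; "app" authenticates through
# SSSD but its account phase is pam_permit.so, so SSSD is never consulted.
write_sample() {
    mkdir -p "$1/pam.d"
    printf 'passwd: files sss\ngroup: files\n' > "$1/nsswitch.conf"
    printf 'auth sufficient pam_unix.so\nauth sufficient pam_sss.so\naccount [default=bad success=ok] pam_sss.so\n' \
        > "$1/pam.d/system-auth"
    printf 'auth include system-auth\naccount include system-auth\n' \
        > "$1/pam.d/good"
    printf 'auth include system-auth\naccount required pam_permit.so\n' \
        > "$1/pam.d/app"
}
```
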