Gaetan
Obsidian | Level 7

 

Hi everyone,

 

I am addressing a new topic this morning about Web authentication.

 

First, I want to briefly describe my context:

 

SAS Solution : Visual Analytics 9.4M5

System : Linux 64

Current user authentication : Metaserver requests Active Directory through LDAP connection (no PAM configuration on the server)

Target user authentication : Web authentication (SAML with Shibboleth module)

Documentation used :

- Federated Security Domains with SAS and SAML (Mike Roda)

- Web Authentication (SAS Documentation)

 

In the documentation written by Mike Roda, there is no need to configure JNDIRealm.

But, in the SAS documentation, step 14 indicates the method to configure JNDIRealm.

 

I would like to have this apparent contradiction explained: in which context do we need to configure JNDIRealm? When no PAM authentication is configured, or is there no link between the two?

 

Best regards,

Gaetan

1 ACCEPTED SOLUTION

Accepted Solutions
Gaetan
Obsidian | Level 7

Hi,

 

Following discussions with Mike Roda directly (whom I would like to thank warmly for his availability), I am passing on his answer on this topic:

 

The JNDIRealm referred to in the SAS documentation on web authentication is a form of web authentication that uses the built-in functionality from the Apache Tomcat software to authenticate with an LDAP server. We sometimes call this container-based security since the container (Apache Tomcat) is doing the authentication. This is provided in the SAS documentation as an example only and does not apply to your case. Instead of container-based security, you will be using the PrincipalFromRequestHeadersValve, which will intercept requests coming from the web server and set an authenticated user in the request.

 

For my part, I have just identified the issue. The issue comes from the password encoding implementation (SAS Web App Server) with the tcruntime-admin.sh script (SAS 9.4M5).

You have to protect some special characters with a backslash and not enclose the characters in quotes.

 

I suggest you test your SAML configuration without a password first in a development environment.

 

Best regards,

Gaétan

