Single Sign on with QAS


Hello guys,

Can someone please clarify the following from the SAS Support Website:

In order to use IWA on UNIX platforms:

- For the first maintenance release for SAS 9.4 and all versions on platforms other than Linux, you must purchase, install, and configure an additional third-party product (Quest Authentication Services 4.0).

- For the second maintenance release for SAS 9.4 on Linux platforms, you must ensure that a shared library that implements the GSSAPI with Kerberos 5 extensions is installed and configured to allow authentication against your Active Directory domain or Kerberos realm. Quest Authentication Services fulfills this requirement, as do the krb5 packages provided in supported operating system distributions and in various third-party solutions.

Is there anything other than QAS that can be used to configure SSO on Windows Desktop Clients, i.e. EG, SMC, DIS, etc.?

Thanks in advance...

Re: Single Sign on with QAS

Bstone, understanding the issue of SAS with IWA between Unix and Windows systems will be helpful.

Windows AD is an LDAP implementation. The security, and in more detail users and groups, are based on URI identifiers. Those are relatively long strings. Unix is based on just numbers, often indicated as id and gid numbers. An LDAP system for Unix is serving that as those numbers.

You are used to logical human names, both systems are translating that for readability.

See the basic problem of translating URLs to numbers.

Unix security is not as developed as on Windows. All are missing the option of central management.

Yes, there are more tools doing that translation than QAS. The most well known is winbind, part of Samba.

Expect a lot of changes going on in this area. Microsoft did a Kerberos implementation...

---->-- ja karman --<-----

Re: Single Sign on with QAS

Thanks, but...

The documentation is stating that in SAS 9.4 Maintenance 2, you can use QAS or krb5 packages. What krb5 packages and will SAS support this configuration if it's not QAS?

Re: Single Sign on with QAS

There are a lot of krb5 packages around. E.g. Configuring a Kerberos 5 Client (Red Hat).

When SAS is relying on some interface delivered by a third party they can support the interfacing but not the third party's internals.

With the web Java container there was a long-time struggle (JBoss, WebLogic, WebSphere) and they moved to an embedded VM fabric approach at 9.4.
They have support for VMS, OS/2 and all kinds of operating systems the OS supplier does not support. This is called level-c support.

Marvelous promotion but cannot be taken seriously.

Now the krb5 packages: it is integrating with Windows AD; this part is often outsourced to an external party as a service.

It is embedded in the OS environment, hopefully using an LDAP service (or similar), this serviced by another party.

To organize the identity service process and security there is often another process (RBAC).

Now you are coming, wanting to deliver an analytic/BI service. It should get integrated with those others or get isolated, ready to be dumped.
As SAS cannot take over all the responsibility of all the level CIO, CMO, CSO managers, they have to do something for acceptance.
IMO there was too much comment on the integration issues; they had to make it available. I do not know what they want to support to what level.
SAS does not support the in-house IT policies present at the clients, do they? (Overruling them by their own visions and ideas)

The best thing they could do is being cooperative at those levels.

---->-- ja karman --<-----