
A Guide to Authentication Mechanisms in SAS Viya 4


SAS Viya supports a robust set of authentication mechanisms, enabling secure user access while integrating with a variety of identity and access management systems. In this blog, we’ll take a look at the supported authentication mechanisms in SAS Viya 4, explaining how each one works and where it can be most effective.

The SAS Viya platform provides a broad security framework that supports multiple third-party authentication options. The following diagram illustrates how SAS Viya platform authentication is provided by SAS Logon Manager, a service that is based on the Cloud Foundry User Account and Authentication (UAA) server and enables single sign-on between services within the SAS Viya environment. By default, authentication is performed using LDAP. On the other hand, the SAS Identities service provides user and group information to other services. It either reads user and group information from an LDAP provider or receives it from a SCIM v2.0 client.

[Diagram: SAS Viya platform authentication provided by SAS Logon Manager]

Why Authentication Matters in SAS Viya 4

Authentication is the process of verifying that users are who they claim to be before granting access to the system. For an enterprise-grade platform like SAS Viya 4, supporting diverse authentication methods is essential to accommodate different organizational setups and security requirements. Authentication ensures that only authorized users access the data and analytical tools within SAS Viya, keeping the environment secure.

Authentication Mechanisms Supported in SAS Viya 4

SAS Viya 4 supports a range of authentication methods to provide flexible and secure options for different organizational needs. These methods include:

  1. OpenID Connect (OIDC), which can be used for SSO

Single Sign-On (SSO) allows users to access SAS Viya 4 without logging in multiple times, provided they are already authenticated in the organization’s network. SSO is implemented using the OpenID Connect (OIDC) protocol, a modern standard that builds on OAuth 2.0.

  • How It Works: Users authenticate through an identity provider (IdP) that supports OIDC, such as Azure AD, Okta, or Google Identity Platform. Once authenticated, users receive a token, allowing access to SAS Viya without additional logins.
  • Configuration: OIDC is configured within SAS Viya’s identity and access management settings, with support for several industry-standard IdPs.
  • Use Case: Ideal for larger organizations with existing identity management systems, providing a seamless and secure experience for users.

SSO with OIDC reduces login fatigue for users, enhances security by centralizing authentication, and simplifies access management for administrators.

When using OIDC, Viya can impersonate the end user for outbound SSO authentication to Azure services. This is another advantage of OIDC over SAML or LDAP, especially for customers that plan to use one or more of the following Azure services with Viya:

[Image: Azure services that can be used with Viya through outbound SSO]

  2. LDAP Authentication

LDAP (Lightweight Directory Access Protocol) authentication allows SAS Viya 4 to authenticate users against an LDAP-compliant directory service, such as Microsoft Active Directory.

  • How It Works: Users provide their credentials, which are validated against the LDAP directory. If credentials match, the user gains access.
  • Configuration: LDAP details are specified in SAS Viya’s configuration settings, linking to the organization’s directory service.
  • Use Case: Common in organizations with established LDAP directories, particularly those using Microsoft Active Directory or OpenLDAP.

LDAP provides a straightforward way to leverage existing user credentials, making it easier to manage access across an organization.

 

  3. SAML Authentication

SAML (Security Assertion Markup Language) is an open standard that enables secure exchange of authentication and authorization data between parties, primarily between an Identity Provider (IdP) and a Service Provider (SP). It is widely used for implementing Single Sign-On (SSO) in web applications and services.

  • How It Works: A user attempts to access a SAS Viya application, and SAS Viya redirects the user to the IdP’s login page via the SAML protocol. The user logs in with their credentials (e.g., username/password, MFA), and the IdP validates them. The IdP then sends the SAML assertion (an XML document) to SAS Viya’s assertion consumer service (ACS) URL. SAS Viya validates the assertion, extracts user attributes such as email and roles, and grants access to the application if the validation succeeds.
  • Configuration: SAS Logon Manager can be configured to integrate with a SAML identity provider (IdP) that is external to the SAS Viya platform deployment. The IdP can be internal or external to your environment. If it is internal, a tool similar to Oracle Access Manager can be used. If it is external, something like salesforce.com can be used. SAML does not completely replace the default IdP: end users accessing SAS Logon Manager can choose SAML authentication or the default IdP, and the user identity and group membership information is looked up in the selected IdP. This option also provides single sign-on with the third-party SAML provider.
  • Use Case: Ideal for large organizations with thousands of users, where managing identities through a centralized IdP with SAML simplifies administration: adding or removing users in the IdP automatically updates their access to SAS Viya. It is also suited to cases where cross-organizational access is required.
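The assertion validation step described under "How It Works", as an added example that is not SAS Logon Manager code: the checks a service provider applies to an assertion after its XML signature has been verified (signature verification itself belongs to a SAML library with a hardened XML parser and is not shown). The entity IDs, ACS URL and the assertion are constructed, and requiring both validity bounds is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion; every value is a placeholder and the signature is omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://viya.example.com/acs" NotOnOrAfter="2025-01-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2025-01-01T11:59:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
  <saml:AudienceRestriction><saml:Audience>viya-sp</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="roles"><saml:AttributeValue>analyst</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, idp, acs_url, sp_entity, now):
    """Return (name_id, attributes), or raise ValueError on the first failed check."""
    a = ET.fromstring(xml_text)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError("not an assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != idp:
        raise ValueError("unexpected issuer")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("recipient is not our ACS URL")
    cond = a.find("saml:Conditions", NS)   # this example requires both time bounds
    if cond is None or not ts(cond.get("NotBefore", "")) <= now < ts(cond.get("NotOnOrAfter", "")):
        raise ValueError("missing Conditions or outside validity window")
    if now >= ts(scd.get("NotOnOrAfter", "")):
        raise ValueError("subject confirmation expired")
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions or not all(    # every restriction must name this SP
            sp_entity in [e.text for e in r.findall("saml:Audience", NS)] for r in restrictions):
        raise ValueError("audience mismatch")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "https://idp.example.com", "https://viya.example.com/acs", "viya-sp", ts("2025-01-01T12:00:00Z")))
```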

 

  4. Kerberos Authentication

Kerberos is a network authentication protocol that is used to verify user or host identity. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a service (and vice versa) across an insecure network connection. During Kerberos authentication, a user’s credentials (user ID and password) are not sent over the network. Instead, both the client and the service use the credentials that were supplied as a key in an encryption algorithm to encrypt the message that is sent between the client and the service.

  • How It Works: In Viya 4 you can configure SAS Logon Manager and SAS Servers for Kerberos authentication. This option replaces the option to use the default identity provider for authentication to SAS Logon Manager. Kerberos provides the user with single sign-on capabilities from the browser on their desktop. Single sign-on allows the user to access the SAS visual interfaces without being prompted to enter their credentials.
  • Configuration: Kerberos support in SAS Viya 4 requires configuring the system to integrate with a Key Distribution Center (KDC), such as Microsoft Active Directory.
  • Use Case: Commonly used in enterprises with Windows-based infrastructure and Kerberos-enabled networks.

Kerberos simplifies the user experience in secure environments by allowing users to authenticate seamlessly across multiple applications.

 

  5. Additional Authentication Mechanisms
  • Multi-Factor Authentication (MFA) adds an extra layer of security to the authentication process by requiring users to provide more than one method of verification to access SAS Viya. This strengthens security by making it harder for unauthorized users to gain access, even if they have the correct credentials.

How MFA Works in SAS Viya: The user enters their primary credentials, typically a username and password. The user is then prompted to provide an additional verification method, such as a code sent via SMS or email, or a push notification from an authenticator app.

MFA in SAS Viya is typically implemented through an Identity Provider (IdP) that supports MFA, such as Okta, Azure AD, or Ping Identity, using protocols like SAML or OpenID Connect (OIDC).

 

  • Conditional Access Policies are rules that control how users authenticate and access SAS Viya based on specific conditions. These policies are typically enforced by the Identity Provider (IdP) or access management solution, such as Azure AD Conditional Access or Okta Adaptive MFA.

 

How Conditional Access Works

Conditional Access evaluates context and applies access rules based on factors such as:

  1. User Identity: Specific users or groups (e.g., administrators vs. regular users).
  2. Location: IP address or geolocation of the login attempt.
  3. Device: Whether the device is managed, compliant, or meets security standards.
  4. Application: The application being accessed (e.g., SAS Viya).
  5. Risk Level: User or session risk (e.g., detected suspicious activity).
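How the five factors above can combine into one decision, as an added example that does not reproduce any IdP's engine. The policy format, group and application names and network range are hypothetical, and two rules are assumptions of this sketch: the most restrictive matching policy wins, and a sign-in that matches no policy is allowed.

```python
import ipaddress

RANK = {"allow": 0, "require_mfa": 1, "block": 2}      # higher is more restrictive
RISK = {"low": 0, "medium": 1, "high": 2}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # constructed corporate range

# Constructed policies; a key that is absent means "any value".
POLICIES = [
    {"name": "admins-always-mfa", "app": "sas-viya", "group": "viya-admins", "then": "require_mfa"},
    {"name": "offsite-needs-mfa", "app": "sas-viya", "trusted_ip": False, "then": "require_mfa"},
    {"name": "unmanaged-device", "app": "sas-viya", "device_compliant": False, "then": "block"},
    {"name": "high-risk-session", "min_risk": "high", "then": "block"},
]

def facts(signin):
    """Derive the condition inputs (identity, location, device, app, risk) from a sign-in."""
    ip = ipaddress.ip_address(signin["ip"])
    return {
        "app": signin["app"],
        "groups": set(signin["groups"]),
        "trusted_ip": any(ip in net for net in TRUSTED_NETS),
        "device_compliant": signin["device_compliant"],
        "risk": RISK[signin["risk"]],
    }

def policy_matches(policy, f):
    """A policy applies only when every condition it names is met."""
    if "app" in policy and policy["app"] != f["app"]:
        return False
    if "group" in policy and policy["group"] not in f["groups"]:
        return False
    if "trusted_ip" in policy and policy["trusted_ip"] != f["trusted_ip"]:
        return False
    if "device_compliant" in policy and policy["device_compliant"] != f["device_compliant"]:
        return False
    if "min_risk" in policy and f["risk"] < RISK[policy["min_risk"]]:
        return False
    return True

def evaluate(signin, policies=POLICIES):
    """Return (decision, names of matching policies); the most restrictive match wins."""
    f = facts(signin)
    hits = [p for p in policies if policy_matches(p, f)]
    decision = max((p["then"] for p in hits), key=RANK.get, default="allow")
    return decision, [p["name"] for p in hits]
```

Returning the names of the matching policies alongside the decision gives the sign-in log enough detail to explain why a user was challenged or blocked.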

 

Which Authentication Mechanism Should You Choose?

Choosing the right authentication mechanism depends on the organization’s existing infrastructure, user base, and security requirements:

  • OIDC with Single Sign-On (SSO) is an excellent choice for medium to large organizations looking to streamline access and improve the user experience.
  • LDAP is ideal for organizations with existing LDAP directories that want to leverage established credentials.
  • SAML in SAS Viya ensures secure, scalable, and convenient authentication for enterprise environments, particularly where centralized user management and SSO are critical.
  • Kerberos is particularly useful in Windows-based ecosystems, providing a seamless and secure authentication experience.

 

Conclusion

SAS Viya 4 provides a versatile and secure platform with flexible authentication mechanisms to meet various organizational needs. Whether you need seamless Single Sign-On, additional security with Multi-Factor Authentication, or custom solutions, SAS Viya 4 has the tools to secure access effectively. By selecting the appropriate authentication method, organizations can ensure a secure, efficient, and user-friendly experience, making SAS Viya 4 a valuable asset in data analytics and AI initiatives.

With these authentication options, SAS Viya 4 empowers organizations to protect their data, support compliance, and foster a secure analytics environment. Selecting the right authentication mechanism will provide the balance of security and convenience needed for an effective, robust SAS Viya 4 deployment.

 
