A shared login is an account that is shared with multiple users, but individual users cannot see the user ID or the password that is associated with the account. Shared logins are particularly useful for cases in which an application, instead of a user, owns the data. Shared logins are also useful in a one-to-many scenario in which a large number of users need access to data. With a shared login, there is no need to create a login account for each individual user.
Shared logins consist of a shared login key, the login account, and the users or groups who are members of the (shared) login account. The SAS Federation Server administrator creates and controls the shared logins for SAS Federation Server.
When using a shared login to authenticate to a data source, users do not need to know the credentials that they are using because the shared login retrieves credentials for the user who is logged on and provides the credentials to SAS Federation Server. In turn, the server connects the user to the database through the appropriate data service or data source name (DSN).
The implementation of shared logins has changed in SAS Federation Server 4.2. Here is a summary of the tasks:
When establishing a connection to SAS Federation Server, the following logic is used to find the proper login:
The following figure shows how to configure a shared login, using SAS Federation Server Manager and SAS Management Console:
The tasks presented in the following topics outline the basic steps to create a shared login for SAS Federation Server:
This shared login key is used when configuring an authentication domain in SAS Metadata Server. The shared login key is case sensitive. Using SAS Federation Server Manager:
TIP: You can also use administration DDL to set a shared login key:
ALTER SERVER {OPTIONS (SHAREDLOGINKEY name-of-key) }
The shared login account is actually a group, so the name of the group should reflect its role as the shared login account (see step 4a below).
Outbound only: An outbound domain is used only to provide SAS applications with access to external resources, such as a third-party vendor database.
Trusted only: The trusted user is a privileged service identity that can act on behalf of all other users. A login in a trusted domain can be accessed only by a trusted user.
e. On the Authorizations tab, ensure that the SAS Administrators group has these permissions:
When you create a data service, a DSN with the same name is automatically created for you.
Important: Select a stand-alone data source domain. Do not select the domain with the shared login key that was created in SAS Metadata Server. When the DSN is set to use a shared login, SAS Federation Server appends @<shared login key> to the selected domain and verifies that data_source@<shared login key> exists in SAS Metadata as a valid authentication domain that includes user and password account information.
Note: The Consumer group identifies which shared login should be used if a conflict occurs for a user. The Consumer group should be a group that is directly or indirectly a member of the shared login.
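The domain check and the Consumer group rule described above can be verified offline before a DSN is put into use. The following Python sketch is an added example, not SAS code or a SAS API: the dictionary layout, the field names (domain, consumer_group, login_group, password_set) and all sample values are assumptions constructed for illustration.

```python
# Added example: consistency check for DSNs that use a shared login.
# The inventory layout below is an assumption, not a SAS export format.

def is_member(group, target, member_of, _seen=None):
    """True if `group` is directly or indirectly a member of `target`."""
    seen = _seen if _seen is not None else set()
    if group in seen:              # guard against membership cycles
        return False
    seen.add(group)
    parents = member_of.get(group, ())
    return target in parents or any(
        is_member(p, target, member_of, seen) for p in parents)


def audit_dsn(dsn, shared_login_key, auth_domains, member_of):
    """Return a list of findings for one DSN; an empty list means consistent."""
    findings = []
    # The server looks for <domain>@<shared login key>; the key is case sensitive.
    wanted = f"{dsn['domain']}@{shared_login_key}"
    login = auth_domains.get(wanted)
    if login is None:
        near = [d for d in auth_domains if d.lower() == wanted.lower()]
        hint = f" (case mismatch with {near[0]})" if near else ""
        findings.append(f"missing authentication domain {wanted}{hint}")
        return findings
    # The domain must carry user and password account information.
    if not (login.get("user") and login.get("password_set")):
        findings.append(f"{wanted} lacks user or password")
    # The Consumer group must be a direct or indirect member of the shared login.
    if not is_member(dsn["consumer_group"], login["login_group"], member_of):
        findings.append(
            f"{dsn['consumer_group']} is not a member of {login['login_group']}")
    return findings


# Constructed sample inventory (every name here is a placeholder).
MEMBER_OF = {"Analysts": ["Reporting"], "Reporting": ["OracleSharedLogin"],
             "Interns": []}
AUTH_DOMAINS = {"OracleAuth@FedKey": {"user": "app_ro", "password_set": True,
                                      "login_group": "OracleSharedLogin"}}

if __name__ == "__main__":
    for key, group in [("FedKey", "Analysts"), ("fedkey", "Analysts"),
                       ("FedKey", "Interns")]:
        dsn = {"domain": "OracleAuth", "consumer_group": group}
        print(key, group, audit_dsn(dsn, key, AUTH_DOMAINS, MEMBER_OF))
```

An empty result means that the DSN's domain, the shared login key, and the Consumer group are consistent with one another in the supplied inventory.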
Connections made with a DSN use a credentials search order (CSO) as specified in the DSN access configuration. By default, login credentials are searched in this order: Personal, Group, and Shared Login. For additional information about credentials search order for DSNs, see the SAS Federation Server Administrator’s Guide.