We’re smarter together. Learn from this collection of community knowledge and add your expertise.

Configuring Shared Logins for SAS Federation Server 4.2

by SAS Employee PatB on ‎11-07-2016 09:49 AM - edited on ‎11-07-2016 09:49 AM by Community Manager (1,491 Views)

What Is a Shared Login?

A shared login is an account that is shared with multiple users, but individual users cannot see the user ID or the password that is associated with the account. Shared logins are particularly useful for cases in which an application, instead of a user, owns the data. Shared logins are also useful in a one-to-many scenario in which a large number of users need access to data. With a shared login, there is no need to create a login account for each individual user.

 

Shared logins consist of a shared login key, the login account, and the users or groups who are members of the (shared) login account. The SAS Federation Server administrator creates and controls the shared logins for SAS Federation Server.

 

When using a shared login to authenticate to a data source, users do not need to know the credentials that they are using because the shared login retrieves credentials for the user who is logged on and provides the credentials to SAS Federation Server. In turn, the server connects the user to the database through the appropriate data service or data source name (DSN).

 

Outline of Shared Login Tasks

The implementation of shared logins has changed in SAS Federation Server 4.2. Here is a summary of the tasks:

 

  • Create a shared login key for SAS Federation Server using administrative DDL or in SAS Federation Server Manager in the properties of a federation server object. The shared login key is case sensitive. The key that is defined in SAS Federation Server must match the key that is part of the shared login definition in the SAS Metadata Server.
  • Create a shared login account (group) in SAS Metadata Server using SAS Management Console. The shared login account includes the login to be shared and its domain.
  • Add consumers of the shared login as members of the shared login account. Consumers are SAS Federation Server user accounts or groups. You should never use the actual shared login group as a consumer group in a DSN.
  • Create a data service for the applicable data source. In the DSN, specify that the data will be accessed with a shared login.

About the Authentication Domain

When establishing connection to the SAS Federation Server, the following logic is used to find the proper login:

 

  • If connecting with a DSN configured to use a personal or group login, SAS Federation Server uses the authentication domain associated with the data service to look up a login for the user.
  • If connecting with a DSN configured to use a shared login, SAS Federation Server uses the authentication domain associated with the data service and appends the domain with a suffix of “@<shared login key>” to look up a login for the user.

The following figure shows how to configure a shared login, using SAS Federation Server Manager and SAS Management Console:

Auth_Domain_Flow.png

Figure 1: Working with the Shared Login Authentication Domain

 

Creating a Shared Login

The tasks presented in the following topics outline the basic steps to create a shared login for SAS Federation Server:

 

  1. Set a shared login key (SAS Federation Server Manager).
  2. Create the shared login account (SAS Management Console).
  3. Create a data service and DSN for the data source (SAS Federation Server Manager).

Set a Shared Login Key using SAS Federation Server Manager

This shared login key is used when configuring an authentication domain in SAS Metadata Server. The shared login key is case sensitive. Using SAS Federation Server Manager:

 

  1. Login to SAS Federation Server Manager.
  2. Locate the federation server object in the tree, and log on to the server if prompted to do so.
  3. Select Action menu> Properties in the upper left corner.
  4. Click the Security tab and enter the shared login key.

       SL_Key.png

        Figure 2: Setting the Shared Login Key in SAS Federation Server Manager

 

  1. Click OK to exit the properties dialog box.

       TIP: You can also use administration DDL to set a shared login key:

  ALTER SERVER {OPTIONS (SHAREDLOGINKEY name-of-key) }

 

Create a Shared Login Account using SAS Management Console

The shared login account is actually a group that serves as the shared login account, so the name of the group should reflect that (reference step 4a below).

 

    1. Login to SAS Management Console.
    2. On the Plug-ins tab, select User Manager.
    3. Right-click and select New > Group.
    4. In the New Group Properties dialog box:
      1. On the General tab, enter a name for the shared login (for example, Oracle Shared Login for FedServer).
      2. On the Members tab, add users and groups who will use the shared login.
      3. On the Accounts tab, add the account and password.
      4. Select New for Authentication Domain.
      • Authentication Domain: The authentication domain must be named in this format: <data_service_domain>@<shared_login_key>. For example, if the domain for the data service is OracleAuth and the shared login key is FSKey1, then the shared login domain must be OracleAuth@FSKey1. The shared login key is case sensitive and must match the shared login key that was set in SAS Federation Server Manager.
      • Select Outbound only and Trusted only for the domain.

                                            SL_new_auth_domain.png 

                                            Figure 3: SAS Metadata Server: New Authentication Domain for Shared Login

  

Outbound only: An outbound domain is used only to provide SAS applications with access to external resources, such as a third-party vendor database.

Trusted only: The trusted user is a privileged service identity that can act on behalf of all other users. A login in a trusted domain can be accessed only by a trusted user.

 

                        e.  On the Authorizations tab, ensure that the SAS Administrators group has these permissions:

            • ManageMemberMetadata
            • ManageCredentialsMetadata
            • ReadMetadata
            • WriteMetadata

Create a Data Service and DSN using SAS Federation Server Manager

When you create a data service, a DSN with the same name is automatically created for you.

 

      1. Login to SAS Federation Server Manager.
      2. Select a federation server object in the tree, and log on to the server if you are prompted.
      3. Select Action > New Data Service, or click the New Data Service icon on the toolbar.
      4. In the Identification dialog box, enter the name of the data service and click Next to continue.
      5. In the Authentication Domain dialog box, select an Authentication Domain from the list of available domains and click Next to continue.

         Data_Svc_Domain.png

         Figure 4: Defining the Data Service Authentication Domain

.

Important: Select a stand-alone data source domain. Do not select the domain with the shared login key that was created in SAS Metadata Server. When the DSN is set to use a shared login, SAS Federation Server appends the selected domain with @ shared login key and verifies that data_source@<shared login key> exists in SAS Metadata as a valid authentication domain that includes user and password account information.
      1. In the Summary dialog box, verify the settings and click Finish.


Set the Shared Login Indicator in the DSN

      1. Select the Data Source Names tab affiliated with the Oracle data service that you just created. You should see a DSN that is named for the new data service.
      2. Select Action menu, Properties and click Next until you reach the Access dialog box.
      3. Click Shared login.

       DSN.png

       Figure 5: DSN with Shared Login Selected
 
      1. Click the down arrow under Consumer group and select a group if necessary.

Note: The Consumer group identifies which shared login should be used if a conflict occurs for a user. The Consumer group should be a group that is directly or indirectly a member of the shared login.

 

      1. Click Next, Next, Next, and Finish.

Credentials Search Order

Connections made with a DSN use a credentials search order (CSO) as specified in the DSN access configuration. By default, login credentials are searched in this order: Personal, Group, and Shared Login. For additional information about credentials search order for DSNs, see the SAS Federation Server Administrator’s Guide.

 

 

 

Contributors
Your turn
Sign In!

Want to write an article? Sign in with your profile.


Looking for the Ask the Expert series? Find it in its new home: communities.sas.com/askexpert.