In this article the aim is to connect the SAS Logon Manager instances from two different SAS Viya 3.4 environments, so that access to the second environment is obtained by logging in to the first environment. This provides Single Sign-On for browser-based clients at customers that need to deploy two different environments for licensing reasons.
The connection between environments will be via OAuth/OpenID Connect. The first environment will perform authentication using the default LDAP provider, while the second environment will automatically redirect to the first environment for authentication. Both environments will be configured with the same LDAP provider settings.
Note: With SAS Viya 3.4, this configuration only applies to a single tenant environment. This will not work in a multi-tenant environment.
The type of configuration we are attempting is shown here in the following diagram.
Both environments must be installed and configured. Both environments should be confirmed to be operating correctly before completing any further steps.
The TLS certificates used by Apache HTTP Server are assumed to be site-signed or signed by a third-party CA, and both environments are assumed to already trust the CA certificate chain that signs the respective Apache HTTP Server certificate. This configuration could also be completed with self-signed Apache HTTP Server certificates; in that case each environment's certificate would need to be added to the trust store of the other environment. For more information on managing the trust stores, see the official documentation.
One of the environments will perform the authentication of end-users, but both environments must recognize those users. This means that both environments need to use the same LDAP provider to ensure this consistency. If the LDAP filters are the same for both environments it does not matter which environment performs the authentication. However, if one environment will be limited to a smaller sub-set of users then the environment with the complete group of users should be the environment performing authentication.
The first environment will be the environment performing the authentication. The SAS Logon Manager in the second environment will redirect to this SAS Logon Manager for authentication. The second environment SAS Logon Manager must be configured as a client to the first environment SAS Logon Manager.
Set an environment variable containing the content of the SAS Configuration Server client token:
export CONSUL_TOKEN=`cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token`
Use CURL to obtain an access token from SAS Logon Manager which will be used to register the new client:
curl -X POST "http://localhost/SASLogon/oauth/clients/consul?callback=false&serviceId=sas.viya2" -H "X-Consul-Token: $CONSUL_TOKEN"
You should get a JSON response containing the access token in the access_token field (a long JWT), along with the token_type (bearer), expires_in, scope (uaa.admin) and jti fields.
You will need to either copy the content of access_token or use jq to set it as an environment variable:
export BEARER=$(curl -s -X POST "https://localhost/SASLogon/oauth/clients/consul?callback=false&serviceId=sas.viya2" -H "X-Consul-Token: $CONSUL_TOKEN" | jq -r '.access_token')
Use OpenSSL to generate a random client secret for the new client you will register:
openssl rand -base64 64
You should see something like the following, split over multiple lines:
yzA/d5IZsJ76GnoVb/YZXE4i9P02rMLqZhz/pmSTwf/Pgupnl1Cz4YKYjf1ZA8xgbIsHMOS61z4RchesGxTajg==
Build the following curl command to register the SAS Logon Manager of the second environment as a client. Replace <<CLIENT_SECRET>> with the value generated by OpenSSL, and replace <<SASVIYA2>> in the redirect_uri with the host name of the second SAS Viya environment. The example uses an environment variable for the access token; if you did not set one, replace $BEARER with your access token.
curl -X POST "https://localhost/SASLogon/oauth/clients" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $BEARER" \
  -k \
  -d '{
    "client_id": "sas.viya2",
    "client_secret": "<<CLIENT_SECRET>>",
    "scope": ["openid", "*"],
    "resource_ids": "none",
    "authorities": ["uaa.resources", "sasapp"],
    "authorized_grant_types": ["client_credentials", "authorization_code", "refresh_token"],
    "redirect_uri": "https://<<SASVIYA2>>/SASLogon/login/callback/external_oauth",
    "access_token_validity": 43200,
    "autoapprove": "true",
    "user_sessions": "true"
  }'
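As an added example (not SAS code), the helper below checks the bearer token obtained from the consul endpoint before it is used, generates a client secret, and builds the same registration body as the curl command above while refusing an unreplaced <<SASVIYA2>> placeholder. The sample JWT it produces is constructed and unsigned; the host name is an assumption.

```python
"""Added helper (not SAS code) for the client registration steps above."""
import base64
import json
import secrets
import time
from urllib.parse import urlparse

CALLBACK_PATH = "/SASLogon/login/callback/external_oauth"

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_usable(token, now=None):
    """The token from the consul endpoint must carry uaa.admin and be unexpired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    return "uaa.admin" in claims.get("scope", []) and claims.get("exp", 0) > now

def new_client_secret(nbytes=64):
    """Same idea as `openssl rand -base64 64`, but on a single line."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def client_registration(viya2_host, client_secret, client_id="sas.viya2"):
    """Build the JSON body for POST /SASLogon/oauth/clients, mirroring the curl above."""
    redirect_uri = f"https://{viya2_host}{CALLBACK_PATH}"
    host = urlparse(redirect_uri).netloc
    if not host or "<<" in host:  # refuse an unreplaced <<SASVIYA2>> placeholder
        raise ValueError("redirect_uri must name the real second environment")
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ["openid", "*"],
        "resource_ids": "none",
        "authorities": ["uaa.resources", "sasapp"],
        "authorized_grant_types": ["client_credentials", "authorization_code", "refresh_token"],
        "redirect_uri": redirect_uri,
        "access_token_validity": 43200,
        "autoapprove": "true",
        "user_sessions": "true",
    }

def make_unsigned_jwt(claims):
    """Constructed sample only: an unsigned JWT shaped like SAS Logon Manager's response."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```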
Open SAS Environment Manager in the second SAS Viya environment as a member of SAS Administrators.
At this point you should be able to log in to the second SAS Viya environment by providing credentials that are authenticated by the first SAS Viya environment. Do this by selecting the link titled "Use SAS Viya 1" on the SAS Logon Manager sign-in form of the second SAS Viya environment.
Currently signing out of the second SAS Viya environment does not sign out from the first SAS Viya environment and vice versa.
Create a new HTML page on the second SAS Viya environment to call the logout on the first SAS Viya environment:
cat << 'EOF' > /var/www/html/CustomLogout.html
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <meta name="viewport" content="initial-scale=1" />
  <link type="text/css" href="/SASLogon/resources/oss/stylesheets/sas_ie.css" rel="stylesheet" />
  <link type="text/css" href="/SASLogon/resources/oss/stylesheets/sas.css" rel="stylesheet" />
</head>
<body>
  <div class="content">
    <img src="/SASLogon/resources/images/saslogo.svg" class="saslogo" aria-label="SAS logo" alt="SAS logo">
    <h2 style="font-size: 1rem; font-weight: 700;">You are now signed out from both SAS Viya environments</h2>
    <!-- Hidden iframe loads the first environment's logout endpoint so both sessions end -->
    <iframe style="width:0;height:0;border:0;" src="https://<<SASVIYA1>>/SASLogon/logout.do"></iframe>
  </div>
</body>
</html>
EOF
Remember to replace <<SASVIYA1>> with the correct address for the first SAS Viya environment.
Open SAS Environment Manager in the second SAS Viya environment as a member of SAS Administrators.
An additional message will now be shown on the bottom of the logout page from the second SAS Viya environment stating that users have been logged out from both environments. As shown here:
Then repeat these steps in the first environment referencing the second environment to ensure logout from the first environment also logs out from the second environment.
So far end-users must select a link on the SAS Logon Manager form of the second SAS Viya environment to log in via the first SAS Viya environment. To provide a more streamlined approach, the second SAS Viya environment can be configured to redirect automatically to the first SAS Viya environment.
This is accomplished by adding the login_hint parameter. This query string parameter is passed in the authorize request, which is /SASLogon/oauth/authorize in SAS Viya. SAS Logon Manager expects to receive an email domain for the hint. Recall that the sas.logon.oauth.providers.external_oauth configuration definition contains an emailDomain field. If the login hint matches one of the email domains specified in this field, SAS Logon Manager will redirect the user automatically to that IdP before even showing the sign-in page.
For HTTPS environments add the following to the end of the VirtualHost SSL configuration. For example, on Red Hat Linux this is the /etc/httpd/conf.d/ssl.conf file. For deployments that use HTTP, this should be placed in a new .conf file. httpd processes the .conf files in alphabetical order and this one needs to be read before the proxy configuration in proxy.conf, so name it accordingly, for example login_hint.conf. Putting the redirect rule in both places is fine too. Restart httpd after making any changes to the configuration.
RewriteEngine On
RewriteRule "SASLogon/oauth/authorize" "/SASLogon/oauth/authorize?login_hint=<<email domain>>" [QSA,PT]
With the steps detailed above complete, any attempt to access a SAS Viya 3.4 web application from the second SAS Viya environment will result in the browser being redirected to the SAS Logon Manager from the first SAS Viya environment. The username & password will be authenticated by the first environment, and the internal OAuth token generated by the first environment will be used to authenticate to the SAS Logon Manager of the second environment. All other authentication within the second environment remains the same. Once the OAuth token from the first environment is used to authenticate to the second environment SAS Logon Manager, that second SAS Logon Manager generates its own internal OAuth token for the second environment.
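The following is an added, simplified model (not SAS or Apache code) of the login_hint flow just described: how the RewriteRule with QSA adds the hint to the authorize request, how the hint is matched against the provider's emailDomain list, and where the browser is sent next. The emailDomain value, both host names and the sign-in page path are assumptions.

```python
"""Added model (not SAS or Apache code) of the login_hint redirect described above."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values: the emailDomain list of the external_oauth provider in the
# second environment, and the host names of the two environments.
PROVIDER_EMAIL_DOMAINS = ["example.com"]
VIYA1 = "viya1.example.com"
VIYA2 = "viya2.example.com"
CLIENT_ID = "sas.viya2"  # the client registered in the first environment

def apache_rewrite(request_uri, email_domain):
    """Model of the RewriteRule above. With QSA the original query string is
    kept and appended after the query string of the substitution."""
    path, _, query = request_uri.partition("?")
    if "SASLogon/oauth/authorize" not in path:
        return request_uri
    new = f"/SASLogon/oauth/authorize?login_hint={email_domain}"
    return f"{new}&{query}" if query else new

def hinted_domain(rewritten_uri):
    """Return the login_hint when it matches a configured emailDomain, else None."""
    hints = parse_qs(urlsplit(rewritten_uri).query).get("login_hint", [])
    for hint in hints:
        if hint.lower() in PROVIDER_EMAIL_DOMAINS:
            return hint.lower()
    return None

def next_hop(rewritten_uri):
    """Where the browser goes next: straight to the first environment's authorize
    endpoint (authorization-code flow for sas.viya2) when the hint matches,
    otherwise the second environment's own sign-in page (assumed path)."""
    if hinted_domain(rewritten_uri) is None:
        return f"https://{VIYA2}/SASLogon/login"
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": f"https://{VIYA2}/SASLogon/login/callback/external_oauth",
    }
    return f"https://{VIYA1}/SASLogon/oauth/authorize?{urlencode(params)}"
```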
Logging out from either environment will also trigger a log-out from the other environment, due to the inclusion of the custom content on both logout pages. The same content is also used for the timeout page, so letting either environment timeout will also trigger a logout from the other environment.