
Connecting Two SAS Viya 3.4 Environments for Authentication

Started ‎04-21-2019 by
Modified ‎04-21-2019 by

In this article the aim is to connect the SAS Logon Manager instances from two different SAS Viya 3.4 environments, so that the second environment is accessed by logging into the first. This provides Single Sign-On for browser-based clients for customers who need to deploy two different environments for licensing reasons.


The connection between environments will be via OAuth/OpenID Connect. The first environment will perform authentication using the default LDAP provider, while the second environment will automatically redirect to the first environment for authentication. Both environments will be configured with the same LDAP provider settings.


Note: With SAS Viya 3.4, this configuration only applies to a single tenant environment. This will not work in a multi-tenant environment.


The type of configuration we are attempting is shown here in the following diagram.






Both environments must be installed and configured. Both environments should be confirmed to be operating correctly before completing any further steps.


The TLS certificates used by Apache HTTP Server are assumed to be site-signed or third-party signed certificates, and both environments are assumed to already trust the CA certificate chain that signs the respective Apache HTTP Server certificate. This configuration could also be completed with self-signed Apache HTTP Server certificates, but then each environment's certificate would need to be added to the trust store of the other environment. For more information on managing the trust stores, see the official documentation.


Which Environment is Which

One of the environments will perform the authentication of end-users, but both environments must recognize those users. This means that both environments need to use the same LDAP provider to ensure this consistency. If the LDAP filters are the same for both environments it does not matter which environment performs the authentication. However, if one environment will be limited to a smaller sub-set of users then the environment with the complete group of users should be the environment performing authentication.


First SAS Viya Environment Configuration

The first environment will be the environment performing the authentication. The SAS Logon Manager in the second environment will redirect to this SAS Logon Manager for authentication. The second environment SAS Logon Manager must be configured as a client to the first environment SAS Logon Manager.


Set an environment variable containing the content of the SAS Configuration Server client token:


export CONSUL_TOKEN=`cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token`


Use curl to obtain an access token from SAS Logon Manager, which will be used to register the new client:


curl -X POST "http://localhost/SASLogon/oauth/clients/consul?callback=false&serviceId=sas.viya2" -H "X-Consul-Token: $CONSUL_TOKEN"


You should get the following JSON response containing the access token:




You will need to either copy the content of “access_token” or use jq to set it as an environment variable:


export BEARER=`curl -X POST "https://localhost/SASLogon/oauth/clients/consul?callback=false&serviceId=sas.viya2" -H "X-Consul-Token: $CONSUL_TOKEN" 2>/dev/null | jq '.access_token'|sed -e 's/^"//' -e 's/"$//'`;


Use OpenSSL to generate a random client secret for the new client you will register:


openssl rand -base64 64


You should see something like the following, split over multiple lines:




Build the following curl command to register the SAS Logon Manager of the second environment as a client. You must replace <<CLIENT_SECRET>> with the value generated by OpenSSL, and you must update the redirect_uri to point to the second SAS Viya environment. The example shown below uses an environment variable for the access token; if you are not using an environment variable, replace $BEARER with your access token.


curl -X POST "https://localhost/SASLogon/oauth/clients" \
  -H "Content-Type:application/json" -H "Authorization: Bearer $BEARER" \
  -d '{"client_id": "sas.viya2",
  "client_secret": "<<CLIENT_SECRET>>",
  "scope": ["openid", "*"],
  "resource_ids": "none",
  "authorities": ["uaa.resources", "sasapp"],
  "authorized_grant_types": ["client_credentials",
  "authorization_code", "refresh_token"],
  "redirect_uri": "https://<<SASVIYA2>>/SASLogon/login/callback/external_oauth",
  "access_token_validity": 43200,
  "autoapprove": "true",
  "user_sessions": "true"}' -k
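As an added example (not code from the article or from SAS), the following Python helpers assemble the same registration body and check it before it is sent: the multi-line output of `openssl rand -base64 64` is joined onto a single line, and any leftover <<...>> placeholder, secret containing a newline, non-HTTPS redirect URI, or missing grant type or scope is reported. The function names and the host viya2.example.com are assumptions; the payload keys and values are the ones the article uses.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Matches any unreplaced <<SASVIYA2>> / <<CLIENT_SECRET>> style placeholder.
PLACEHOLDER = re.compile(r"<<[^>]+>>")

# Constructed stand-in for the output of `openssl rand -base64 64`, which is
# 88 base64 characters wrapped at 64 columns (so it arrives on two lines).
_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_OPENSSL_OUTPUT = _B64[:64] + "\n" + _B64[64:] + "\n"


def normalize_secret(raw: str) -> str:
    """Join the wrapped openssl output into one line and confirm it still
    decodes to 64 random bytes (a partial paste would fail here)."""
    secret = "".join(raw.split())
    if len(base64.b64decode(secret, validate=True)) != 64:
        raise ValueError("client secret does not decode to 64 bytes")
    return secret


def build_registration(client_id: str, client_secret: str, viya2_host: str) -> dict:
    """Return the JSON body for POST /SASLogon/oauth/clients (hypothetical helper)."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ["openid", "*"],
        "resource_ids": "none",
        "authorities": ["uaa.resources", "sasapp"],
        "authorized_grant_types": ["client_credentials", "authorization_code", "refresh_token"],
        "redirect_uri": f"https://{viya2_host}/SASLogon/login/callback/external_oauth",
        "access_token_validity": 43200,
        "autoapprove": "true",
        "user_sessions": "true",
    }


def validate_registration(body: dict) -> list:
    """Return the list of problems found; an empty list means the body is ready to POST."""
    problems = []
    if PLACEHOLDER.search(json.dumps(body)):
        problems.append("unreplaced <<...>> placeholder in body")
    secret = body.get("client_secret", "")
    if "\n" in secret or len(secret) < 32:
        problems.append("client_secret contains a newline or is too short")
    uri = urlparse(body.get("redirect_uri", ""))
    if uri.scheme != "https":
        problems.append("redirect_uri must use https")
    if uri.path != "/SASLogon/login/callback/external_oauth":
        problems.append("redirect_uri path is not the external_oauth callback")
    if "authorization_code" not in body.get("authorized_grant_types", []):
        problems.append("authorization_code grant type is required for browser login")
    if "openid" not in body.get("scope", []):
        problems.append("openid scope is missing")
    return problems


if __name__ == "__main__":
    body = build_registration("sas.viya2", normalize_secret(SAMPLE_OPENSSL_OUTPUT),
                              "viya2.example.com")
    print(json.dumps(body, indent=2))
    print("problems:", validate_registration(body))
```

The checks target the mistakes that most often break the later login redirect: a secret pasted with its line break intact, a placeholder host left in redirect_uri, or a callback path that does not match what the second SAS Logon Manager will send.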


Second SAS Viya Environment

Open SAS Environment Manager in the second SAS Viya environment as a member of SAS Administrators.

  1. Select Configuration
  2. Select Definitions from the View drop down
  3. Select sas.logon.oauth.providers.external_oauth and select the New Configuration button
  4. Enter the following configuration values:
    1. Enter “https://<<SASVIYA1>>/SASLogon/oauth/authorize” as authURL
    2. Enter your email domain, for example
    3. Enter “http://localhost/SASLogon/oauth/token” as issuer
    4. Enter “Use SAS Viya 1” as linkText
    5. Enter “sas.viya2” as relyingPartyID
    6. Enter the client secret generated with OpenSSL as relyingPartySecret
    7. Enter “https://<<SASVIYA1>>/SASLogon/token_key” as tokenKeyUrl
    8. Enter “https://<<SASVIYA1>>/SASLogon/oauth/token” as tokenURL
    9. Save changes
  5. Sign out from SAS Environment Manager
  6. Restart SAS Logon Manager

At this point you should be able to log into the second SAS Viya environment by providing credentials and being authenticated by the first SAS Viya environment. This is done by selecting the link titled “Use SAS Viya 1” on the SAS Logon Manager form of the second SAS Viya environment.



Currently signing out of the second SAS Viya environment does not sign out from the first SAS Viya environment and vice versa.


Create a new HTML page on the second SAS Viya environment to call the logout on the first SAS Viya environment:


cat << 'EOF' > /var/www/html/CustomLogout.html
<!DOCTYPE html>
<html lang="en" dir="ltr">
  <meta charset="utf-8" />
  <meta name="viewport" content="initial-scale=1" />
  <link type="text/css" href="/SASLogon/resources/oss/stylesheets/sas_ie.css" rel="stylesheet" />
  <link type="text/css" href="/SASLogon/resources/oss/stylesheets/sas.css" rel="stylesheet" />
<div class="content"><img src="/SASLogon/resources/images/saslogo.svg" class="saslogo" aria-label="SAS logo" alt="SAS logo">
<h2 style="font-size: 1rem; font-weight: 700;">You are now signed out from both SAS Viya environments</h2>
<!-- hidden iframe calls the first environment's SAS Logon Manager so that session ends too -->
<iframe style="width:0;height:0;border:0; border:none;" src="https://<<SASVIYA1>>/SASLogon/"></iframe>
</div>
</html>
EOF


Remember to replace <<SASVIYA1>> with the correct address for the first SAS Viya environment.


Open SAS Environment Manager in the second SAS Viya environment as a member of SAS Administrators.

  1. Select Configuration
  2. Select Definitions from the View drop down
  3. Select sas.custom and select the New Configuration button
  4. Enter the following configuration values:
    1. Enter “/CustomLogout.html” as logout
    2. Enter “/CustomLogout.html” as timedout
    3. Save changes
  5. Sign out from SAS Environment Manager

An additional message will now be shown on the bottom of the logout page from the second SAS Viya environment stating that users have been logged out from both environments. As shown here:




Then repeat these steps in the first environment referencing the second environment to ensure logout from the first environment also logs out from the second environment.


Automatic Redirection

So far end-users must select a link on the second SAS Viya environment SAS Logon Manager form to login via the first SAS Viya environment. To provide a more streamlined approach the second SAS Viya environment can be configured to automatically redirect to the first SAS Viya environment.


This is accomplished by adding the login_hint parameter. This query string parameter is passed in the authorize request, which is /SASLogon/oauth/authorize in SAS Viya. SAS Logon Manager expects to receive an email domain for the hint. Recall that the sas.logon.oauth.providers.external_oauth configuration definition contains an emailDomain field. If the login hint matches one of the email domains specified in this field, SAS Logon Manager will redirect the user automatically to that IdP before even showing the sign-in page.


For HTTPS environments add the following to the end of the VirtualHost SSL configuration. For example, on Red Hat Linux this is the /etc/httpd/conf.d/ssl.conf file. For deployments that are using HTTP, this should be placed in a new .conf file. httpd processes the .conf files in alphabetical order and this one needs to be read before the proxy configuration in proxy.conf, so it should be named accordingly, for example login_hint.conf. Putting the redirect rule in both places is fine too. Restart httpd after making any changes to the configuration.


RewriteEngine On
RewriteRule "SASLogon/oauth/authorize" "/SASLogon/oauth/authorize?login_hint=<<email domain>>" [QSA,PT]
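To show how the rewrite rule and the emailDomain match work together, here is an added Python simulation (not SAS code and not part of the article) of both halves: apply_login_hint_rewrite reproduces what the RewriteRule with the QSA flag does to an authorize request, and select_identity_provider applies the matching decision described above, falling back to the local sign-in form when the hint matches no configured domain. The provider table, the host names viya1.example.com and viya2.example.com, and the function names are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the sas.logon.oauth.providers.external_oauth definition:
# provider name -> (emailDomain list, authURL).
EXTERNAL_OAUTH_PROVIDERS = {
    "viya1": (["example.com"], "https://viya1.example.com/SASLogon/oauth/authorize"),
}


def apply_login_hint_rewrite(url: str, email_domain: str) -> str:
    """Simulate:
         RewriteRule "SASLogon/oauth/authorize"
                     "/SASLogon/oauth/authorize?login_hint=<domain>" [QSA,PT]
    The substitution supplies login_hint; QSA then appends the original query
    (client_id, redirect_uri, state, ...) so nothing the client sent is lost."""
    parts = urlsplit(url)
    if "SASLogon/oauth/authorize" not in parts.path:
        return url  # pattern does not match: request passes through untouched
    original_query = parse_qsl(parts.query, keep_blank_values=True)
    new_query = urlencode([("login_hint", email_domain)] + original_query)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


def select_identity_provider(authorize_url: str, providers: dict) -> tuple:
    """Mimic the SAS Logon Manager decision: a login_hint equal to one of a
    provider's emailDomain values redirects straight to that provider's authURL;
    otherwise the local sign-in form is shown."""
    query = dict(parse_qsl(urlsplit(authorize_url).query, keep_blank_values=True))
    hint = query.get("login_hint", "").strip().lower()
    if hint:
        for name, (domains, auth_url) in providers.items():
            if hint in (d.lower() for d in domains):
                return ("redirect", name, auth_url)
    return ("login_form", None, None)


if __name__ == "__main__":
    request = ("https://viya2.example.com/SASLogon/oauth/authorize"
               "?client_id=sas.cli&response_type=code")
    rewritten = apply_login_hint_rewrite(request, "example.com")
    print(rewritten)
    print(select_identity_provider(rewritten, EXTERNAL_OAUTH_PROVIDERS))
```

Running the simulation with a domain that is not in the emailDomain list shows why the two settings must agree: the rewrite still adds login_hint, but the second environment then shows its own sign-in form instead of redirecting.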



With the steps detailed above complete, any attempt to access a SAS Viya 3.4 web application from the second SAS Viya environment will result in the browser being redirected to the SAS Logon Manager from the first SAS Viya environment. The username & password will be authenticated by the first environment, and the internal OAuth token generated by the first environment will be used to authenticate to the SAS Logon Manager of the second environment. All other authentication within the second environment remains the same. Once the OAuth token from the first environment is used to authenticate to the second environment SAS Logon Manager, that second SAS Logon Manager generates its own internal OAuth token for the second environment.


Logging out from either environment will also trigger a log-out from the other environment, due to the inclusion of the custom content on both logout pages. The same content is also used for the timeout page, so letting either environment timeout will also trigger a logout from the other environment.
