BookmarkSubscribeRSS Feed

Request Federated Single Sign-On for SAS Customer Intelligence 360

Started ‎06-06-2019 by
Modified ‎08-31-2020 by
Views 7,081



SAS Customer Intelligence 360 now supports federated single sign-on (SSO), which enables users to sign in to the application by using their corporate login credentials.


With federated authentication, you can:

  • improve usability for end users. Users can sign in to multiple SAS applications with one account.
  • centralize user access management. Manage user accounts through your corporate identity provider (IDP), and set up specific access for tenants or external applications as needed.
  • enhance security for your organization. End users can use one set of credentials, which avoids situations where the same password is used for multiple systems. If your corporate login uses multi-factor authentication (MFA), this additional layer of security is also applied to your SAS applications.

In most cases, SSO is implemented across all SAS resources. This is the preferred experience, so each user has one identity for all interactions with SAS websites and applications.


When SSO is set up, you may have to reconfigure some of your SAS applications. For example, external applications that connect to SAS Customer Intelligence 360 must authenticate users through the REST API. For more information, see External API Users in the SAS Customer Intelligence User’s Guide.


A SAS representative will review these changes as you configure the federation process.


Gather Information and Resources

To request SSO for your SAS applications, SAS IT requires information about your organization and how you use your SAS applications.


Prepare to start the SSO process by completing the following steps:


  1. Designate a technical lead for your SAS applications. This person should:
    • have expert-level knowledge of the authentication and authorization model of your SAS applications
    • be able to administer your organization’s IDP
    • be available to work with SAS IT to set up and test the federation process

    Provide the contact information for this technical lead when you complete the SSO request form.

  2. Supply information about your organization’s IDP, such as:
    • the format for user names and attributes
    • issuer URIs
    • certificates
    • metadata

    Note: The preferred integration type is SAML, and the preferred method of federation is to use home-realm discovery (HRD). To ensure end-to-end security, your IDP must use encryption.

  3. List any security and compliance requirements for your SAS applications. For example:
    • Privacy Impact Assessments (PIAs)
    • customer agreements (such as software contracts or end-user license agreements)
    • compliance requirements for storing personal data, health data, financial data, and so on
    • specific compliance frameworks such as ISO 27001, NIST, HIPPA, and so on


Next Steps

After you have all the necessary information, you can complete the SSO request form here:


A representative from SAS will review your form and contact your technical lead to begin the SSO process.




I am understanding this as that the authentication part for login is now separated from SAS CI360 and handled by an IdP outside SAS (e.g. OneLogin, Okta, etc.). If so, while SAS Ci360 itself does not support restricting access from certain IP addresses (or accepting access only from certain IP addresses), would it be possible for customers to do such thing by configuring it at the IdP that they choose to use? 


I have seen some customers especially in banking who want to control the access to their SAS CI360 tenant only from their networks, just like accessing via VPN. I know the major IdPs like OneLogin, Okta, etc. provide a feature for their users to configure accepting/filtering access for login by IP addresses, and I wonder if we can do so for SAS CI360.



To respond to @YumaHase 


With federated single sign-on for SAS Customer Intelligence 360 (CI 360), the customer's identity provider (IDP) is the source of authentication. Yes, the customer can restrict authentication to only specific IPs or networks if the customer is using an IDP vendor or technology that provides this capability.


This IP restriction would only restrict the IP addresses that authenticate through SSO federation, In other words, IP restrictions would only apply to users of the customer’s CI 360 tenants that are managed by the customer’s IDP. If tenant admins have authorized users that are not managed by the customer IDP (for example, SAS employees or other outside consultants/contractors), those users would not be required to adhere to any IP or network restrictions. The IP restriction only applies to the IPs that access the customer's IDP and not all of the IPs that access CI 360. No IP restrictions are implemented or enforced by SAS personnel or the CI 360 systems.

If you are referring to the possibility of using a VPN for on-premises, agent-based access to CI 360, the current architecture does not support using a VPN nor the ability to restrict access to specific IP addresses.

Version history
Last update:
‎08-31-2020 10:22 AM
Updated by:




The early bird rate has been extended! Register by March 18 for just $695 - $100 off the standard rate.


Check out the agenda and get ready for a jam-packed event featuring workshops, super demos, breakout sessions, roundtables, inspiring keynotes and incredible networking events. 


Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags