
SAS 9.4 M9 Multifactor Authentication


In this post I want to discuss the ways you can provide multifactor authentication to your users with the SAS 9.4 Maintenance 9 release. I want to cover the different options you have today and explain some of the differences. Then I also want to mention some features that will enhance this capability. 

 

What we mean by multifactor authentication

When you log into your SAS 9.4 environment you are proving to SAS 9.4 that you are who you say you are. Traditionally, you’d do this by providing your username and password. Unfortunately, that’s now not the best way to do things. Firstly, usernames are quite often easy to discover; it might even just be your email address. Then we have passwords: since they can be hard to remember, people pick simple ones, or even use the same password for multiple services.

 

This is why modern authentication services have added a way to better secure access to computer systems. One authentication service that is available is Two-Step Verification or Multifactor Authentication (MFA). This operates on the principle that when you log in you need more than just your username and password. You need to have a second verification method or factor to prove you are who you say you are.

 

A factor in authentication is a way you can confirm your identity when you try to log in. For example, a password is one kind of factor: it is something you know. The three most common factors are:

 

  • Something you know - Like a password, or a memorized PIN.
  • Something you have - Like a smartphone, or a secure USB key.
  • Something you are - Like a fingerprint, or facial recognition.

 

A common approach is for users to leverage their own smart phones to assist with this Two-Step Verification process.

 

Two-factor authentication (2FA) applications on smart phones make adoption for end users much easier. The providers normally have a simple self-registration process for end users to enroll their devices. These 2FA applications normally support a range of authentication methods such as:

 

  • Time-based One-Time Passwords, which use a shared secret and the current time to create a unique, short-lived numeric code.
  • Push Notifications, in which users receive a notification on their smart phones to approve or deny a sign-in attempt.

 

Push notifications can then be further enhanced by the provider. For example, both Duo and OKTA offer location information in push notifications. The addition of the location information allows the user to easily see the location of the service they are providing the verification for. Also, several providers offer a number challenge alongside push notifications. With Push Notification with Number Challenge, users validate their login attempt by completing a number matching challenge in addition to approving a push notification in the 2FA application.

 

 

SAS 9.4 M9 Current Options

Starting with the SAS 9.4 Maintenance 9 release, multifactor authentication (MFA) can be configured for SAS Logon Manager; see the SAS documentation, Multifactor Authentication (MFA) in SAS 9.4M9, and the SAS 2025 Innovate presentation, Secure Your SAS9 Applications Using Multi-Factor Authentication. SAS Logon Manager is the SAS web application that drives all authentication requests for the SAS 9.4 web applications. If you enable MFA, then any of your users who log into any SAS web application through SAS Logon Manager are authorized to access the application only after they successfully present two forms of authentication.

 

The two forms of authentication are:

 

  1. Username and password entered in the SAS Logon Manager form and passed to the SAS Metadata Server for authentication.
  2. One-time Passcode generated by an authenticator service. SAS integrates with the following MFA authenticators:
    1. Time-based One-time Password (TOTP) authenticators such as Google Authenticator, Microsoft Authenticator, Oracle Mobile Authenticator (OMA), Authy, Duo Mobile, or 2FAS.
    2. SAS Authenticator, which is built into the SAS Logon Manager application. When a user attempts to authenticate, SAS Logon Manager generates a one-time MFA token and delivers that to the user in an email message or an SMS text message.

 

It is a best practice to configure MFA for SAS Logon Manager during your initial installation of SAS 9.4M9 or later. However, if you upgraded to SAS 9.4M9 or later from a previous maintenance release, or did not enable MFA during the deployment process, you can implement MFA manually.

 

SAS also provides policies that allow MFA to be bypassed securely. For example, if you enable guest access, the SAS Anonymous Web User does not need to participate in MFA. You can add the entity to a reserved metadata group called BypassMFAGroup.

 

When using the TOTP authenticators, you as a SAS administrator do not register each end user. Instead, when the end user authenticates for the first time, they are presented with the options to register their TOTP authenticator application. After they have entered their credentials and the system recognizes that the account has not been fully configured for MFA, a screen containing a QR code is displayed.


 

The end user then scans the QR code with their TOTP authenticator application to complete the registration of the SAS 9.4 environment with their application.

 

When using the SAS Authenticator, you as a SAS Administrator must choose between delivering the MFA token via email or SMS text message. If you decide to use email, you will be using the same email server and port you configured at the time you deployed SAS 9.4. Also, you must have an email address registered against the metadata identity for each of your end users.

 

Alternatively, if you decide to use SMS text messages then SAS only supports the following SMS service providers:

 

  • Amazon SNS Provider Service
  • Twilio Provider Service
  • Vonage Provider Service

 

The SAS documentation covers the configuration of the SMS service providers.

 

 

To summarize, with SAS 9.4 M9 and later, you as a SAS Administrator can enable multifactor authentication for SAS Logon Manager. This will provide greater security for users accessing the SAS web applications. You can decide between end users leveraging a 2FA authenticator application on their smart phones or sending the MFA token via email or SMS.

 

However, this solution does not provide multifactor authentication for client server connections to the SAS 9.4 environment.

 

 

SAS 9.4 Maintenance 10 Plans

With SAS 9.4 Maintenance 10, SAS plans to update SAS 9.4 to provide multifactor authentication with the SAS 9.4 server tier. This includes all SAS servers like the SAS Metadata Server, Workspace Server, Stored Process Server, OLAP Server, Connect Servers, LASR Servers etc.

 

Since most such connections are between a SAS client and the server process, there is not a good point at which to prompt the end user for additional authentication factors. SAS clients such as SAS Enterprise Guide and SAS Management Console allow end users to create connection profiles and do not necessarily prompt for authentication details on every separate connection. As such, the model with server-side multifactor authentication is to leverage push notification with a 2FA authenticator application. When a server-side multifactor authentication session is established, it is user based.

 

At this stage the expectation is that Cisco Duo and OKTA will be the two supported 2FA authenticator application providers. This requires a commercial relationship with the provider, although Duo does have a starting “free” tier with limited user numbers. To be able to leverage push notification, additional setup and registration will be required in those third-party MFA providers.

 

The introduction of the SAS server-side MFA will impact the initial SAS 9.4 MFA with SAS Logon Manager. To ensure the best SAS 9 user experience, SAS Logon Manager multifactor authentication capabilities will be updated to use the same third-party Cisco DUO or OKTA for the session-based authentication. Work is planned to allow server-side multifactor authentication challenges to be bypassed for users who have successfully authenticated via SAS Logon Manager.

 

 

Conclusion

SAS is providing you as a SAS Administrator more tools to help you secure your SAS 9.4 environments. The current MFA with SAS Logon Manager enables you to provide additional security to the riskiest of connections to your SAS 9.4 environment, i.e. web browsing connections. During 2026 and 2027 SAS will further enhance this offering with server-side MFA, protecting client-server connections. This will also introduce support for MFA with push notifications. You can see more details on the future state by reviewing the SAS Innovate 2026 presentation Expanding MFA Across the SAS 9 Ecosystem.

 

 

Find more articles from SAS Global Enablement and Learning here.
