In a previous post we introduced the concept of SAS Web Server authentication with SAS 9.4. Here I want to extend that discussion to one option for the authentication: using Microsoft Entra ID with OpenID Connect as the authentication provider for SAS 9.4.
In that previous post we covered adding the authenticated user as a header and the shared secret. Here we will only address the authentication module configuration for OpenID Connect with Microsoft Entra ID. This is the part enabling just step 1 in the diagram below.
SAS Technical Support are able to assist with the basic steps to integrate the SAS Web Server with the SAS Web Application Server, covered previously. However, they are not able to provide detailed assistance on the third-party configuration of Microsoft Entra ID, or the specifics of the Apache HTTP Server authentication module configuration.
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that authenticates users against an OpenID Connect Provider. It can also function as an OAuth 2.0 Resource Server, validating access tokens presented by OAuth 2.0 clients against an OAuth 2.0 Authorization Server. More details can be found on the following GitHub project: https://github.com/OpenIDC/mod_auth_openidc.
The module is open sourced by OpenIDC, a subsidiary of ZmartZone Holding B.V. For commercial services you can contact OpenIDC. Licensed builds with support for Redis/Valkey over TLS, Redis Sentinel/Cluster as well as binary packages for Microsoft Windows, EOL Red Hat, Ubuntu and Debian releases, Oracle HTTP Server and IBM HTTP Server are available under a commercial agreement with OpenIDC.
For Linux operating systems most distributions will offer a package containing the mod_auth_openidc module, so it can be installed with your standard package management tools.
In addition to obtaining the mod_auth_openidc module, we also need to have an application registration within Microsoft Entra ID. It is through this application registration that we configure Microsoft Entra ID to perform OpenID Connect authentication. Microsoft provides documentation for creating the application registration.
From the application registration in Microsoft Entra ID, we will need the following information when we configure the mod_auth_openidc module: the directory (tenant) ID, the application (client) ID, and a client secret. These appear as ${tenantID}, ${clientID} and ${clientSecret} in the configuration below.
The other part of the application registration you need to pay attention to is the user identifier. Depending on how you want to pass the username to SAS 9.4 you might need to consider adding additional claims to the token generated by Microsoft Entra ID. Microsoft documentation covers the available additional claims that can be included in the token. You might want to leverage either the User Principal Name or the email address of users.
Once we have obtained the module and created the application registration in Microsoft Entra ID, we can configure the SAS 9.4 environment. Remember, in this post we are just addressing the OpenID Connect configuration, you still need to complete the steps we discussed in the previous post.
There will be two parts to the configuration of the SAS Web Server. First, we configure the OIDC module. For this we need to load the module into the SAS Web Server and create a configuration file with details of the Microsoft Entra ID application registration. To tell the SAS Web Server to load the new module you update the SAS-configuration-directory\Levn\Web\WebServer\conf\httpd.conf file and add the following line to the end of the other LoadModule lines:
LoadModule auth_openidc_module "/etc/httpd/modules/mod_auth_openidc.so"
This assumes the mod_auth_openidc module is installed in the default location, otherwise you would amend the path to point to the correct location.
Then we create the file openidc.conf in the SAS-configuration-directory\Levn\Web\WebServer\conf\extra directory, to configure the module. This file should have the following contents:
# Azure AD Settings.
OIDCProviderMetadataURL https://login.microsoftonline.com/${tenantID}/v2.0/.well-known/openid-configuration
OIDCClientID ${clientID}
OIDCClientSecret ${clientSecret}
OIDCScope "openid profile email"
OIDCRemoteUserClaim email ^(.*)@
OIDCRedirectURI https://${SAS94Hostname}:8343/oauth2callback
OIDCCryptoPassphrase s0meR&nd0mText
<Location /oauth2callback>
AuthType openid-connect
require valid-user
</Location>
The settings we have defined for the mod_auth_openidc module are as follows. OIDCProviderMetadataURL points the module at the OpenID Connect discovery document for your tenant, from which it reads the authorization, token and signing-key endpoints. OIDCClientID and OIDCClientSecret are the application (client) ID and client secret from the application registration. OIDCScope requests the openid, profile and email scopes; the email scope is what makes the email claim available in the token. OIDCRemoteUserClaim takes the email claim and applies the regular expression ^(.*)@ to it, so only the part before the @ is passed on as REMOTE_USER. OIDCRedirectURI is the callback the provider redirects to after sign-in and must exactly match a redirect URI registered on the application registration. OIDCCryptoPassphrase is the secret the module uses to encrypt its cookies and state, so replace the sample value with a random one of your own. Finally, the Location block for /oauth2callback hands the callback path to the module.
For more details on these options see: https://github.com/OpenIDC/mod_auth_openidc/blob/master/auth_openidc.conf.
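The following is an added example, not code from the post or from the mod_auth_openidc project, showing what the OIDCRemoteUserClaim line above does to the claim the token carries: it parses a constructed copy of openidc.conf (with made-up tenant and client values), derives the REMOTE_USER value from a constructed set of ID token claims, and flags the two configuration mismatches that most often leave REMOTE_USER empty: the email scope missing from OIDCScope, and a redirect URI whose path is not covered by the Location block. The host name sas94.example.com and the claim values are assumptions.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed copy of the openidc.conf shown above, with the ${...} placeholders
# replaced by made-up values so that the example runs offline.
OPENIDC_CONF = """
# Azure AD Settings.
OIDCProviderMetadataURL https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
OIDCClientID 11111111-1111-1111-1111-111111111111
OIDCClientSecret example-client-secret
OIDCScope "openid profile email"
OIDCRemoteUserClaim email ^(.*)@
OIDCRedirectURI https://sas94.example.com:8343/oauth2callback
OIDCCryptoPassphrase s0meR&nd0mText
<Location /oauth2callback>
AuthType openid-connect
require valid-user
</Location>
"""


def parse_directives(text):
    """Return {directive: [args]} for the OIDC* lines of an Apache-style config.
    shlex keeps a quoted argument such as "openid profile email" as one item."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        if parts and parts[0].startswith("OIDC"):
            directives[parts[0]] = parts[1:]
    return directives


def remote_user(directives, claims):
    """Derive REMOTE_USER the way OIDCRemoteUserClaim is documented: take the named
    claim from the ID token (the module's default is "sub") and, when a regular
    expression is configured, keep its first capture group. Returns None when the
    claim is absent or the expression does not match, i.e. when there is no usable
    username to forward to SAS (treating a non-match as failure is this example's
    choice, not necessarily the module's)."""
    args = directives.get("OIDCRemoteUserClaim") or ["sub"]
    value = claims.get(args[0])
    if value is None:
        return None
    if len(args) > 1:
        match = re.search(args[1], value)
        if not match:
            return None
        value = match.group(1) if match.groups() else match.group(0)
    return value


def scope_covers_claim(directives):
    """The email claim is only issued when the email scope is requested, so flag a
    configuration whose OIDCScope omits the scope its OIDCRemoteUserClaim relies on."""
    claim = (directives.get("OIDCRemoteUserClaim") or ["sub"])[0]
    scopes = set(" ".join(directives.get("OIDCScope", ["openid"])).split())
    return claim != "email" or "email" in scopes


def redirect_path_matches_location(text, directives):
    """The <Location> block must cover the path of OIDCRedirectURI, otherwise the
    provider's callback is never handed to the module."""
    location = re.search(r"<Location\s+(\S+)\s*>", text)
    uri = directives.get("OIDCRedirectURI")
    if not location or not uri:
        return False
    return urlparse(uri[0]).path == location.group(1)


if __name__ == "__main__":
    conf = parse_directives(OPENIDC_CONF)
    # Constructed ID token claims; a real token carries many more.
    print(remote_user(conf, {"email": "jane.doe@example.com"}))  # jane.doe
    print(remote_user(conf, {"preferred_username": "jane.doe@example.com"}))  # None
    print(scope_covers_claim(conf), redirect_path_matches_location(OPENIDC_CONF, conf))
```

The second call returns None because the token in that case carries only preferred_username and no email claim, which is exactly the situation in which the X-Remote-User header later in this post would be sent empty; if you choose the User Principal Name instead of the email address, change both the claim name in OIDCRemoteUserClaim and the logins in SAS Metadata together.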
Then we can add the security constraint to the SAS Logon Manager login endpoint. If we assume you have completed the steps we discussed in the previous post, then your configuration should look like the following:
<Location /SASLogon/login>
AuthType authentication_type
require valid-user
RequestHeader set X-Remote-User %{REMOTE_USER}s
RequestHeader set Authorization "Basic OlRoMXNJU3RoM1BAc3N3MHJk"
</Location>
We just need to update this to the following:
include /opt/sas/config/Lev1/Web/WebServer/conf/extra/openidc.conf
<Location /SASLogon/login>
AuthType openid-connect
require valid-user
RequestHeader set X-Remote-User %{REMOTE_USER}s
RequestHeader set Authorization "Basic OlRoMXNJU3RoM1BAc3N3MHJk"
</Location>
Which file we add this to will depend on how we have configured the SAS Web Server. If the SAS Web Server is only serving HTTP, then we edit the SAS-configuration-directory\Levn\Web\WebServer\conf\httpd.conf file. Whereas, if we are serving HTTPS, we edit the SAS-configuration-directory\Levn\Web\WebServer\conf\extra\httpd-ssl.conf file and add the location block inside the VirtualHost directive.
The default Cross-site request forgery (CSRF) settings for SAS 9.4 limit the third parties that can redirect browser traffic to SAS 9.4. Since OpenID Connect authentication relies on the provider redirecting the browser back to the relying party, we need to allow redirects from the Microsoft Entra ID login host.
We need to update the sas.web.csrf.referers.knownHosts setting to allow access from Microsoft Entra ID. You should follow the documented steps to add https://login.microsoftonline.com/ to the knownHosts property.
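As an added illustration (not SAS code, and not a description of how SAS Logon Manager implements its referer check), the following shows the kind of allowlist comparison a knownHosts setting implies and why the entry for https://login.microsoftonline.com/ is needed. The allowlist, the SAS host name sas94.example.com and the sample Referer header values are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed allowlist in the spirit of sas.web.csrf.referers.knownHosts: the SAS
# 9.4 web server itself (assumed host name) plus the Microsoft Entra ID login host.
KNOWN_HOSTS = [
    "https://sas94.example.com:8343/",
    "https://login.microsoftonline.com/",
]


def origin(url):
    """(scheme, host, port) of a URL with the default port filled in, or None when
    the value is not an absolute URL."""
    try:
        parts = urlparse(url)
        port = parts.port
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    port = port or {"https": 443, "http": 80}.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def referer_allowed(referer, known_hosts=KNOWN_HOSTS):
    """True only when the Referer's origin equals an allowlisted origin exactly.
    Comparing the parsed origin, rather than checking that the header starts with
    an allowed string, is what stops a longer host name that merely begins with
    login.microsoftonline.com from passing."""
    incoming = origin(referer)
    return incoming is not None and any(incoming == origin(h) for h in known_hosts)


# Constructed Referer header values as the SAS web server might see them on
# requests to /SASLogon/login after the provider redirects the browser back.
SAMPLE_REFERERS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=example",
    "https://sas94.example.com:8343/SASLogon/",
    "https://login.microsoftonline.com.example.net/",
    "http://login.microsoftonline.com/",
]


def classify(referers=SAMPLE_REFERERS):
    """Map each sample Referer to its allow/deny decision."""
    return {r: referer_allowed(r) for r in referers}


if __name__ == "__main__":
    for ref, ok in classify().items():
        print("allow" if ok else "deny ", ref)
```

Without the login.microsoftonline.com entry the first sample is denied, which is the symptom you see when the knownHosts property has not been updated: the provider signs the user in, but SAS rejects the redirected request.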
The log off behaviour of the SAS Logon Manager must be updated. Without these changes the end user is not correctly logged out of the SAS Web Applications. The mod_auth_openidc module requires that the application call a specific URL with a logout parameter to log out the end user. Therefore, the SAS Logon Manager must be updated to include this step in the logout processing.
We update the custom log off message for the SAS Logon Manager following the steps outlined here: https://go.documentation.sas.com/doc/en/bicdc/default/bimtag/p1eq380abe3z6en1tpnsj931qrke.htm. We just need to add the following to the logoff and timeout messages:
<script type="text/javascript">
window.location.replace("https://${SAS94Hostname}:8343/oauth2callback?logout=https://${SAS94Hostname}:8343/logout.html");
</script>
In addition, we also need to create the custom HTML page the logout of mod_auth_openidc redirects to, which might just contain the following:
<HTML class="bg">
<head>
<link type="text/css" rel="stylesheet" href="/SASLogon/themes/default/css/sas.css" />
</head>
<body>
<div class="content">
<p>You have successfully logged out from SAS 9.4.
<br>You are also logged out from OpenID Provider: Microsoft Entra ID.
<br>You should now close your browser.</p>
</div>
</body>
</HTML>
This would be created in the SAS-configuration-directory\Levn\Web\WebServer\htdocs directory.
Then when users log out, they will be presented with the message from that page.
For the end user to be able to log into SAS® 9.4 we must have a login associated with a Metadata Identity that matches the string passed from the SAS Web Server. For inbound authentication it does not matter what authentication domain the login is associated with. So, you need to ensure your end users have the correct format of the username returned from Microsoft Entra ID present in their Metadata Identity.
Remember that there will be no credentials made available to SAS 9.4 for launching a SAS Workspace Server session. As such, we need to provide credentials in an alternative way. We could configure SAS Token Authentication for the SAS Workspace Server. Or we could store a credential in an authentication domain.
In this post we have shown how you can configure your SAS 9.4 environment to allow your end users to log into the SAS web applications using OpenID Connect and Microsoft Entra ID. This post has only focused on the authentication module configuration. The previous post dealt with the other key parts of the configuration.
If you want to explore this topic in more detail a workshop is available in learn.sas.com called SAS® 9.4 Advanced Topics in Authentication – Modern Web Authentication. This workshop includes both video information and hands-on practice sessions.