BookmarkSubscribeRSS Feed

SAS Viya 2025.03 SAS/CONNECT Client Update

Started ‎03-17-2025 by
Modified ‎03-17-2025 by
Views 334

The SAS Viya 2025.03 release introduces a change to the SAS/CONNECT client included in SAS Viya. This change allows the SAS/CONNECT client to leverage Authentication Domains maintained by the Credentials microservice in SAS Viya. When you are leveraging Spawner signons. In this post we will examine what the change is, why the change is important, and discuss some use cases where you might want to leverage Authentication Domains.

 

What is the change?

The change is in the SAS/CONNECT client included in the SAS Programming Runtime environment. This means that the update to the SAS/CONNECT client is available to interactive SAS sessions, such as those used by SAS Studio or SAS Batch Server sessions and SAS/CONNECT Server sessions.

 

In SAS 9.4 SAS/CONNECT clients, you were able to use Authentication Domains defined in the SAS 9.4 Metadata Server to store the credentials used to sign on to the remote SAS/CONNECT Server. With the SAS Viya 2025.03 release, you can also use Authentication Domains with the SAS/CONNECT client in SAS Viya, when doing a Spawner signon.

 

Obviously, in SAS Viya, the technology for creating and managing the Authentication Domains is different from SAS 9.4. With SAS Viya you can use either SAS Environment Manager or the SAS Viya CLI as a member of SAS Administrators to create Authentication Domains. The Authentication Domains can either be Password Domains or Token Domains.

 

The Password Domains store a username and password credential set that is made available to either an individual user or groups of users. Whereas the Token Domain stores a SAS Logon Manager refresh token for a specified SAS Viya user, and that refresh token is made available to either an individual user or group of users.

 

Clearly, the credential in a Token Authentication domain will be valid only with the current SAS Viya environment, where the refresh token is generated and stored. You cannot store a refresh token for your Production SAS Viya environment in your Development SAS Viya environment.

 

The existing authentication methods are still valid for the SAS/CONNECT client in SAS Viya. So, you can still leverage the existing OAuth Token, a username and password entered in code, an AUTHINFO file, or Kerberos authentication. This is covered in the SAS documentation and also discussed by my colleague Edoardo Riva in a previous post.

 

Why is this important?

 

Adding support for Authentication Domains with the SAS/CONNECT client in SAS Viya simplifies the migration of your existing SAS 9.4 code into your SAS Viya environment. If the SAS/CONNECT Servers, your code references are the same and can be reached from your SAS Viya environment; you can just run the same code as-is in your SAS Viya environment. You do not need to go back through your existing code and make changes switching to an alternative form of authentication.

 

Use Case for Password Authentication Domains

 

The main use case for leveraging Authentication Domains with the SAS/CONNECT client in SAS Viya, is the easy migration of code from your existing SAS 9.4 environments. If you have already been using Authentication Domains with the SAS/CONNECT client in SAS 9.4 and returning usernames and passwords from Authentication Domains in the SAS 9.4 Metadata Server, you can simply run this code as before on SAS Viya.

 

You will need to create the corresponding Authentication Domain on SAS Viya. This step will need to be completed by a member of the SAS Administrators group. Next, you will need to store the credential sets (usernames and passwords) that your end users require. If you are sharing a credential set amongst a group of users, you will need to store the credential set as a member of SAS Administrators group, and make that credential set available to the required group of users. Otherwise, individual end users can maintain their own credential sets in the Authentication Domain after the domain is created.

 

For example, you might have something like the following:

 

01_SR_Authentication-Domains-101-SAS_CONNECT.png

Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

 

A member of SAS Administrators would store Credential Set 1 and make that available to the SAS Viya custom group "Group A". Then a member of SAS Administrators would store Credential Set 2 and make that available to the LDAP group "Group B". Finally, an end user Bob would store Credential Set 3 for themselves, without revealing the credentials to a member of SAS Administrators.

 

The code for the SAS/CONNECT client connection would look like the following:

 

%let rhost=my-connect-spawner.mydomain.com 7551;
signon rhost authdomain="ConnectAuth";

 

When this code is run:

 

  • If the end user is a member of "Group A" they authenticate with Credential Set 1,
  • If the end user is a member of "Group B" they authenticate with Credential Set 2,
  • If the end user is Bob, they authenticate with Credential Set 3.

It is important to ensure that an end user is not in both "Group A" and "Group B". Depending on your specific LDAP group structure you might find it easier to associate credential sets with SAS Viya custom groups rather than LDAP groups to meet this requirement.

 

Also, although we have said LDAP groups in the discussion above, those could be groups provided through SCIM, if you are using SCIM instead of LDAP.

 

Use Case for Token Authentication Domains

 

The use case for a Token Domain is slightly different. The credential set in a Token Domain is a refresh token for a specific user within the same SAS Viya environment. That refresh token is valid with SAS Logon Manager in that SAS Viya environment and not valid anywhere else.

 

Using a Token Domain only makes sense when you want a group of users within the SAS Viya environment to authenticate to the SAS/CONNECT Spawner in the same SAS Viya environment with a shared account. If you wanted the end users to authenticate as themselves to the SAS/CONNECT Spawner in the same SAS Viya environment, you would just use OAuth Token authentication.

 

If you do want to have a group of users, use a shared account for authenticating to the SAS/CONNECT Spawner inside the same SAS Viya environment, using the Token Domain makes more sense than using a Password Domain. The credential set in the Token Domain is refreshed each time it is used, whereas the credential set in the Password Domain would need to be updated each time the password changes for the shared account.

 

Setting up the credential set in the Token Domain does require a bit more configuration by a member of SAS Administrators. As well as creating the Authentication Domain, they will need to setup additional rules that allow the shared account to store the refresh token. This is covered in the documentation under Group Managed Service Accounts Used with Compute and CAS.

 

For example, if the shared account is called SASServiceUser1 and our Token Domain is called ConnectTokenDomain the rules would be:

 

/SASEnvironmentManager/domains
PrincipalType: User
Principal: SASServiceUser1
Permission: Read

/credentials/domains/ConnectTokenDomain/groups/*
PrincipalType: User
Principal: SASServiceUser1
Permission: Create,Read,Update,Delete

/credentials/domains/ConnectTokenDomain/users/*
PrincipalType: User
Principal: SASServiceUser1
Permission: Create,Read,Update,Delete

/credentials/domains/ConnectTokenDomain/credentials
PrincipalType: User
Principal: SASServiceUser1
Permission: Read

 

Once the member of SAS Administrators has completed these steps anyone with access to the credentials for the SASServicesUser1 can log in with that user and store the refresh token. When the refresh token is stored that is linked to a custom group, external LDAP or SCIM group, or a user. Then members of the custom group, external LDAP or SCIM group, or an individual user will be able to access that stored refresh token. As such they will be able to run code like the following:

 

%let rhost=sas-connect-spawner 17551;
signon rhost authdomain="ConnectTokenDomain";

 

Which will authenticate them to the SAS/CONNECT Spawner inside the SAS Viya environment as the SASServicesUser1.

 

Conclusion

 

The update to the SAS/CONNECT client in the SAS Viya 2025.03 release is targeted at making your migration of code from SAS 9.4 to SAS Viya easier. By adding support of Authentication Domains to the SAS/CONNECT client in SAS Viya you should be able to run your SAS 9.4 code as-is without changes in SAS Viya. This is based on the assumption that you have correctly defined the Authentication Domains in SAS Viya first.

 

 

Find more articles from SAS Global Enablement and Learning here.

Version history
Last update:
‎03-17-2025 06:11 AM
Updated by:
Contributors

sas-innovate-white.png

Special offer for SAS Communities members

Save $250 on SAS Innovate and get a free advance copy of the new SAS For Dummies book! Use the code "SASforDummies" to register. Don't miss out, May 6-9, in Orlando, Florida.

 

View the full agenda.

Register now!

SAS AI and Machine Learning Courses

The rapid growth of AI technologies is driving an AI skills gap and demand for AI talent. Ready to grow your AI literacy? SAS offers free ways to get started for beginners, business leaders, and analytics professionals of all skill levels. Your future self will thank you.

Get started

Article Tags