
SAS Viya 3.4 Single Sign-On & Sign-Out with SAS 9.4

Started 12-22-2018
Modified 12-22-2018

In this post I want to further explore the new authentication option for SAS Logon Manager on SAS Viya 3.4. This option enables tight integration between SAS Viya 3.4 and an existing SAS 9.4 environment. Specifically, it will enable the authentication to the SAS Viya 3.4 visual interfaces to be performed by the SAS 9.4 Logon Manager.

 

The integration enables the end-user of the SAS Viya 3.4 visual interfaces to authenticate with the SAS 9.4 Logon Manager; none of the authentication occurs in the SAS Viya 3.4 Logon Manager. Any authentication mechanism supported by SAS 9.4 is supported with this configuration, and any version of SAS 9.4 is supported: the SAS 9.4 environment does not have to be running the latest maintenance release.

 

This authentication configuration only affects the SAS Viya 3.4 visual interfaces that use the SAS Logon Manager. An LDAP provider is still required and is still used by the Identities microservice. For non-browser-based authentication to the SAS Viya Logon Manager the credentials are passed to the SAS 9.4 Logon Manager first, then tried against LDAP if that fails. This means that the Administration Command Line Interface (CLI) and the SAS Mobile application still authenticate against the SAS Viya Logon Manager, which in turn tries SAS 9.4 and then LDAP. SAS Studio 4.4 is not affected by this configuration.

 

The flow for this configuration can be drawn as:

[Image: authentication flow between the client browser, SAS Viya Logon Manager, SAS 9.4 Middle-Tier and the Identities microservice]

 

Where:

  1. The client browser connects to SAS Viya Logon Manager.
  2. If the request to SAS Logon does not have an existing session the SAS Viya Logon Manager displays the logon form that contains a link to perform SAS 9.4 authentication and the form to do LDAP authentication. If the end-user selects the link, SAS Logon constructs an authentication request and redirects the client browser to the SAS 9.4 Middle-Tier.
  3. The client authenticates to SAS 9.4, obtains a Service Ticket and is redirected back to SAS Logon Manager on SAS Viya.
  4. The client connects to SAS Logon Manager on SAS Viya including the SAS 9.4 Service Ticket in the request.
  5. SAS Logon Manager on SAS Viya connects to SAS 9.4 Middle-Tier to validate the Service Ticket and hence the End-User.
  6. SAS Logon connects to the identities microservice to fetch custom and LDAP group information for the validated End-User.
  7. The identities microservice either looks up the validated End-User in its cache or connects to Active Directory using the LDAP Service Account to update the cache.

We will need to configure SAS 9.4 to tell it about the SAS Viya 3.4 environment, as well as SAS Viya 3.4 to tell it about the SAS 9.4 environment.

 

SAS 9.4 Configuration

The SAS 9.4 configuration is completed in SAS Management Console. Only one metadata property needs to be defined. This property was introduced in SAS 9.4 Maintenance 3, so if the SAS 9.4 environment is earlier than that, the property is not required.

 

The property is an advanced property for Logon Manager 9.4:

Property Name = ServiceUrl.Allowed
Property Value =  https://viya.sas.example.com/SASLogon/**

This is the URL of the SAS Viya Logon Manager with "/**" appended. Both the letter case of the property name and the double stars are required. Keep the pattern scoped to the SAS Viya Logon Manager URL: this value lists the service URLs for which SAS 9.4 will issue a Service Ticket, so a broader pattern would allow tickets to be issued to other destinations than the one you intend.

 

In SAS Management Console this will look like the following:

[Image: SAS Management Console showing the ServiceUrl.Allowed advanced property on Logon Manager 9.4]


If additional addresses will be used to reach the SAS Viya Logon Manager, add them as comma-separated values in the Property Value field.

 

Once this change has been made, all instances of SASServer1 must be restarted to pick up the new property.
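The hand-off in steps 1 to 7 and the ServiceUrl.Allowed check can be modelled end to end. The following Python is an added example written for this page, not SAS code: it stands in for both Logon Managers, issues a one-time Service Ticket bound to the service URL it was requested for, and refuses service URLs that fall outside the ServiceUrl.Allowed patterns (including the comma-separated form). The `service` and `ticket` query parameters, the `ST-` ticket prefix, the `/login` callback path and the test accounts are assumptions, not details from the post.

```python
"""Model of the browser sign-in hand-off from the SAS Viya 3.4 Logon Manager to
the SAS 9.4 Logon Manager (added example, not SAS code). Assumed, not from the
post: CAS-style `service`/`ticket` query parameters, an `ST-` ticket prefix,
`/login` as the SAS Viya URL that receives the ticket, and the test accounts."""
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def service_allowed(allowed_value: str, service_url: str) -> bool:
    """Match a service URL against a comma-separated ServiceUrl.Allowed value.
    '**' matches anything including '/', '*' matches within one path segment,
    and every pattern is anchored at both ends so a host cannot be extended."""
    for raw in allowed_value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        regex = re.escape(raw).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
        if re.fullmatch(regex, service_url):
            return True
    return False

def ticket_from(url: str) -> Optional[str]:
    """Return the `ticket` query parameter carried on a redirect URL, if any."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]

def strip_domain(username: str) -> str:
    """The post says a domain-qualified name loses its domain on the SAS Viya
    side; the DOMAIN\\user form is the one modelled here (assumption)."""
    return username.rsplit("\\", 1)[-1]


class Sas9LogonManager:
    """Stand-in for the SAS 9.4 Logon Manager: issues and validates Service Tickets."""

    def __init__(self, service_url_allowed: str, users: Dict[str, str]):
        self.service_url_allowed = service_url_allowed
        self._users = users                        # constructed test accounts (model only)
        self._tickets: Dict[str, Tuple[str, str]] = {}   # ticket -> (user, service)

    def login(self, user: str, password: str, service: str) -> Optional[str]:
        """Step 3: authenticate, then redirect back to `service` carrying a ticket."""
        if not service_allowed(self.service_url_allowed, service):
            return None                            # unlisted service URL: no ticket at all
        if self._users.get(user) != password:
            return None
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service)
        parts = urlsplit(service)
        query = parse_qs(parts.query)
        query["ticket"] = [ticket]
        return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))

    def validate(self, ticket: str, service: str) -> Optional[str]:
        """Step 5: a ticket is good once, and only for the service it was issued to."""
        entry = self._tickets.pop(ticket, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]


class ViyaLogonManager:
    """Stand-in for the SAS Viya 3.4 Logon Manager with sas.logon.sas9 enabled."""

    def __init__(self, viya_logon_url: str, sas9_logon_url: str, sas9: Sas9LogonManager):
        self.service = viya_logon_url.rstrip("/") + "/login"   # assumed ticket-receiving URL
        self._sas9_login = sas9_logon_url.rstrip("/") + "/login"
        self.sas9 = sas9

    def sas9_redirect(self) -> str:
        """Step 2: the redirect issued when the end-user selects the SAS 9.4 link."""
        return self._sas9_login + "?" + urlencode({"service": self.service})

    def callback(self, url: str) -> Optional[str]:
        """Steps 4-5: take the ticket off the returned URL and validate it with SAS 9.4."""
        ticket = ticket_from(url)
        if ticket is None:
            return None
        service = urlunsplit(urlsplit(url)._replace(query="", fragment=""))
        user = self.sas9.validate(ticket, service)
        return strip_domain(user) if user else None   # step 6 hands this name to Identities


def browser_sign_in(viya: ViyaLogonManager, user: str, password: str) -> Optional[str]:
    """Drive steps 1-5 end to end; returns the username SAS Viya accepts, or None."""
    service = parse_qs(urlsplit(viya.sas9_redirect()).query)["service"][0]
    back_to_viya = viya.sas9.login(user, password, service)
    return viya.callback(back_to_viya) if back_to_viya else None

def demo() -> Tuple[Sas9LogonManager, ViyaLogonManager]:
    """Wire the two stand-ins together with the post's placeholder hostnames."""
    sas9 = Sas9LogonManager("https://viya.sas.example.com/SASLogon/**",
                            {"sasdemo": "Pass1234", "EXAMPLE\\alice": "Pass1234"})
    viya = ViyaLogonManager("https://viya.sas.example.com/SASLogon",
                            "https://sas9.sas.example.com/SASLogon", sas9)
    return sas9, viya

if __name__ == "__main__":
    sas9, viya = demo()
    print(browser_sign_in(viya, "sasdemo", "Pass1234"))
    print(sas9.login("sasdemo", "Pass1234", "https://other.example.com/SASLogon/login"))
```

Running it, the sign-in for sasdemo succeeds, a ticket presented a second time is rejected, a ticket issued for one service URL is not accepted for another, and a service URL outside the pattern (a different scheme, or a look-alike host that merely starts with the SAS Viya hostname) never gets a ticket at all, which is the property the ServiceUrl.Allowed value is protecting.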

 

SAS Viya Configuration

The SAS Viya 3.4 configuration is completed in SAS Environment Manager; no configuration files need to be changed. Within SAS Environment Manager select Configuration, then Definitions, and add a new configuration for sas.logon.sas9. This requires the URLs of both the SAS 9.4 Logon Manager and the SAS Viya Logon Manager.

 

The properties for the sas.logon.sas9 settings are:

Property                Description
autoLink                Automatically open the link to SAS 9 when the login page is displayed
enabled                 Enable sign-ins using SAS 9 credentials
linkText                The text of the hyperlink to display on the sign-in page
sas9LogonUrl            The URL of the SAS 9 Logon Manager (for example, https://sas9.sas.example.com/SASLogon)
showLinkText            Show the link text on the sign-in page
single.signOn.enabled   Redirect to SAS 9 for single sign-on
single.signOut.enabled  Local sign-out should also sign the user out of SAS 9
viyaLogonUrl            The URL of the SAS Viya Logon Manager (for example, https://viya.sas.example.com/SASLogon)


 In SAS Environment Manager this looks like:

[Image: SAS Environment Manager showing the sas.logon.sas9 configuration]


 

By default, the end-user is presented with a link at the bottom of the standard SAS Viya Logon Manager form; the text of the link is controlled by the "linkText" property listed above. With this default behavior end-users can choose either to authenticate with SAS 9.4 or to continue using the LDAP provider, and the sasboot user can still be used to access SAS Environment Manager.

 

Optionally, if "autoLink" is enabled the SAS Viya Logon Manager form is no longer displayed and end-users are redirected straight to the SAS 9.4 Logon Manager to authenticate. In that case end-users cannot use the LDAP provider, sasboot cannot be used to access SAS Environment Manager, and sign-in to the SAS Viya visual interfaces depends on the SAS 9.4 Middle-Tier being available. Make sure an administrator who can sign in through SAS 9.4 already holds the required SAS Viya permissions before enabling it.

 

TLS Trust

Both the SAS 9.4 and SAS Viya 3.4 environments must be able to trust the TLS certificates presented to each other. This means that the Certificate Authority chain must be added to the respective trust stores. On the SAS 9.4 environment the trust chain for the SAS Viya 3.4 environment must be added. If the SAS 9.4 environment is Maintenance 3 or higher, then this is completed using the SAS Deployment Manager. Ideally, the trust stores for multi-machine deployments are kept synchronized, so the SAS Deployment Manager task will be run on all the server hosts. But strictly speaking the CA chain is only required on hosts running an instance of SASServer1. For earlier releases of SAS 9.4 this can be completed using the Java Keytool application to create a trust store and providing this to all instances of SASServer1.

 

On the SAS Viya 3.4 environment the CA chain for the SAS 9.4 environment must be added to the trust store. Previously I posted about the ways to manage the trust stores for SAS Viya. Ideally this will be completed on all the server hosts of the SAS Viya 3.4 environment. But, strictly speaking this only needs to be completed on any hosts running SAS Logon Manager.

 

While we have referenced a Certificate Authority chain – if the TLS certificate for either SAS 9.4 or SAS Viya 3.4 is self-signed it will be the actual TLS certificate itself that is added. For example, the default deployment process for SAS Viya 3.4 will create a self-signed certificate for the Apache HTTP Server. This single certificate would then be added to the SAS 9.4 trust store.
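To see what the trust-store requirement means in practice, the following Python is an added example (not from the post or from SAS) that reproduces the check each Logon Manager performs when it calls the other: a TLS client that trusts only one bundle connects to a server presenting a given certificate. It shells out to `openssl` only to mint throwaway certificates for the two cases above, a CA-signed certificate and a stand-alone self-signed one; the hostnames are the placeholders used in this post, and no SAS trust store is read or modified.

```python
"""Loopback TLS trust check (added example, not SAS code).

Each side of the SAS 9.4 / SAS Viya 3.4 integration verifies the other's
certificate against its own trust store. This reproduces that check in
miniature. Assumptions: an `openssl` binary on PATH (used only to mint
throwaway test certificates) and the placeholder hostnames from the post."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading
from typing import Dict, Tuple


def _openssl(workdir: str, *args: str) -> None:
    subprocess.run(["openssl", *args], cwd=workdir, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

def make_fixtures() -> Dict[str, str]:
    """Mint a private CA plus a server cert it signed (the CA-chain case) and a
    stand-alone self-signed cert (the default SAS Viya Apache HTTP Server case)."""
    work = tempfile.mkdtemp(prefix="sas-tls-")
    _openssl(work, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=Example Root CA", "-keyout", "ca.key", "-out", "ca.pem")
    _openssl(work, "req", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=sas9.sas.example.com", "-keyout", "sas9.key", "-out", "sas9.csr")
    _openssl(work, "x509", "-req", "-days", "1", "-in", "sas9.csr", "-CA", "ca.pem",
             "-CAkey", "ca.key", "-CAcreateserial", "-out", "sas9.pem")
    _openssl(work, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=viya.sas.example.com", "-keyout", "viya.key", "-out", "viya.pem")
    names = ("ca.pem", "sas9.pem", "sas9.key", "viya.pem", "viya.key")
    return {n: os.path.join(work, n) for n in names}

def handshake(server_cert: str, server_key: str, trust_bundle: str) -> Tuple[bool, str]:
    """Return (trusted, reason) for a TLS client that trusts only `trust_bundle`."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(server_cert, server_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve() -> None:
        try:
            conn, _ = listener.accept()
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass            # a client that rejects our certificate aborts the handshake
        finally:
            listener.close()

    server = threading.Thread(target=serve, daemon=True)
    server.start()

    # Chain verification only: hostname binding is a separate check, and the
    # point here is what happens when the CA chain is missing from the store.
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_REQUIRED
    client_ctx.load_verify_locations(cafile=trust_bundle)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw) as tls:
                tls.sendall(b"x")
        result = (True, "verified against " + os.path.basename(trust_bundle))
    except ssl.SSLCertVerificationError as exc:
        result = (False, exc.verify_message)
    server.join(5)
    return result

if __name__ == "__main__":
    fx = make_fixtures()
    cases = {
        "CA-signed cert, its CA is in the store":  (fx["sas9.pem"], fx["sas9.key"], fx["ca.pem"]),
        "CA-signed cert, CA missing from store":   (fx["sas9.pem"], fx["sas9.key"], fx["viya.pem"]),
        "self-signed cert, itself in the store":   (fx["viya.pem"], fx["viya.key"], fx["viya.pem"]),
        "self-signed cert, only a CA in the store": (fx["viya.pem"], fx["viya.key"], fx["ca.pem"]),
    }
    for label, args in cases.items():
        print(f"{label}: {handshake(*args)}")
```

The two failing cases are the ones that bite in a real deployment: a CA-signed SAS 9.4 certificate whose CA chain was never added to the SAS Viya store, and a self-signed SAS Viya certificate that was not itself added to the SAS 9.4 store. Against live endpoints the same question is answered with `openssl s_client -connect sas9.sas.example.com:443 -CAfile <trust bundle>`; on a default SAS Viya 3.4 install the bundle the Logon Manager uses is the SAS Security Certificate Framework trustedcerts.pem (assumed path /opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/trustedcerts.pem).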

 

Compatibility of Usernames

Remember the Identities microservice must be able to take the username from the SAS 9.4 authentication event and correctly search for this in the defined LDAP provider for SAS Viya 3.4. This means that while you could log into SAS 9.4 using an internal account "@saspw", these will not work with SAS Viya 3.4 since they will not exist in the LDAP provider. Equally, you could sign into SAS 9.4 with an account that does not exist in any LDAP provider, for example a Google account. This again would not work with SAS Viya 3.4 unless the Google account was the AccountID used by the Identities microservice. Finally, domain-qualified usernames cannot be used with SAS Viya 3.4, even if the SAS 9.4 environment passed the domain-qualified username the domain will be stripped.


 

Single Sign-On & Single Sign-Out

The final two options are for Single Sign-On and Single Sign-Out. The first, for Single Sign-On, is self-explanatory; accessing the SAS Viya 3.4 applications from an active SAS 9.4 session will provide seamless access, there will be no need to sign-in again. The second requires slightly more explanation.

 

Single Sign-Out is actioned from the SAS Viya 3.4 side. If a user has two browser tabs open, one with a SAS Viya 3.4 web application and the other with a SAS 9.4 web application, selecting sign-out in the SAS Viya 3.4 web application also signs the user out of the SAS 9.4 web application. The reverse is not true: if the user signs out from the SAS 9.4 web application, they are not signed out of the SAS Viya 3.4 web application, and that SAS Viya 3.4 session remains active.

 

Impact for OTP

Since SAS Viya 3.3, SAS has supported directly accessing a SAS Cloud Analytic Services (CAS) server from a SAS 9.4 Maintenance 5 SAS session. One type of access supported is from a SAS 9.4 M5 session that uses a launch credential, such as a Stored Process Server, a Pooled Workspace Server, or a Workspace Server using Token Authentication. I examined this configuration in an earlier post: a One-Time-Password generated for the SAS 9.4 M5 session is validated by the SAS Viya Logon Manager against the SAS 9.4 M5 Middle-Tier.

 

The new Single Sign-On & Sign-Out configuration option for SAS Viya 3.4 with SAS 9.4 has a minor impact on the setting used to validate the One-Time-Password. In the first release of SAS Viya 3.4 a minor bug prevents the property required for validating the One-Time-Password from being specified correctly in SAS Environment Manager. The workaround is to set the property directly with the SAS Bootstrap Config tool.

 

First initialize the environment variables required to use the SAS Bootstrap Config tool:

# Read the local Consul client token from the SAS Security Certificate Framework token store,
# then source the Consul connection settings (address, port, TLS) used by sas-bootstrap-config.
export CONSUL_TOKEN=$(cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token)
source /opt/sas/viya/config/consul.conf

 

Then set the property value:

# baseServicesUrl is the base URL of the SAS 9.4 Middle-Tier (scheme, host and port of the SAS Web Server)
# that SAS Logon calls to validate the One-Time-Password; use the https address if the SAS 9.4 Middle-Tier is TLS-enabled.
/opt/sas/viya/home/bin/sas-bootstrap-config kv write --force -key config/SASLogon/sas.logon.sas9/baseServicesUrl -value http://sas94.middletier.customer.com:7980

# Read the value back to confirm it was written (the kv read subcommand is assumed here; it is not shown in the original post).
/opt/sas/viya/home/bin/sas-bootstrap-config kv read config/SASLogon/sas.logon.sas9/baseServicesUrl

 

This issue was resolved in the late 2018 release of SAS Viya 3.4, where the "sas9LogonUrl" value in SAS Environment Manager is correctly formatted to provide the "baseServicesUrl" required to validate the One-Time-Password.

 
