SAS Viya has supported integration with a third-party OpenID Connect provider since SAS Viya 3.3. In this article I want to look at configuring SAS Viya 3.5 to use Ping Identity as the third-party OpenID Connect provider. Ping Identity offer both PingFederate which is an on-prem solution and PingOne is a cloud-based solution. With both PingFederate and PingOne either SAML or OpenID Connect can be used for authentication, for the purposes of this article I will focus on OpenID Connect.
Ping Identity is a major Identity and Access Management (IAM) provider with solutions that work in any on-premises, cloud and hybrid environment. As they state on their website:
At Ping Identity, we champion the unique identity of enterprises to simplify how they provide secure and seamless digital experiences for their workforce and customers. We help prevent security breaches, increase productivity and provide personalized experiences. With a world-class network of partners, our singular focus is on enterprise customers and their success.
PingFederate is the on-premises solution which is described as:
PingFederate is an enterprise federation server that enables user authentication and single sign-on. It serves as a global authentication authority that allows employees, customers and partners to securely access all the applications they need from any device. PingFederate easily integrates with applications across the enterprise, third-party authentication sources, diverse user directories and existing IAM systems, all while supporting current and past versions of identity standards like OAuth, OpenID Connect, SAML and WS-Federation.
PingOne is the cloud-based solution that provides Identity as a Service, which is described as:
PingOne is a best-in-class Identity-as-a-Service (IDaaS) offering for organizations that prefer a more hands-free approach to identity and access management (IAM) for their customers and workforce.
PingFederate and PingOne offer both OpenID Connect and SAML to provide Single Sign-On into other applications. Here we are only concerned with one of the options: OpenID Connect.
All the steps documented here were made possible by Ping Identity providing me with a developer account and free trial licenses.
I found that PingFederate is a very powerful and easily customized package. At times the wealth of different options to configure made it confusing. To simplify the explanation of what was configured I created the diagram below:
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
We will walk through the configuration in the order shown in the diagram from 1-8. All this configuration is completed in the web administration console for PingFederate: https://<<hostname>>:9999/pingfederate/app. Which will result in being able to authenticate our Active Directory users through PingFederate using OpenID Connect. The steps are:
With all this complete, PingFederate will provide SAS Logon Manager with the end-users sAMAccountName as the preferred_username from Active Directory when the SASscope is requested.
I decided to add the new SASscope since I wanted to separate the additional configuration for SAS Viya from any existing configuration. This should ensure the configuration shown above has no impact on any existing applications integrated with Ping Federate. However, if Ping Federate is already configured to provide the sAMAccountName as the preferred_username this is not necessary. Equally, if no other applications are integrated with Ping Federate, the default scope can be updated instead of creating the new SASscope.
PingOne, as a cloud-based "Identity as a Service" (IaaS) offering, has less configuration options than PingFederate. Again, I’ve created a graphic to show what was configured.
Since we want to authenticate our Active Directory users into SAS Viya using PingOne we need to get those Active Directory users into PingOne. Ping Identity provides an application that is installed on-prem to synchronize the Active Directory content into PingOne, called AD Connect. So, the first step was to follow the Ping Identity documentation to deploy this component onto a Windows Server within the Active Directory domain. This makes the Active Directory users available to PingOne.
The rest of the configuration is completed in the PingOne web administration console: https://admin.pingone.com/web-portal. Under Applications, My Applications, OIDC we select Add Application and complete the following details:
In testing, PingOne was only able to provide the sAMAccountName to SAS Logon Manager when it was mapped to the sub attribute. Any attempts to define additional scopes, in the same way I did with PingFederate, did not work. But since the mapping is specific to the SAS Viya client definition it does not impact any other client applications defined in PingOne.
This completes all the configuration required in PingOne.
The SAS Viya configuration is completed within SAS Environment Manager. The settings are all contained within the sas.logon.oauth.providers.external_oauth definition. The following table provides the settings that are required for integration with PingFederate:
Attribute | Value |
---|---|
addShadowUserOnLogin: | True |
attributeMappings.user_name: | preferred_username |
authUrl: | https://<<PING_HOST>>:<<PING_PORT>>/as/authorization.oauth2 |
clientAuthInBody: | False |
discoveryUrl: | https://<<PING_HOST>>:<<PING_PORT>>/.well-known/openid-configuration |
emailDomain: | <<Customer email domain(s)>> |
issuer: | (not set) |
linkText: | Sign-in with PingFederate |
passwordGrantEnabled: | False |
relyingPartyId: | <<CLIENT_ID>> |
relyingPartySecret: | <<CLIENT_SECRET>> |
responseType: | (not set) |
scopes: | openid,SASscope |
showLinkText: | True |
tokenKey: | (not set) |
tokenKeyUrl: | (not set) |
tokenUrl: | https://<<PING_HOST>>:<PING_PORT>>/as/token.oauth2 |
type: | oidc1.0 |
userInfoUrl: | (not set) |
The <<CLIENT ID>> and <<CLIENT SECRET>> will need to be copied from the PingFederate administrative interface. The authUrl, discoveryUrl, and tokenUrl values will have the standard form shown in the table above, also all these values can be discovered from the https://<<PING_HOST>>:<<PING_PORT>>/.well-known/openid-configuration URL.
The other two specific properties, for PingFederate, control the username that SAS Viya will obtain from the ID Token provided by PingFederate. The attributeMappings.user_name attribute is set to preferred_username which will return the username from the ID Token. However, to ensure that PingFederate includes the preferred_username claim in the ID Token the scopes attribute must be set to "openid,SASscope". If SASscope is not included in the scopes then the preferred_username will not be added to the claims in the ID Token, and so the username will not be available to SAS Viya.
With this configuration complete, you can either wait for the configuration key/values to refresh or SAS Logon Manager can be restarted, for example on RedHat with:
systemctl restart sas-viya-saslogon-default
The following table provides the settings that are required for integration with PingOne:
Attribute | Value |
---|---|
addShadowUserOnLogin: | True |
attributeMappings.user_name: | sub |
authUrl: | https://sso.connect.pingidentity.com/sso/as/authorization.oauth2 |
clientAuthInBody: | False |
discoveryUrl: | https://sso.connect.pingidentity.com/<<CLIENT ID>>/.well-known/openid-configuration |
emailDomain: | <<Customer email domain(s)>> |
issuer: | (not set) |
linkText: | Sign-in with PingOne |
passwordGrantEnabled: | False |
relyingPartyId: | <<CLIENT_ID>> |
relyingPartySecret: | <<CLIENT_SECRET>> |
responseType: | (not set) |
scopes: | openid |
showLinkText: | True |
tokenKey: | (not set) |
tokenKeyUrl: | (not set) |
tokenUrl: | https://sso.connect.pingidentity.com/sso/as/token.oauth2 |
type: | oidc1.0 |
userInfoUrl: | (not set) |
The <<CLIENT ID>> and <<CLIENT SECRET>> will need to be copied from the PingOne administrative interface. The authUrl, discoveryUrl, and tokenUrl values will have the standard form shown in the table above, also all these values can be discovered from the https://sso.connect.pingidentity.com/<<CLIENT ID>>/.well-known/openid-configuration URL.
The other specific property, for PingOne, controls the username that SAS Viya will obtain from the ID Token provided by PingOne. The attributeMappings.user_name attribute is set to sub which will return the username from the ID Token. This is dependent on the mapping configured in the PingOne administrative interface.
With this configuration complete, you can either wait for the configuration key/values to refresh or SAS Logon Manager can be restarted, for example on RedHat with:
systemctl restart sas-viya-saslogon-default
Then when end-users access the SAS Viya environment the SAS Logon Manager form will now include the link to authenticate with either PingFederate or PingOne. If you want to provide true Single Sign-On where the SAS Logon Manager form is not displayed, you’ll need to follow the steps we’ve discussed before leveraging the login_hint parameter.
Remember, for the end-users to be correctly authenticated to the SAS Viya environment the value returned by PingFederate or PingOne must match the value returned from your LDAP provider as sas.identities.providers.ldap.user.accountID, by default sAMAccountName.
Ping Identity is a popular authentication provider offering both on-premises and Identity as a Service options. With SAS Viya 3.5, customers can configure authentication and single sign-on with Ping Identity using OpenID Connect. Getting the correct configuration setup in PingFederate or PingOne will be key to successfully implementing this authentication mechanism. The setup within SAS Viya 3.5 is straightforward so long as you are aware of and have planned for the correct format of username.
SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.