SAS Viya 3.5 OpenID Connect with WSO2
SAS Viya has supported integration with a third-party OpenID Connect provider since SAS Viya 3.3. In this article I want to look at configuring SAS Viya 3.5 to use WSO2 Identity Server as the third-party OpenID Connect provider. WSO2 Identity Server also offers SAML integration, but for the purposes of this article I will be focusing on OpenID Connect.
What is WSO2 Identity Server
WSO2 Identity Server is an Identity and Access Management (IAM) solution available for multiple operating systems and is also provided as a cloud-based subscription option. WSO2 describes Identity Server as:
For the purposes of writing this article, I have used WSO2 Identity Server deployed to a Microsoft Windows Server and connected it to Active Directory. This is the same Active Directory that the SAS Viya Identities microservice is connected to. So, the same users are available in WSO2 Identity Server and SAS Viya.
WSO2 Identity Server Configuration
First, we will configure WSO2 Identity Server. Since we have Active Directory defined as a User Store for WSO2 Identity Server and SAS Viya Identities microservice is configured against the same Active Directory we want to authenticate users based on their sAMAccountName attribute. This will ensure the end-users authenticating with OpenID Connect are correctly identified with the Identities microservice.
To ensure changes do not impact other applications using WSO2 Identity Server we will define a new Claim for the end-user’s sAMAccountName. In the WSO2 Identity Server Management Console complete the following:
- Select Add under Claims
- Select Add External Claim
- Select http://wso2.org/oidc/claim as Dialect URI
- Enter SASuserid as External Claim URI
- Select http://wso2.org/claims/externalid as Mapped Local Claim
- Select Add
- Select List under Claims
- Select http://wso2.org/claims
- Select Edit for External User ID
- Select Add Attribute Mapping
- Select the Active Directory Domain under User Store Domain Name
- Enter sAMAccountName as Mapped Attribute
- Select Supported by Default
- Select Update
- Select List under OIDC Scopes
- Select Add claims against openid
- Select Add OIDC Claim
- Select SASuserid
- Select Finish
We can confirm that the External User ID is present for our Active Directory users by selecting List under Users and Roles, then Users, and User Profile against one of the Active Directory users. Because we selected Supported by Default earlier this will be included in the User Profile and will contain the sAMAccountName for the Active Directory user.
Now that the mapping of sAMAccountName to an available OpenID Connect claim is complete the SAS Viya environment can be added as a Service Provider. Complete the following steps in the WSO2 Identity Server Management Console
- Select Add under Service Providers
- Select Manual Configuration
- Enter a name for the Service Provider, for example "SAS Viya", and a description if required
- Select Register
- Expand Claim Configuration
- Select Use Local Claim Dialect
- Select Add Claim URI
- Select http://wso2.org/claims/externalid as Local Claim
- Select Mandatory Claim
- This should look like the following:
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page. - Expand Inbound Authentication Configuration
- Expand OAuth/OpenID Connect Configuration and select Configure
- Ensure only Code and Refresh Token are selected Allowed Grant Types
- Enter the Callback Url as: http://<sasviya.hostname>/SASLogon/login/callback/external_oauth
- Select SSO Session Based as Access Token Binding Type
- Select JWT as Token Issuer
- Select Add
- You will be returned to the initial page and the OAuth Client Key and OAuth Client Secret will be displayed. These should be copied to be entered in SAS Environment Manager for the SAS Logon Manager configuration. This will look like the following:
- Select Update
This completes adding SAS Logon Manager as a Service Provider in WSO2 Identity Server. Further configuration is completed within SAS Viya.
TLS Trust
SAS Logon Manager will directly connect to WSO2 Identity Server to exchange the authorization code for the OpenID Connect ID Token. This means that SAS Logon Manager must be able to trust the certificate presented by the WSO2 Identity Server. If the WSO2 Identity Server certificate is signed by a commercial Certificate Authority (CA) then the CA certificate is most likely already included in the SAS Viya trust stores. Otherwise, you will need to add the CA certificate or Server Certificate, if it is self-signed, to the SAS Viya trust stores. The official documentation covers managing the trust stores.
If a self-signed certificate is used for WSO2 Identity Server, the following Java keytool command can be used to extract the server certificate:
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file pkn.pem
Then OpenSSL can be used to convert from a binary format into a BASE64 format:
openssl x509 -inform der -in pkn.pem -outform PEM -out pkn_pem.pem
This BASE64 format file can then be added to the SAS Viya trust stores.
Extracting the Public Key
The private key for WSO2 Identity Server is used to sign the ID Token. SAS Logon Manager requires access to the corresponding public key to validate the signature. With WS02 Identity Server 5.10.0 the JWKS URL only provides the modulus of this public key, which is not enough for SAS Logon Manager. Therefore, we need to manually extract the public key from the WS02 Identity Server certificate.
The Java Keytool command shown above, in the previous section, can be used to extract the Server Certificate from the Java keystore used by WSO2 Identity Server. OpenSSL can then be used to display the corresponding public key from this Server Certificate:
openssl x509 -pubkey -noout -inform der -in pkn.pem
This should output something like the following:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvgPrTfqlkEre5ifB0/M
1we4Irxh+VyQSGnfOS+pqUJN2hAyo3Qx0zqwX5six4TXiJetDzzU1R50zEtrw3um
gEWAXVj/oQxT+CQvFj+2tYAghk4G/eokGUauqeCsEtnI8O/9o1mATQ+IiVJcpG7H
JbZGK4escnpBL3TiRV75g9RxzSiKJAsEycLwyaJ8hbgSCbhO6pblzAIK/VErSGJ9
HPW2fpjDlBGYN0llM/q+2oFhPvIgEcaH6kZZiDcMGmw1ey/XzjRXP8i2JluxOjzm
4d2ILFTjyI50VM/ShThNfUfsfLMl64JFlxoeRMIzhSG7EE/plyGzQnpl5rHH7JMW
dwIDAQAB
-----END PUBLIC KEY-----
This will be required for the configuration of SAS Logon Manager.
SAS Viya Configuration
The SAS Viya configuration is completed within SAS Environment Manager. The settings are all contained within the sas.logon.oauth.providers.external_oauth definition. The following table provides the settings that are required for integration with WSO2:
| Attribute | Value |
|---|---|
| addShadowUserOnLogin: | True |
| attributeMappings.user_name: | SASuserid |
| authUrl: | https://<<WSO2_DOMAIN>>/oauth2/authorize |
| clientAuthInBody: | (not set) |
| discoveryUrl: | https://<<WSO2_DOMAIN>>/oauth2/oidcdiscovery/.well-known/openid-configuration |
| emailDomain: | <<Customer email domain(s)>> |
| issuer: | https://<<WSO2_DOMAIN>>/oauth2/token |
| linkText: | Sign-in with WSO2 |
| passwordGrantEnabled: | False |
| relyingPartyId: | <<CLIENT KEY>> |
| relyingPartySecret: | <<CLIENT SECRET>> |
| responseType: | (not set) |
| scopes: | openid |
| showLinkText: | True |
| tokenKey: | <<PUBLIC KEY>> |
| tokenKeyUrl: | (not set) |
| tokenUrl: | https://<<WSO2_DOMAIN>>/oauth2/token |
| type: | oidc1.0 |
| userInfoUrl: | (not set) |
The <<CLIENT KEY>> and <<CLIENT SECRET>> will be the values copied from the WSO2 Identity Server Management Console. The authUrl, discoveryUrl, issuer, and tokenUrl values will have the standard form shown in the table above, also all these values can be discovered from the https://<<WSO2_DOMAIN>>/oauth2/oidcdiscovery/.well-known/openid-configuration URL.
The attributeMappings.user_name attribute is set to SASuserid which will return the sAMAccountName from the ID Token. This is only available because we added the configuration in the WSO2 Identity Server Management Console to create this additional claim. Finally, since the public key corresponding to the private key used to create the signature is not directly available from the WSO2 Identity Server this is entered manually into the tokenKey attribute.
With this configuration complete you can either wait for the configuration key/values to refresh or SAS Logon Manager can be restarted, for example on RedHat with:
systemctl restart sas-viya-saslogon-default
Then when end-users access the SAS Viya environment the SAS Logon Manager form will now include the link to authenticate with WS02 Identity Server. If you want to provide true Single Sign-On where the SAS Logon Manager form is not displayed, you’ll need to follow the steps we’ve discussed before leveraging the login_hint parameter.
With the current setup once the end-user has authenticated to WSO2 Identity Server they are asked for confirmation to share their External User ID with SAS Viya. As shown here:
This can be disabled in WSO2 Identity Server Management Console. Under the SAS Viya Service Provider expand Local & Outbound Authentication Configuration and select Skip Login Consent. This will prevent the consent screen being displayed to end-users.
Remember, for the end-users to be correctly authenticated to the SAS Viya environment the value returned by SASuserid from WSO2 must match the value returned from your LDAP provider as sas.identities.providers.ldap.user.accountID, by default sAMAccountNAme.
Conclusion
WSO2 Identity Server is an alternative OpenID Connect provider that some customers might already be using for other applications. Getting the correct configuration setup in WSO2 Identity Server will be key to successfully implementing this authentication mechanism. The setup within SAS Viya 3.5 is straightforward so long as you are aware of and have planned for the correct format of username.
