SAS Viya has supported integration with a third-party OpenID Connect provider since SAS Viya 3.3. In this article I want to look at configuring SAS Viya 3.5 to use WSO2 Identity Server as the third-party OpenID Connect provider. WSO2 Identity Server also offers SAML integration, but for the purposes of this article I will be focusing on OpenID Connect.
WSO2 Identity Server is an Identity and Access Management (IAM) solution available for multiple operating systems and is also provided as a cloud-based subscription option. WSO2 describes Identity Server as:
For the purposes of writing this article, I have used WSO2 Identity Server deployed to a Microsoft Windows Server and connected it to Active Directory. This is the same Active Directory that the SAS Viya Identities microservice is connected to. So, the same users are available in WSO2 Identity Server and SAS Viya.
First, we will configure WSO2 Identity Server. Since we have Active Directory defined as a User Store for WSO2 Identity Server and SAS Viya Identities microservice is configured against the same Active Directory we want to authenticate users based on their sAMAccountName attribute. This will ensure the end-users authenticating with OpenID Connect are correctly identified with the Identities microservice.
To ensure changes do not impact other applications using WSO2 Identity Server we will define a new Claim for the end-user’s sAMAccountName. In the WSO2 Identity Server Management Console complete the following:
We can confirm that the External User ID is present for our Active Directory users by selecting List under Users and Roles, then Users, and User Profile against one of the Active Directory users. Because we selected Supported by Default earlier this will be included in the User Profile and will contain the sAMAccountName for the Active Directory user.
Now that the mapping of sAMAccountName to an available OpenID Connect claim is complete the SAS Viya environment can be added as a Service Provider. Complete the following steps in the WSO2 Identity Server Management Console
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
This completes adding SAS Logon Manager as a Service Provider in WSO2 Identity Server. Further configuration is completed within SAS Viya.
SAS Logon Manager will directly connect to WSO2 Identity Server to exchange the authorization code for the OpenID Connect ID Token. This means that SAS Logon Manager must be able to trust the certificate presented by the WSO2 Identity Server. If the WSO2 Identity Server certificate is signed by a commercial Certificate Authority (CA) then the CA certificate is most likely already included in the SAS Viya trust stores. Otherwise, you will need to add the CA certificate or Server Certificate, if it is self-signed, to the SAS Viya trust stores. The official documentation covers managing the trust stores.
If a self-signed certificate is used for WSO2 Identity Server, the following Java keytool command can be used to extract the server certificate:
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file pkn.pem
Then OpenSSL can be used to convert from a binary format into a BASE64 format:
openssl x509 -inform der -in pkn.pem -outform PEM -out pkn_pem.pem
This BASE64 format file can then be added to the SAS Viya trust stores.
The private key for WSO2 Identity Server is used to sign the ID Token. SAS Logon Manager requires access to the corresponding public key to validate the signature. With WS02 Identity Server 5.10.0 the JWKS URL only provides the modulus of this public key, which is not enough for SAS Logon Manager. Therefore, we need to manually extract the public key from the WS02 Identity Server certificate.
The Java Keytool command shown above, in the previous section, can be used to extract the Server Certificate from the Java keystore used by WSO2 Identity Server. OpenSSL can then be used to display the corresponding public key from this Server Certificate:
openssl x509 -pubkey -noout -inform der -in pkn.pem
This should output something like the following:
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhvgPrTfqlkEre5ifB0/M 1we4Irxh+VyQSGnfOS+pqUJN2hAyo3Qx0zqwX5six4TXiJetDzzU1R50zEtrw3um gEWAXVj/oQxT+CQvFj+2tYAghk4G/eokGUauqeCsEtnI8O/9o1mATQ+IiVJcpG7H JbZGK4escnpBL3TiRV75g9RxzSiKJAsEycLwyaJ8hbgSCbhO6pblzAIK/VErSGJ9 HPW2fpjDlBGYN0llM/q+2oFhPvIgEcaH6kZZiDcMGmw1ey/XzjRXP8i2JluxOjzm 4d2ILFTjyI50VM/ShThNfUfsfLMl64JFlxoeRMIzhSG7EE/plyGzQnpl5rHH7JMW dwIDAQAB -----END PUBLIC KEY-----
This will be required for the configuration of SAS Logon Manager.
The SAS Viya configuration is completed within SAS Environment Manager. The settings are all contained within the sas.logon.oauth.providers.external_oauth definition. The following table provides the settings that are required for integration with WSO2:
|emailDomain:||<<Customer email domain(s)>>|
|linkText:||Sign-in with WSO2|
The <<CLIENT KEY>> and <<CLIENT SECRET>> will be the values copied from the WSO2 Identity Server Management Console. The authUrl, discoveryUrl, issuer, and tokenUrl values will have the standard form shown in the table above, also all these values can be discovered from the https://<<WSO2_DOMAIN>>/oauth2/oidcdiscovery/.well-known/openid-configuration URL.
The attributeMappings.user_name attribute is set to SASuserid which will return the sAMAccountName from the ID Token. This is only available because we added the configuration in the WSO2 Identity Server Management Console to create this additional claim. Finally, since the public key corresponding to the private key used to create the signature is not directly available from the WSO2 Identity Server this is entered manually into the tokenKey attribute.
With this configuration complete you can either wait for the configuration key/values to refresh or SAS Logon Manager can be restarted, for example on RedHat with:
systemctl restart sas-viya-saslogon-default
Then when end-users access the SAS Viya environment the SAS Logon Manager form will now include the link to authenticate with WS02 Identity Server. If you want to provide true Single Sign-On where the SAS Logon Manager form is not displayed, you’ll need to follow the steps we’ve discussed before leveraging the login_hint parameter.
With the current setup once the end-user has authenticated to WSO2 Identity Server they are asked for confirmation to share their External User ID with SAS Viya. As shown here:
This can be disabled in WSO2 Identity Server Management Console. Under the SAS Viya Service Provider expand Local & Outbound Authentication Configuration and select Skip Login Consent. This will prevent the consent screen being displayed to end-users.
Remember, for the end-users to be correctly authenticated to the SAS Viya environment the value returned by SASuserid from WSO2 must match the value returned from your LDAP provider as sas.identities.providers.ldap.user.accountID, by default sAMAccountNAme.
WSO2 Identity Server is an alternative OpenID Connect provider that some customers might already be using for other applications. Getting the correct configuration setup in WSO2 Identity Server will be key to successfully implementing this authentication mechanism. The setup within SAS Viya 3.5 is straightforward so long as you are aware of and have planned for the correct format of username.
Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.
If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.