SAS Viya Multiple SCIM Providers

As a reminder, SAS Viya supports providing the identity information for end users through either LDAP or SCIM. Specifically, for SCIM (System for Cross-domain Identity Management), SAS Viya is a version 2.0 server, so identity information can be loaded by a SCIM version 2.0 client such as Microsoft Entra ID or OKTA. It is also worth noting that using LDAP and SCIM in the same SAS Viya environment is not supported. In this post I want to discuss the idea of using multiple different SCIM version 2.0 clients to push identity information to a single SAS Viya environment.

What is Supported

As we have stated, SAS Viya is a SCIM version 2.0 server. Since the versions of SCIM are not backwards compatible, only a SCIM version 2.0 client is able to push identity information. In the official SAS documentation we provide examples of using Microsoft Entra ID and OKTA. These are not the only supported SCIM version 2.0 clients; they are just the two SAS has documented as examples. Any SCIM version 2.0 client that implements the protocol sufficiently will work with SAS Viya. However, SAS cannot provide support for these third-party products; assistance with configuring the third-party client should be provided by that third party.

Since a SAS Viya environment supports either SCIM or LDAP, but not both, enabling SCIM means disabling LDAP. While LDAP provides both identity and authentication services, SCIM only provides the identities. So, enabling SCIM also means you will need to select an authentication protocol to use along with SCIM: either SAML or OpenID Connect. As with SCIM, SAS Viya supports defining multiple SAML or OpenID Connect authentication providers, and you can also mix SAML and OpenID Connect.

For SAS Viya environments with multiple SAML and/or OpenID Connect providers, the configuration setting sas.logon.zone.idpDiscovery.enabled simplifies the login process for end users. Setting sas.logon.zone.idpDiscovery.enabled to true then prompts users for their email address when they log in. SAS Logon Manager compares the text string after the "@" with the values configured for emailDomain in any OIDC or SAML providers in the environment. If a string match is found, SAS Logon Manager redirects the browser to the corresponding third-party IdP. Otherwise, SAS Logon Manager displays the standard login form.

Why would I do that?

So, we are all now aware that we can configure multiple SCIM version 2.0 clients to push identity information to SAS Viya. Also, we can configure multiple SAML and/or OpenID Connect providers to allow those SCIM users to authenticate to SAS Viya. But why would we want to do that?

One use case that might prompt us to have multiple providers linked to a single SAS Viya environment is where we have separate groups of users. We might have users who are part of our organisation in one provider and other external users in one or more other providers. The users that are part of our organisation might be in Microsoft Entra ID while the external users are in OKTA. We would then configure Microsoft Entra ID for SCIM and OpenID Connect, and configure OKTA for SCIM and either SAML or OpenID Connect. With this setup both groups of users would be able to access the SAS Viya environment.

Another use case would be where there is a reluctance to add functional or service accounts to the corporate Identity Provider when they are just used within SAS Viya. For example, if the Group Managed Service Accounts will only access resources within SAS Viya, corporate IT might not want to add them to the Microsoft Entra ID tenant used across the organization. In such a case we could deploy Keycloak and manage those functional accounts purely within Keycloak. We can then use the SCIM for Keycloak (https://scim-for-keycloak.de/) product to provide the SCIM client implementation in Keycloak. Here, the business users would authenticate with OpenID Connect from Microsoft Entra ID, and the functional users would authenticate with SAML or OpenID Connect from Keycloak.

Caution

As with a SAS Viya environment configured with only one SCIM provider, or with an LDAP provider, we must ensure that any email addresses defined for users are unique. We cannot have two different users with the same email address, nor one user pushed with the same email address from different SCIM providers attached to the Viya environment.
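As an added, self-contained example (not SAS code and not part of the original post), the script below models two checks a practitioner would want before attaching a second SCIM version 2.0 client: the email-uniqueness requirement from this section, and the email-domain routing that sas.logon.zone.idpDiscovery.enabled performs, as described under "What is Supported". The SCIM User records, the provider names and the emailDomain values are constructed; how SAS Logon Manager actually compares strings (case handling), whether emailDomain holds one value or several, and which SCIM email attributes SAS Viya compares for uniqueness are assumptions, not documented behaviour.

```python
"""Pre-flight checks for a SAS Viya environment with more than one SCIM client.
Added example, not SAS code. The SCIM User records and provider settings are
constructed; the matching rules (case-insensitive, every value under "emails"
counts) are assumptions rather than documented SAS behaviour."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed SCIM 2.0 User resources (RFC 7643 shape), as two clients might push them.
ENTRA_USERS = [
    {"userName": "alice@corp.example",
     "emails": [{"value": "alice@corp.example", "primary": True}]},
    {"userName": "bob@corp.example",
     "emails": [{"value": "Bob@Corp.example", "primary": True}]},
]
OKTA_USERS = [
    {"userName": "carol",
     "emails": [{"value": "carol@partner.example", "primary": True}]},
    # The same person provisioned from a second provider: flagged as a collision.
    {"userName": "bob.ext",
     "emails": [{"value": "bob@corp.example", "primary": True}]},
]

# Constructed authentication-provider settings; emailDomain is the attribute the
# post names, modelled here as a list of domains per provider (an assumption).
PROVIDERS = {
    "entra-oidc": {"emailDomain": ["corp.example"]},
    "okta-saml": {"emailDomain": ["partner.example"]},
}


def normalise_email(email: str) -> str:
    """Canonical form used for comparisons: trimmed and lower-cased."""
    return email.strip().lower()


def email_domain(email: str) -> Optional[str]:
    """Return the part after the last '@', or None if the value is not an address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def find_duplicate_emails(
    users_by_provider: Dict[str, List[dict]],
) -> Dict[str, List[Tuple[str, str]]]:
    """Map each email that occurs more than once to the (provider, userName)
    pairs that carry it. Catches duplicates within one provider as well as the
    same address arriving from two different SCIM clients."""
    owners: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for provider, users in users_by_provider.items():
        for user in users:
            for entry in user.get("emails", []):
                value = entry.get("value")
                if value:
                    owners[normalise_email(value)].append((provider, user["userName"]))
    return {email: who for email, who in owners.items() if len(who) > 1}


def discover_idp(email: str, providers: Dict[str, dict]) -> Optional[str]:
    """Model of idpDiscovery: match the domain after '@' against each provider's
    emailDomain values and return the provider to redirect to, or None to mean
    'show the standard SAS Logon Manager form'."""
    domain = email_domain(email)
    if domain is None:
        return None
    for name, settings in providers.items():
        if domain in (d.lower() for d in settings.get("emailDomain", [])):
            return name
    return None


if __name__ == "__main__":
    collisions = find_duplicate_emails({"entra": ENTRA_USERS, "okta": OKTA_USERS})
    for address, who in collisions.items():
        print(f"duplicate {address}: {who}")
    for address in ("Alice@CORP.example", "carol@partner.example", "dave@other.example"):
        print(f"{address} -> {discover_idp(address, PROVIDERS) or 'standard login form'}")
```

Run this against exports from each SCIM client before enabling the second one; any collision it reports has to be resolved in the source directory, because SAS Viya requires the addresses to be unique. The routing function is only a model of the behaviour described in the post, not the SAS implementation, but it shows the two cases that matter: an address whose domain matches no configured emailDomain falls back to the standard login form, and so does an input that is not an email address at all.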

 

Conclusion

In this short post we have just introduced the idea that you can configure multiple providers for your SAS Viya environment. These can be multiple SCIM version 2.0 clients or multiple SAML and/or OpenID Connect authentication providers. This gives you the flexibility to have different groups of users access your single SAS Viya environment. In a future post we’ll look in more detail at how you might configure Keycloak as a SCIM version 2.0 client. You can refer to the SAS documentation for details of using Microsoft Entra ID and OKTA as SCIM version 2.0 clients.

Find more articles from SAS Global Enablement and Learning here.
