
SAS Viya OKTA OIDC Integration

Started 07-08-2022
Modified 07-08-2022

In this article we will learn how to integrate SAS Viya with Okta's OpenID Connect (OIDC) for single sign-on authentication. We first walk through the major steps of the user authentication flow when SAS Viya is integrated with Okta, then the configuration steps on the Okta side and on the SAS Viya side, and finally demonstrate a user signing in with Okta SSO.

 

Note: These instructions are correct at the time of writing (July 2022). The Okta portal screens and options may have changed since.

 

SAS Viya - Okta OIDC user authentication flow

 

The sequence diagram below summarises the flow. It starts with the user entering the URL of a SAS Viya visual interface in the browser and being redirected to the SASLogon page, where the user chooses to log on with Okta SSO.

 

(Figure: Viya4-Okta-OIDC-Integration.jpg, sequence diagram of the SAS Viya - Okta OIDC authentication flow)

 

 

Okta Configuration

Configuring Okta requires admin-level access. If you do not have access to an Okta tenant in your organization, you can follow the steps below to create your own Okta developer account for testing. Note that in the authorization code flow Okta never connects to SAS Viya itself: the sign-in redirect is followed by the user's browser, and the only server-to-server calls are made by SAS Viya to Okta's discovery and token endpoints (and the signing-key endpoint the discovery document references). So the SAS Viya deployment needs outbound HTTPS access to the Okta tenant (the internet for a developer account, or internal connectivity for an internal Okta instance), and the user's browser must be able to reach both SAS Viya and Okta. SAS Viya itself does not have to be exposed on a public IP address.
 

Creating an Okta developer account (Optional)

  • Go to https://developer.okta.com
  • Click 'Sign Up'
  • Enter your work email to sign up
  • Or sign up using Google OpenID Connect (you would then be using Google's OIDC to sign in to Okta in order to test a user signing in to Viya with Okta's OIDC).
  • An admin account will be created for you and you will land on the 'Get started with Okta' page. 
  • In your Okta home page, Click 'Customize Goals'  
    • What's your role? : select an appropriate option for you
    • What's the first thing you want to build? : Partner integration
    • What type of integration? : Single Sign-On (SAML or OIDC)
    • Click Save

Configure Okta OIDC

  • After you customize your goals, 'Create an app integration' is unlocked on the main page. Click 'Add App'
  • create-app.png
  • Click 'Create New App'

 

 

  • In create a new app integration page
    • Sign-in method : OIDC - OpenID Connect
    • Application type : Web Application
    • Click Next
  • In the New Web App Integration page 
    • App integration name : My SAS Viya Web App
    • Grant type : Client acting on behalf of a user > Authorization Code 
    • Sign-in redirect URIs : https://<viyahost>/SASLogon/login/callback/okta_oidc
    • Sign-out redirect URIs : Delete any default URLs. We will not use a sign-out URL in this tutorial.
    • Assignments : Skip group assignment for now
    • Click Save
  • You will be directed to the application settings page. In the 'Assignments' tab, click 'Assign'
  • assign-people.png

     Select the people or groups that should have access to your Viya applications. If you are using a developer account, you can create a user under Directory > People > Add person.

    Note: This user/group must also exist in the LDAP that Viya is integrated with. Otherwise the claim returned by Okta cannot be matched with a user in LDAP, and you will get the 'Unable to map claim to a username' error on the SASLogon page during login.
  • Click Assign

  • Click Save and Go Back
  • Now it is time to add the claim that Viya requires to the Okta configuration. Claims are, at a high level, pieces of user information that Okta sends back to Viya in the ID token. Viya uses this information to look the user up and obtain group membership from its LDAP. See steps 11-14 in the authentication flow diagram above for more information.
  • Go to Security > API and edit the authorization server you have chosen to use for Viya. Here I am using the default authorization server.

create-claims.png

  • Go to Claims tab and Click Add Claim

  • add-claim.png

     In Add Claim page

    • Name : sub_sas_viya
    • Include in token type : ID Token ; Always
    • Value type : Expression => because we assigned people (not groups) to the application above. See the Okta documentation if you want to include groups in claims.
    • Value : user.firstName => in this environment the uid in Viya's LDAP happens to match the user's first name in Okta. Choose the expression that is appropriate for your environment; a stable, unique attribute such as user.login or user.email is the safer choice, because a claim value shared by two Okta users (first names collide easily) would map both of them to the same Viya identity. See Okta's Expression Language Reference for other options.
    • Include in : The following scopes: openid. Or choose Any scope if preferred.
  • That is it. We are done configuring Okta OIDC for user access to our SAS Viya web application. Next we configure SAS Viya with the details of the Okta OIDC application we just created.
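To make the flow in the sequence diagram and the claim mapping concrete, here is an added example (not part of the original article, and not SAS or Okta code) of the relying-party side of the authorization code flow as SASLogon performs it: redirect the browser to Okta with a state and a nonce, validate the state on the callback, verify the ID token's signature, issuer, audience, expiry and nonce, and only then resolve the sub_sas_viya claim to a user in the LDAP directory. It also reproduces the 'Unable to map claim to a username' failure from the note above when the claim is missing or names a user LDAP does not know. The Okta hostname, client ID, Viya hostname, the LDAP entries and the HS256-signed token are constructed for the example; a real Okta ID token is RS256-signed and must be verified against the authorization server's JWKS.

```python
"""Relying-party side of the SAS Viya <- Okta OIDC authorization code flow (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values standing in for the article's <okta-organization>, <viyahost> and client ID.
OKTA_ISSUER = "https://dev-000000.okta.com/oauth2/default"
AUTH_URL = OKTA_ISSUER + "/v1/authorize"
CLIENT_ID = "0oaexampleclientid"                      # relyingPartyId
REDIRECT_URI = "https://viya.example.com/SASLogon/login/callback/okta_oidc"
USERNAME_CLAIM = "sub_sas_viya"                       # attributeMappings.user_name

# Constructed stand-in for the LDAP directory Viya is integrated with (uid -> DN).
LDAP_USERS = {"alice": "uid=alice,ou=people,dc=example,dc=com",
              "bob": "uid=bob,ou=people,dc=example,dc=com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url():
    """SASLogon -> browser -> Okta: the redirect that starts the flow.
    state ties the callback to this browser session (CSRF defence);
    nonce is echoed back inside the ID token (replay defence)."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return AUTH_URL + "?" + urlencode(params), state, nonce


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 ID token so the example runs offline (Okta really signs with RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, nonce: str) -> dict:
    """Checks SASLogon must make before trusting any claim: signature, iss, aud, exp, nonce."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != OKTA_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def map_claim_to_username(claims: dict) -> str:
    """Resolve the custom claim to an LDAP uid; this is where SASLogon's error originates."""
    value = claims.get(USERNAME_CLAIM)
    if not value or value not in LDAP_USERS:
        raise LookupError("Unable to map claim to a username")
    return value


def handle_callback(callback_url, expected_state, nonce, key, exchange_code):
    """Okta -> browser -> SASLogon: validate state, swap the code for an ID token, verify it."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch (possible CSRF)")
    id_token = exchange_code(query["code"][0])  # stands in for the POST to .../v1/token
    return map_claim_to_username(verify_id_token(id_token, key, nonce))


def simulate_login(claim_value, tamper_nonce=False):
    """End-to-end run against a constructed Okta; returns the mapped username or the error text."""
    _, state, nonce = build_authorize_url()
    key = b"constructed-shared-key-for-the-example"
    claims = {"iss": OKTA_ISSUER, "aud": CLIENT_ID, "exp": int(time.time()) + 300,
              "nonce": "forged" if tamper_nonce else nonce}
    if claim_value is not None:
        claims[USERNAME_CLAIM] = claim_value       # what the Okta expression user.firstName yields
    token = make_id_token(claims, key)
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    try:
        return handle_callback(callback, state, nonce, key, lambda code: token)
    except (ValueError, LookupError) as exc:
        return str(exc)


if __name__ == "__main__":
    print(simulate_login("alice"))   # alice
    print(simulate_login("carol"))   # Unable to map claim to a username
```

Running the script logs alice in, while a user that Okta knows but LDAP does not (carol) produces exactly the error the note above warns about; a tampered nonce is rejected before the claim is ever consulted.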

SAS Viya Configuration

You can use either the sas-viya CLI or the SAS Environment Manager web application to configure SAS Viya. In this tutorial I show how to configure OIDC in Viya using SAS Environment Manager.

  • Log on to SAS Environment Manager with an account that has administrator privileges.
  • Assume administration privileges
  • assume-sas-admin.png
  • Go to Configuration > select 'Definitions' in the View drop-down > filter on 'sas.logon.oauth.providers'
  • viya-configuration.png

     Edit the sas.logon.oauth.providers definition and enter the following values based on your Okta configuration

    • addShadowUserOnLogin : enable
    • attributeMappings.user_name : sub_sas_viya => the claim we configured in Okta above.
    • authUrl : https://<okta-organization>/oauth2/<authorization-server>/v1/authorize => authorization-server is 'default' if you are using the default authorization server in Okta.
    • clientAuthInBody : enable => Okta accepts client credentials either in the Authorization header or in the request body, not in both places; with this property disabled, SASLogon's token request would carry credentials in both and Okta would reject it.
    • discoveryUrl : https://<okta-organization>/oauth2/<authorization-server>/.well-known/openid-configuration
    • emailDomain : Optional; enter a comma-separated list of the email domains of your Okta users.
    • issuer : https://<okta-organization>/oauth2/<authorization-server> => must match the 'issuer' value in the discovery document exactly, since the ID token's iss claim is validated against it.
    • linkText : Logon using Okta => the text shown to the user on the SASLogon page for the Okta SSO logon
    • name : okta_oidc => must be exactly what we entered at the end of the 'Sign-in redirect URIs' in the Okta configuration above, because SASLogon's callback URL is derived from it.
    • relyingPartyId : <client ID of the Viya web app from Okta> => found in your Okta dashboard under Applications > Applications > {your Viya web app} > Client ID
    • relyingPartySecret : <client secret of the Viya web app from Okta> => found under Applications > Applications > {your Viya web app} > Client Secrets. Treat it like a password.
    • responseType : code
    • scopes : openid
    • showLinkText : enable
    • tokenUrl : https://<okta-organization>/oauth2/<authorization-server>/v1/token
    • Click Save
  • That is it. The configuration of the SAS Viya integration with Okta OIDC is complete. Next we demonstrate a user logon with Okta SSO.
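As an added check that is not part of the original article, the script below compares the values entered in sas.logon.oauth.providers with what the Okta authorization server advertises in its discovery document. That is the quickest way to catch the mistakes that otherwise surface as opaque SASLogon errors: an issuer that does not match the document's issuer (ID token validation fails), an authorize or token URL pointing at a different authorization server, a client authentication method the token endpoint does not accept, a plain-http endpoint, or a provider name that does not match the sign-in redirect URI registered in Okta. The discovery document, hostnames, client ID and secret are constructed for the example; Okta's real document uses the same standard keys.

```python
"""Cross-check a sas.logon.oauth.providers entry against the Okta discovery document (added example)."""
import json
from urllib.parse import urlparse

# Constructed copy of what Okta serves at
# https://<okta-organization>/oauth2/<authorization-server>/.well-known/openid-configuration.
# The hostname is assumed; the keys are the standard OpenID Connect discovery keys.
OKTA_DISCOVERY = json.dumps({
    "issuer": "https://dev-000000.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-000000.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://dev-000000.okta.com/oauth2/default/v1/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "none"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# The same values as typed into SAS Environment Manager (assumed for the example).
VIYA_PROVIDER = {
    "name": "okta_oidc",
    "discoveryUrl": "https://dev-000000.okta.com/oauth2/default/.well-known/openid-configuration",
    "issuer": "https://dev-000000.okta.com/oauth2/default",
    "authUrl": "https://dev-000000.okta.com/oauth2/default/v1/authorize",
    "tokenUrl": "https://dev-000000.okta.com/oauth2/default/v1/token",
    "responseType": "code",
    "scopes": "openid",
    "clientAuthInBody": True,
    "relyingPartyId": "0oaexampleclientid",
    "relyingPartySecret": "constructed-secret",
}
VIYA_HOST = "https://viya.example.com"
# Sign-in redirect URIs registered on the Okta application (constructed).
OKTA_REDIRECT_URIS = ["https://viya.example.com/SASLogon/login/callback/okta_oidc"]


def check_provider(provider, discovery_json, okta_redirect_uris, viya_host):
    """Return a list of findings; an empty list means both sides agree."""
    disc = json.loads(discovery_json)
    findings = []
    for key in ("discoveryUrl", "issuer", "authUrl", "tokenUrl"):
        if urlparse(provider[key]).scheme != "https":
            findings.append(f"{key} is not https; tokens and the client secret would travel in clear")
    if provider["discoveryUrl"] != disc["issuer"] + "/.well-known/openid-configuration":
        findings.append("discoveryUrl does not belong to the advertised issuer")
    if provider["issuer"] != disc["issuer"]:
        findings.append("issuer differs from the discovery document; ID token 'iss' validation will fail")
    if provider["authUrl"] != disc["authorization_endpoint"]:
        findings.append("authUrl differs from authorization_endpoint")
    if provider["tokenUrl"] != disc["token_endpoint"]:
        findings.append("tokenUrl differs from token_endpoint")
    if provider["responseType"] not in disc["response_types_supported"]:
        findings.append(f"response type {provider['responseType']!r} not supported by the server")
    scopes = provider["scopes"].replace(",", " ").split()
    for scope in scopes:
        if scope not in disc["scopes_supported"]:
            findings.append(f"scope {scope!r} not supported by the server")
    if "openid" not in scopes:
        findings.append("openid scope missing; no ID token would be issued")
    # clientAuthInBody selects which of the two client authentication methods SASLogon uses.
    method = "client_secret_post" if provider["clientAuthInBody"] else "client_secret_basic"
    if method not in disc["token_endpoint_auth_methods_supported"]:
        findings.append(f"client authentication method {method} not accepted by the token endpoint")
    # SASLogon's callback path is derived from the provider name and must be registered verbatim in Okta.
    callback = f"{viya_host}/SASLogon/login/callback/{provider['name']}"
    if callback not in okta_redirect_uris:
        findings.append(f"Okta sign-in redirect URIs do not include {callback}")
    if not provider["relyingPartyId"] or not provider["relyingPartySecret"]:
        findings.append("relyingPartyId and relyingPartySecret must both be set")
    return findings


if __name__ == "__main__":
    for line in check_provider(VIYA_PROVIDER, OKTA_DISCOVERY, OKTA_REDIRECT_URIS, VIYA_HOST) or ["OK"]:
        print(line)
```

Fetch the real discovery document with a browser or curl from the Viya host (which also proves the outbound connectivity mentioned earlier) and paste it in place of the constructed one; every finding the script prints corresponds to one of the fields in the list above.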

Demonstration of User Logon with SAS Viya using Okta OIDC

Now that all the OIDC configuration in Okta and SAS Viya is done, let's see whether the user we assigned to the Viya app in Okta can actually log on to SAS Viya.

  • Open the SAS Drive web app in your browser
  • You will see 'Logon using Okta' on the SASLogon page, as configured with 'linkText' in the Viya configuration above
  • logon-using-okta.png

     Click 'Logon using Okta'. You will be redirected to the Okta logon page.

    logon-with-okta.png
  • Log on with the credentials of the user we assigned to the Viya web app in Okta.
  • The whole authentication flow described in the diagram above happens in the background, and the user is logged in to SAS Drive.

Conclusion

In this article we have seen the overall authentication flow when Okta is used as the OIDC authorization server for SAS Viya, and the steps to configure Okta and SAS Viya to achieve SSO authentication for users.

