
SAS Viya accessing Azure resources (ADLS) with Single Sign-On

Started ‎09-07-2022 by
Modified ‎09-07-2022 by

SAS Viya has supported Single Sign-On (SSO) access to Azure resources (services) since the Stable 2020.1.3 release. This functionality lets SAS Viya users access Azure resources (services) seamlessly, without the cumbersome device code authentication method. It also helps the Azure resource (tenant) administrator manage individual user access to Azure resources.

 

My colleague @StuartRogers recently published a post (SAS Viya Azure AD Single Sign-On to Other Azure Services) discussing the steps required in Azure Active Directory to configure SAS Viya with OpenID Connect login. The post also lists the supported Azure resources/services along with Viya releases. Please read that post for more detail.

 

In this post, I discuss accessing Azure Data Lake Storage 2 (ADLS2) from SPRE and CAS once Single Sign-On (SSO) with OpenID Connect login is configured in the Viya environment with Azure Active Directory.

 

How do I know if the SAS Viya environment is configured with SSO/OIDC?

 

When you open the SAS Viya application, the login manager page shows an additional sign-in option, e.g. “Log-in with Open ID”.

 

uk_1_SASViya_Accessing_ADLS2_With_SSO_1.png


 

After you choose “Log-in with OpenID”, the Microsoft login page opens, where you sign in with a valid domain user ID and password. The domain user ID comes from Azure Active Directory and is synced to the SAS Viya user identity.

 

uk_2_SASViya_Accessing_ADLS2_With_SSO_2.png

 

The SAS user identity under SAS Environment Manager should include the domain name, not just a plain user ID from local LDAP.

 

uk_3_SASViya_Accessing_ADLS2_With_SSO_3.png

 

 

 

Do I have access (R/W) to the Storage Account for data access?

 

Now that the SAS Viya environment is configured to use SSO (OIDC), the user also needs additional permissions on Azure resources, apart from the Azure API permission given during OIDC configuration. If a user is accessing Blob storage in a specific Storage Account, the user must be assigned the “Storage Blob Data Contributor” role.

 

uk_4_SASViya_Accessing_ADLS2_With_SSO_7.png
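
An added example (not from the original post or from SAS): a Python check over role-assignment JSON in the shape `az role assignment list` returns, reporting whether a user has effective blob data access at a given scope. The subscription, resource group, account and user names are constructed placeholders; the check assumes direct user assignments and does not evaluate group membership, deny assignments or assignment conditions.

```python
import json

# Built-in roles carrying blob data-plane permissions. Control-plane roles such
# as Owner or Contributor are absent on purpose: they manage the storage
# account but grant no read/write on the blob data itself.
RW_DATA_ROLES = {"Storage Blob Data Contributor", "Storage Blob Data Owner"}
READ_ONLY_DATA_ROLES = {"Storage Blob Data Reader"}


def scope_covers(assigned: str, target: str) -> bool:
    """A role assignment applies to its own scope and everything beneath it."""
    a, t = assigned.rstrip("/").lower(), target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def blob_access(assignments_json: str, user: str, target_scope: str) -> str:
    """Return 'read-write', 'read-only' or 'none' for user at target_scope."""
    level = "none"
    for ra in json.loads(assignments_json):
        if ra.get("principalName", "").lower() != user.lower():
            continue
        if not scope_covers(ra.get("scope", ""), target_scope):
            continue
        role = ra.get("roleDefinitionName")
        if role in RW_DATA_ROLES:
            return "read-write"
        if role in READ_ONLY_DATA_ROLES:
            level = "read-only"
    return level


# Constructed sample data: every identifier below is a placeholder.
ACCOUNT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-viya"
           "/providers/Microsoft.Storage/storageAccounts/examplestorage")
CONTAINER = ACCOUNT + "/blobServices/default/containers/fsdata"
SAMPLE = json.dumps([
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": ACCOUNT},
    {"principalName": "bob@example.com", "roleDefinitionName": "Storage Blob Data Contributor", "scope": ACCOUNT},
    {"principalName": "carol@example.com", "roleDefinitionName": "Storage Blob Data Reader", "scope": CONTAINER},
    {"principalName": "dave@example.com", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": ACCOUNT + "/blobServices/default/containers/other"},
])

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, blob_access(SAMPLE, f"{who}@example.com", CONTAINER))
```

In the sample, the account Owner and the user whose role is scoped to a different container both come back as `none` for the `fsdata` container, which is the usual reason a LIBNAME or CASLIB fails after SSO login succeeds.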

 

SAS Compute server (SPRE) access to ADLS2 with SSO

 

With the user configured in the SAS Viya identity manager and granted access to Azure Storage, the following ORC LIBNAME statement can be used to access the .orc file located in ADLS2 storage.

Notice that there is no Azure application ID parameter in the LIBNAME statement. The SAS Logon manager service requests the Azure access key and maintains it.

 

Code:

 

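/* Storage account, file system (container), DNS suffix and Azure AD tenant ID */
%let MYSTRGACC="XXXXX0327viya4adls2";
%let MYSTRGFS="fsdata";
%let MYDNSSUFF="dfs.core.windows.net";
%let MYTNTID="a708fb09-XXXXXXXXXXXXXXXX";

/* ORC libref on ADLS2; no application ID or secret appears in the statement */
libname orclib ORC "sample_data/"
      storage_account_name =&MYSTRGACC
      storage_file_system =&MYSTRGFS
      storage_dns_suffix = &MYDNSSUFF
      storage_tenant_id=&MYTNTID
      DIRECTORIES_AS_DATA=YES
      FILE_NAME_EXTENSION=(orc ORC)
;

/* Write SASHELP.FISH to ADLS2 as an ORC data file */
data orclib.fish_orc;
   set sashelp.fish;
run;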

 

Log:

 

86   libname orclib ORC "sample_data/"
87         storage_account_name =&MYSTRGACC
88         storage_file_system =&MYSTRGFS
89         storage_dns_suffix = &MYDNSSUFF
90         storage_tenant_id=&MYTNTID
91         DIRECTORIES_AS_DATA=YES
92         FILE_NAME_EXTENSION=(orc ORC)
93   ;
NOTE: Libref ORCLIB was successfully assigned as follows:
      Engine:        ORC
      Physical Name: sample_data
94
95
96   data orclib.fish_orc;
97      set sashelp.fish;
98   run;
NOTE: There were 159 observations read from the data set SASHELP.FISH.
NOTE: The data set ORCLIB.fish_orc has 159 observations and 7 variables.
NOTE: DATA statement used (Total process time):
      real time           1.02 seconds
      cpu time            0.17 seconds

99

 

Data file created at the ADLS2 location:

 

uk_5_SASViya_Accessing_ADLS2_With_SSO_4.png

 

CAS access ADLS2 with SSO

 

With the user configured in the SAS Viya identity manager and granted access to Azure Storage, the following CASLIB statement can be used to access the ADLS2 storage.

Notice that there is no Azure application ID parameter in the CASLIB statement. The SAS Logon manager service requests the Azure access key and maintains it.

Reading and writing Parquet data files on ADLS2 is also supported with SSO access.

 

Code:

 

%let MYSTRGACC="XXXXXX0327viya4adls2";
%let MYSTRGFS="fsdata";
%let MYDNSSUFF="dfs.core.windows.net";
%let MYTNTID="a708fb09-XXXXXXXXXX";

CAS mySession  SESSOPTS=(CASLIB=casuser TIMEOUT=99 LOCALE="en_US" metrics=true);

caslib ADLS2 datasource=(
      srctype="adls",
      accountname=&MYSTRGACC,
      filesystem=&MYSTRGFS,
      dnsSuffix=&MYDNSSUFF,
      timeout=50000,
      tenantid=&MYTNTID
   ) path="sample_data/"  subdirs;

proc casutil incaslib="ADLS2";
   list files ;
run;
quit;

/* Save CAS Data to ADLS2 storage data file (orc, csv, parquet) */
proc casutil incaslib="ADLS2" outcaslib="ADLS2" ;
load data=sashelp.air casout="air" replace;
save casdata="air" casout="air.orc"  replace;
save casdata="air" casout="air.csv"  replace;
save casdata="air" casout="air.parquet"  replace;
list files;
run;quit;

/* CAS load from ADLS2 storage data file */
proc casutil  incaslib="ADLS2"  outcaslib="ADLS2";
  load casdata="air.orc" casout="air_orc" replace ;
  load casdata="air.csv" casout="air_csv" replace ;
  load casdata="air.parquet" casout="air_parquet" replace ;
  list tables ;
run;quit;

cas mysession terminate;

 

Log:

 

NOTE: The CAS statement request to update one or more session options for session MYSESSION completed.
87   
88   caslib ADLS2 datasource=(
89         srctype="adls",
90         accountname=&MYSTRGACC,
91         filesystem=&MYSTRGFS,
92         dnsSuffix=&MYDNSSUFF,
93         timeout=50000,
94         tenantid=&MYTNTID
95      ) path="sample_data/"  subdirs;
NOTE: Executing action 'table.addCaslib'.
NOTE: 'ADLS2' is now the active caslib.
NOTE: Cloud Analytic Services added the caslib 'ADLS2'.

…………….
……………………….
102  /* Save CAS Data to ADLS2 storage data file (orc, csv, parquet) */
103  proc casutil incaslib="ADLS2" outcaslib="ADLS2" ;
NOTE: The UUID 'ae569d06-e263-1d44-bbab-48d6da04ba5a' is connected using session MYSESSION.
104  load data=sashelp.air casout="air" replace;
NOTE: The INCASLIB= option is ignored when using the DATA= option in the LOAD statement.
NOTE: Executing action 'table.addTable'.
NOTE: Action 'table.addTable' used (Total process time):
NOTE: SASHELP.AIR was successfully added to the "ADLS2" caslib as "AIR".
105  save casdata="air" casout="air.orc"  replace;
NOTE: Executing action 'table.save'.
NOTE: Cloud Analytic Services saved the file air.orc in caslib ADLS2.
NOTE: Action 'table.save' used (Total process time):
NOTE: The Cloud Analytic Services server processed the request in 1.01474 seconds.
106  save casdata="air" casout="air.csv"  replace;
NOTE: Executing action 'table.save'.
NOTE: Cloud Analytic Services saved the file air.csv in caslib ADLS2.
NOTE: Action 'table.save' used (Total process time):
NOTE: The Cloud Analytic Services server processed the request in 0.321823 seconds.
107  save casdata="air" casout="air.parquet"  replace;
NOTE: Executing action 'table.save'.
NOTE: Cloud Analytic Services saved the file air.parquet in caslib ADLS2.
NOTE: Action 'table.save' used (Total process time):
NOTE: The Cloud Analytic Services server processed the request in 0.675216 seconds.
…….
…………………
111  /* CAS load from ADLS2 storage data file */
112  proc casutil  incaslib="ADLS2"  outcaslib="ADLS2";
NOTE: The UUID 'ae569d06-e263-1d44-bbab-48d6da04ba5a' is connected using session MYSESSION.
113    load casdata="air.orc" casout="air_orc" replace ;
NOTE: Executing action 'table.loadTable'.
NOTE: Cloud Analytic Services made the external data from air.orc available as table AIR_ORC in caslib ADLS2.
NOTE: Action 'table.loadTable' used (Total process time):
NOTE: The Cloud Analytic Services server processed the request in 0.348314 seconds.
114    load casdata="air.csv" casout="air_csv" replace ;
NOTE: Executing action 'table.loadTable'.
NOTE: Cloud Analytic Services made the external data from air.csv available as table AIR_CSV in caslib ADLS2.
NOTE: Action 'table.loadTable' used (Total process time):
NOTE:       bytes moved             3.45K
NOTE: The Cloud Analytic Services server processed the request in 0.370762 seconds.
115    load casdata="air.parquet" casout="air_parquet" replace ;
NOTE: Executing action 'table.loadTable'.
NOTE: Cloud Analytic Services made the external data from air.parquet available as table AIR_PARQUET in caslib ADLS2.
NOTE: Action 'table.loadTable' used (Total process time):
………..
…………….

 

Data files created at the ADLS2 location:

 

uk_6_SASViya_Accessing_ADLS2_With_SSO_6.png

 

   

Important links:

Authentication: OIDC with Azure AD Scenario

 

Post: SAS Viya Azure AD Single Sign-On to Other Azure Services  

 

Find more articles from SAS Global Enablement and Learning here.

Last update: 09-07-2022 03:54 PM