ShenQicheng
Obsidian | Level 7

Hi,

Our client doesn't want the sign-in page to be shown every time, and for some reason we can't use IWA or another SSO mechanism.

They want to access the site by putting username and password into URL, something like:

http://myserver:port/SASVisualAnalyticsViewer?ux=sasdemo&px=xxxxx

 

To enable this, I was told that the web application should be configured (XML file) and some parameters should be added in SMC, but I can't find any documentation on how to do this.

Does anyone know if this is possible? If so, how do I do the configuration?

 

(SAS version: 9.4 , VA version: 7.3)

 

Thanks in advance.

Shen

Accepted Solution
PaulHomes
Rhodochrosite | Level 12

I would suggest explaining to the client that, if you were able to configure it like that, what it would mean from a risk perspective. Having the userid and password (I'm assuming ones they use for access to other secured resources) exposed via an HTTP GET request in plain text over a non-SSL connection means the userid and password would be insecure in transport. Additionally, this mechanism would also mean they would get captured and stored in plain text in all intermediate proxy and web server logs for anyone with access to those logs to find. Essentially a nice way of harvesting credentials 🙂

 

Seriously, I would ask why it is that they don't want to see a login page? Is it because the server is only accessible internally to trusted staff and the reports are unprotected content that should be accessible to all staff without access controls or audit requirements? If so then perhaps they just want guest access? Have a look at the Configuring Guest Access section of the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide and the SAS Visual Analytics administration documentation too.

 

Otherwise, if the content requires access control or audit then the inconvenience of a login page is probably small compared to the risk of credential or content exposure. If they still don't want to see a login page then it would probably be worth more investigation of single sign-on possibilities. Since the SAS Web Server is based on Apache Web Server there are lots of authentication options to choose from. Additionally, this SAS Global Forum 2014 paper An Advanced Fallback Authentication Framework for SAS® 9.4 and SAS® Visual Analytics by Zhiyong Li & Mike Roda from SAS Institute is a great resource on providing flexible authentication options. I also wrote a blog post last year on SAS Visual Analytics Guest Access with IWA Fallback.

 

I hope this helps.
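
The log exposure described in the answer above, as an added example that is not part of the original thread: a small audit script that finds credential-bearing query strings in web server access logs and emits a redacted copy of the URL. It goes slightly beyond the answer by also checking the Referer field, where such a URL is repeated on follow-up requests. The Apache combined log format, the parameter names other than `ux`/`px`, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as credential-bearing. "ux"/"px" come from the URL
# in the question; the others are assumed common names, adjust per application.
SENSITIVE = {"ux", "px", "user", "username", "password", "passwd", "pwd"}

# Apache/NCSA combined log format: request line and Referer are quoted fields.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')

def redact_url(url):
    """Return (redacted_url, sorted names of sensitive parameters found)."""
    parts = urlsplit(url)
    hits, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            hits.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return url, []
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(hits)

def scan(lines):
    """Return one finding per log field (request URL or Referer) carrying credentials."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skipped rather than guessed at
        for field in ("url", "referer"):
            redacted, hits = redact_url(m.group(field))
            if hits:
                findings.append((lineno, m.group("ip"), field, hits, redacted))
    return findings

# Constructed sample lines (not real log data).
SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:09:00:01 +0000] "GET /SASVisualAnalyticsViewer?ux=sasdemo&px=Secret1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:09:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 90 "http://myserver/SASVisualAnalyticsViewer?ux=sasdemo&px=Secret1" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:09:00:03 +0000] "GET /SASVisualAnalyticsViewer?report=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any password that shows up in a finding should be treated as exposed and rotated, since every system that stored the log line has a copy.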


ShenQicheng
Obsidian | Level 7

Thanks Paul,

 

Our client will reconsider which SSO mechanism they should use.

 

Shen
