BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
ShenQicheng
Obsidian | Level 7

Hi,

Our client don't want the sign-in page to be shown every time, and for some reasons we can't use IWA or other SSO mechanism.

They want to access the site by putting username and password into URL, something like:

http://myserver:port/SASVisualAnalyticsViewer?ux=sasdemo&px=xxxxx

 

To enable this , I was told that web application should be configured (xml file) and some parameters should be added in SMC, but there is no document  I can find to do this.

 

Anyone knows is this possible? If so, how to do the configuration?

 

(SAS version: 9.4 , VA version: 7.3)

 

Thanks in advance.

Shen

1 ACCEPTED SOLUTION

Accepted Solutions
PaulHomes
Rhodochrosite | Level 12

I would suggest explaining to the client that, if you were able to configure it like that, what it would mean from a risk perspective. Having the userid and password (I'm assuming ones they use for access to other secured resources) exposed via a HTTP GET request in plain text over a non SSL connection means the userid and password would be insecure in transport. Additionally this mechanism would also mean they would get captured and stored in plain text in all intermediate proxy and web server logs for anyone with access to those logs to find. Essentially a nice way of harvesting credentials 🙂

 

Seriously, I would ask why it is that they don't want to see a login page? Is it because the server is only accessible internally to trusted staff and the reports are unprotected content that should be accessible to all staff without access controls or audit requirements? If so then perhaps they just want guest access? Have a look at the Configuring Guest Access section of the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide and the SAS Visual Analytics administration documentation too.

 

Otherwise, if the content requires access control or audit then the inconvenience of a login page is probably small compared to the risk of credential or content exposure. If they still don't want to see a login page then it would probably be worth more investigation of single sign on possibilities. Since the SAS Web Server is based on Apache Web Server there are lots of authentication options to choose from. Additionally, this SAS Global Forum 2014 paper An Advanced Fallback Authentication Framework for SAS® 9.4 and SAS® Visual Analytics by Zhiyong Li & Mike Roda from SAS Institute is a great resource on providing flexible authentication options. I also wrote a blog post last year on SAS Visual Analytics Guest Access with IWA Fallback.

 

I hope this helps.

View solution in original post

2 REPLIES 2
PaulHomes
Rhodochrosite | Level 12

I would suggest explaining to the client that, if you were able to configure it like that, what it would mean from a risk perspective. Having the userid and password (I'm assuming ones they use for access to other secured resources) exposed via a HTTP GET request in plain text over a non SSL connection means the userid and password would be insecure in transport. Additionally this mechanism would also mean they would get captured and stored in plain text in all intermediate proxy and web server logs for anyone with access to those logs to find. Essentially a nice way of harvesting credentials 🙂

 

Seriously, I would ask why it is that they don't want to see a login page? Is it because the server is only accessible internally to trusted staff and the reports are unprotected content that should be accessible to all staff without access controls or audit requirements? If so then perhaps they just want guest access? Have a look at the Configuring Guest Access section of the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide and the SAS Visual Analytics administration documentation too.

 

Otherwise, if the content requires access control or audit then the inconvenience of a login page is probably small compared to the risk of credential or content exposure. If they still don't want to see a login page then it would probably be worth more investigation of single sign on possibilities. Since the SAS Web Server is based on Apache Web Server there are lots of authentication options to choose from. Additionally, this SAS Global Forum 2014 paper An Advanced Fallback Authentication Framework for SAS® 9.4 and SAS® Visual Analytics by Zhiyong Li & Mike Roda from SAS Institute is a great resource on providing flexible authentication options. I also wrote a blog post last year on SAS Visual Analytics Guest Access with IWA Fallback.

 

I hope this helps.

ShenQicheng
Obsidian | Level 7

Thanks Paul,

 

Our client will reconsider which sso mechanism they should use.

 

Shen

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

Tips for filtering data sources in SAS Visual Analytics

See how to use one filter for multiple data sources by mapping your data from SAS’ Alexandria McCall.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 2 replies
  • 2301 views
  • 3 likes
  • 2 in conversation