Exploring, predicting and reporting with SAS Visual Analytics and SAS Visual Statistics

How to config Web Application for URL authentication

Hi,

Our client doesn't want the sign-in page to be shown every time, and for some reason we can't use IWA or another SSO mechanism.

They want to access the site by putting username and password into URL, something like:

http://myserver:port/SASVisualAnalyticsViewer?ux=sasdemo&px=xxxxx

 

To enable this, I was told that the web application should be configured (XML file) and some parameters should be added in SMC, but there is no document I can find to do this.

 

Does anyone know if this is possible? If so, how do I do the configuration?

 

(SAS version: 9.4 , VA version: 7.3)

 

Thanks in advance.

Shen


Accepted Solutions
Solution
‎01-28-2016 10:37 PM
PROC Star
Posts: 402

Re: How to config Web Application for URL authentication

I would suggest explaining to the client that, if you were able to configure it like that, what it would mean from a risk perspective. Having the userid and password (I'm assuming ones they use for access to other secured resources) exposed via an HTTP GET request in plain text over a non-SSL connection means the userid and password would be insecure in transport. Additionally, this mechanism would also mean they would get captured and stored in plain text in all intermediate proxy and web server logs for anyone with access to those logs to find. Essentially a nice way of harvesting credentials :)

 

Seriously, I would ask why it is that they don't want to see a login page? Is it because the server is only accessible internally to trusted staff and the reports are unprotected content that should be accessible to all staff without access controls or audit requirements? If so then perhaps they just want guest access? Have a look at the Configuring Guest Access section of the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide and the SAS Visual Analytics administration documentation too.

 

Otherwise, if the content requires access control or audit then the inconvenience of a login page is probably small compared to the risk of credential or content exposure. If they still don't want to see a login page then it would probably be worth more investigation of single sign-on possibilities. Since the SAS Web Server is based on Apache Web Server there are lots of authentication options to choose from. Additionally, this SAS Global Forum 2014 paper, An Advanced Fallback Authentication Framework for SAS® 9.4 and SAS® Visual Analytics by Zhiyong Li & Mike Roda from SAS Institute, is a great resource on providing flexible authentication options. I also wrote a blog post last year on SAS Visual Analytics Guest Access with IWA Fallback.

 

I hope this helps.

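The log exposure described in the answer above can be checked on an existing server. The following is an added example, not part of the original thread: it scans Apache common/combined-format access-log lines for password-bearing query parameters, reports who is affected, and produces a redacted copy of each line. The parameter names `ux` and `px` come from the URL in the question; the other names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# ux/px are the parameter names from the question's URL; the rest are assumed variants.
USER_PARAMS = {"ux", "user", "username"}
SECRET_PARAMS = {"px", "pass", "password", "pwd"}

# Request field of an Apache access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def scan_line(line):
    """Return (redacted_line, finding); finding is None when no secret is present."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, None
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    secrets = [k for k, _ in pairs if k.lower() in SECRET_PARAMS]
    if not secrets:
        return line, None
    users = [v for k, v in pairs if k.lower() in USER_PARAMS]
    # Replace only the secret values so the rest of the line stays usable for audit.
    safe = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    new_target = urlunsplit(parts._replace(query=urlencode(safe)))
    redacted = line[:m.start("target")] + new_target + line[m.end("target"):]
    finding = {"client": line.split(" ", 1)[0], "path": parts.path,
               "users": users, "params": secrets}
    return redacted, finding

def scan_log(lines):
    """Scan an iterable of log lines; return (redacted_lines, findings)."""
    redacted, findings = [], []
    for line in lines:
        out, finding = scan_line(line)
        redacted.append(out)
        if finding:
            findings.append(finding)
    return redacted, findings

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2016:22:30:01 +0000] "GET /SASVisualAnalyticsViewer?ux=sasdemo&px=xxxxx HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [28/Jan/2016:22:31:12 +0000] "GET /SASVisualAnalyticsViewer HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Any account that appears in the findings should have its password rotated, since redacting one log does not remove copies already held by intermediate proxies.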


All Replies
Contributor
Posts: 28

Re: How to config Web Application for URL authentication

Thanks Paul,

 

Our client will reconsider which SSO mechanism they should use.

 

Shen
