SAS Viya Workbench requires an OpenID Connect compliant Identity Provider to authenticate users.

 

This article shows how to create a Microsoft Entra ID (formerly Azure Active Directory) App registration, and how to configure SAS Viya Workbench to use it.

 

The steps below can be performed after the tasks described in Starting with SAS Viya Workbench are completed, and an Administrator can access the SAS Viya Workbench Organization Administration page.

 

1) Create an App Registration.

• In the Azure Portal, navigate to Microsoft Entra ID -> App Registrations.
• Click New Registration.
• Provide a name for the application.
• Keep the default of Accounts in this organizational directory only for Supported Account Types. This will allow logins only from the current tenant.

 

• Click Register.

 

2) Add API permissions to the App.

• In the Service Menu in the left, click Manage -> API Permissions.

 

• Click Add a Permission and add the following delegated Microsoft Graph API permissions to the App: email, offline_access, openid and profile.

 

• Click Add permissions:

 

3) Start creating the SSO connection.

• In the SAS Viya Workbench Organization Administration page, switch to the Administration tab and click New SSO Connection.

 

 

4) Give the connection a meaningful name.

 

5) Configure the App for authentication.

• Click the copy button for the Login redirect URI:

• In the Azure Portal, navigate to your App registration -> Authentication.
• Click Add a platform -> Web and paste the Redirect URI you copied above.

 

• Click Configure.

 

6) Configure credentials

• Client Id.

Azure Portal	Workbench Organization Admin
Navigate to your App registration -> Overview and copy the Application (client) ID value.	Paste it under Credentials -> Client id in the SAS Viya Workbench SSO connection configuration.

 

• Client Secret.

Azure Portal	Workbench Organization Admin
Navigate to your App registration -> Manage -> Certificates and Secrets -> Client Secrets. Click + New client secret, add a description, click Add and copy the secret's value.	Paste it under Credentials -> Client secret in the SAS Viya Workbench SSO connection configuration.

 

 

7) Import the App configuration.

• Click Import from URL next to Configuration in the SAS Viya Workbench SSO connection configuration.

 

• Provide the OpenID Connect metadata document URL.

Azure Portal	Workbench Organization Admin
Navigate to your App registration -> Overview and click Endpoints. Copy the OpenID Connect metadata document URL.	Paste the URL and click Import.
This is also known as the OpenID Connect Well-Known configuration endpoint.

 

8 ) Save the configuration.

• This is what your New SSO Connection dialog should look like. Click OK.

 

9) Configure a Domain

• The last step is to add one or more domains so that users can be directed to the Identity Provider configured above based on their email address.
• In the SAS Viya Workbench Organization Administration page, click New Domain.

 

• Add a domain for your organization so that SAS Viya Workbench can properly direct users to your Identity Provider based on the user's email address.

Important: The domain above is just an example. Add only domains you control for this configuration.

 

• Click OK.

 

10) Login as an Idp user.

• Logoff as the Organization Administrator user: Click the top right icon and then Sign out.
• Login as a user that exists in the App registration tenant.

 

• You will be redirected to Entra ID for authentication (if you are not already authenticated).
• The user must allow SAS Viya Workbench to access the account information in the first login. Click Accept in the prompt below to do so.

 

• Depending on your Tenant configuration, Entra ID Admin consent for API access might be required. If that's the case, this is what users might see when attempting to login

If this happens, ask your Entra ID Tenant admin to grant admin consent by navigating to the App Registration -> Manage -> API Permissions -> Grant admin consent for <your tenant>.

 

• The user will be presented the SAS Viya Workbench home page. This indicates a successful login.

 

That's it. Now users can start Using SAS Viya Workbench.

 

NOTE: The configuration above will allow logins from any user in the organization (tenant). If you want to restrict the App to allow logins only from assigned users, continue to step 11 below.

 

11) (Optionally) require users to be assigned to the App.

• In the Azure Portal, navigate to Microsoft Entra ID -> Enterprise Applications.
• Find the App you just created, open it and select Manage -> Properties.
• Change Assignment Required to Yes, and Save.

 

• From this point on, only users assigned to the app will be able to login.
• To assign a user to the app, click Manage -> Users and groups and then + Add user/group.