copyright © 2005, sas institute inc. all rights reserved. user authentication and single sign-on...

User Authentication and Single Sign-on Across the SAS®9 Platform Larry Noe and Scott Sweetland,Mid-tier and Platform Integration R&D

Scene from a Spy Thriller Movie…

User authentication

Request for a resource

Location and credentials for resource

User accesses resource

User Authentication and Single Sign-on

Multi-domain Customer Environments

Web Servers

Application Servers

Database Servers

SAS 9 Design GoalsIntegrate the Platform through Metadata

Infrastructure

Information resources

Business intelligence

Security framework

SAS 9 Security Framework

Metadata Server provides

Central location for user authentication

Identity Management

Credential Management

Single Sign-On Access

Web Servers

Compute Servers

Database Servers

Handout: Resources of Interest Schedule of related SAS Presents

Demo area for Security: Area 17

SAS web resources

Question and Answer format – tight for time so please bring your questions to us at the Security demo area

From Concepts to Implementation

How applications use the Metadata server for User Authentication.

Credential management to support single sign-on.

Case Studies

What is a Metadata Server?

Secure access to your Enterprise business and technical information

What is modeled in Metadata?• Configuration

• Physical Locations

• Business Intelligence

• Delivery

• User identities

Metadata Server Authenticates Connecting Clients

Verifying user ‘is who they claim to be’

Typical authentication providers:• Host Operating System

• Directory Servers

• User ID and password databases

SAS 9 Metadata server supports: • Host OS Authentication

• LDAP

• Microsoft Active Directory

Authenticating SAS 9 Application Users

User Logs On:User ID & Password

Application

Metadata Server

Application connects to Metadata Server

using credentials

Application

Metadata Server

Metadata Serverauthenticates User

with Host OS HostAuthenticatio

HostAuthenticatio

Application

Metadata Server

Successful connection authenticates application

Application

Metadata Server

Identity Management in Metadata

User and Group metadata objects

SAS Management Console User Manager

Benefits of Identities in Metadata:

Role-based Security

Personalization

Shared user context between cooperating applications

Managing Identity Metadata with the SAS Management Console User Manager

Establishing Identity at the Metadata Server Login object represents authentication credential

Associated with user identities

User ID must be unique for each user identity

User ID Password Authentication Domain

User: Fred Smith

Frsmith | secret | windomain

Frsmith | secret | unixhost1

Logins and Authentication Domains

Windows domain: windomain

SAS MC User Manager

Fred Smith

Using Login Objects to Establish Identity

windomain\Frsmith + PW

ApplicationMetadata

Server

HostAuthenticatio

Host authenticates

User ID

Fred Smith

Using Login objects to establish identity

Application Metadata Server

Users &Groups

Logins are searched for a match to

authenticated User ID

windomain\Frsmith

Fred Smith

Metadata identity established Metadata Server

User ID matches Login

windomain\Frsmith

Using Login objects to establish identity

Authenticatedidentity returned

to application

Application

Metadata Server

Fred Smith

SAS Workspace Servers

Database Servers

Credential Management for Single Sign-On

Login Objects Provide Single Sign-On Credentials

Application users request resources from servers

Acquire credentials without prompting

User logins can provide credentials

Applications match credentials to server by Authentication Domain of the server.

User ID Password Authentication Domain

Providing a User with Logins

Windows Domain

User Login Objects

in Metadata

User ID password Authentication Domain

Unixusr Secret Unix

Winuser Secret windomain

ZosUser Secret zOS

Single Sign-on and Credentials in Metadata

User selects a SASTable to view.

Application

User Identity

SAS Table

Single Sign On and Credentials in Metadata

Application queries metadata: SAS library, Workspace server, and Authentication Domain

for Server.

Application

Metadata Server

Workspace Server

User Identity

Auth Domain: windomain

Application checks

User’s logins

for match with server’s

Application Metadata Server

User Identity

User’s Logins

Unixusr Secret Unix

Winuser Secret windomain

ZosUser Secret zOS

login matching Auth Domain: windomain

is found.

Application

Metadata Server

Workspace Server

TableWinuser Secret windomain

This logon credential is used for server connection.

Application

Workspace Server

TableWinuser Secret windomain

User views Table.

Application

Minimizing Credentials in Metadata

Windows

Login Objects in Metadata

User ID password Authentication Domain

Unixusr Secret Unix

Winuser Secret Windomain

ZosUser Secret zOS

Reducing the presence of credentials in Metadata.

Strategies

Caching Log-on credentials at the application

Works when cached credentials are valid for the servers User needs to use.

Group logins

Application checks for single sign credential in this pattern:

Does User have a login that matches the auth domain?

User a member of a Group with matching login?

Case Study One: Information Map Studio

Testing an information map that is based on a SAS dataset accessed through a SAS 9 Workspace Server

Strategies to reduce credentials stored in metadata repository:• Caching of log on credentials by the application

Information Maps

User-friendly metadata definitions of physical data sources

Enable your business users to query a data with meaningful names

User presentation meets specific business needs

Created in Information Map Studio

User Groups and BI Workflow

ETL team builds data warehouse, mart, etc.

Information Architect determines business needs for accessing data and builds Information Maps with Information Map Studio

BI Analysts use Information Maps in Web Report Studio to build web-based reports

Business Users review reports for decision support

Server Topology and Authentication Domains

Windows

Network

Domain

Metadata Server

SAS 9Workspace

Server

Authentication Domain:

DefaultAuth

Information Map

Studio

Testing an Information Map

Information Map Studio user

Credential Caching!

Metadata Server

sugi30023\sasdemo + pw

Credentials sent tothe metadata server

for authentication

Metadata serverhost authenticates

the connecting client

MetadataRepository

Metadata serversearches for

sugi30023\sasdemoin all login objects

HostAuthentication

YourIdentity

The library “stuff” contains the table “class” which is defined in the server context “SASMain”

SASMain workspace server is registered in the DefaultAuth authentication domain.

Logins for sasdemo User

One login is registered in the DefaultAuth authentication domain, but it has no password…

Single Sign-on to Workspace Server

Information Map Studio

“Run Test”

sugi30023\sasdemo + pw

Cached credentials sent to the Object Spawner for host

authentication

Object Spawner

Workspace server launched as

sugi30023\sasdemo

Workspace serverruns generated code, performs

query and returns results

WorkspaceServer

Case Study Two: Information Map Studio

Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server

Strategies to reduce credentials stored in metadata repository:• Caching of login credentials by the application

• Group login for DB2 server

Server Topology and Authentication Domains

Windows

Network

Domain

Metadata Server

IBM DB2®

Database

Auth Domain: DefaultAuth

Auth Domain: DB2Auth

Information Map

Studio

Workspace Server

Case Study Two: Information Map Studio

One login is registered and it is in the DefaultAuth authentication domain

Personal login for DB2 associated with the SAS Demo User

Single Sign-on to Workspace Server

Information Map Studio

“Run Test”

sugi30023\sasdemo + pw Object Spawner

WorkspaceServer

Server

SAS code connects to DB2

using DB2 credentials

Workspace serverruns generated code, performs

query and returns results

Additional Case Studies

Information map built against an OLAP cube

Web Report Studio using information maps generated in previous case studies

Web Report Studio configured for web authentication

Web Report Studio using pooled workspace servers

Metadata Server configured with an alternate authentication provider

Concepts in our case studies

SAS 9 applications use the Metadata server for User authentication.

Credentials are managed in Metadata to support single sign-on.

Strategies to reduce credential storage in Metadata

Credential Caching

Group Logins

copyright © 2005, sas institute inc. all rights reserved. user authentication and single sign-on...

Documents

noe - granicus

copilul lui noe - eric emmanuel schmitt lui noe - eric...

sweetland wind farm project...sweetland wind farm draft ea...

astrid & noe

arca lui noe - nicolae manolescu - cdn4.libris.ro lui noe -...

t e t noe valley t -...

four-dimensional noe-noe spectroscopy of sars-cov-2 main

noe - lumenwerx

sweetland wind farm

presentación1 noe

8power noe

noe torres, “mexico’s roswell” -...

koormuziek.nlarr.: cam floria ned. t.kst: paul 00 noe noe...

sweetland/swetland lore #74 summer 2015$1,061.55 scholarship...

planificación noe

Årsrapport - noe

statistics jo sweetland research occupational therapist

noe degrees

noe villavicencio

presentación noe