copyright © 2005, sas institute inc. all rights reserved. user authentication and single sign-on...

Copyright © 2005, SAS Institute Inc. All rights reserved.

User Authentication and Single Sign-on Across the SAS®9 Platform Larry Noe and Scott Sweetland,Mid-tier and Platform Integration R&D


Scene from a Spy Thriller Movie…


Scene from a Spy Thriller Movie…

User authentication

Request for a resource

Location and credentials for resource

User accesses resource


User Authentication and Single Sign-on


Multi-domain Customer Environments

Web Servers

Application Servers

Database Servers


SAS 9 Design GoalsIntegrate the Platform through Metadata

Infrastructure

Information resources

Business intelligence

Security framework


SAS 9 Security Framework

Metadata Server provides

Central location for user authentication

Identity Management

Credential Management


Single Sign-On Access

Web Servers

Compute Servers

Database Servers


Handout: Resources of Interest Schedule of related SAS Presents

Demo area for Security: Area 17

SAS web resources

Question and Answer format – tight for time so please bring your questions to us at the Security demo area


From Concepts to Implementation

How applications use the Metadata server for User Authentication.

Credential management to support single sign-on.

Case Studies


What is a Metadata Server?

Secure access to your Enterprise business and technical information

What is modeled in Metadata?• Configuration

• Physical Locations

• Business Intelligence

• Delivery

• User identities


Metadata Server Authenticates Connecting Clients

Verifying user ‘is who they claim to be’

Typical authentication providers:• Host Operating System

• Directory Servers

• User ID and password databases

SAS 9 Metadata server supports: • Host OS Authentication

• LDAP

• Microsoft Active Directory


Authenticating SAS 9 Application Users

User

User Logs On:User ID & Password

Application

Metadata Server



User

Application connects to Metadata Server

using credentials

Application

Metadata Server



User

Metadata Serverauthenticates User

with Host OS HostAuthenticatio

n

HostAuthenticatio

n

Application

Metadata Server



User

Successful connection authenticates application

user

Application

Metadata Server


Identity Management in Metadata

User and Group metadata objects

SAS Management Console User Manager

Benefits of Identities in Metadata:

Role-based Security

Personalization

Shared user context between cooperating applications


Managing Identity Metadata with the SAS Management Console User Manager


Establishing Identity at the Metadata Server Login object represents authentication credential

Associated with user identities

User ID must be unique for each user identity

User ID Password Authentication Domain

User: Fred Smith

Frsmith | secret | windomain

Frsmith | secret | unixhost1


Logins and Authentication Domains

Windows domain: windomain

SAS MC User Manager

Fred Smith


Using Login Objects to Establish Identity

windomain\Frsmith + PW

ApplicationMetadata

Server

HostAuthenticatio

n

HostAuthenticatio

n

Host authenticates

User ID

Fred Smith


Using Login objects to establish identity

Application Metadata Server

Users &Groups

Logins are searched for a match to

authenticated User ID

windomain\Frsmith

Fred Smith


Metadata identity established Metadata Server

User ID matches Login

windomain\Frsmith


Using Login objects to establish identity

Authenticatedidentity returned

to application

Application

Metadata Server

Fred Smith

Fred Smith


SAS Workspace Servers

Database Servers

Credential Management for Single Sign-On


Login Objects Provide Single Sign-On Credentials

Application users request resources from servers

Acquire credentials without prompting

User logins can provide credentials

Applications match credentials to server by Authentication Domain of the server.

User ID Password Authentication Domain


Providing a User with Logins

UNIX

zOS

Windows Domain

User Login Objects

in Metadata

User ID password Authentication Domain

Unixusr Secret Unix

Winuser Secret windomain

ZosUser Secret zOS


Single Sign-on and Credentials in Metadata

User

User selects a SASTable to view.

Application

User Identity

SAS Table


Single Sign On and Credentials in Metadata

User

Application queries metadata: SAS library, Workspace server, and Authentication Domain

for Server.

Application

Metadata Server

Workspace Server

User Identity

Table

Auth Domain: windomain



User

Application checks

User’s logins

for match with server’s


Application Metadata Server

?

User Identity

User’s Logins

Unixusr Secret Unix

Winuser Secret windomain

ZosUser Secret zOS



User

login matching Auth Domain: windomain

is found.

Application

Metadata Server

Workspace Server


Login

TableWinuser Secret windomain



User

This logon credential is used for server connection.

Application

Workspace Server


TableWinuser Secret windomain



User

User views Table.

Application

Table

Table


Minimizing Credentials in Metadata

UNIX

zOS

Windows

Login Objects in Metadata

User ID password Authentication Domain

Unixusr Secret Unix

Winuser Secret Windomain

ZosUser Secret zOS


Reducing the presence of credentials in Metadata.

Strategies

Caching Log-on credentials at the application

Works when cached credentials are valid for the servers User needs to use.

Group logins

Application checks for single sign credential in this pattern:

Does User have a login that matches the auth domain?

User a member of a Group with matching login?


Case Study One: Information Map Studio

Testing an information map that is based on a SAS dataset accessed through a SAS 9 Workspace Server

Strategies to reduce credentials stored in metadata repository:• Caching of log on credentials by the application


Information Maps

User-friendly metadata definitions of physical data sources

Enable your business users to query a data with meaningful names

User presentation meets specific business needs

Created in Information Map Studio

Map


User Groups and BI Workflow

ETL team builds data warehouse, mart, etc.

Information Architect determines business needs for accessing data and builds Information Maps with Information Map Studio

BI Analysts use Information Maps in Web Report Studio to build web-based reports

Business Users review reports for decision support


Server Topology and Authentication Domains

Windows

Network

Domain

Metadata Server

SAS 9Workspace

Server

Authentication Domain:

DefaultAuth

Information Map

Studio

Testing an Information Map

Map



Information Map Studio user


Credential Caching!



Metadata Server

sugi30023\sasdemo + pw

Credentials sent tothe metadata server

for authentication

Metadata serverhost authenticates

the connecting client

MetadataRepository

Metadata serversearches for

sugi30023\sasdemoin all login objects

HostAuthentication

HostAuthentication


YourIdentity


The library “stuff” contains the table “class” which is defined in the server context “SASMain”


SASMain workspace server is registered in the DefaultAuth authentication domain.


Logins for sasdemo User

One login is registered in the DefaultAuth authentication domain, but it has no password…


Single Sign-on to Workspace Server

Information Map Studio

“Run Test”

sugi30023\sasdemo + pw

Cached credentials sent to the Object Spawner for host

authentication

Object Spawner

Workspace server launched as

sugi30023\sasdemo

Workspace serverruns generated code, performs

query and returns results

Table

WorkspaceServer


Case Study Two: Information Map Studio

Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server

Strategies to reduce credentials stored in metadata repository:• Caching of login credentials by the application

• Group login for DB2 server


Server Topology and Authentication Domains

z/OS

Windows

Network

Domain

Metadata Server

IBM DB2®

Database

Auth Domain: DefaultAuth

Auth Domain: DB2Auth

Information Map

Studio

Map

Workspace Server


Case Study Two: Information Map Studio



One login is registered and it is in the DefaultAuth authentication domain



Personal login for DB2 associated with the SAS Demo User


Single Sign-on to Workspace Server

Information Map Studio

“Run Test”

sugi30023\sasdemo + pw Object Spawner

WorkspaceServer

DB2

Server

SAS code connects to DB2

using DB2 credentials

Workspace serverruns generated code, performs

query and returns results


Additional Case Studies

Information map built against an OLAP cube

Web Report Studio using information maps generated in previous case studies

Web Report Studio configured for web authentication

Web Report Studio using pooled workspace servers

Metadata Server configured with an alternate authentication provider


Concepts in our case studies

SAS 9 applications use the Metadata server for User authentication.

Credentials are managed in Metadata to support single sign-on.

Strategies to reduce credential storage in Metadata

Credential Caching

Group Logins

copyright © 2005, sas institute inc. all rights reserved. user authentication and single sign-on...

Documents