TRANSCRIPT
Copyright © 2005, SAS Institute Inc. All rights reserved.
User Authentication and Single Sign-on Across the SAS®9 Platform
Larry Noe and Scott Sweetland, Mid-tier and Platform Integration R&D
Scene from a Spy Thriller Movie…
• User authentication
• Request for a resource
• Location and credentials for resource
• User accesses resource
User Authentication and Single Sign-on
Multi-domain Customer Environments
• Web Servers
• Application Servers
• Database Servers
SAS 9 Design Goals: Integrate the Platform through Metadata
• Infrastructure
• Information resources
• Business intelligence
• Security framework
SAS 9 Security Framework
Metadata Server provides:
• Central location for user authentication
• Identity Management
• Credential Management
Single Sign-On Access
• Web Servers
• Compute Servers
• Database Servers
Handout: Resources of Interest
• Schedule of related SAS Presents
• Demo area for Security: Area 17
• SAS web resources
Question and Answer format – tight for time, so please bring your questions to us at the Security demo area
From Concepts to Implementation
• How applications use the Metadata server for User Authentication.
• Credential management to support single sign-on.
• Case Studies
What is a Metadata Server?
Secure access to your Enterprise business and technical information
What is modeled in Metadata?
• Configuration
• Physical Locations
• Business Intelligence
• Delivery
• User identities
Metadata Server Authenticates Connecting Clients
Verifying user ‘is who they claim to be’
Typical authentication providers:
• Host Operating System
• Directory Servers
• User ID and password databases
SAS 9 Metadata server supports:
• Host OS Authentication
• LDAP
• Microsoft Active Directory
Authenticating SAS 9 Application Users (sequence: User, Application, Metadata Server)
1. User logs on to the Application with User ID & Password.
2. Application connects to the Metadata Server using those credentials.
3. Metadata Server authenticates the User with the Host OS (Host Authentication).
4. Successful connection authenticates the application user.
Identity Management in Metadata
• User and Group metadata objects
• SAS Management Console User Manager
Benefits of Identities in Metadata:
• Role-based Security
• Personalization
• Shared user context between cooperating applications
Managing Identity Metadata with the SAS Management Console User Manager (screenshot)
Establishing Identity at the Metadata Server
Login object represents an authentication credential
• Associated with user identities
• User ID must be unique for each user identity
User: Fred Smith
User ID | Password | Authentication Domain
Frsmith | secret | windomain
Frsmith | secret | unixhost1
Logins and Authentication Domains (screenshot: SAS MC User Manager, Fred Smith, Windows domain windomain)
Using Login Objects to Establish Identity (sequence: Application, Metadata Server, Host Authentication)
1. Application connects with windomain\Frsmith + PW; the Host authenticates the User ID.
2. Metadata Server searches the Logins of its Users & Groups for a match to the authenticated User ID windomain\Frsmith.
3. User ID matches a Login: metadata identity established (Fred Smith).
4. Authenticated identity (Fred Smith) is returned to the Application.
Credential Management for Single Sign-On (SAS Workspace Servers, Database Servers)
Login Objects Provide Single Sign-On Credentials
• Application users request resources from servers
• Acquire credentials without prompting
• User logins can provide credentials
• Applications match credentials to a server by the Authentication Domain of the server.
Login object: User ID | Password | Authentication Domain
Providing a User with Logins
Servers: UNIX, zOS, Windows Domain
User Login Objects in Metadata:
User ID | Password | Authentication Domain
Unixusr | Secret | Unix
Winuser | Secret | windomain
ZosUser | Secret | zOS
Single Sign-on and Credentials in Metadata (sequence: User, Application, Metadata Server, Workspace Server)
1. User selects a SAS Table to view.
2. Application queries metadata for the SAS library, the Workspace Server, and the Authentication Domain for the server (Auth Domain: windomain).
3. Application checks the User's logins for a match with the server's Auth Domain windomain:
   User ID | Password | Authentication Domain
   Unixusr | Secret | Unix
   Winuser | Secret | windomain
   ZosUser | Secret | zOS
4. The login matching Auth Domain windomain is found: Winuser | Secret | windomain.
5. This login credential is used for the connection to the Workspace Server.
6. User views the Table.
Minimizing Credentials in Metadata
Servers: UNIX, zOS, Windows
Login Objects in Metadata:
User ID | Password | Authentication Domain
Unixusr | Secret | Unix
Winuser | Secret | Windomain
ZosUser | Secret | zOS
Reducing the presence of credentials in Metadata
Strategies:
• Caching log-on credentials at the application
  Works when the cached credentials are valid for the servers the user needs to use.
• Group logins
  Application checks for a single sign-on credential in this pattern:
  1. Does the User have a login that matches the auth domain?
  2. Is the User a member of a Group with a matching login?
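The lookup order described above, as an added example in Python (not SAS code and not from the presentation): the user's own login objects are tried first, then group logins, keyed by Authentication Domain. Placing the cached log-on credential ahead of both, skipping a login with no stored password, and case-insensitive domain matching are assumptions consistent with Case Study One; the Login/Identity classes and all sample data are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Login:
    """A Login object as modeled in metadata."""
    user_id: str
    password: Optional[str]  # None: login registered without a stored password
    auth_domain: str

@dataclass
class Identity:
    name: str
    logins: list = field(default_factory=list)
    groups: list = field(default_factory=list)  # Identity objects the user belongs to

def _usable(login: Login, auth_domain: str) -> bool:
    # A login provides a single sign-on credential only if its Authentication
    # Domain matches the server's and it actually carries a password.
    return login.auth_domain.lower() == auth_domain.lower() and login.password is not None

def find_sso_login(identity: Identity, server_auth_domain: str) -> Optional[Login]:
    """Pattern from the slide: the user's own logins first, then group logins."""
    for login in identity.logins:
        if _usable(login, server_auth_domain):
            return login
    for group in identity.groups:
        for login in group.logins:
            if _usable(login, server_auth_domain):
                return login
    return None

def resolve_credential(cached_logon: Login, identity: Identity,
                       server_auth_domain: str) -> Optional[Login]:
    """Assumed ordering: reuse the credential cached at logon when its domain
    matches the server's (nothing stored in metadata); else consult metadata."""
    if _usable(cached_logon, server_auth_domain):
        return cached_logon
    return find_sso_login(identity, server_auth_domain)

# Constructed sample data mirroring the slides' tables, not a real deployment.
DB2_GROUP = Identity("DB2 Users", logins=[Login("db2grp", "Secret", "DB2Auth")])
FRED = Identity("Fred Smith", groups=[DB2_GROUP], logins=[
    Login("Frsmith", None, "DefaultAuth"),  # registered, but no password stored
    Login("Unixusr", "Secret", "Unix"),
    Login("Winuser", "Secret", "windomain"),
    Login("ZosUser", "Secret", "zOS"),
])
CACHED = Login("Frsmith", "pw", "DefaultAuth")  # what the user typed at logon
```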
Case Study One: Information Map Studio
Testing an information map that is based on a SAS dataset accessed through a SAS 9 Workspace Server
Strategies to reduce credentials stored in the metadata repository:
• Caching of log-on credentials by the application
Information Maps
• User-friendly metadata definitions of physical data sources
• Enable your business users to query data with meaningful names
• User presentation meets specific business needs
• Created in Information Map Studio
User Groups and BI Workflow
• ETL team builds data warehouse, mart, etc.
• Information Architect determines business needs for accessing data and builds Information Maps with Information Map Studio
• BI Analysts use Information Maps in Web Report Studio to build web-based reports
• Business Users review reports for decision support
Server Topology and Authentication Domains (figure)
• Windows Network Domain: Metadata Server, SAS 9 Workspace Server, Information Map Studio
• Authentication Domain: DefaultAuth
• Testing an Information Map
Case Study One: Information Map Studio
(screenshot: Information Map Studio user logon)
Credential Caching!
Case Study One: Information Map Studio
1. Credentials sugi30023\sasdemo + pw are sent to the Metadata Server for authentication.
2. The Metadata Server host-authenticates the connecting client (Host Authentication).
3. The Metadata Server searches all login objects in the Metadata Repository for sugi30023\sasdemo.
Your Identity (screenshot)
The library “stuff” contains the table “class” which is defined in the server context “SASMain”
SASMain workspace server is registered in the DefaultAuth authentication domain.
Logins for sasdemo User
One login is registered in the DefaultAuth authentication domain, but it has no password…
Single Sign-on to Workspace Server
1. Information Map Studio “Run Test”: cached credentials sugi30023\sasdemo + pw are sent to the Object Spawner for host authentication.
2. Workspace Server is launched as sugi30023\sasdemo.
3. Workspace Server runs the generated code, performs the query and returns the results (Table).
Case Study Two: Information Map Studio
Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server
Strategies to reduce credentials stored in the metadata repository:
• Caching of login credentials by the application
• Group login for DB2 server
Server Topology and Authentication Domains (figure)
• Hosts: Windows Network Domain, z/OS
• Metadata Server, Workspace Server, Information Map Studio; Auth Domain: DefaultAuth
• IBM DB2® Database; Auth Domain: DB2Auth
Case Study Two: Information Map Studio (screenshots)
Logins for sasdemo User
• One login is registered and it is in the DefaultAuth authentication domain
• Personal login for DB2 associated with the SAS Demo User
Single Sign-on to Workspace Server
1. Information Map Studio “Run Test”: sugi30023\sasdemo + pw is sent to the Object Spawner, which launches the Workspace Server.
2. The generated SAS code connects to the DB2 Server using the DB2 credentials.
3. Workspace Server runs the generated code, performs the query and returns the results.
Additional Case Studies
• Information map built against an OLAP cube
• Web Report Studio using information maps generated in previous case studies
• Web Report Studio configured for web authentication
• Web Report Studio using pooled workspace servers
• Metadata Server configured with an alternate authentication provider
Concepts in our case studies
• SAS 9 applications use the Metadata server for User authentication.
• Credentials are managed in Metadata to support single sign-on.
• Strategies to reduce credential storage in Metadata: Credential Caching, Group Logins