User Authentication and Single Sign-on Across the SAS®9 Platform
Larry Noe and Scott Sweetland, Mid-tier and Platform Integration R&D
Copyright © 2005, SAS Institute Inc. All rights reserved.
Scene from a Spy Thriller Movie…
[Diagram: a four-step sequence]
• User authentication
• Request for a resource
• Location and credentials for resource
• User accesses resource
User Authentication and Single Sign-on
[Diagram: multi-domain customer environments spanning Database Servers, Web Servers, and Application Servers]
SAS 9 Design Goals
Integrate the Platform through Metadata:
• Infrastructure
• Information resources
• Business intelligence
• Security framework
SAS 9 Security Framework
Metadata Server provides:
• Central location for user authentication
• Identity management
• Credential management
Single Sign-On Access
[Diagram: single sign-on access to Database Servers, Web Servers, and Compute Servers]
Handout: Resources of Interest
• Schedule of related SAS Presents
• Demo area for Security: Area 17
• SAS web resources
• Question and Answer format – we are tight for time, so please bring your questions to us at the Security demo area
From Concepts to Implementation
• How applications use the Metadata Server for user authentication
• Credential management to support single sign-on
• Case studies
What is a Metadata Server?
• Secure access to your enterprise business and technical information
• What is modeled in Metadata?
  • Configuration
  • Physical locations
  • Business intelligence
  • Delivery
  • User identities
Metadata Server Authenticates Connecting Clients
• Verifying the user ‘is who they claim to be’
• Typical authentication providers:
  • Host operating system
  • Directory servers
  • User ID and password databases
• SAS 9 Metadata Server supports:
  • Host OS authentication
  • LDAP
  • Microsoft Active Directory
Authenticating SAS 9 Application Users
[Diagram: User, Application, Metadata Server, and Host Authentication; the four slides show one step each]
• User logs on to the application with user ID and password.
• Application connects to the Metadata Server using those credentials.
• Metadata Server authenticates the user with the host OS (host authentication).
• A successful connection authenticates the application user.
Identity Management in Metadata
• User and Group metadata objects
• SAS Management Console User Manager
• Benefits of identities in Metadata:
  • Role-based security
  • Personalization
  • Shared user context between cooperating applications

Managing Identity Metadata with the SAS Management Console User Manager
[Screenshot: SAS Management Console User Manager]
Establishing Identity at the Metadata Server
• A Login object represents an authentication credential: User ID, Password, Authentication Domain
• Logins are associated with user identities, e.g. User: Fred Smith
  User ID | Password | Authentication Domain
  Frsmith | secret   | windomain
  Frsmith | secret   | unixhost1
• A User ID must be unique for each user identity
Logins and Authentication Domains
[Diagram: Fred Smith's login in the Windows domain "windomain", as shown in the SAS MC User Manager]

Using Login Objects to Establish Identity
[Diagram: Fred Smith, Application, Metadata Server (Users & Groups), Host Authentication; the four slides show one step each]
• Fred Smith logs on to the application as windomain\Frsmith with his password; the host authenticates the user ID.
• Logins in the Users & Groups metadata are searched for a match to the authenticated user ID.
• The user ID windomain\Frsmith matches a Login, and the metadata identity is established.
• The authenticated identity (Fred Smith) is returned to the application.
Credential Management for Single Sign-On
[Diagram: single sign-on to SAS Workspace Servers and Database Servers]
Login Objects Provide Single Sign-On Credentials
A Login object carries: User ID, Password, Authentication Domain.
• Application users request resources from servers
• Credentials are acquired without prompting
• User logins can provide the credentials
• Applications match credentials to a server by the Authentication Domain of the server
Providing a User with Logins
User Login objects in Metadata:
  User ID | Password | Authentication Domain
  Unixusr | Secret   | Unix
  Winuser | Secret   | windomain
  ZosUser | Secret   | zOS
[Diagram: each login is used for one server environment: UNIX, zOS, Windows Domain]
Single Sign-on and Credentials in Metadata
[Diagram: User, User Identity, Application, Metadata Server, Workspace Server (Auth Domain: windomain), SAS Table; the six slides show one step each]
• User selects a SAS table to view.
• Application queries metadata for the SAS library, the Workspace Server, and the Authentication Domain for that server.
• Application checks the user's logins for a match with the server's Auth Domain, windomain. The user's logins:
  Unixusr | Secret | Unix
  Winuser | Secret | windomain
  ZosUser | Secret | zOS
• The login matching Auth Domain windomain is found: Winuser / Secret.
• This logon credential is used for the server connection.
• User views the table.
Minimizing Credentials in Metadata
Login objects in Metadata:
  User ID | Password | Authentication Domain
  Unixusr | Secret   | Unix
  Winuser | Secret   | windomain
  ZosUser | Secret   | zOS
[Diagram: UNIX, zOS and Windows servers, each reached with the login in its authentication domain]
Reducing the presence of credentials in Metadata
Strategies:
• Caching log-on credentials at the application
  Works when the cached credentials are valid for the servers the user needs to use.
• Group logins
  The application checks for a single sign-on credential in this pattern:
  • Does the user have a login that matches the authentication domain?
  • Is the user a member of a Group with a matching login?
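The two lookups the slides describe, establishing a metadata identity from the host-authenticated user ID and then choosing a single sign-on credential by authentication domain (user login, then group login, then the credential cached at log-on), as an added Python model. This is illustration code, not SAS software or its API; the class names, the sample users, domains and passwords are constructed, and the order "user login, group login, cached credential" is an assumption drawn from the strategies above.

```python
# Added example, not SAS code: a small model of (1) how the Metadata Server
# establishes an identity by searching all Login objects for the
# host-authenticated user ID, and (2) how an application picks a single
# sign-on credential for a server by matching the server's authentication
# domain against the user's logins, then group logins, then the credential
# cached at log-on. All names and sample data are constructed; the lookup
# order is an assumption.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Login:
    user_id: str                     # e.g. "windomain\\Frsmith" or "Frsmith"
    auth_domain: str                 # e.g. "windomain", "DefaultAuth", "DB2Auth"
    password: Optional[str] = None   # None: login registered without a password


@dataclass
class Identity:
    name: str
    logins: list = field(default_factory=list)
    groups: list = field(default_factory=list)   # group Identities the user belongs to


class MetadataServer:
    """Holds user identities and enforces 'a User ID is unique per identity'."""

    def __init__(self, users):
        self._by_user_id = {}
        for user in users:
            for login in user.logins:
                key = login.user_id.lower()   # host user IDs compared case-insensitively
                owner = self._by_user_id.get(key)
                if owner is not None and owner is not user:
                    raise ValueError(f"user ID {login.user_id!r} belongs to two identities")
                self._by_user_id[key] = user

    def establish_identity(self, authenticated_user_id):
        """Return the Identity whose Login matches the host-authenticated ID, or None."""
        return self._by_user_id.get(authenticated_user_id.lower())


def find_sso_credential(identity, server_auth_domain, cached=None):
    """Credential lookup pattern from the slides; returns (source, Login) or None.

    Only a login that carries a password can be used without prompting, so a
    login registered with no password (as in case study one) falls through to
    the credential the application cached when the user logged on.
    """
    for login in identity.logins:
        if login.auth_domain == server_auth_domain and login.password is not None:
            return ("user", login)
    for group in identity.groups:
        for login in group.logins:
            if login.auth_domain == server_auth_domain and login.password is not None:
                return ("group", login)
    if cached is not None and cached.auth_domain == server_auth_domain:
        return ("cached", cached)
    return None   # nothing usable: the application has to prompt the user


# Constructed sample metadata, modelled on the slides' examples.
LIBRARY_SERVER = {"stuff": "SASMain"}                             # library -> server context
SERVER_AUTH_DOMAIN = {"SASMain": "DefaultAuth", "DB2": "DB2Auth"}  # server -> auth domain

DB2_USERS = Identity("DB2 Users", logins=[Login("db2app", "DB2Auth", "db2-secret")])
SASDEMO = Identity("SAS Demo User",
                   logins=[Login("sugi30023\\sasdemo", "DefaultAuth")],   # no password stored
                   groups=[DB2_USERS])
FRED = Identity("Fred Smith",
                logins=[Login("windomain\\Frsmith", "windomain", "secret"),
                        Login("Frsmith", "unixhost1", "secret")])
METADATA = MetadataServer([SASDEMO, FRED])


def credential_for_library(identity, library, cached=None):
    """Walk library -> server context -> authentication domain -> credential."""
    server = LIBRARY_SERVER[library]
    return find_sso_credential(identity, SERVER_AUTH_DOMAIN[server], cached)


if __name__ == "__main__":
    who = METADATA.establish_identity("SUGI30023\\sasdemo")
    print("identity:", who.name)
    cached = Login("sugi30023\\sasdemo", "DefaultAuth", "pw-typed-at-logon")
    print("SASMain via cache:", credential_for_library(who, "stuff", cached))
    print("DB2 via group:", find_sso_credential(who, "DB2Auth"))
```

Running the block walks the case-study path: the DefaultAuth login has no password, so the workspace server connection uses the cached log-on credential, while the DB2 connection is satisfied by the group login, and no DB2 password has to be stored against the user.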
Case Study One: Information Map Studio
• Testing an information map that is based on a SAS data set accessed through a SAS 9 Workspace Server
• Strategies to reduce credentials stored in the metadata repository:
  • Caching of log-on credentials by the application
Information Maps
• User-friendly metadata definitions of physical data sources
• Enable your business users to query data using meaningful names
• User presentation meets specific business needs
• Created in Information Map Studio
User Groups and BI Workflow
• ETL team builds the data warehouse, marts, etc.
• Information Architect determines the business needs for accessing data and builds Information Maps with Information Map Studio
• BI Analysts use Information Maps in Web Report Studio to build web-based reports
• Business Users review reports for decision support
Server Topology and Authentication Domains
[Diagram: testing an Information Map. Information Map Studio connects to the Metadata Server and a SAS 9 Workspace Server; both sit in the Windows network domain and are registered in authentication domain DefaultAuth]

Case Study One: Information Map Studio
[Screenshot: the Information Map Studio user logs on; the application keeps these log-on credentials ("Credential Caching!")]
Case Study One: Information Map Studio
[Diagram: Information Map Studio, Metadata Server, Metadata Repository, Host Authentication]
• Credentials sugi30023\sasdemo + password are sent to the Metadata Server for authentication.
• The Metadata Server host-authenticates the connecting client.
• The Metadata Server searches for sugi30023\sasdemo in all login objects of the Metadata Repository.
• Result: your identity.
[Screenshots: the metadata definitions used in the test, captioned on the following slides]
The library “stuff” contains the table “class”, which is defined in the server context “SASMain”.
The SASMain workspace server is registered in the DefaultAuth authentication domain.
Logins for the sasdemo User: one login is registered in the DefaultAuth authentication domain, but it has no password…
Single Sign-on to Workspace Server
[Diagram: Information Map Studio, Object Spawner, Workspace Server, Table]
• Information Map Studio “Run Test”: the cached credentials (sugi30023\sasdemo + password) are sent to the Object Spawner for host authentication.
• The Workspace Server is launched as sugi30023\sasdemo.
• The Workspace Server runs the generated code, performs the query and returns the results.
Case Study Two: Information Map Studio
• Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server
• Strategies to reduce credentials stored in the metadata repository:
  • Caching of log-on credentials by the application
  • Group login for the DB2 server
Server Topology and Authentication Domains
[Diagram: Information Map Studio connects to the Metadata Server and Workspace Server in the Windows network domain (Auth Domain: DefaultAuth); the Workspace Server connects to an IBM DB2® database on z/OS (Auth Domain: DB2Auth)]

Case Study Two: Information Map Studio
[Screenshots: the metadata definitions used in the test, captioned on the following slides]
Logins for the sasdemo User: one login is registered, and it is in the DefaultAuth authentication domain.
Logins for the sasdemo User: a personal login for DB2 is associated with the SAS Demo User.
Single Sign-on to Workspace Server
[Diagram: Information Map Studio, Object Spawner, Workspace Server, DB2 Server]
• Information Map Studio “Run Test”: sugi30023\sasdemo + password are sent to the Object Spawner.
• The Workspace Server runs the generated code, performs the query and returns the results.
• The SAS code connects to DB2 using the DB2 credentials.
Additional Case Studies
• Information map built against an OLAP cube
• Web Report Studio using information maps generated in the previous case studies
• Web Report Studio configured for web authentication
• Web Report Studio using pooled workspace servers
• Metadata Server configured with an alternate authentication provider
Concepts in our case studies
• SAS 9 applications use the Metadata Server for user authentication.
• Credentials are managed in Metadata to support single sign-on.
• Strategies to reduce credential storage in Metadata:
  • Credential caching
  • Group logins