[Page 1]
I know who you are, but you can't come in
Authentication and single sign-on in the SAS platform
[Page 2]
Agenda
• Authentication
• Inbound authentication
• Outbound authentication
• Single Sign-on
[Page 3]
Definitions

| Stage | Process | Method | Physical world |
|---|---|---|---|
| Authentication | Verifying a person's identity | ID/Password; Security Token | ID card, passport |
| Identification | Matching identity to a SAS metadata identity | Text-based comparison | Check person against a "guest list" |
| Authorisation | Allowing actions based on identity | Grant or deny of an action | Door unlocked, gate opened |

A user will go through all three phases when using SAS.
We will only deal with authentication today.
[Page 4]
Authentication
[Page 5]
Authentication
Inbound Authentication: initial connection to a metadata server
[Page 6]
SAS Internal Authentication
Internally authenticated SAS accounts are special-purpose accounts. They cannot launch OS processes such as Workspace servers under their own identity. Examples of internal accounts are:
• sasadm@saspw - Used for SAS metadata administration
• sastrust@saspw - Used for SAS server to SAS server communication
[Page 7]
Inbound authentication
Credential based
[Page 8]
Direct Authentication
[Page 9]
Authentication
Outbound Authentication: connecting to a resource in the SAS environment
[Page 10]
Outbound Authentication
• Outbound authentication is establishing a connection to a server after initial authentication to the metadata server
• Inbound authentication is a prerequisite of outbound authentication.
[Page 11]
Recap: inbound authentication
[Page 12]
Outbound authentication to a standard workspace server
[Page 15]
What is a "standard" workspace server?
[Page 16]
Credential Management

| Method | Description |
|---|---|
| Re-use (credential caching) | The credentials used to authenticate to the metadata server are presented to the new server |
| Retrieve | Credentials associated with the user or a user's groups and the server's authentication domain are retrieved from the metadata server and presented to the new server |
| Request | The user is presented with a prompt and asked to provide a user ID and password |
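The three methods above as a resolution order keyed by authentication domain, written here as an added illustration (not SAS code; the `Login`/`Session` types, the `METADATA_LOGINS` sample store and the domain names such as `OracleAuth` are constructed for the example):

```python
"""Model of the three SAS outbound credential-management methods
(re-use, retrieve, request). Added illustration with constructed data,
not code from the SAS platform."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    auth_domain: str   # sample domain names: "DefaultAuth", "OracleAuth"
    user_id: str
    password: str


@dataclass
class Session:
    """What a client holds after inbound authentication to the metadata server."""
    user: str
    groups: tuple
    inbound: Login     # the credentials that were presented to the metadata server


# Constructed stand-in for logins stored in metadata, keyed by owner
# (a user identity or a group identity).
METADATA_LOGINS = {
    "alice":   [Login("DefaultAuth", "alice", "pw-alice")],
    "finance": [Login("OracleAuth", "fin_svc", "pw-oracle")],
}


def resolve_credentials(session, target_domain, prompt=None):
    """Return (method, login) for a server in `target_domain`.

    Order follows the table: re-use the cached inbound credentials when the
    target's authentication domain matches; otherwise retrieve a stored
    login belonging to the user or to one of the user's groups for that
    domain; otherwise request them (prompt), or report that no prompt is
    available so the caller can fail closed rather than guess."""
    if session.inbound.auth_domain == target_domain:
        return "re-use", session.inbound
    for owner in (session.user, *session.groups):      # user first, then groups
        for login in METADATA_LOGINS.get(owner, []):
            if login.auth_domain == target_domain:
                return "retrieve", login
    if prompt is None:
        return "request", None                         # nobody to ask
    uid, pw = prompt(target_domain)
    return "request", Login(target_domain, uid, pw)
```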
[Page 17]
SAS Authentication domains
[Page 19]
Credential Management
[Page 20]
SAS token authentication
The metadata server generates and validates a single-use identity token for each authentication event. This has the effect of causing participating SAS servers to accept users who are connected to the metadata server.
[Page 21]
SAS token authentication

| Aspect | Notes |
|---|---|
| Scope | Primarily used for metadata-aware connections to the stored process server, the server-side pooled workspace server, the OLAP server, the content server, and (in a specialized configuration) the standard workspace server. Also used by launched servers to connect back to the metadata server (for example, from the workspace server to the metadata server for library pre-assignment). |
| Benefits | Preserves client identity for metadata layer access control and auditing purposes. No individual external accounts are required, no user passwords are stored in the metadata, and no reusable credentials are transmitted. |
| Limits | On the workspace server, reduces granularity of host access. Supported only for metadata-aware connections (in which the client learns about the target server by reading the server's metadata definition). |
| Use | Optional for the workspace server, otherwise mandatory in certain configurations |
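An added model of the single-use identity token described above (not SAS code; the `MetadataServer` and `ParticipatingServer` classes, their method names and the server names are assumptions): the metadata server mints one token per authentication event, validation consumes it, and a replayed, expired or mis-addressed token is refused, so the participating server never handles a reusable credential.

```python
"""Model of single-use identity tokens in the style of SAS token
authentication. Added illustration, not code from the SAS platform."""
import hmac
import secrets
import time


class MetadataServer:
    """Issues and validates tokens; a participating server only ever sees
    an opaque token that it hands back for validation."""

    def __init__(self, ttl_seconds=30, clock=time.time):
        self._pending = {}      # token -> (user, target_server, expiry)
        self._ttl = ttl_seconds
        self._clock = clock     # injectable so expiry can be tested

    def issue_token(self, user, target_server):
        """Mint an unguessable token bound to the client identity and to the
        server the client says it will connect to."""
        tok = secrets.token_urlsafe(32)
        self._pending[tok] = (user, target_server, self._clock() + self._ttl)
        return tok

    def validate_token(self, tok, presenting_server):
        """Return the client identity, or None if the token is unknown,
        already used, expired, or presented by a different server.
        pop() removes the entry on first sight: that is the single use."""
        entry = self._pending.pop(tok, None)
        if entry is None:
            return None
        user, target, expiry = entry
        if self._clock() > expiry:
            return None
        if not hmac.compare_digest(target.encode(), presenting_server.encode()):
            return None
        return user


class ParticipatingServer:
    """E.g. a stored process server: accepts a token instead of credentials
    and asks the metadata server whose it is."""

    def __init__(self, name, metadata_server):
        self.name = name
        self._ms = metadata_server

    def connect(self, tok):
        user = self._ms.validate_token(tok, self.name)
        return f"accepted {user}" if user else "rejected"


def metadata_aware_connection(ms, user, server):
    """The flow in the table: a client already authenticated to the metadata
    server obtains a token for `server` and presents it there."""
    tok = ms.issue_token(user, server.name)
    return tok, server.connect(tok)
```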
[Page 22]
Integrated Windows Authentication
[Page 23]
Web Authentication vs. SAS authentication
[Page 24]
Single Sign-on
[Page 25]
Single sign-on: two definitions
• 1. Challenged access, but one password which works everywhere
• 2. Unchallenged access to resources *
  • Thick client (Java, .NET)
  • Thin client (browser)
  • External data (Oracle, Teradata, Hadoop ...)
* This is the default definition used in a SAS architecture design
[Page 26]
Setup Effort

| Client type | Challenged sign-on (provide user id / password): customer effort | Challenged sign-on: SAS effort | Unchallenged sign-on using IWA ("single sign-on"): customer effort | Unchallenged sign-on using IWA: SAS effort |
|---|---|---|---|---|
| "FAT" (.NET, Java) | Configure AD + PAM | None, SAS sees this as HOST | Configure Kerberos | Low |
| "THIN" (Browser) | | | Configure Kerberos | Moderate (requires Web Auth) |
[Page 27]
Will the user have to type a password?

| Client type | "Challenged", no credential storage | "Challenged", credentials stored in SAS profiles | IWA |
|---|---|---|---|
| "FAT" (.NET, Java) | YES | NO (if the user has stored credentials in a default SAS connection profile) | NO |
| "THIN" (Browser) | Depends on browser credential caching policy. | Depends on browser credential caching policy. | NO |
[Page 28]
Summary for Single Sign-on

| Feature | Notes |
|---|---|
| Internal authentication | An internal account cannot participate in IWA or web authentication and cannot launch any OS processes (e.g. standard workspace servers) |
| SAS token authentication | Facilitates SSO to most SAS servers |
| IWA | Facilitates silent launch of desktop applications. If not fully configured, prevents SSO to a standard workspace server. Requires a Kerberos implementation. |
| Web authentication | Facilitates silent launch of web applications. Prevents SSO to a standard workspace server (as the user is not required to have an OS account on SAS servers). |
| Direct LDAP authentication | Not compatible with silent launch. Prevents SSO to a standard workspace server |
| PAM | Can help unify authentication |
| Credential Management | Facilitates SSO to third-party servers and (in some configurations) workspace servers. |
[Page 29]
Why all these Metadata Levels?
[Page 30]
Content
• What is a metadata level
• How is a metadata level created
• How are they separated
• What metadata levels are for
• What metadata levels aren't for
• How to move content between levels
• Where metadata levels can touch
[Page 31]
What is a metadata level?
• A SAS environment separated physically or logically from other SAS environments
[Page 32]
How are metadata levels created?
• Each metadata level is separately installed
• Option of cloning and using the host name change utility?
[Page 33]
How are metadata levels separated?
• For each process, the combination of port number and host name must be unique
  • Same host, different ports
  • Different host, same or different ports
[Page 34]
What metadata levels are for
• Control changes to content in a rational manner
• Isolate ad-hoc development work and testing
• Minimise disruption to the production environment
• Support the development lifecycle (route to live)
• Typically 3 levels (Development > Test > Production)
  • Normally numbered sequentially Lev3 > Lev2 > Lev1 (production is level 1)
  • The level number is determined at installation
  • Final digit of port numbers will generally reflect the level number, e.g. the metadata server in Lev1 uses port 8561, Lev2 uses 8562, etc.
• Can be many more levels (Dev > Test > Unit Test > Prod > Patch Test)
• May also have a "level zero" for real-time decisioning
[Page 35]
What metadata levels are not for
• Separation of departments within an organisation
• Applying security restrictions
• High availability
• Disaster recovery
[Page 36]
How to move content between levels - 1
• Export ("zip up") a package in the source level
• Import ("unzip") a package in the target level
• Packages can be moved to / from any level
• System metadata (e.g. server definitions) can be packaged (SAS 9.3 or later)
• Package contents can be filtered during import / export by:
  • Name
  • Type
  • Date created / Date modified
  • Select / Deselect individual items
[Page 37]
How to move content between levels - 2
• Values (e.g. physical names, port numbers) can be modified during import
• Many other options, e.g.:
  • Include dependent items
  • Include physical data with table metadata
  • Include empty folders (use to create a template for folder structures)
  • Import new objects / Overwrite existing objects
  • Include Access Controls
[Page 38]
Example of dependent items
• This Data Integration Studio job describes the required processing
• The processing depends on the tables, but they are not "process" objects, so they are not packaged by default
• Including dependent objects adds the table metadata to the package
• Additionally, the data can now be included.
[Page 39]
Packaging a job
[Page 40]
Include Physical Table
• Caution: this option can create huge package sizes
[Page 41]
Metadata levels can share resources via SAS grid
(Diagram: SAS Grid)
[Page 42]
"Level zero" - real-time decision
(Diagram: stages Design, Decide, Load and Prepare, Control, Explore / Exploit, Interact; components Mid Tier & RTDM Design, RTDM Runtime, Metadata Server, VA Head, VA Worker, Grid Node, Client)
[Page 43]
Separate transactional metadata?
No:
• One place to maintain and monitor
• Unified view of data lineage / user activity
Yes:
• Independent for patching / update / failure
• Analysts cannot impact BAU transactions
[Page 44]
Separate Visual Analytics metadata?
No:
• One place to maintain and monitor
• Unified view of data lineage / user activity
Yes:
• Independent for patching / update / failure
• Analysts cannot impact BAU transactions
• VA typically has a faster cadence for updates / new features
[Page 45]
What happens where
Levels, left to right: Lev3 Dev, Lev2 Test, Lev1 Prod, Lev0 Real Time
• ETL Flows: Create, Test, Use
• OLAP Cubes: Create, Test, Use
• Stored Processes: Create, Test, Create/Test/Use
• Statistical Models: Create/Test/Use/Manage
• Reports / Explorations: Create/Test/Use
• Real Time Decisioning: Create/Test, Use
• Patch testing: Test, Deploy, Deploy, Deploy
[Page 46]
Questions