
1 User Authentication and Single Sign-on Across the SAS® 9 Platform. Larry Noe and Scott Sweetland, Mid-tier and Platform Integration R&D. Copyright © 2005, SAS Institute Inc. All rights reserved.

2 Scene from a Spy Thriller Movie…

3 Scene from a Spy Thriller Movie…
- User authentication
- Request for a resource
- Location and credentials for the resource
- User accesses the resource

4 User Authentication and Single Sign-on

5 Multi-domain Customer Environments (diagram labels: Web Servers, Application Servers, Database Servers)

6 Multi-tier Customer Environments (diagram labels: Web Browsers; Web Applications: Portals, Reporting and Analytic Tools; Web Servers; Application Servers)

7 SAS 9 Design Goals: Integrate the Platform through Metadata
- Infrastructure
- Information resources
- Business intelligence
- Security framework

8 SAS 9 Security Framework. The Metadata Server provides:
- A central location for user authentication
- Identity management
- Credential management

9 Single Sign-On Access (diagram labels: Web Servers, Compute Servers, Database Servers)

10 Handout: Resources of Interest
- Schedule of related SAS Presents
- Demo area for Security: Area 17
- SAS web resources
- Question and answer format: we are tight for time, so please bring your questions to us at the Security demo area

11 From Concepts to Implementation
- How applications use the Metadata Server for user authentication
- Credential management to support single sign-on
- Case studies

12 What is a Metadata Server?
- Secure access to your enterprise business and technical information
- What is modeled in metadata? Configuration, physical locations, business intelligence delivery, user identities

13 Metadata Server Authenticates Connecting Clients
- Verifying that the user "is who they claim to be"
- Typical authentication providers: host operating system, directory servers, user ID and password databases
- The SAS 9 Metadata Server supports: host OS authentication, LDAP, Microsoft Active Directory

14 Authenticating SAS 9 Application Users (1): the user logs on to the Application with a user ID and password.

15 Authenticating SAS 9 Application Users (2): the Application connects to the Metadata Server using those credentials.

16 Authenticating SAS 9 Application Users (3): the Metadata Server authenticates the user with the host OS (host authentication).

17 Authenticating SAS 9 Application Users (4): a successful connection authenticates the application user.

18 Identity Management in Metadata
- User and Group metadata objects
- SAS Management Console User Manager
- Benefits of identities in metadata: role-based security, personalization, shared user context between cooperating applications

19 Managing Identity Metadata with the SAS Management Console User Manager

20 Establishing Identity at the Metadata Server
- A Login object represents one authentication credential: user ID, password and authentication domain
- Logins are associated with user identities
- A user ID identifies exactly one user identity: the same user ID may appear on several of that user's logins (one per authentication domain, as below), but it must not appear on another user's logins

Logins for user Fred Smith (user ID | password | authentication domain):
Frsmith | secret | windomain
Frsmith | secret | unixhost1

21 Logins and Authentication Domains (SAS Management Console User Manager: user Fred Smith, Windows domain windomain)

22 Using Login Objects to Establish Identity (1): the Application presents windomain\Frsmith + password to the Metadata Server, and the host authenticates the user ID.

23 Using Login Objects to Establish Identity (2): the Metadata Server searches the Logins of its Users and Groups for a match to the authenticated user ID windomain\Frsmith.

24 Using Login Objects to Establish Identity (3): the user ID matches a Login of Fred Smith, so the metadata identity is established.

25 Using Login Objects to Establish Identity (4): the authenticated identity, Fred Smith, is returned to the Application.

26 Credential Management for Single Sign-On (diagram labels: SAS Workspace Servers, Database Servers)

27 Login Objects Provide Single Sign-On Credentials
- Application users request resources from servers
- Credentials are acquired without prompting the user
- A user's logins (user ID, password, authentication domain) can provide those credentials
- Applications match a credential to a server by the server's authentication domain

28 Providing a User with Logins. Login objects in metadata for one user with accounts on UNIX, z/OS and a Windows domain (user ID | password | authentication domain):
Unixusr | Secret | Unix
Winuser | Secret | windomain
ZosUser | Secret | zOS

29 Single Sign-On and Credentials in Metadata (1): the user selects a SAS table to view in the Application.

30 Single Sign-On and Credentials in Metadata (2): the Application queries metadata for the SAS library, the Workspace Server that serves it, and that server's authentication domain (windomain).

31 Single Sign-On and Credentials in Metadata (3): the Application checks the user's logins for one whose authentication domain matches the server's (windomain):
Unixusr | Secret | Unix
Winuser | Secret | windomain
ZosUser | Secret | zOS

32 Single Sign-On and Credentials in Metadata (4): a login matching authentication domain windomain is found: Winuser | Secret | windomain.

33 Single Sign-On and Credentials in Metadata (5): that login's credentials are used for the Workspace Server connection.

34 Single Sign-On and Credentials in Metadata (6): the user views the table.

35 Minimizing Credentials in Metadata. The same user's login objects as on slide 28, one per platform (user ID | password | authentication domain):
Unixusr | Secret | Unix
Winuser | Secret | windomain
ZosUser | Secret | zOS

36 Reducing the presence of credentials in metadata. Strategies:
- Caching log-on credentials at the application: works when the cached credentials are valid for the servers the user needs to use
- Group logins: the application checks for a single sign-on credential in this order: does the user have a login that matches the server's authentication domain? If not, is the user a member of a group with a matching login?
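The identity lookup of slides 22-25 and the credential matching of slides 27-36 in working form. This is an added example written for this page, not SAS code and not the product's actual algorithm: the class and function names, the precedence between a personal login, a group login and the cached log-on credentials, the exact string comparison of user IDs, and the sample users, groups and logins are all assumptions made here for illustration.

```python
"""Model of SAS 9 metadata identity and single sign-on credential lookup.

Added example, not SAS code: every name and ordering here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Login:
    """One Login object: user ID, password, authentication domain (slide 20)."""
    user_id: str                 # e.g. "windomain\\Frsmith"
    password: Optional[str]      # None models a login stored without a password (slide 50)
    auth_domain: str             # e.g. "DefaultAuth", "Unix", "DB2Auth"


@dataclass
class Identity:
    """A User or Group metadata object with its Logins; users list their group names."""
    name: str
    logins: List[Login] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)


class MetadataRepository:
    def __init__(self, users: List[Identity], groups: List[Identity]):
        self.users: Dict[str, Identity] = {u.name: u for u in users}
        self.groups: Dict[str, Identity] = {g.name: g for g in groups}
        self._check_user_ids_unique()

    def _check_user_ids_unique(self) -> None:
        # Slide 20: a user ID may belong to only one user identity; otherwise the
        # search in establish_identity() could return the wrong person.
        owner: Dict[str, str] = {}
        for u in self.users.values():
            for lg in u.logins:
                if owner.setdefault(lg.user_id, u.name) != u.name:
                    raise ValueError(f"user ID {lg.user_id!r} is on logins of both "
                                     f"{owner[lg.user_id]!r} and {u.name!r}")

    def establish_identity(self, authenticated_user_id: str) -> Optional[Identity]:
        # Slides 22-25: after the host authenticates the user ID, the Logins of
        # every user are searched for that ID; the owning User is the identity.
        # Exact string comparison is an assumption of this example; the slides
        # do not say how case or domain qualifiers are normalised.
        for u in self.users.values():
            if any(lg.user_id == authenticated_user_id for lg in u.logins):
                return u
        return None

    def sso_credential(self, user: Identity, server_auth_domain: str,
                       cached: Optional[Login] = None) -> Tuple[Optional[Login], str]:
        # Lookup order (slides 27-36 and the two case studies); the precedence
        # between the three sources is this example's assumption:
        #   1. the user's own login in the server's authentication domain
        #   2. a login of a group the user belongs to, in that domain
        #   3. the credentials the application cached at log-on, if the metadata
        #      log-on was in that domain (slide 50: the stored login has no
        #      password, so only the cached password can be used)
        for lg in user.logins:
            if lg.auth_domain == server_auth_domain and lg.password is not None:
                return lg, "personal login"
        for gname in user.groups:
            group = self.groups.get(gname)
            if group is None:
                continue
            for lg in group.logins:
                if lg.auth_domain == server_auth_domain and lg.password is not None:
                    return lg, "group login"
        if cached is not None and cached.auth_domain == server_auth_domain:
            return cached, "cached log-on credentials"
        return None, "no credential: application must prompt"


def sample_repository() -> MetadataRepository:
    """Constructed sample data modelled on the slides; not real accounts."""
    db2_readers = Identity("DB2 Readers",
                           logins=[Login("db2reader", "Secret", "DB2Auth")])
    fred = Identity("Fred Smith",
                    logins=[Login("windomain\\Frsmith", None, "DefaultAuth"),
                            Login("Unixusr", "Secret", "Unix"),
                            Login("ZosUser", "Secret", "zOS")],
                    groups=["DB2 Readers"])
    return MetadataRepository(users=[fred], groups=[db2_readers])


def run_walkthrough() -> Tuple[str, Dict[str, Tuple[Optional[str], str]]]:
    """Fred logs on as windomain\\Frsmith, then opens tables on four servers."""
    repo = sample_repository()
    user = repo.establish_identity("windomain\\Frsmith")
    assert user is not None
    # What the application cached when Fred logged on to the metadata server.
    cached = Login("windomain\\Frsmith", "password-typed-at-logon", "DefaultAuth")
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for domain in ("DefaultAuth", "Unix", "DB2Auth", "OracleAuth"):
        lg, how = repo.sso_credential(user, domain, cached)
        results[domain] = (lg.user_id if lg else None, how)
    return user.name, results


if __name__ == "__main__":
    name, outcome = run_walkthrough()
    print(name)
    for domain, (uid, how) in outcome.items():
        print(f"{domain:12} -> {uid!r} via {how}")
```

Run as a script, the block prints the established identity and then, for each server authentication domain, which source supplied the credential. The DefaultAuth case is the one from Case Study One: the stored login carries no password, so the application's cached log-on password is what reaches the Object Spawner; OracleAuth, with no personal, group or cached match, is the case where the application has to prompt the user.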

37 Case Study One: Information Map Studio
- Testing an information map that is based on a SAS data set accessed through a SAS 9 Workspace Server
- Strategy to reduce credentials stored in the metadata repository: caching of log-on credentials by the application

38 Information Maps
- User-friendly metadata definitions of physical data sources
- Enable your business users to query data with meaningful names
- The user presentation meets specific business needs
- Created in Information Map Studio

39 User Groups and BI Workflow
- The ETL team builds the data warehouse, marts, etc.
- The Information Architect determines the business needs for accessing data and builds Information Maps with Information Map Studio
- BI Analysts use Information Maps in Web Report Studio to build web-based reports
- Business users review reports for decision support

40 Server Topology and Authentication Domains (diagram labels: Windows network domain containing the Metadata Server and a SAS 9 Workspace Server, authentication domain DefaultAuth; Information Map Studio testing an information map)

41 Case Study One: Information Map Studio (the Information Map Studio user)

42 Credential Caching!

43 Case Study One: Information Map Studio. The credentials sugi30023\sasdemo + password are sent to the Metadata Server for authentication; the Metadata Server's host authenticates the connecting client; the Metadata Server then searches all Login objects in the metadata repository for sugi30023\sasdemo.

44 Your Identity


48 The library "stuff" contains the table "class", which is defined in the server context "SASMain".

49 The SASMain Workspace Server is registered in the DefaultAuth authentication domain.

50 Logins for the sasdemo user: one login is registered in the DefaultAuth authentication domain, but it has no password, so by itself it cannot supply a credential for the Workspace Server.

51 Single Sign-on to the Workspace Server. Information Map Studio "Run Test": the cached credentials sugi30023\sasdemo + password are sent to the Object Spawner for host authentication; the Workspace Server is launched as sugi30023\sasdemo; the Workspace Server runs the generated code, performs the query and returns the results table.


53 Case Study Two: Information Map Studio
- Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server
- Strategies to reduce credentials stored in the metadata repository: caching of log-on credentials by the application; a group login for the DB2 server

54 Server Topology and Authentication Domains (diagram labels: Windows network domain with the Metadata Server and Workspace Server, authentication domain DefaultAuth; IBM DB2® database on z/OS, authentication domain DB2Auth; Information Map Studio)

55 Case Study Two: Information Map Studio


58 Logins for the sasdemo user: one login is registered, and it is in the DefaultAuth authentication domain.

59 Logins for the sasdemo user: a personal login for DB2 is associated with the SAS Demo User.


61 Single Sign-on to the Workspace Server. Information Map Studio "Run Test": sugi30023\sasdemo + password go to the Object Spawner, which launches the Workspace Server; the generated SAS code connects to the DB2 server using the DB2 credentials; the Workspace Server runs the code, performs the query and returns the results.

62 Additional Case Studies
- Information map built against an OLAP cube
- Web Report Studio using the information maps generated in the previous case studies
- Web Report Studio configured for web authentication
- Web Report Studio using pooled workspace servers
- Metadata Server configured with an alternate authentication provider

63 Network Encryption
- All connections to SAS 9 servers can be encrypted using industry-standard encryption algorithms with the use of SAS/SECURE; RC2, RC4, DES and 3DES are currently supported (these were the algorithms available in 2005; all four are now considered too weak for new deployments)
- Three levels of encryption: None, Credentials and Everything
- My laptop in the demo booth is set up and running with full encryption using RC4: come over and see how it is set up

64 Alternate Authentication Providers
- The Metadata Server and OLAP Server can authenticate to an LDAP server or an Active Directory server
- Standard Workspace Servers and the Stored Process Server still require host authentication, though
- My laptop in the demo area is running an LDAP server: come by and see how this setup works and what the ramifications are for credential usage and storage

65 Used to manage personal user logins

66 SAS Demo User cannot see the logins for SAS Demo User 2

67 But SAS Demo User 2 does have a login

68 Concepts in our case studies
- SAS 9 applications use the Metadata Server for user authentication
- Credentials are managed in metadata to support single sign-on
- Strategies to reduce credential storage in metadata: credential caching, group logins


