Copyright © 2005, SAS Institute Inc. All rights reserved. User Authentication and Single Sign-on Across the SAS ® 9 Platform Larry Noe and Scott Sweetland,

Presentation transcript:

Copyright © 2005, SAS Institute Inc. All rights reserved. User Authentication and Single Sign-on Across the SAS ® 9 Platform Larry Noe and Scott Sweetland, Mid-tier and Platform Integration R&D

Scene from a Spy Thriller Movie…

Scene from a Spy Thriller Movie…
- User authentication
- Request for a resource
- Location and credentials for resource
- User accesses resource

User Authentication and Single Sign-on

Multi-domain Customer Environments
[Diagram: Web Servers; Application Servers; Database Servers]

Multi-tier Customer Environments
[Diagram: Web Browsers; Web Applications: Portals, Reporting and Analytic Tools; Web Servers; Application Servers]

SAS 9 Design Goals
Integrate the Platform through Metadata
- Infrastructure
- Information resources
- Business intelligence
- Security framework

SAS 9 Security Framework
Metadata Server provides
- Central location for user authentication
- Identity Management
- Credential Management

Single Sign-On Access
[Diagram: Web Servers; Compute Servers; Database Servers]

Handout: Resources of Interest
- Schedule of related SAS Presents
- Demo area for Security: Area 17
- SAS web resources
- Question and Answer format – tight for time so please bring your questions to us at the Security demo area

From Concepts to Implementation
- How applications use the Metadata server for User Authentication.
- Credential management to support single sign-on.
- Case Studies

What is a Metadata Server?
- Secure access to your Enterprise business and technical information
- What is modeled in Metadata? Configuration Physical Locations Business Intelligence Delivery User identities

Metadata Server Authenticates Connecting Clients
- Verifying user 'is who they claim to be'
- Typical authentication providers:
  - Host Operating System
  - Directory Servers
  - User ID and password databases
- SAS 9 Metadata server supports:
  - Host OS Authentication
  - LDAP
  - Microsoft Active Directory

Authenticating SAS 9 Application Users
[Diagram: User; Application; Metadata Server; Host Authentication]
1. User logs on: User ID & Password.
2. Application connects to Metadata Server using credentials.
3. Metadata Server authenticates User with Host OS.
4. Successful connection authenticates application user.

Identity Management in Metadata
- User and Group metadata objects
- SAS Management Console User Manager
- Benefits of Identities in Metadata:
  - Role-based Security
  - Personalization
  - Shared user context between cooperating applications

Managing Identity Metadata with the SAS Management Console User Manager

Establishing Identity at the Metadata Server
- Login object represents authentication credential
- Associated with user identities
- User ID must be unique for each user identity

User: Fred Smith
User ID | Password | Authentication Domain
Frsmith | secret | windomain
Frsmith | secret | unixhost1

Logins and Authentication Domains
[Screenshot: SAS MC User Manager; user Fred Smith; Windows domain: windomain]

Using Login Objects to Establish Identity
[Diagram: windomain\Frsmith + PW; Application; Metadata Server; Host Authentication; Users & Groups; Fred Smith]
1. Host authenticates User ID.
2. Logins are searched for a match to authenticated User ID windomain\Frsmith.
3. Metadata identity established: User ID matches Login windomain\Frsmith.
4. Authenticated identity returned to application.

Credential Management for Single Sign-On
[Diagram: SAS Workspace Servers; Database Servers]

Login Objects Provide Single Sign-On Credentials
- Application users request resources from servers
- Acquire credentials without prompting
- User logins can provide credentials
- Applications match credentials to server by Authentication Domain of the server.

[Table header: User ID | Password | Authentication Domain]

Providing a User with Logins
[Diagram: UNIX; zOS; Windows Domain; User]

Login Objects in Metadata
User ID | Password | Authentication Domain
Unixusr | Secret | Unix
Winuser | Secret | windomain
ZosUser | Secret | zOS

Single Sign-on and Credentials in Metadata
[Diagram: User; Application; User Identity; Metadata Server; Workspace Server; Table]
1. User selects a SAS Table to view.
2. Application queries metadata: SAS library, Workspace server, and Authentication Domain for Server. Auth Domain: windomain.
3. Application checks User's logins for match with server's Auth Domain: windomain. User's Logins:
   Unixusr | Secret | Unix
   Winuser | Secret | windomain
   ZosUser | Secret | zOS
4. User login matching Auth Domain: windomain is found: Winuser | Secret | windomain.
5. This logon credential is used for server connection.
6. User views Table.

Minimizing Credentials in Metadata
[Diagram: UNIX; zOS; Windows]

Login Objects in Metadata
User ID | Password | Authentication Domain
Unixusr | Secret | Unix
Winuser | Secret | Windomain
ZosUser | Secret | zOS

Reducing the Presence of Credentials in Metadata: Strategies
- Caching log-on credentials at the application
  - Works when cached credentials are valid for the servers the user needs to use.
- Group logins
  - Application checks for a single sign-on credential in this pattern:
    1. Does the user have a login that matches the auth domain?
    2. Is the user a member of a group with a matching login?
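
The identity match and the credential lookup pattern from the slides above, as a small Python model added here for illustration; it is not SAS code and uses no SAS API. The class and function names, the `DB2 Users` group and its `db2grp` login, the placeholder passwords, and the position of the cached credential between personal and group logins are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Login:
    user_id: str
    password: Optional[str]  # None models a login stored without a password
    auth_domain: str

@dataclass
class Identity:
    name: str
    logins: List[Login] = field(default_factory=list)
    groups: List["Identity"] = field(default_factory=list)

def resolve_identity(identities: List[Identity], user_id: str) -> Optional[Identity]:
    """Map a host-authenticated user ID to the one identity that owns it."""
    owners = [i for i in identities
              if any(l.user_id == user_id for l in i.logins)]
    # A user ID must be unique per identity; an ambiguous match is refused.
    return owners[0] if len(owners) == 1 else None

def select_credential(user: Identity, server_domain: str,
                      cached: Optional[Login] = None) -> Optional[Tuple[str, Login]]:
    """Pick the credential for a server by the server's authentication domain."""
    # 1. A personal login in the server's domain with a stored password.
    for login in user.logins:
        if login.auth_domain == server_domain and login.password is not None:
            return ("personal", login)
    # 2. The logon credential cached by the application, if valid for this domain.
    if cached is not None and cached.auth_domain == server_domain:
        return ("cached", cached)
    # 3. A login owned by a group the user belongs to.
    for group in user.groups:
        for login in group.logins:
            if login.auth_domain == server_domain and login.password is not None:
                return ("group", login)
    return None  # no single sign-on credential: the application must prompt

# Constructed sample data modelled on the slides; passwords are placeholders.
db2_users = Identity("DB2 Users", [Login("db2grp", "placeholder-pw", "DB2Auth")])
sasdemo = Identity("SAS Demo User",
                   [Login(r"sugi30023\sasdemo", None, "DefaultAuth")],
                   [db2_users])
fred = Identity("Fred Smith", [Login("Unixusr", "placeholder-pw", "Unix"),
                               Login("Winuser", "placeholder-pw", "windomain"),
                               Login("ZosUser", "placeholder-pw", "zOS")])
CACHED = Login(r"sugi30023\sasdemo", "typed-at-logon", "DefaultAuth")

if __name__ == "__main__":
    who = resolve_identity([fred, sasdemo], r"sugi30023\sasdemo")
    for domain in ("DefaultAuth", "DB2Auth", "zOS"):
        print(domain, select_credential(who, domain, CACHED))
```

With a password-less personal login and a group login, the only secret held in metadata for this user is the shared DB2 one, which is the reduction the two strategies aim for.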

Case Study One: Information Map Studio
- Testing an information map that is based on a SAS dataset accessed through a SAS 9 Workspace Server
- Strategies to reduce credentials stored in metadata repository:
  - Caching of log-on credentials by the application

Information Maps
- User-friendly metadata definitions of physical data sources
- Enable your business users to query data with meaningful names
- User presentation meets specific business needs
- Created in Information Map Studio

User Groups and BI Workflow
- ETL team builds data warehouse, mart, etc.
- Information Architect determines business needs for accessing data and builds Information Maps with Information Map Studio
- BI Analysts use Information Maps in Web Report Studio to build web-based reports
- Business Users review reports for decision support

Server Topology and Authentication Domains
[Diagram: Windows Network Domain; Metadata Server; SAS 9 Workspace Server; Authentication Domain: DefaultAuth; Information Map Studio; Testing an Information Map]

Case Study One: Information Map Studio
[Screenshot: Information Map Studio user]

Credential Caching!

Case Study One: Information Map Studio
[Diagram: Metadata Server; Host Authentication; Metadata Repository]
1. Credentials (sugi30023\sasdemo + pw) sent to the metadata server for authentication.
2. Metadata server host authenticates the connecting client.
3. Metadata server searches for sugi30023\sasdemo in all login objects.

Your Identity


The library “stuff” contains the table “class” which is defined in the server context “SASMain”

SASMain workspace server is registered in the DefaultAuth authentication domain.

Logins for sasdemo User
One login is registered in the DefaultAuth authentication domain, but it has no password…

Single Sign-on to Workspace Server
[Diagram: Information Map Studio "Run Test"; Object Spawner; Workspace Server; Table]
1. Cached credentials (sugi30023\sasdemo + pw) sent to the Object Spawner for host authentication.
2. Workspace server launched as sugi30023\sasdemo.
3. Workspace server runs generated code, performs query and returns results.


Case Study Two: Information Map Studio
- Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server
- Strategies to reduce credentials stored in metadata repository:
  - Caching of login credentials by the application
  - Group login for DB2 server

Server Topology and Authentication Domains
[Diagram: z/OS; Windows Network Domain; Metadata Server; IBM DB2® Database; Auth Domain: DefaultAuth; Auth Domain: DB2Auth; Information Map Studio; Workspace Server]

Case Study Two: Information Map Studio


Logins for sasdemo User
One login is registered and it is in the DefaultAuth authentication domain

Logins for sasdemo User
Personal login for DB2 associated with the SAS Demo User


Single Sign-on to Workspace Server
[Diagram: Information Map Studio "Run Test"; sugi30023\sasdemo + pw; Object Spawner; Workspace Server; DB2 Server]
- SAS code connects to DB2 using DB2 credentials
- Workspace server runs generated code, performs query and returns results

Additional Case Studies
- Information map built against an OLAP cube
- Web Report Studio using information maps generated in previous case studies
- Web Report Studio configured for web authentication
- Web Report Studio using pooled workspace servers
- Metadata Server configured with an alternate authentication provider

Network Encryption
- All connections to SAS 9 servers can be encrypted using industry standard encryption algorithms with the use of SAS/SECURE; RC2, RC4, DES and 3DES currently supported
- Three levels of encryption: None, Credentials and Everything
- My laptop in the demo booth is set up and running with full encryption using RC4 – come over and see how it is set up

Alternate Authentication Providers
- The Metadata server and OLAP server can authenticate to an LDAP server or an Active Directory server
- Standard Workspace servers and the Stored Process server require host authentication though
- My laptop in the demo area is running an LDAP server – come by and see how this setup works and what the ramifications are for credential usage and storage

Used to manage personal user logins

SAS Demo User cannot see the logins for SAS Demo User 2

But, SAS Demo User 2 does have a login

Concepts in our case studies
- SAS 9 applications use the Metadata server for User authentication.
- Credentials are managed in Metadata to support single sign-on.
- Strategies to reduce credential storage in Metadata:
  - Credential Caching
  - Group Logins
