User Authentication and Single Sign-on Across the SAS9 Platform

quicksandwalleye: Internet and Web Applications

31 Oct 2013 (3 years and 7 months ago)

74 views

Copyright © 2005, SAS Institute Inc. All rights reserved.

User Authentication and Single Sign-on Across the SAS® 9 Platform

Larry Noe and Scott Sweetland,

Mid-tier and Platform Integration R&D

Scene from a Spy Thriller Movie…

User authentication

Request for a resource

Location and credentials for resource

User accesses resource

User Authentication and Single Sign-on

Multi-domain Customer Environments

Web Servers

Application Servers

Database Servers

SAS 9 Design Goals

Integrate the Platform through Metadata

Infrastructure

Information resources

Business intelligence

Security framework

SAS 9 Security Framework

Metadata Server provides

Central location for user authentication

Identity Management

Credential Management

Single Sign-On Access

Web Servers

Compute Servers

Database Servers

Handout: Resources of Interest

Schedule of related SAS Presents

Demo area for Security: Area 17

SAS web resources

Question and Answer format

We are tight for time, so please bring your questions to us at the Security demo area

From Concepts to Implementation

How applications use the Metadata server for User Authentication.

Credential management to support single sign-on.

Case Studies

What is a Metadata Server?

Secure access to your Enterprise business and technical information

What is modeled in Metadata?

Configuration

Physical Locations

Business Intelligence

Delivery

User identities

Metadata Server Authenticates Connecting Clients

Verifying user ‘is who they claim to be’

Typical authentication providers:

Host Operating System

Directory Servers

User ID and password databases

SAS 9 Metadata server supports:

Host OS Authentication

LDAP

Microsoft Active Directory

Authenticating SAS 9 Application Users

(Diagram: User, Application, Metadata Server, Host Authentication)

User logs on to the Application with User ID & Password.

Application connects to the Metadata Server using those credentials.

Metadata Server authenticates the User with Host OS authentication.

Successful connection authenticates the application user.

Identity Management in Metadata

User and Group metadata objects

SAS Management Console User Manager

Benefits of Identities in Metadata:

Role-based Security

Personalization

Shared user context between cooperating applications

Managing Identity Metadata with the SAS Management Console User Manager

Establishing Identity at the Metadata Server

Login object represents authentication credential

Associated with user identities

User ID must be unique for each user identity

Login: User ID | Password | Authentication Domain

User: Fred Smith

Frsmith | secret | windomain

Frsmith | secret | unixhost1

Logins and Authentication Domains

Windows domain: windomain

SAS MC User Manager: Fred Smith

Using Login Objects to Establish Identity

(Diagram: Application, Metadata Server, Host Authentication, Users & Groups)

Application sends windomain\Frsmith + PW to the Metadata Server.

Metadata Server passes the credential to Host Authentication; the host authenticates the User ID.

Logins in the Users & Groups metadata are searched for a match to the authenticated User ID windomain\Frsmith.

User ID matches the Login windomain\Frsmith: the metadata identity Fred Smith is established.

Authenticated identity (Fred Smith) returned to the application.

Credential Management for Single Sign-On

SAS Workspace Servers

Database Servers

Login Objects Provide Single Sign-On Credentials

Application users request resources from servers

Acquire credentials without prompting

User logins can provide credentials

Applications match credentials to server by Authentication Domain of the server.

Login: User ID | Password | Authentication Domain

Providing a User with Logins

User Login Objects in Metadata (one each for UNIX, the Windows Domain and z/OS):

User ID | password | Authentication Domain

Unixusr | Secret | Unix

Winuser | Secret | windomain

ZosUser | Secret | zOS

Single Sign-on and Credentials in Metadata

(Diagram: User, Application, Metadata Server, Workspace Server, Table)

User selects a SAS Table to view.

Application queries metadata: SAS library, Workspace server, and Authentication Domain for the Server (Auth Domain: windomain).

Application checks the User’s logins for a match with the server’s Auth Domain: windomain

User’s Logins:

Unixusr | Secret | Unix

Winuser | Secret | windomain

ZosUser | Secret | zOS

Login matching Auth Domain: windomain is found: Winuser | Secret | windomain

This logon credential is used for the Workspace server connection.

User views Table.

Minimizing Credentials in Metadata

Login Objects in Metadata (UNIX, z/OS, Windows):

User ID | password | Authentication Domain

Unixusr | Secret | Unix

Winuser | Secret | Windomain

ZosUser | Secret | zOS

Reducing the presence of credentials in Metadata.

Strategies

Caching Log-on credentials at the application

Works when the cached credentials are valid for the servers the User needs to use.

Group logins

Application checks for a single sign-on credential in this pattern:

Does the User have a login that matches the auth domain?

Is the User a member of a Group with a matching login?
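The credential-selection pattern above, together with the login search described under "Using Login Objects to Establish Identity", as an added example written for this page (not SAS code). It models Login, User and Group metadata objects in Python and walks the case-study data that follows: the sasdemo identity with a password-less DefaultAuth login, the cached log-on credential, and a group login for the DB2Auth domain. The group name "DB2 Users", the DB2 user ID "db2svc", all passwords, and the case-insensitive comparison of user IDs and authentication domain names are assumptions of the example, not facts from the slides.

```python
"""Model of SAS 9 metadata logins: identity resolution and single sign-on
credential lookup. Added example for this page; not SAS source code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Login:
    """A Login metadata object: User ID, Password, Authentication Domain."""
    user_id: str
    password: Optional[str]   # None models a login registered without a password
    auth_domain: str


@dataclass
class User:
    name: str
    logins: list[Login] = field(default_factory=list)


@dataclass
class Group:
    name: str
    members: set[str] = field(default_factory=set)   # member user names
    logins: list[Login] = field(default_factory=list)


def _same(a: str, b: str) -> bool:
    # Assumption of this example: user IDs (with any domain\ qualifier) and
    # authentication domain names compare case-insensitively.
    return a.casefold() == b.casefold()


def resolve_identity(authenticated_id: str, users: list[User]) -> Optional[User]:
    """After host authentication, search every login object for the
    authenticated User ID and return the owning identity. The deck requires
    a User ID to be unique per identity; an ambiguous match is therefore a
    configuration error, not something to resolve by picking the first hit."""
    matches = [u for u in users
               if any(_same(lg.user_id, authenticated_id) for lg in u.logins)]
    if not matches:
        return None
    if len(matches) > 1:
        names = [u.name for u in matches]
        raise ValueError(f"login {authenticated_id!r} belongs to {names}; "
                         "user IDs must be unique per identity")
    return matches[0]


def find_sso_credential(user: User, groups: list[Group], server_auth_domain: str,
                        cached: Optional[Login] = None) -> Optional[Login]:
    """Pick a credential for a server by its Authentication Domain, in the
    order the 'Strategies' slide lists:
      1. the log-on credential the application cached, if the user logged on
         in the server's authentication domain;
      2. the user's own login in that domain;
      3. a login of a group the user belongs to in that domain.
    A login without a password can establish identity but cannot open a
    connection, so it is skipped (case study one)."""
    def usable(lg: Login) -> bool:
        return _same(lg.auth_domain, server_auth_domain) and bool(lg.password)

    if cached is not None and usable(cached):
        return cached
    for lg in user.logins:
        if usable(lg):
            return lg
    for grp in groups:
        if user.name in grp.members:
            for lg in grp.logins:
                if usable(lg):
                    return lg
    return None


def case_study_scenario() -> dict:
    """Constructed data modelled on case studies one and two."""
    sasdemo = User("SAS Demo User", [Login("sugi30023\\sasdemo", None, "DefaultAuth")])
    fred = User("Fred Smith", [Login("windomain\\Frsmith", "secret", "windomain"),
                               Login("Frsmith", "secret", "unixhost1")])
    # Assumed group login: one shared DB2 account for every member of the group.
    db2_users = Group("DB2 Users", {"SAS Demo User"}, [Login("db2svc", "db2pw", "DB2Auth")])
    users, groups = [sasdemo, fred], [db2_users]

    # The ID and password typed at log-on were authenticated by the metadata
    # server's host, so the application caches them under DefaultAuth.
    cached = Login("sugi30023\\sasdemo", "pw", "DefaultAuth")
    me = resolve_identity("sugi30023\\sasdemo", users)
    assert me is not None
    return {
        "identity": me.name,
        "workspace": find_sso_credential(me, groups, "DefaultAuth", cached),  # cached log-on
        "db2": find_sso_credential(me, groups, "DB2Auth", cached),            # group login
        "zos": find_sso_credential(me, groups, "zOS", cached),                # none: must prompt
    }


if __name__ == "__main__":
    for server, cred in case_study_scenario().items():
        print(server, "->", cred)
```

The ambiguity check in resolve_identity is the operational consequence of "User ID must be unique for each user identity": if two identities carry the same login, the server cannot tell which user has authenticated, so the example refuses rather than guessing. The order in find_sso_credential also shows why a login without a password is still worth registering: it establishes who the user is, while the cached credential does the connecting, and no password has to be stored in the repository for servers in the user's own authentication domain.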

Case Study One: Information Map Studio

Testing an information map that is based on a SAS dataset accessed through a SAS 9 Workspace Server

Strategies to reduce credentials stored in metadata repository:

Caching of log on credentials by the application

Information Maps

User-friendly metadata definitions of physical data sources

Enable your business users to query data with meaningful names

User presentation meets specific business needs

Created in Information Map Studio

User Groups and BI Workflow

ETL team builds data warehouse, mart, etc.

Information Architect determines business needs for accessing data and builds Information Maps with Information Map Studio

BI Analysts use Information Maps in Web Report Studio to build web-based reports

Business Users review reports for decision support

Server Topology and Authentication Domains

(Diagram) Windows Network Domain: Metadata Server and SAS 9 Workspace Server, Authentication Domain: DefaultAuth

Information Map Studio: Testing an Information Map

Case Study One: Information Map Studio

Information Map Studio user

Credential Caching!

Case Study One: Information Map Studio

Credentials sugi30023\sasdemo + pw sent to the metadata server for authentication

Metadata server host authenticates the connecting client (Host Authentication)

Metadata server searches for sugi30023\sasdemo in all login objects in the Metadata Repository

Your Identity

The library “stuff” contains the table “class” which is defined in the server context “SASMain”

SASMain workspace server is registered in the DefaultAuth authentication domain.

Logins for sasdemo User

One login is registered in the DefaultAuth authentication domain, but it has no password…

Single Sign-on to Workspace Server

Information Map Studio: “Run Test”

Cached credentials sugi30023\sasdemo + pw sent to the Object Spawner for host authentication

Workspace server launched as sugi30023\sasdemo

Workspace server runs generated code, performs query and returns results (Table)

Case Study Two: Information Map Studio

Testing an information map that is based on a table in a DB2 database server accessed through a SAS 9 Workspace Server

Strategies to reduce credentials stored in metadata repository:

Caching of login credentials by the application

Group login for DB2 server

Server Topology and Authentication Domains

(Diagram) Windows Network Domain: Metadata Server, Workspace Server, Information Map Studio; Auth Domain: DefaultAuth

z/OS: IBM DB2® Database; Auth Domain: DB2Auth

Case Study Two: Information Map Studio

Logins for sasdemo User

One login is registered and it is in the DefaultAuth authentication domain

Personal login for DB2 associated with the SAS Demo User

Single Sign-on to Workspace Server

Information Map Studio: “Run Test”

sugi30023\sasdemo + pw sent to the Object Spawner; Workspace Server launched

SAS code connects to the DB2 Server using DB2 credentials

Workspace server runs generated code, performs query and returns results

Additional Case Studies

Information map built against an OLAP cube

Web Report Studio using information maps generated in previous case studies

Web Report Studio configured for web authentication

Web Report Studio using pooled workspace servers

Metadata Server configured with an alternate authentication provider

Concepts in our case studies

SAS 9 applications use the Metadata server for User authentication.

Credentials are managed in Metadata to support single sign-on.

Strategies to reduce credential storage in Metadata

Credential Caching

Group Logins