
Authentication Mechanisms

Credential Management

Summary: A supporting feature in which clients reuse cached credentials or retrieve stored credentials. Clients use authentication domain assignments to determine which credentials are valid for which servers. The target server validates the client-supplied credentials against its authentication provider.

Scope: From clients that are already connected to the metadata server to third-party servers, the Scalable Performance Data Server, and, in some cases, the workspace server.

Benefits: Provides access to servers using individual or shared accounts.

Limits:
  • Involves passing user IDs and passwords across the network.

  • Can involve maintaining SAS copies of external passwords.

Use: Always available

Credential management techniques populate an in-memory list of credentials for each connected user. Each list is called a user context and includes these entries:

Note: Credentials from a user or group's Accounts tab are not included in the initial list that is created when a user logs on. Instead, such credentials are added to the list dynamically (when and if they are needed in the course of the user's session).

The following table depicts an example of the contents of a user context:

Example: Contents of a User Context

User ID       Password   Authentication Domain
myWinID       ********   DefaultAuth
GroupDBMSid   ********   DBMSauth

Notice that each entry is assigned to an authentication domain. This enables pairing of credentials with the servers for which they are valid. The entries are created as follows:

When a user requests access to a server that requires credential-based authentication, the client completes these steps:

  1. Examine the server's metadata to determine which authentication domain the server belongs to. This information is on the Options tab of each of the server's connection objects in SAS Management Console.

  2. Examine the user's context to determine whether it includes any credentials that are assigned to the target server's authentication domain. The process is as follows:

    • If the context includes a cached entry for the target authentication domain, that entry is used.

    • If the user context contains a retrieved entry for that authentication domain, that entry is used. If there is more than one retrieved entry for an authentication domain, the entry that is closest to the user is used. See Identity Precedence.

    • If there is an identity precedence tie among retrieved entries (for example, if a user is a direct member of two groups and both groups have logins in the relevant authentication domain), the same login is used consistently, but you can't control which of the two logins is used.

    • If the user context contains no entries in the target authentication domain, desktop clients will prompt the user for credentials. Web applications can't prompt.

      Note: SAS Web Report Studio has an interactive password management feature. See Providing DBMS Credentials Interactively in the SAS Intelligence Platform: Web Application Administration Guide.

  3. Present the credentials to the target server for authentication against its provider.
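
The selection logic in step 2 can be modelled as follows. This is an added Python example, not SAS code or part of the original documentation: the `Entry` fields, the integer `distance` standing in for identity precedence, the user-ID tiebreak, and the exact-match comparison of domain names are assumptions made for illustration, and the sample context beyond the two rows of the example table is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    user_id: str
    password: str
    auth_domain: str
    source: str        # "cached", "retrieved" or "prompted"
    distance: int = 0  # assumed precedence model: 0 = user's own login, 1 = direct group, ...

class NoCredentials(Exception):
    """No entry for the domain and the client cannot prompt (web application case)."""

def select_credentials(context, server_domain, can_prompt=False, prompt=None):
    """Pick the entry a client would present to a server in server_domain."""
    matches = [e for e in context if e.auth_domain == server_domain]
    cached = [e for e in matches if e.source == "cached"]
    if cached:
        return cached[0]
    retrieved = [e for e in matches if e.source == "retrieved"]
    if retrieved:
        # Closest identity wins. Ties are broken by user ID here only so the
        # choice is stable; the real tiebreak is not something you control.
        return min(retrieved, key=lambda e: (e.distance, e.user_id))
    if can_prompt and prompt is not None:
        user_id, password = prompt(server_domain)  # desktop clients only
        return Entry(user_id, password, server_domain, "prompted")
    raise NoCredentials(f"no credentials for authentication domain {server_domain!r}")

# Constructed sample context: the first two rows mirror the example table
# (their source values are assumed); the last two are invented to exercise
# precedence and the tie case. Passwords are placeholders.
CONTEXT = [
    Entry("myWinID", "<placeholder>", "DefaultAuth", "cached"),
    Entry("GroupDBMSid", "<placeholder>", "DBMSauth", "retrieved", distance=1),
    Entry("OtherGroupDBMSid", "<placeholder>", "DBMSauth", "retrieved", distance=1),
    Entry("NestedGroupDBMSid", "<placeholder>", "DBMSauth", "retrieved", distance=2),
]

if __name__ == "__main__":
    # "OracleAuth" is a hypothetical domain with no entry in the context.
    for domain in ("DefaultAuth", "DBMSauth", "OracleAuth"):
        try:
            print(domain, "->", select_credentials(CONTEXT, domain).user_id)
        except NoCredentials as exc:
            print(domain, "->", exc)
```

Because two group logins tie at the same distance in `DBMSauth`, the login a user ends up presenting is stable but not configurable, which is worth knowing when auditing which shared account a session actually used.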

Here are some additional tips:
