Summary for Single Sign-On

There is no individual mechanism that provides end-to-end single sign-on (SSO). The following authentication processes are transparent:
  • Integrated Windows authentication (IWA) is based on previous authentication to your desktop and provides silent launch for SAS desktop applications (and, sometimes, silent access to the workspace server).
  • Web authentication is based on previous authentication to your Web realm and provides silent launch for SAS Web applications.
  • SAS token authentication requires a connection to the metadata server and provides silent access to most SAS servers.
  • Credential reuse and retrieval requires a connection to the metadata server and can provide silent access to any server.
Some configurations can interfere with SSO to back-end servers. This table summarizes the considerations:
SSO Considerations for Selected Authentication Mechanisms
Feature
Front-end SSO
Back-end SSO
Notes
Internal authentication
caution icon
caution icon
An internal account can't participate in IWA or Web authentication.
SAS token authentication
checkmark icon
Facilitates SSO to most SAS servers.
IWA
checkmark icon
caution icon
Facilitates silent launch of desktop applications. If not fully configured, prevents SSO to a standard workspace server.1
Web authentication
checkmark icon
caution icon
Facilitates silent launch of Web applications. Prevents SSO to a standard workspace server.1
Direct LDAP authentication
caution icon
caution icon
Not compatible with silent launch. Prevents SSO to a standard workspace server.1
PAM
checkmark icon
Can help unify authentication.
Credential Management
checkmark icon
Facilitates SSO to third-party servers and (in some configurations) workspace servers.
1Unless the server is configured for SAS token authentication or accessed using stored credentials.