SAS Token Authentication

Summary: The metadata server generates and validates a single-use identity token for each authentication event. This has the effect of causing participating SAS servers to accept users who are connected to the metadata server.

Scope:
- Primarily used for metadata-aware connections to the stored process server, the server-side pooled workspace server, the OLAP server, the content server, and (in a specialized configuration) the standard workspace server.
- Also used by launched servers to connect back to the metadata server (for example, from the workspace server to the metadata server for library pre-assignment).

Benefits:
- Preserves client identity for metadata layer access control and auditing purposes.
- No individual external accounts are required, no user passwords are stored in the metadata, and no reusable credentials are transmitted.

Limits:
- On the workspace server, reduces granularity of host access.
- Supported only for metadata-aware connections (in which the client learns about the target server by reading the server's metadata definition).

Use: Optional for the workspace server, otherwise mandatory within its scope.
|
The following figure is an abstraction of how this mechanism works. The numbers in the figure correspond to these actions:

1. Over the user's existing connection to the metadata server, the client requests an identity token for the target server. This step is initiated by a user request that requires access to the target server (for example, by a request in SAS Enterprise Guide for a cube that is associated with the OLAP server).
2. The metadata server generates the token and sends it to the client.
3. The client provides the token to the target server.
4. The target server sends the token to the metadata server for validation.
5. The metadata server validates the token and returns an acceptance message and a representation of the user to the target server.
6. The target server accepts the connection.
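As an added illustration (not SAS code; the token format, lifetime and method names are assumptions), the following Python models the six-step exchange above and the single-use property that makes it safe to pass the token through the client: a token redeemed once, replayed, expired, or presented by a server other than the one it was issued for is rejected, and the target server learns the user's identity only from the metadata server's validation response.

```python
import secrets
import time

# Constructed simulation of the single-use identity-token exchange described
# above. Token format, lifetimes and method names are assumptions for
# illustration, not SAS's actual implementation.

class MetadataServer:
    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._tokens = {}  # token -> (user, target_server, expires_at)

    def issue_token(self, user, target_server):
        # Steps 1-2: the client already holds an authenticated connection as
        # `user`; the token is random, bound to one target server, time-limited.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, target_server, time.time() + self.ttl)
        return token

    def validate_token(self, token, presenting_server):
        # Steps 4-5: the target server calls back. pop() makes the token
        # single-use: any second presentation (replay) finds nothing.
        record = self._tokens.pop(token, None)
        if record is None:
            return None  # unknown, already redeemed, or forged
        user, target_server, expires_at = record
        if time.time() > expires_at or target_server != presenting_server:
            return None  # expired, or redeemed by a server it was not issued for
        return {"user": user}  # representation of the user for access control/audit

class TargetServer:
    def __init__(self, name, metadata_server):
        self.name = name
        self.metadata_server = metadata_server

    def connect(self, token):
        # Steps 3 and 6: accept only if the metadata server vouches for the token.
        identity = self.metadata_server.validate_token(token, self.name)
        return identity["user"] if identity else None

def demo():
    ms = MetadataServer()
    olap = TargetServer("OLAPServer", ms)
    stored_proc = TargetServer("StoredProcessServer", ms)
    tok = ms.issue_token("sasdemo", "OLAPServer")  # constructed sample user
    first = olap.connect(tok)          # accepted: returns 'sasdemo'
    replay = olap.connect(tok)         # rejected: token already consumed
    tok2 = ms.issue_token("sasdemo", "OLAPServer")
    wrong = stored_proc.connect(tok2)  # rejected: issued for a different server
    return first, replay, wrong
```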