SAS Token Authentication

Summary
The metadata server generates and validates a single-use identity token for each authentication event. As a result, participating SAS servers accept users who are already connected to the metadata server.
Scope
  • Primarily used for metadata-aware connections to the stored process server, the server-side pooled workspace server, the OLAP server, the content server, and (in a specialized configuration) the standard workspace server.
  • Also used by launched servers to connect back to the metadata server (for example, from the workspace server to the metadata server for library pre-assignment).
Benefits
  • Preserves client identity for metadata layer access control and auditing purposes.
  • No individual external accounts are required, no user passwords are stored in the metadata, and no reusable credentials are transmitted.
Limits
  • On the workspace server, reduces granularity of host access.
  • Supported only for metadata-aware connections (in which the client learns about the target server by reading the server's metadata definition).
Use
Optional for the workspace server, otherwise mandatory within its scope.
The following figure is an abstraction of how this mechanism works.
Figure: SAS Token Authentication
The numbers in the figure correspond to these actions:
  1. Over the user's existing connection to the metadata server, the client requests an identity token for the target server. This step is initiated by a user request that requires access to the target server (for example, by a request in SAS Enterprise Guide for a cube that is associated with the OLAP server).
  2. The metadata server generates the token and sends it to the client.
  3. The client provides the token to the target server.
  4. The target server sends the token to the metadata server for validation.
  5. The metadata server validates the token and returns an acceptance message and a representation of the user to the target server.
  6. The target server accepts the connection.
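The exchange in steps 1 through 6, as an added Python model (not SAS code and not the actual wire protocol): the metadata server issues a single-use token bound to the already-authenticated user and the named target server, the target server hands the token back for validation, and a replayed token is refused. The token format, its lifetime and the target-server binding are assumptions made for illustration.

```python
import secrets
import time


class MetadataServer:
    """Issues and validates single-use identity tokens (models steps 1-2 and 4-5)."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds  # lifetime is an assumption; the page does not specify one
        self._pending = {}  # token -> (user, target server, expiry)

    def issue_token(self, authenticated_user, target_server):
        # The user is already authenticated on an existing connection, so the
        # token carries only an identity binding, never a password.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (authenticated_user, target_server, time.monotonic() + self.ttl)
        return token

    def validate_token(self, token, presenting_server):
        # pop() makes the token single-use: a second presentation finds nothing.
        entry = self._pending.pop(token, None)
        if entry is None:
            return None
        user, target, expiry = entry
        # Reject a token minted for a different server, or one that sat too long.
        if target != presenting_server or time.monotonic() > expiry:
            return None
        return {"user": user}  # the "representation of the user" from step 5


class TargetServer:
    """A participating server (for example OLAP) that trusts the metadata server's answer."""

    def __init__(self, name, metadata_server):
        self.name = name
        self.metadata_server = metadata_server

    def connect(self, token):
        # Steps 3, 4 and 6: accept the client only if the metadata server vouches for it.
        identity = self.metadata_server.validate_token(token, self.name)
        if identity is None:
            return None
        return f"session for {identity['user']} on {self.name}"


def run_flow():
    """Client side of the exchange; returns (first attempt, replay attempt)."""
    ms = MetadataServer()
    olap = TargetServer("OLAP", ms)
    token = ms.issue_token("alice", "OLAP")  # steps 1-2 over the existing connection
    return olap.connect(token), olap.connect(token)
```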