How to Configure Web Authentication

Overview of Configuring Web Authentication
Vendor-Specific Instructions for Web Authentication
Logins for Users Who Participate in Web Authentication

Overview of Configuring Web Authentication

Note: Before you configure Web authentication, verify that this is an appropriate choice in your environment. See Web Authentication.
Configuring Web authentication consists of the following high-level tasks:
  1. Make configuration changes to SAS components (for example, edit the SAS login.config file to reference the web domain, add security information to the SAS Logon Manager application, and adjust the classpath for the Remote Services application).
  2. Make configuration changes to your Web environment (for example, add login modules and make SAS JAR files available).
  3. Rebuild and redeploy the SAS Web applications. Update and restart the Web application server.
  4. Verify or adjust user information in the SAS metadata so that each user who participates in Web authentication has an appropriate login in his or her metadata definition.

Vendor-Specific Instructions for Web Authentication

Many of the implementation details for Web authentication differ by product. For this reason, instructions for setting up Web authentication in each Web application server are available in separate documents from the third-party software support pages at http://support.sas.com/resources/thirdpartysupport/index.html.

Logins for Users Who Participate in Web Authentication

If you choose to configure Web authentication, make sure that user metadata definitions include logins as explained in this topic.
Someone who uses only Web applications should have a login in the web authentication domain. For example: 
web           | joe       | (no password)
Someone who uses both Web and desktop applications might need two logins. One login contains the user's authenticated ID after logging on to a desktop application, and the other login contains the user's authenticated ID after logging on to a Web application. For example: 
DefaultAuth   | WIN\joe   | (no password)
web           | joe       | (no password)
In the preceding example, two logins are needed because the format of the authenticated user ID differs in each context as follows:
  • When Joe logs on to a desktop application (as joe), SAS obtains his user ID in down-level format (WIN\joe), and that string is matched to the user ID in Joe's DefaultAuth login.
  • When Joe logs on to a Web application (as joe), SAS obtains his user ID in short format (joe), and that string is matched to the user ID in Joe's web login.
However, if the authenticated user ID is identical in both contexts, the web login is not needed. If SAS obtains both authenticated user IDs as joe, the web login is not needed. In the following example, the metadata server is not authenticating against Windows accounts and the web login is not needed. When Joe logs on to a Web application, the presence of his DefaultAuth login (which contains the correct user ID) is sufficient for the metadata server to successfully determine his metadata identity. 
DefaultAuth   | joe  | (no password)
web           | joe  | (no password)
Note: If your Web environment uses Integrated Windows authentication, you must pay careful attention to the format in which SAS obtains user IDs from the Web realm. If you find that users of Web applications have only the PUBLIC identity, it is likely that the user ID in each web login is not in the same format as the user ID that SAS obtains from the Web realm.
Note: This isn't a comprehensive discussion of logins; some users might have additional logins for other purposes.

See Also

How Logins Are Used
Authentication to the Metadata Server
Windows User ID Formats
Copyright © SAS Institute Inc. All rights reserved.