How to Facilitate Authentication

Identify or Create User Accounts

Each user must have an account that provides access to the metadata server, either directly or through a trust relationship. Determine which of the following situations applies to you and complete any tasks as indicated.
  • In the simplest case, users already have accounts that are known to the metadata server's host, so no action on your part is required. For example, the metadata server is on UNIX, and users have accounts in an LDAP provider that the UNIX host recognizes. Or the metadata server is on Windows, and users have Active Directory accounts.
  • In some cases, users have accounts that aren't currently recognized by the metadata server's host. Consider the examples in the following table.
    Incorporating Unrelated Accounts

    Scenario: You have Active Directory accounts but the metadata server is on UNIX.
    Possible Solution: Enable the UNIX host to recognize the accounts. See Pluggable Authentication Modules (PAM).

    Scenario: You have accounts in an LDAP provider that isn't known to the metadata server's host.
    Possible Solution: Enable the metadata server itself to recognize the LDAP provider. See Direct LDAP Authentication.

    Scenario: You have accounts that are known at your Web perimeter but aren't known to the metadata server's host.
    Possible Solution: Enable the metadata server to trust users who have authenticated at the Web perimeter. See Web Authentication.
    Note: This is only a partial solution, because users of desktop applications still need accounts that can be validated by the metadata server or its host.
  • In other cases, you must add accounts to your environment. Although it is technically possible to instead use SAS internal accounts for this purpose, those accounts aren't intended for regular users.
  • Anyone who directly connects to the OLAP server (without first connecting to the metadata server) needs an account with the OLAP server.
Note: Regardless of where your user accounts are located, you must also create corresponding user information in the SAS Metadata Repository. Without such information, users have only the generic PUBLIC identity in the SAS realm. By default, this identity has no access to metadata and can't even log on to certain applications. See Authentication to the Metadata Server.

Coordinate the Workspace Server

Seamless access to the workspace server depends on coordination between that server and the metadata server. This coordination is necessary because authentication to the workspace server is, by default, performed by the workspace server's host. The following table provides general recommendations:
Coordinate the Workspace Server with the Metadata Server

Scenario: The servers run on Windows or UNIX.
Recommendation: Use host authentication (either credential-based or Integrated Windows authentication). See Host Authentication or Integrated Windows Authentication.

Scenario: The servers run on z/OS.
Recommendation: Use credential-based host authentication for both servers.

Scenario: The servers don't recognize the same accounts.
Recommendation: To minimize requirements for and exposure of host credentials, SAS provides several alternate configurations. See Mixed Providers.
Note: Similar coordination isn't necessary for OLAP servers and stored process servers, because they use SAS token authentication (instead of host authentication) for metadata-aware connections.