Authentication Domains

What is an Authentication Domain?

An authentication domain is a name that facilitates the matching of logins with the servers for which they are valid.
Note: This matching is not important when you launch a client, but it is important when you access certain secondary servers such as a third-party DBMS or, in some configurations, a standard workspace server.
Each user ID and password is valid within a specific scope. For example, the user ID and password that you use to log on to your computer at work are probably not the same as the user ID and password that you use to log on to a personal computer at home. It is also common for database servers and Web servers to have their own authentication mechanisms, which require yet another, different, user ID and password.
An enterprise application that provides access to many different resources might require that a user have several sets of credentials. Each time a user requests access to a resource, the software must determine which credentials to use to provide access. The software could challenge the user with an interactive prompt for user ID and password, but that quickly becomes an annoyance that interrupts the user experience. The software could randomly try different credentials until it finds a set that works, but authentication attempts can be expensive in terms of performance. In the SAS Intelligence Platform, the software attempts to use only the credentials that it expects to be valid for a particular resource or system.
The software’s knowledge of which credentials are likely to be valid is based entirely on authentication domain assignments. For this reason, you must correctly assign an authentication domain to each set of resources that uses a particular authentication provider, and also assign that same authentication domain to any stored credentials that are valid for that provider.

How Many Authentication Domains Do I Need?

In the simplest case, all logins and SAS servers are associated with one authentication domain (DefaultAuth). This list describes the most common reasons for using more authentication domains:
  • If you use Web authentication, you might need a second authentication domain for the logins that contain Web realm user IDs.
  • If you have a third-party server (such as a DBMS server) that has its own user registry, you need a separate authentication domain for that server and its logins.
  • If both of the following criteria are met, you need a separate authentication domain for the standard workspace server and its logins:
    • The standard workspace server doesn't share an authentication provider with the metadata server (and can't be configured to do so).
    • You want to provide seamless individualized access to the standard workspace server.