Security
Implementing Authentication
You can implement authentication with one or more of the following authentication mechanisms:
- Host authentication provider (default): SAS Workspace Servers and SAS Stored Process Servers always authenticate against the host authentication provider. By default, SAS Metadata Servers and SAS OLAP Servers authenticate against the host authentication provider; however, you can set up trusted authentication mechanisms for the SAS Metadata Server or alternative authentication providers for either the SAS Metadata Server or SAS OLAP Server. If the server authenticates against the host authentication provider, you must set up the appropriate accounts on the host authentication provider for the server's machine.
  Note: In some host configurations, the host authentication provider uses a back-end server to store user credentials. For example, Windows can use credentials from an Active Directory server to perform host authentication. These configurations are still considered to be host authentication, and are supported for all SAS IOM servers.
- Trusted authentication mechanisms (for connections to the SAS Metadata Server only): You can set up trusted user or trusted peer session connections for the SAS Metadata Server.
- Alternative authentication providers (for SAS Metadata Servers and SAS OLAP Servers only): You can set up your users to authenticate against an alternative authentication provider such as LDAP or Microsoft Active Directory.
The following table shows which types of authentication providers you can set up for each IOM server.

Authentication Providers for IOM Servers

| Type of Server | Host Authentication | Trusted Peer Authentication | Trusted User Authentication | LDAP Directory Server Authentication | Microsoft Active Directory Server Authentication |
|---|---|---|---|---|---|
| SAS Metadata Server | X | X | X | X | X |
| SAS OLAP Server | X | | | X | X |
| SAS Stored Process Server | X | | | | |
| SAS Workspace Server | X | | | | |

Host Authentication Provider
By default, all IOM servers are authenticated by the host environment's authentication provider.
You must set up host authentication for the following user and group credentials:
- For access to the servers, user or group credentials that connect to standard SAS Workspace Servers, SAS Stored Process Servers, or SAS OLAP Servers (that use host authentication).
  Users connect to the SAS Metadata Server and are initially authenticated against the SAS Metadata Server's authentication provider. To connect to the SAS Workspace Server, SAS Stored Process Server, or SAS OLAP Server, the appropriate credentials for the server are retrieved and returned.
  When the user (application) uses the appropriate credentials to connect to the SAS Workspace Server, SAS Stored Process Server, or SAS OLAP Server (if using host authentication), those user or group credentials are additionally authenticated by the host authentication provider for the machine of the SAS Workspace Server, SAS Stored Process Server, or SAS OLAP Server.
- For a load-balancing SAS Stored Process Server configuration, the user or group credentials for the multi-user login definition. The user or group credentials for the multi-user login definition are specified in the SAS Stored Process Server definition. These credentials are authenticated against the host authentication provider for the SAS Stored Process Server's machine.
- For a pooled server configuration, the user or group credentials for the puddle login(s) used to connect to the SAS Workspace Server(s). The user or group credentials for the puddle login(s) are specified on the puddle definitions. These credentials are authenticated against the host authentication provider for the SAS Workspace Server's machine.
- For a load-balancing configuration that load balances across more than one spawner, the user or group credentials that are used for connections between the load balancing spawners. The user or group credentials are specified in the Logical Server Credentials field of the load balancing logical server definition. These credentials are authenticated against the host authentication provider for the server's machine.
To set up users for host authentication and to understand the host authentication process,
see the following sections:
Trusted Authentication Mechanisms
The SAS Metadata Server supports two types of trusted connections: trusted user and trusted peer.
Both represent a way to bypass authentication by the authentication provider for the SAS Metadata Server.
They are provided in support of multiple server-tier server environments
where user IDs are authenticated by one server and must also be asserted on the metadata server.
- For SAS Metadata Servers, you can set up trusted user connections. The SAS Metadata Server
views trusted users as already authenticated users. For details, see
Trusted User Connections.
- For SAS Metadata Servers, you can set up
trusted peer session connections in order to allow SAS Workspace Servers, SAS Stored Process
Servers, or SAS sessions to connect to the metadata server as trusted peers. For details, see
Trusted Peer Session Connections.
Alternate Authentication Providers
In addition, you can enable SAS Metadata Servers and SAS OLAP Servers
to authenticate against alternative authentication
providers (LDAP or Microsoft Active Directory). To set up users for authentication by an alternative authentication
provider and to understand the authentication process,
see the following sections: