Implementing Authentication

You can implement authentication with one or more of the following authentication mechanisms:

• Host authentication provider (default): SAS Workspace Servers and SAS Stored Process Servers always authenticate against the host authentication provider. By default, SAS Metadata Servers and SAS OLAP Servers authenticate against the host authentication provider; however, you can set up trusted authentication mechanisms for the SAS Metadata Server or alternative authentication providers for either the SAS Metadata Server or SAS OLAP server. If the server authenticates against the host authentication provider, you must set up the appropriate accounts on the host authentication provider for the server's machine.

  Note: In some host configurations, the host authentication provider uses a back-end server to store user credentials. For example, Windows can use credentials from an Active Directory server to perform host authentication. These configurations are still considered to be host authentication, and are supported for all SAS IOM servers.

• Trusted authentication mechanisms (for connections to the SAS Metadata Server only): You can set up trusted user or trusted peer session connections for the SAS Metadata Server.

• Alternative authentication providers (for SAS Metadata Servers and SAS OLAP Servers only): You can set up your users to authenticate against an alternative authentication provider such as LDAP or Microsoft Active Directory.

The following table shows which types of authentication providers you can set up for each IOM server.

Host Authentication Provider

By default, all IOM servers are authenticated by the host environment's authentication provider.

You must set up host authentication for the following user and group credentials:

• For access to the servers, user or group credentials that connect to standard SAS Workspace Servers, SAS Stored Process Servers, or SAS OLAP Servers (that use host authentication). Users connect to the SAS Metadata Server and are initially authenticated against the SAS Metadata Server's authentication provider. To connect to the SAS Workspace, SAS Stored Process, or SAS OLAP Server, the appropriate credentials for the server are retrieved and returned. When the user (application) uses the appropriate credentials to connect to the SAS Workspace, SAS Stored Process Server, or SAS OLAP Server (if using host authentication), those user or group credentials are additionally authenticated by the host authentication provider for the SAS Workspace, SAS Stored Process, or SAS OLAP server's machine.

• For a load-balancing SAS Stored Process Server configuration, the user or group credentials for the multi-user login definition. The user or group credentials for the multi-user login definition are specified in the SAS Stored Process server definition. These credentials are authenticated against the host authentication provider for the SAS Stored Process Server's machine.

• For a pooled server configuration, the user or group credentials for the puddle login(s) used to connect to the SAS Workspace Server(s). The user or group credentials for the puddle login(s) are specified on the puddle definitions. These credentials are authenticated against the host authentication provider for the SAS Workspace Server's machine.

• For a load-balancing configuration that load balances across more than one spawner, the user or group credentials that are used for connections between the load balancing spawners. The user or group credentials are specified in the Logical Server Credentials field of the load balancing logical server definition. These credentials are authenticated against the host authentication provider for the server's machine.

• Implementing Host Authentication
• Specifying Default Host Domains
• How Hosts Handle Domains

Trusted Authentication Mechanisms

The SAS Metadata Server supports two types of trusted connections: trusted user and trusted peer. Both represent a way to bypass authentication by the authentication provider for the SAS Metadata Server. They are provided in support of multiple server-tier server environments where user IDs are authenticated by one server and must also be asserted on the metadata server.

• For SAS Metadata Servers, you can set up trusted user connections. The SAS Metadata Server views trusted users as already authenticated users. For details, see Trusted User Connections.
  
  
• For SAS Metadata Servers, you can set up trusted peer session connections in order to allow SAS Workspace Servers, SAS Stored Process Servers, or SAS sessions to connect to the metadata server as trusted peers. For details, see Trusted Peer Session Connections.

Alternate Authentication Providers

In addition, you can enable SAS Metadata Servers and SAS OLAP Servers to authenticate against alternative authentication providers (LDAP or Microsoft Active Directory). To set up users for authentication by an alternative authentication provider and to understand the authentication process, see the following sections:

• For details about setting up alternative authentication providers, see Implementing Alternative Authentication Providers.
• For details about associating default domains or authentication provider domains, see Specifying Authentication Provider and Default Domains.
• For details about how the server authenticates user credentials with or without authentication provider domains, see How Servers Determine the Authentication Provider.
• For a description of an alternative authentication provider scenario, see Scenario: Alternate Authentication Provider.