i know who you are but you can t come in
play

I know who you are, but you can't come in Authentication and single - PowerPoint PPT Presentation

Jul 15, 2023 •296 likes •781 views

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

  1. I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

  2. Agenda • Authentication • Inbound authentication • Outbound authentication • Single Sign-on

  3. Definitions Stage Process Method Physical world Authentication Verifying a ID/Password ID card, passport person's identity Security Token Identification Matching identity Text - based Check person to a SAS comparison against a "guest metadata identity list" Authorisation Allowing actions Grant or deny of Door unlocked, based on identity an action gate opened A user will go through all three phases when using SAS We will only deal with authentication today

  4. Authentication

  5. Authentication Inbound Authentication: Initial Connection to a Metadata server

  6. SAS Internal Authentication Internally authenticated SAS accounts are special purpose accounts. They cannot launch OS processes such as Workspace servers under their own identity. Examples of internal accounts are sasadm@saspw - Used for SAS metadata administration sastrust@saspw -Used for SAS server to SAS server communication

  7. Inbound authentication Credential based

  8. Direct Authentication

  9. Authentication Outbound Authentication: Connecting to a resource in the SAS environment

  10. Outbound Authentication • Outbound authentication is establishing a connection to a server after initial authentication to the metadata server • Inbound authentication is a pre-requisite of outbound authentication.

  11. Recap: inbound authentication

  12. Outbound authentication to a standard workspace server

  13. Outbound authentication to a standard workspace server

  14. Outbound authentication to a standard workspace server

  15. What is a "standard" workspace server?

  16. Credential Management Method Re-use (credential caching) The credentials used to authenticate to the metadata server are presented to the new server Retrieve Credentials associated with - The user or a user's groups - The server's authentication domain Are retrieved from the metadata server and presented to the new server Request The user is presented with a prompt and asked to provide a user ID and password

  17. SAS Authentication domains

  18. SAS Authentication domains

  19. Credential Management

  20. SAS token authentication The metadata server generates and validates a single-use identity token for each authentication event. This has the effect of causing participating SAS servers to accept users who are connected to the metadata server.

  21. SAS token authentication Scope Primarily used for metadata-aware connections to the stored process server, the server-side pooled workspace server, the OLAP server, the content server, and (in a specialized configuration) the standard workspace server. Also used by launched servers to connect back to the metadata server (for example, from the workspace server to the metadata server for library pre-assignment). Benefits Preserves client identity for metadata layer access control and auditing purposes. No individual external accounts are required, no user passwords are stored in the metadata, and no reusable credentials are transmitted. Limits On the workspace server, reduces granularity of host access. Supported only for metadata-aware connections (in which the client learns about the target server by reading the server's metadata definition). Use Optional for the workspace server, otherwise mandatory in certain configurations

  22. Integrated Windows Authentication

  23. Web Authentication vs. SAS authentication

  24. Single Sign-on

  25. Single sign - on two definitions • 1. Challenged access, but one password which works everywhere • 2. Unchallenged access to resources * • Thick Client (Java, .Net) • Thin client (browser) • External data (Oracle, Teradata, Hadoop….) *This is the default definition used in a SAS architecture design

  26. Setup Effort Challenged sign on Unchallenged sign on using IWA (Provide user id / password) ("Single sign - on") Client type Customer SAS effort Customer effort SAS effort effort "FAT"(.NET, Configure None, SAS Configure Low Java) AD + PAM sees this as Kerberos HOST "THIN" Configure Moderate (Browser) Kerberos (requires Web Auth)

  27. Will the user have to type a password? "Challenged" "Challenged" IWA No credential Credentials stored in SAS storage profiles "FAT" (.NET, YES NO (if the user has stored NO Java) credentials in a default SAS connection profile) "THIN" Depends on browser credential caching NO (Browser) policy.

  28. Summary for Single Sign On Feature Notes Internal authentication An internal account cannot participate in IWA or web authentication and cannot launch any OS processes (e.g. standard workspace servers) SAS token Facilitates SSO to most SAS servers authentication IWA Facilitates silent launch of desktop applications. If not fully configured, prevents SSO to a standard workspace server. Requires a Kerberos implementation. Web authentication Facilitates silent launch of web applications. Prevents SSO to a standard workspace server (as the user is not required to have have an OS account on SAS servers). Direct LDAP Not compatible with silent launch. Prevents SSO to a standard workspace authentication server PAM Can help unify authentication Credential Management Facilitates SSO to third-party servers and (in some configurations) workspace servers.

  29. Why all these Metadata Levels?

  30. Content • What is a metadata level • How is a metadata level created • How are they separated • What metadata levels are for • What metadata levels aren't for • How to move content between levels • Where metadata levels can touch

  31. What is a metadata level? • A SAS environment separated physically or logically from other SAS environments

  32. How are metadata levels created? • Each metadata level is separately installed • Option of cloning and using the host name change utility?

  33. How are metadata levels separated? • For each process, the combination of port number and host name must be unique • Same host, different ports • Different host, same or different ports

  34. What metadata levels are for • Control changes to content in a rational manner • Isolate ad-hoc development work and testing • Minimise disruption to the production environment • Support the development lifecycle (route to live) • Typically 3 levels (Development > Test > Production) • Normally numbered sequentially Lev3 > Lev2 > Lev1 (production is level 1) • The level number is determined at installation • Final digit of port numbers will generally reflect the level number • e.g. metadata server in Lev1 uses port 8561, Lev2 uses 8562 etc. • Can be many more levels (Dev > Test > Unit Test > Prod > Patch Test) • May also have a "level zero" for real - time decisioning

  35. What metadata levels are not for • Separation of departments within an organisation • Applying security restrictions • High availability • Disaster recovery

  36. How to move content between levels - 1 • Export ("zip up") a package in the source level • Import ("unzip") a package in the target level • Packages can be moved to / from any level • System metadata - e.g. server definitions - can be packaged (SAS 9.3 or later) • Package contents can be filtered during import / export • Name • Type • Date created / Date modified • Select / Deselect individual items

  37. How to move content between levels - 2 • Values (e.g. physical names, port numbers) can be modified during import • Many other options e.g. • Include dependent items • Include physical data with table metadata • Include empty folders (use to create a template for folder structures) • Import new objects / Overwrite existing objects • Include Access Controls

  38. Example of dependent items • This Data Integration Studio job describes required processing • The processing depends on the tables but they are not "process" so are not packaged by default • Including dependent objects adds the table metadata to the package • Additionally, the data can now be included.

  39. Packaging a job

  40. Include Physical Table • Caution: This option can create huge package sizes

  41. Metadata levels can share resources via SAS grid SAS Grid

  42. "Level zero" - real - time decision Control Interact Design Explore / Exploit Decide Metadata RTDM Mid Tier & Client VA Head Server Runtime RTDM Design Load and Prepare RTDM Mid Tier & Client VA Worker Grid Node Runtime RTDM Design Grid Node RTDM Client VA Worker Runtime Grid Node

  43. Separate transactional metadata? No Yes • One place to maintain and • Independent for patching / monitor update / failure • Unified view of data lineage / • Analysts cannot impact BAU user activity transactions

  44. Separate Visual Analytics metadata? Yes No • Independent for patching / • One place to maintain and update / failure monitor • Analysts cannot impact BAU • Unified view of data lineage / transactions user activity • VA typically has faster cadence for updates / new features

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Minimal Rewiring: Efficient Live Expansion for Clos Data Center Networks Shizhen Zhao 1 2 ,

Minimal Rewiring: Efficient Live Expansion for Clos Data Center Networks Shizhen Zhao 1 2 ,

Minimal Rewiring: Efficient Live Expansion for Clos Data Center Networks Shizhen Zhao 1 2 , Rui Wang 1 , Junlan Zhou 1 , Joon Ong 1 ,Jeffrey C. Mogul 1 , Amin Vahdat 1 1. Google NetInfra; 2. Shanghai Jiao Tong University 1 Clos Topology for

536 views • 26 slides
Tensor Networks for Medical Image Classification Presented at MIDL, 2020 Raghav endra Selvan &

Tensor Networks for Medical Image Classification Presented at MIDL, 2020 Raghav endra Selvan &

university of copenhagen Tensor Networks for Medical Image Classification Presented at MIDL, 2020 Raghav endra Selvan & Erik B. Dam Dept. of Computer Science, University of Copenhagen raghav@di.ku.dk @SuperVoxel Code:

488 views • 26 slides
Measuring the impacts of the Preempt-RT patch maxime.chevallier@smile.fr October 25, 2017 RT

Measuring the impacts of the Preempt-RT patch maxime.chevallier@smile.fr October 25, 2017 RT

Measuring the impacts of the Preempt-RT patch maxime.chevallier@smile.fr October 25, 2017 RT Linux projects Simulation platform : bi-xeon, lots ot RAM 200 s wakeup latency, networking Test bench : Intel atom 1s max latency, I/O and networking

431 views • 25 slides
IP Log for tools.ajdt Version 2.1.0, June 2010 Licenses Eclipse Public License v1.0

IP Log for tools.ajdt Version 2.1.0, June 2010 Licenses Eclipse Public License v1.0

IP Log for tools.ajdt Version 2.1.0, June 2010 Licenses Eclipse Public License v1.0 Third-Party Code CQ Third-Party Code License Use (no third-party dependencies) No pre-req dependencies Committers Past and Present Active Name

434 views • 4 slides
Quality Assurance in PostgreSQL Anastasia Lubennikova Aleksander Alekseev Agenda

Quality Assurance in PostgreSQL Anastasia Lubennikova Aleksander Alekseev Agenda

Quality Assurance in PostgreSQL Anastasia Lubennikova Aleksander Alekseev Agenda Development Testing Benchmarking Tools Other Topics What is PostgreSQL? Open source object-relational database system

429 views • 25 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
COMP 204 Functions II Mathieu Blanchette based on material from Yue Li and Carlos Oliver

COMP 204 Functions II Mathieu Blanchette based on material from Yue Li and Carlos Oliver

COMP 204 Functions II Mathieu Blanchette based on material from Yue Li and Carlos Oliver Gonzalez 1 / 13 Quiz 11 password 2 / 13 Example: Hydrophobic patches Protein sequences are made of amino acids. Some amino acids (G, A, V, L, I,

651 views • 13 slides
Wireless data transfer with mm-waves for future tracking detectors Daniel Pelikan Uppsala

Wireless data transfer with mm-waves for future tracking detectors Daniel Pelikan Uppsala

Wireless data transfer with mm-waves for future tracking detectors Daniel Pelikan Uppsala University 14-16 May 2014 Author(s): PELIKAN, Daniel ; BRENNER, Richard; DANCILA, Dragos; GUSTAFSSON, Leif ; BINGEFORS, Nils Uppsala

744 views • 25 slides
Auxiliary Processing swak4Foam and PyFoam Bruno Santos and Nelson Marques BlueCAPE,

Auxiliary Processing swak4Foam and PyFoam Bruno Santos and Nelson Marques BlueCAPE,

Auxiliary Processing swak4Foam and PyFoam Bruno Santos and Nelson Marques BlueCAPE, http://joomla.bluecape.com.pt/ bruno.santos@bluecape.com.pt nelson.marques@bluecape.com.pt Unin Europea FEDER 0682_CLOUDPYME2_1_E Invertimos en su

540 views • 50 slides
General-Purpose Image Forensics Using Patch Likelihood under Image Statistical Models The 7th

General-Purpose Image Forensics Using Patch Likelihood under Image Statistical Models The 7th

General-Purpose Image Forensics Using Patch Likelihood under Image Statistical Models The 7th IEEE International Workshop on Information Forensics and Security Wei Fan, Kai Wang, and Franc ois Cayre GIPSA-lab, Grenoble, France 18-11-2015

513 views • 19 slides
August 4, 1997: Skynet goes online August 29, 1997, 2:14am ET: Skynet gains consciousness

August 4, 1997: Skynet goes online August 29, 1997, 2:14am ET: Skynet gains consciousness

August 4, 1997: Skynet goes online August 29, 1997, 2:14am ET: Skynet gains consciousness August 29, 1997: Judgement Day Terminator (1984) What features does T-800 have? What features does T-800 have? Vision/Perception

674 views • 56 slides
Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks Bolun Wang*,

Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks Bolun Wang*,

Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks Bolun Wang*, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath , Haitao Zheng, Ben Y. Zhao University of Chicago, *UC Santa Barbara, Virginia Tech

770 views • 17 slides
XenRT XenSource XenSources Xen testing infrastructure Xen testing infrastructure James

XenRT XenSource XenSources Xen testing infrastructure Xen testing infrastructure James

Infrastructure Technology Product of the Year XenRT XenSource XenSources Xen testing infrastructure Xen testing infrastructure James Bulpin, XenSource Inc. james@xensource.com Xen Summit 8/Sep/2006 www.xensource.com What i is XenRT?

665 views • 31 slides
Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * ,

Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * ,

Automated Repair of Layout Cross Browser Issues Using Search-Based Techniques Sonal Mahajan * , Abdulmajeed Alameer * , Phil McMinn + , William G. J. Halfond * * University of Southern California, USA + University of Sheffield, UK Work supported

989 views • 62 slides
Art Build: Unit Tests and CMake Tools Ben Morgan LBNE Code LArSoft LArCore LArFoo LArBar ...

Art Build: Unit Tests and CMake Tools Ben Morgan LBNE Code LArSoft LArCore LArFoo LArBar ...

Art Build: Unit Tests and CMake Tools Ben Morgan LBNE Code LArSoft LArCore LArFoo LArBar ... FNAL SDK : art + (fhicl, ..., cpp0x) FNAL UPS : ups, gcc, ROOT, etc Linux/BSD OS LBNE Software Stack Working on FNAL SDK, Patrick on LArSoft

445 views • 17 slides
Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to

Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to

NW Ministries Conference 2019 Impacting Kids Who are Angry, Withdrawn, or Superficial Every kid needs someone to run to that wont run away Me Romans 12:2 (NIV) 2 Do not conform to the pattern of this world, but be transformed by the

446 views • 28 slides
Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS DURING PENETRATION TESTING Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

750 views • 64 slides
Electronic Systems Center I n t e g r i t y - S e r v i c e - E x c e l l e n c e Electronics

Electronic Systems Center I n t e g r i t y - S e r v i c e - E x c e l l e n c e Electronics

Electronic Systems Center I n t e g r i t y - S e r v i c e - E x c e l l e n c e Electronics Systems Center, Engineering and Integration Division Montgomery Information Technology Summit (MITS) Steve Wright Chief, ESC/ENI 25 May 2011 1

446 views • 11 slides
Improving NAMD Performance on Multi-GPU Platforms David J. Hardy Theoretical and Computational

Improving NAMD Performance on Multi-GPU Platforms David J. Hardy Theoretical and Computational

Improving NAMD Performance on Multi-GPU Platforms David J. Hardy Theoretical and Computational Biophysics Group Beckman Institute for Advanced Science and Technology University of Illinois at Urbana-Champaign http://www.ks.uiuc.edu/~dhardy/

572 views • 33 slides
Principles of Information Filtering in Metric Spaces Paolo Ciaccia and Marco Patella DEIS,

Principles of Information Filtering in Metric Spaces Paolo Ciaccia and Marco Patella DEIS,

Principles of Information Filtering in Metric Spaces Paolo Ciaccia and Marco Patella DEIS, Universit di Bologna Italy SISAP 2009 August 29-30 2009, Prague I nform ation Filtering The IF problem: Deliver to users only the

236 views • 21 slides
New proposals for the space-like experimental measurements of HVP and the lattice QCD data Marina

New proposals for the space-like experimental measurements of HVP and the lattice QCD data Marina

New proposals for the space-like experimental measurements of HVP and the lattice QCD data Marina Krsti Marinkovi First Workshop of the Muon g 2 Theory Initiative Fermilab, 2017, June 3-6 a HV P Proposals

368 views • 7 slides
Impact of Incentive Plans on New Jersey s Economy Paul Ceppi Director, Business Banking and

Impact of Incentive Plans on New Jersey s Economy Paul Ceppi Director, Business Banking and

Impact of Incentive Plans on New Jersey s Economy Paul Ceppi Director, Business Banking and Community Development New Jerseys Tax Incentive Tool Kit Employers/Tenants Development and Construc2on Grow New

362 views • 9 slides
162 163 Si Sit/St t/Stand and Assessm Assessmen ent 5x sit/stand test 60 69 y/o 11.4 sec

162 163 Si Sit/St t/Stand and Assessm Assessmen ent 5x sit/stand test 60 69 y/o 11.4 sec

162 163 Si Sit/St t/Stand and Assessm Assessmen ent 5x sit/stand test 60 69 y/o 11.4 sec 70 79 y/o 12.6 sec 80 89 y/o 14.8 sec 164 Tw Two Mi Minute te St Step ep in in Place Place Te Test Ri Rikl kli RE, E, Jones Jones CJ

429 views • 7 slides
Workshop on anatomical models My Corporis Fabrica: Ontology for anatomical modeling Olivier

Workshop on anatomical models My Corporis Fabrica: Ontology for anatomical modeling Olivier

Workshop on anatomical models My Corporis Fabrica: Ontology for anatomical modeling Olivier Palombi (MD,PhD) Guillaume Bousquet Sahar Hassan David Jospin Benjamin Gilles Lionel Revret Franck Hetroy Franois Faure EVASION, INRIA, LJK

416 views • 15 slides

More recommend