PhenixID

Step by Step – SAS Viya – MFA and SSO with PhenixID Authentication Services

Summary

This document will guide you through the steps to enable multi-factor authentication and SSO for SAS Viya.

System Requirements

  • PhenixID Authentication Server 2.7 or higher
  • SAS Environment Manager admin account

Instruction

Overview

This document will guide you through the steps to enable multi-factor authentication and SSO for SAS Viya.

SAS Viya integrates with PhenixID Authentication Services using the OpenID Connect Authorization Code flow. For more info about the OpenID Connect Authorization Code flow with PhenixID Authentication Services, please read this.

Configure PhenixID Authentication Services

  1. Log in to Configuration Manager
  2. Setup PhenixID as an OpenID Connect Provider (OP), using (from version 3.0) a scenario or (prior to version 3.0) this guide.
    1. Set RP id (client_id) = sasviya
    2. Set RP password (client_password) to any value of your choice.
    3. Leave RP allowedRedirects empty (will add value later in this guide).
    4. Add tokenattribute “iss” to the CollectJWT pipe -> GenerateJWTTokenValve. Example:
      {
        "name": "GenerateJWTTokenValve",
        "enabled": "true",
        "config": {
          "subjectattribute": "{{session.user_id}}",
          "keystore": "xx",
          "tokenattributes": [
            {
              "name": "iss",
              "value": "https://my_phenixid_op_server/oidc"
            }
          ]
        }
      }
    5. Fetch OP authorization endpoint URL
    6. Fetch OP token endpoint URL

Configure SAS Viya

  1. Open this PDF.
  2. Search for “Configure OpenID Connect”
  3. Follow the steps below “Configure OpenID Connect”
  4. Set these configuration values
    attributeMapping.user_name = sub
    authUrl = <The authorization URL of your PhenixID OP fetched in previous step>
    emailDomain = <Set to suit your environment>
    issuer = <The iss value from your PhenixID OP fetched in previous step>
    linkText = <Set to suit your environment>
    relyingPartyId = sasviya
    relyingPartySecret = <The RP password (client_password) value from your PhenixID OP fetched in previous step>
    scopes = openid
    tokenUrl = <The token URL of your PhenixID OP fetched in previous step>
    type = oauth2.0

Set allowedRedirects value

  1. From SAS, test the flow using a web browser.
  2. Once redirected to the PhenixID OP, copy the redirect_uri value from the current URL.
  3. Log in to Configuration Manager
  4. Go to Advanced -> OIDC RP
  5. Add the redirect_uri value as an allowed redirect. Example:
    {
      "id": "sasviya",
      "name": "SAS OpenID Connect RP",
      "displayName": "SAS Relying Party",
      "password": "xxx",
      "allowedRedirects": [
        "https://sas/whatever/x"
      ]
    }
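The two places where this setup most often goes wrong are the redirect_uri copied from the browser (it is percent-encoded in the URL, and OpenID Connect compares it to the registered value as an exact string) and an iss value that differs from the issuer configured in SAS Viya. The following Python check is an added example, not code from PhenixID or SAS. The function names, the `/oidc/authorize` path and the sample URL are constructed for illustration, and the token check only decodes claims for troubleshooting without verifying the signature.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

CLIENT_ID = "sasviya"                          # RP id set in this guide
ISSUER = "https://my_phenixid_op_server/oidc"  # the guide's placeholder iss value

def check_authorization_request(url, allowed_redirects):
    """Return (redirect_uri, problems) for the URL shown at the OP login page."""
    query = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes each value
    problems = []

    def single(name):
        values = query.get(name, [])
        if len(values) != 1:
            problems.append(f"{name}: expected one value, found {len(values)}")
        return values[0] if values else ""

    redirect_uri = single("redirect_uri")
    if single("client_id") != CLIENT_ID:
        problems.append("client_id does not match the RP id")
    if single("response_type") != "code":
        problems.append("response_type is not 'code' (Authorization Code flow)")
    if "openid" not in single("scope").split():
        problems.append("scope does not include 'openid'")
    target = urlsplit(redirect_uri)
    if target.scheme != "https" or not target.netloc or target.fragment:
        problems.append("redirect_uri is not an absolute https URL without a fragment")
    if redirect_uri not in allowed_redirects:  # exact string comparison
        problems.append("redirect_uri is not listed in allowedRedirects")
    return redirect_uri, problems

def check_id_token_claims(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (troubleshooting only)."""
    payload = id_token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss differs from the issuer configured in SAS Viya")
    if not claims.get("sub"):
        problems.append("sub is missing, so attributeMapping.user_name cannot be filled")
    return claims, problems

# Constructed sample input, not captured from a real deployment.
SAMPLE_URL = ("https://my_phenixid_op_server/oidc/authorize?response_type=code"
              "&client_id=sasviya&scope=openid&state=abc"
              "&redirect_uri=https%3A%2F%2Fsas%2Fwhatever%2Fx")
```

The decoded redirect_uri returned by `check_authorization_request` is the string to paste into allowedRedirects; a trailing slash or different host casing counts as a different value.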
    
    


PhenixID - support.phenixid.se