SAS Visual Analytics Guest Access with IWA Fallback

Yesterday I wrote a post about configuring a SAS® 9.4 M2 installation on Linux for Integrated Windows Authentication (IWA) with mid-tier fallback form-based authentication to handle situations where IWA was not available or was disabled. I also repeated this configuration with a SAS Visual Analytics 7.1 installation (based on SAS 9.4 M2). This means that domain users within an organisation, who can participate in IWA, can simply open a browser, navigate to SAS Visual Analytics, and be logged in automatically using their Windows login. Other users without a domain account, on a machine that is not in the domain, or who have deliberately disabled IWA in their browser, will see the familiar SAS Logon Manager login form where they can manually provide a user id and password.

One of the other reasons I built this configuration was to find out what happened with SAS Visual Analytics Guest Access in an IWA fallback configuration like this. Essentially, I wanted to find out if I could get maximum flexibility by supporting IWA users, form-based authentication users, and guest/anonymous access all at the same time.

One of the reasons I wanted to test this was a reference I remembered seeing in the SAS documentation. The Web Authentication section of the SAS 9.4 Intelligence Platform: Security Administration Guide, Second Edition, lists one of the limits of Web Authentication as “Not compatible with anonymous access”. This is also repeated in the PUBLIC Access and Anonymous Access section too.

It makes sense that anonymous access is not compatible with web authentication in a standard non-fallback configuration. If authentication is automatic and it fails then access is denied. An IWA fallback configuration is slightly different though – you have a choice whether to do web authentication or SAS authentication (e.g. IWA or non-IWA). If you choose SAS authentication then perhaps anonymous access might still be available as an option. I decided to test it out.

I ran 4 test scenarios to see how they were handled in an IWA with fallback configuration:

IWA available and enabled (i.e. automatic web authentication):

  1. IWA: Access the standard SAS Visual Analytics URL: http://host/SASVisualAnalyticsHub/
  2. IWA: Access the SAS Visual Analytics Guest Access URL: http://host/SASVisualAnalyticsHub/guest.jsp

IWA unavailable or disabled (i.e. manual SAS authentication):

  1. non-IWA: Access the standard SAS Visual Analytics URL: http://host/SASVisualAnalyticsHub/
  2. non-IWA: Access the SAS Visual Analytics Guest Access URL: http://host/SASVisualAnalyticsHub/guest.jsp

The results are summarized in the table below:

IWA available and enabled
(automatic web authentication)
IWA unavailable or disabled
(manual SAS authentication)
SAS Visual Analytics Automatic login (for the Windows user). Form-based manual login
SAS Visual Analytics Guest Access Unauthenticated anonymous/guest access available.1 Unauthenticated anonymous/guest access available.1
    NOTE: 1 Using the SAS Visual Analytics Guest Access URL when you already have an active authenticated session seems to provide non-guest authenticated access (since it already knows who you are). Guest access is provided for unauthenticated users e.g. after an explicit sign-out, new browser instance etc.

I was very happy to see that anonymous access was available when non-IWA fallback authentication was active. This provides a great deal of flexibility in supporting the full range of automatic logins for IWA users, form-based logins for non-IWA users, and the option of guest/anonymous access for non-IWA users.

2 thoughts on “SAS Visual Analytics Guest Access with IWA Fallback”

  1. Thank you Paul for this great article.

    I want to ask if you tried to access SASVisualAnalyticsViewer using webanon when you configured IWA with fallback.

    For example can I still be able to authenticate to SASVisualAnalyticsViewer using webanon with the fallback setup if the environment is configured with IWA.

    currently we have an environment integrated with AD and the external users are able to access SASVisualAnalyticsViewer using webanon (an embbeded link in the default page as an iframe that calls SASVisualAnalyticsViewer and authenticate using webanon)

    we are planning to do SSO internall but we still want the SASVisualAnalyticsViewer to be accessed as it is right now using webanon in case the SSO didn’t find a supported IWA browser with our external users then they will be authenticated on the fly with the embbeded SASVisualAnalyticsViewer URL we have which uses Guest Account webanon.

    Thank you.

  2. Hi Ahmad,

    Thanks for the feedback. I’m glad you found it useful.

    That was how it worked when I tested this configuration with SAS VA 7.1 at the beginning of the year – automatic login with IWA authenticated users, form-based login when IWA was not used, and guest access when using the guest access URL (assuming no current logged-in session). Unfortunately, I haven’t had an opportunity to try it with the latest SAS VA 7.3 release as yet, but if I do get an opportunity in future I’ll try it out and report back as a comment in this post. I’d also be keen to hear how you go with your implementation.

    Cheers
    Paul

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.