Metacoda Plug-ins Tip: Removing an Unwanted Auth Domain and Logins

This tip details how to remove an unwanted Authentication Domain and all associated Login objects from SAS metadata. A need for this can arise when you have temporarily (or accidentally/unnecessarily) added a second set of inbound logins for all of your SAS users and you decide you no longer need those extra logins (perhaps you are migrating between authentication mechanisms).

If you are using the Metacoda Identity Sync Plug-in then the first step is to edit the Identity Sync Profile (IDSP file) using the Identity Sync Profile Wizard and untick the checkbox that configures the 2nd login. If you don’t do this, then the auth domain, and all the logins, will simply be re-added next time you run a sync! You can see a sample screenshot of the wizard page where you can unconfigure the 2nd login below:

Metacoda Identity Sync Plug-in Wizard with unchecked Second Login

After updating, and saving, the Identity Sync Profile you are almost ready to remove the unwanted auth domain and associated logins. Before removing the metadata it is a good idea to do the following:

  • Check that all the logins currently associated with the auth domain, the ones that are going to be removed, have no passwords (a login that does have a password may be an outbound login instead of an inbound one). This can be done using the Metacoda Login Reviewer (or the SAS Management Console User Manager plug-in).
  • Check that there are no servers currently associated with the auth domain. This can be done using the Metacoda Metadata Explorer Plug-in (or the SAS Management Console Server Manager plug-in).
  • Perform a SAS Metadata Server or platform backup so that you have a recovery point.

Once you are ready to delete the unwanted auth domain (and all associated logins) you can do this very easily using the standard SAS Management Console User Manager plug-in. You won't be able to use the re-configured Metacoda Identity Sync Profile to do this: it now ignores the 2nd auth domain and its associated logins, and will not attempt to remove them.

As shown in this screenshot, right click over the SAS Management Console User Manager plug-in and select the Authentication Domains… entry from the context menu:

SAS Management Console User Manager Authentication Domains Context Menu Item

In the Authentication Domains dialog window you should select the unwanted auth domain (1), click the Delete button (2), review the warning/confirmation message about removing the auth domain and all associated logins and, when you are ready, click the Yes button (3) to go ahead and remove them.

Deleting an unwanted Authentication Domain with SAS Management Console User Manager

Finally, you can confirm the logins have been removed with the Metacoda Login Reviewer (or by selecting some candidate users in the SAS Management Console User Manager plug-in and checking their Accounts tab contents).

2 thoughts on “Metacoda Plug-ins Tip: Removing an Unwanted Auth Domain and Logins”

  1. Thanks, Paul. A very useful tip :-). I wasn’t aware that the SMC manual deletion of Auth. domains entailed automatically the removal of corresponding logins. I presume this ensures that no orphans are left behind after the Auth domain has been removed.

  2. Hi Ronan,

    I was pleasantly surprised when I found out too. I initially wondered if it might block the delete based on the fact there were still logins associated with it, so it was nice to find out that it cascaded to the logins (of course that also means it needs to be used with care). From testing it works this way with the latest SAS 9.4 M5 as well as the much older SAS 9.2 M3.

    The next release of the Metacoda Identity Sync Plug-in will support removing logins for a second no-longer-used auth domain but for the current and earlier releases this is the method that needs to be used.

    Cheers
    Paul
