Connection to SAS Metadata Server
You have already learned that SAS applications connect to the Metadata Server. Here you can get to know how this actually happens. As users, we know that we give our credentials and then, boom, we are connected. But an admin should be aware of how it happens behind the scenes, so that he/she can diagnose connectivity issues.
The diagram above shows the flow of how SAS client applications connect to the Metadata Server. I will describe each step below.
1. Say you are logging in to SAS Management Console: you enter your user ID and password. This is the first step.
2. The user name and password are passed to the Metadata Server, which then passes them to the authentication provider. The authentication provider may be the host machine, LDAP or Microsoft Active Directory. So the authentication is not done by the Metadata Server itself; it just acts as an intermediary between SAS and the authentication provider.
Note: SAS does not know about the authentication provider. It always passes the credentials to its host. If an authentication provider such as LDAP or Microsoft Active Directory is configured on the host, authentication happens there and is handled by the OS.
3. The authentication provider checks whether the received user name and password pair is correct. If it is, it passes the user name back to the Metadata Server; otherwise authentication fails. The authentication provider never sends the password to the Metadata Server.
4. With the user ID received from the authentication provider, the Metadata Server searches for that user ID in the Metadata Repository. The user ID will be there if you (or the admins) have added the user to metadata (using SAS Management Console). If the user ID is present, he/she is considered a sasuser; otherwise he/she is a PUBLIC user. This step is called inbound login.
5. The ACT (access control template) for the user ID is passed to the Metadata Server. From the ACT, the Metadata Server determines what access that user has. It first checks the repository ACT, which you can find under the name Default ACT in SAS Management Console. If the user ID has ReadMetadata and WriteMetadata permission, the connection is established. The user ID must have WriteMetadata permission to connect to the Metadata Server.
6. The Metadata Server then sends a unique ID to the client application. The client application passes that unique ID whenever it requires information from metadata. In SAS this unique ID is called the credential handle. Whenever the Metadata Server receives the credential handle, it knows that the user ID has already been authenticated.
I know that the authentication provider part is a bit tricky, because it is not uniform across environments. Each organization uses its own form of authentication depending on its user base. You will eventually learn how the authentication provider works in your environment. But make sure that you learn the difference between authentication and authorization: in this article, what happens in the second step is authentication and the fourth step is authorization.
Go through the flow 4 to 5 times and make sure you understand what happens in each step. Then you will be able to troubleshoot connectivity issues.
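To make the six steps concrete, here is an added Python model of the flow (not SAS code and not part of the original article; the class names, the demo accounts alice/bob and their passwords are constructed). It shows where a connection attempt can fail (authentication versus authorization), that the provider returns only a user ID and never the password, and that later requests carry just the credential handle.

```python
import hashlib
import hmac
import secrets

# Stand-in for the host / LDAP / Active Directory provider (steps 2-3).
# It only answers "is this pair valid?" and returns the user ID, never the password.
class AuthProvider:
    def __init__(self, accounts):
        # constructed demo accounts; stored as digests so no cleartext is kept
        self._digests = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in accounts.items()}

    def authenticate(self, user_id, password):
        stored = self._digests.get(user_id)
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is not None and hmac.compare_digest(stored, given):
            return user_id
        return None

class MetadataServer:
    def __init__(self, provider, repository_users, default_act):
        self.provider = provider
        self.repository_users = repository_users  # identities registered via SMC (step 4)
        self.default_act = default_act            # identity -> permissions (step 5)
        self.handles = {}                          # credential handle -> user ID (step 6)

    def connect(self, user_id, password):
        # Steps 2-3: authentication is delegated; only a user ID comes back
        authenticated = self.provider.authenticate(user_id, password)
        if authenticated is None:
            return ("AUTHENTICATION_FAILED", None)
        # Step 4 (inbound login): known user -> sasuser, otherwise PUBLIC
        identity = authenticated if authenticated in self.repository_users else "PUBLIC"
        # Step 5: check the repository (Default) ACT for both permissions
        if not {"ReadMetadata", "WriteMetadata"} <= self.default_act.get(identity, set()):
            return ("AUTHORIZATION_FAILED", identity)
        # Step 6: hand out a credential handle; later requests carry only this
        handle = secrets.token_hex(16)
        self.handles[handle] = authenticated
        return ("CONNECTED", handle)

    def request(self, handle):
        # Any later metadata request is accepted on the handle alone
        return self.handles.get(handle)

def build_demo():
    """Constructed environment: alice is registered in metadata, bob is not."""
    provider = AuthProvider({"alice": "s3cret", "bob": "hunter2"})
    act = {"alice": {"ReadMetadata", "WriteMetadata"}, "PUBLIC": {"ReadMetadata"}}
    return MetadataServer(provider, {"alice"}, act)
```

When troubleshooting, the returned status tells you which step to look at: AUTHENTICATION_FAILED points at the provider (step 2/3), AUTHORIZATION_FAILED at the repository identity or the Default ACT (steps 4/5).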