sassoftware / saspy

A Python interface module to the SAS System. It works with Linux, Windows, and Mainframe SAS as well as with SAS in Viya.
https://sassoftware.github.io/saspy

Is it somehow possible to connect with saspy using Kerberos? #539

Closed giwdul86 closed 1 year ago

giwdul86 commented 1 year ago

I'd like to connect SSO with saspy with Kerberos as authentication mechanism, like in the swat-package.

tomweber-sas commented 1 year ago

Hey @giwdul86 sorry it took so long to respond, I've been out of the office this week and not able to respond. I see in the swat doc that it can use kerberos to authenticate if using the binary protocol when connecting to CAS. That seems to be there since Viya 3. I also found doc for viya 4 about configuring the viya deployment to use kerberos as its SSO scheme. I haven't ever heard of this here, or have ever seen a deployment being set up that way. So, I'm going to have to research this more on my end. So far, what I'm reading is only about all of the configuration you have to do to the whole viya deployment, and the only client side info is about configuring web browsers to work with this. Can you tell me what version of viya you're using? I don't know if this is all the same between viya 3 and 4 or not, yet. So, in case it matters. I will look into this more and see what I can figure out. Thanks, Tom

giwdul86 commented 1 year ago

Hi Tom, thanks for looking into it. We are using SAS Viya 3. Kind regards

tomweber-sas commented 1 year ago

It is 3.5, thanks. Are you just using kerberos to connect to CAS over the binary interface, or is all of viya set up to use kerberos and you're also authenticating to viya with kerberos too (for any connection, like Studio)? Thanks, Tom

giwdul86 commented 1 year ago

Yes, 3.5. With swat I use the binary interface (cas protocol) to connect. I don’t know how the whole setup is configured, except from the fact it is all SSO. I can ask next week.

tomweber-sas commented 1 year ago

ok, thanks! The more I read and try to understand what things support kerberos and in what way, the more I believe the answer is that I can't use that. As far as swat goes, it is a proprietary client of CAS; they were both created together and what they call the 'binary' interface is really a bunch of the actual SAS deployment (C code compiled and linked), executables, that have to be deployed on the client side. It's this proprietary client/server interface that is what supports connecting directly to CAS (not authenticating to Viya) and supporting kerberos for its authentication. If you use the HTTP interface of SWAT, then it can't work w/ kerberos; I believe that's because the HTTP interface uses the public REST API to connect and authenticate to Viya, and then connect to CAS via the public API. That's the same as SASPy, I use the public API (saspy isn't a proprietary client; I have no SAS executables in my deployment) and that requires authenticating to Viya and using the public API to request a SAS session. There is no way to directly connect to a SAS session in Viya, like you can with SWAT to CAS using the binary method, because there is no such interface to SAS w/in Viya.

The doc that I've been trying to figure out is about configuring SAS Logon (the Viya authentication service) to use kerberos on the backend to authenticate, and use kerberos for other proprietary web clients, where after configuring all of Viya, you then have to configure your web browser to enable support for kerberos. That whole bunch of doc is clear as mud, and it's different between Viya 3.x and 4.x, and it also only supports certain scenarios. But it doesn't seem to have anything to do with being able to authenticate to Viya (over the public API) using kerberos (from the client) like the proprietary clients can do for certain things in Viya (like CAS).

SASLogon (the public api authentication service) only supports user/pw or an authcode (2 factor single use token) for authenticating to Viya. There is no 'use kerberos' as a third option.

I will also look into this some more next week. I don't want to say 'no' before I fully understand this. But it certainly seems like a no.

I'm gonna put some of the links here, as much for me as anything. These are what I've been reading.

Viya 3 authentication: https://go.documentation.sas.com/doc/en/calcdc/3.5/calauthmdl/n1pkgyrtk8bp4zn1d0v1ln4869og.htm

Viya 4 authentication: https://go.documentation.sas.com/doc/en/sasadmincdc/v_038/calauthmdl/n1iyx40th7exrqn1ej8t12gfhm88.htm

Public REST API: https://developer.sas.com/apis/rest/CoreServices/?python#sas-logon-authorization

tomweber-sas commented 1 year ago

Hey @giwdul86 I have some possibly good news. I've talked w/ one of our folks who supports this area and there is a way that you can authenticate with kerberos to viya via the rest API. But, I don't think it's the same as how it works for directly connecting to CAS from SWAT via the binary interface. The doc here https://sassoftware.github.io/python-swat/getting-started.html#kerberos doesn't have anything to do with how this is able to work via rest, so I'm not really sure.

It's the question I asked before about if your viya system is configured for using kerberos or if it was just CAS. The SASLogon service I mentioned above has 2 ways to authenticate (which SASPy supports), user/pw or authcode. The authcode is what you get when you go to the SASLogon page and provide your credentials (or some other SSO thing) and it gives you back a one time use token to provide for then authenticating from the client (saspy in this case with authcode= see # 2 at this link: https://sassoftware.github.io/saspy/configuration.html#http)

So, if your viya system is configured to use kerberos as its authentication mechanism, then you should be able to get an authcode from the SASLogon page (which would use kerberos to authenticate you, supposedly), then with that authcode, saspy can connect.

So, can you try that and see if it works? Don't provide user/pw (or authkey for authinfo file) and you should be prompted with whether you want to use userid/pw or authcode (default), then (hit enter) and you should be provided the url to SASLogon to get the token from; copy the url and paste in a browser. Then enter that authcode you got and it should connect.

BTW, the url will be the same all the time, so you can go to it before trying to connect (once you know it) and get the code then just do

sas = saspy.SASsession(authcode='xyz123') # whatever the code you got was

fingers crossed :) Tom

Of course, if you already connect with user/pw, which you should have in the authinfo file, then this will be more cumbersome, as with that way, you just connect with no extra steps. But, I'm not sure how you have it now.

giwdul86 commented 1 year ago

Hi Tom, This (using authcode from the login-page, of which I’m not sure if it uses Kerberos or some Integrated Windows Authentication) is the way I connect at the moment. This works (after Issue #503) but indeed is a little bit cumbersome compared to the mechanism used by swat. So I was hoping it might be possible using that mechanism, but from what I read in your previous posts, will be difficult to realize. For now I’m trying to figure out how to programmatically get the authcode, which is probably more realistic.

tomweber-sas commented 1 year ago

Oh, ok. Yeah, I don't believe there is a programmatic way to get an authcode, which is a pain and makes that way of authenticating cumbersome. SWAT also can't use kerberos when you use the REST (http) API, only the binary API which uses our proprietary C libraries. So the rest api can only support user/pw or the authcode, which can only be gotten manually via the web page. SASPy has no C libraries (our TK executables) to interface to viya with, and SAS (the compute server in Viya) doesn't support anything like that anyway; CAS is different in that way. So rest is the only way to connect to SAS in viya and you can only authenticate via user/pw or authcode. Does user/pw not work for your deployment? I guess not since that would be easy and not require any intervention on your part to connect (if user/pw were in the authinfo file). Tom

giwdul86 commented 1 year ago

Correct, we cannot use username/pw. With the Sas-cli I can login using kerberos. Then the token needed for saspy is generated in a .sas/credentials.json file. This means I do not need to use the browser-solution and can access the token programmatically. Problem solved :)

tomweber-sas commented 1 year ago

Ah, then you just pass that in to SASsession with authtoken= and I don't even need to authenticate cuz you already did. That's great! I didn't know of that path. Though I've never seen a kerberos configured deployment here to even play with. I'm glad you figured a programmatic way, that's way better than the whole web page, hand typing scenario!

Sounds like you're good? Anything else or do you want to close this?

Thanks! Tom

giwdul86 commented 1 year ago

Yes, thanks for your help.
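
The approach the thread settles on (log in with the SAS CLI, then hand the cached token to saspy via authtoken=), shown as an added example that is not code from the thread or from the saspy project. The credentials.json layout (a profile name mapping to an "access-token" entry), the "Default" profile name, and the token being a JWT with an exp claim are assumptions; load_cli_token and connect are hypothetical helper names.

```python
import base64
import json
import os
import stat
import time
from pathlib import Path


def load_cli_token(path, profile="Default", min_ttl=60):
    """Return the access token the SAS CLI cached for `profile`.

    Assumed file layout (not confirmed in the thread):
    {"<profile>": {"access-token": "<JWT>", ...}}
    """
    path = Path(path)
    # The file holds a bearer credential: refuse it if group/other can access it.
    if os.name == "posix" and stat.S_IMODE(path.stat().st_mode) & 0o077:
        raise PermissionError(f"{path} is accessible to other users; chmod 600 it")
    token = json.loads(path.read_text())[profile]["access-token"]
    # Read the JWT 'exp' claim only to fail early on a stale token.
    # No signature check here; the Viya server validates the token itself.
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)
        exp = json.loads(base64.urlsafe_b64decode(padded))["exp"]
    except (IndexError, KeyError, TypeError, ValueError) as err:
        raise ValueError("access-token is not a JWT with an exp claim") from err
    if exp - time.time() < min_ttl:
        raise ValueError("cached token is expired or about to expire; log in again")
    return token


def connect(url, cred_path=None):
    """Open a saspy HTTP session with the CLI's cached token (never printed)."""
    import saspy  # imported lazily so load_cli_token works without saspy installed
    if cred_path is None:
        cred_path = Path.home() / ".sas" / "credentials.json"
    # authtoken= is the SASsession option named in the thread; url= is the
    # HTTP access method's endpoint option.
    return saspy.SASsession(url=url, authtoken=load_cli_token(cred_path))
```

Anyone who can read credentials.json can act as the logged-in user until the token expires, which is why the helper rejects a file that is readable by group or others.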