The CData Sync App provides a straightforward way to continuously pipeline your SAS Xpt data to any database, data lake, or data warehouse, making it easily available for Analytics, Reporting, AI, and Machine Learning.
The SAS Xpt connector can be used from the CData Sync application to pull data from SAS Xpt and move it to any of the supported destinations.
The Sync App supports connections to v5 SAS Transport Files (.xpt) by directly parsing data from XPT files. leverages the SAS Xpt API to enable bidirectional access to SAS Xpt.
For required properties, see the Settings tab.
For connection properties that are not typically required, see the Advanced tab.
The CData Sync App allows connecting to local and remote SASXpt resources. Set the URI property to the SASXpt resource location, in addition to any other properties necessary to connect to your data source.
Set the ConnectionType to Local. Local files support SELECT.
Set the URI to a folder containing SASXpt files: C:\folder1.
If you need INSERT/UPDATE/DELETE cloud files, you can download the corresponding CData Sync App for that cloud host (supported via stored procedures), make changes with the local file's corresponding Sync App, then upload the file using the cloud source's stored procedures.
As an example, if you wanted to update a file stored on SharePoint, you could use the CData SharePoint Sync App's DownloadDocument procedure to download the SAS Xpt file, update the local SAS Xpt file with the CData SAS Xpt Sync App, then use the SharePoint Sync App's UploadDocument procedure to upload the changed file to SharePoint.
A unique prefix at the beginning of the URI connection property is used to identify the cloud data store being targed by the Sync App and the remainder of the path is a relative path to the desired folder (one table per file) or single file (a single table).
Set the following to identify your SAS Xpt resources stored on Amazon S3:
See Connecting to Amazon S3 for more information regarding how to connect and authenticate to SASXpt files hosted on Amazon S3.
Set the following to identify your SAS Xpt resources stored on Azure Blob Storage:
See Connecting to Azure Blob Storage for more information regarding how to connect and authenticate to SASXpt files hosted on Amazon Blob Storage.
Set the following to identify your SAS Xpt resources stored on Azure Data Lake Storage:
See Connecting to Azure Data Lake Storage for more information regarding how to connect and authenticate to SASXpt files hosted on Azure Data Lake Storage.
Set the following properties to connect:
You can authenticate either an Azure access key or an Azure shared access signature. Set one of the following:
Set the following to identify your SAS Xpt resources stored on Box:
See Connecting to Box for more information regarding how to connect and authenticate to SASXpt files hosted on Box.
Set the following to identify your SAS Xpt resources stored on Dropbox:
See Connecting to Dropbox for more information regarding how to connect and authenticate to SASXpt files hosted on Dropbox.
The Sync App supports both plaintext and SSL/TLS connections to FTP servers.
Set the following connection properties to connect:
Set the following to identify your SAS Xpt resources stored on Google Cloud Storage:
See Connecting to Google Cloud Storage for more information regarding how to connect and authenticate to SASXpt files hosted on Google Cloud Storage.
Set the following to identify your SAS Xpt resources stored on Google Drive:
See Connecting to Google Drive for more information regarding how to connect and authenticate to SASXpt files hosted on Google Drive.
Set the following to identify your SAS Xpt resources stored on HDFS:
There are two authentication methods available for connecting to HDFS data source, Anonymous Authentication and Negotiate (Kerberos) Authentication.
Anonymous Authentication
In some situations, you can connect to HDFS without any authentication connection properties. To do so, set the AuthScheme property to None (default).
Authenticate using Kerberos
When authentication credentials are required, you can use Kerberos for authentication. See Using Kerberos for details on how to authenticate with Kerberos.
Set the following to identify your SAS Xpt resources stored on HTTP streams:
See Connecting to HTTP Streams for more information regarding how to connect and authenticate to SASXpt files hosted on HTTP Streams.
Set the following to identify your SAS Xpt resources stored on IBM Cloud Object Storage:
See Connecting to IBM Object Storage for more information regarding how to connect and authenticate to SASXpt files hosted on IBM Cloud Object Storage.
Set the following to identify your SAS Xpt resources stored on OneDrive:
See Connecting to OneDrive for more information regarding how to connect and authenticate to SASXpt files hosted on OneDrive.
Set the following to identify your SAS Xpt resources stored on OneLake:
See Connecting to OneLake for more information regarding how to connect and authenticate to SASXpt files hosted on OneLake.
Set the following properties to authenticate with HMAC:
Set the following to identify your SAS Xpt resources stored on SFTP:
See Connecting to SFTP for more information regarding how to connect and authenticate to SASXpt files hosted on SFTP.
Set the following to identify your SAS Xpt resources stored on SharePoint Online:
See Connecting to SharePoint Online for more information regarding how to connect and authenticate to SASXpt files hosted on SharePoint Online.
Specify the following to connect to data:
There are several authentication methods available for connecting to SAS Xpt including:
To authenticate using account root credentials, set these configuration parameters:
Note: Use of this authentication scheme is discouraged by Amazon for anything but simple tests. The account root credentials have the full permissions of the user, making this the least secure authentication method.
If multi-factor authentication is required, specify the following:
Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).
Set AuthScheme to AwsEC2Roles.
If you are using the Sync App from an EC2 Instance and have an IAM Role assigned to the instance, you can use the IAM Role to authenticate. Since the Sync App automatically obtains your IAM Role credentials and authenticates with them, it is not necessary to specify AWSAccessKey and AWSSecretKey.
If you are also using an IAM role to authenticate, you must additionally specify the following:
The SAS Xpt Sync App now supports IMDSv2. Unlike IMDSv1, the new version requires an authentication token. Endpoints and response are the same in both versions.
In IMDSv2, the SAS Xpt Sync App first attempts to retrieve the IMDSv2 metadata token and then uses it to call AWS metadata endpoints. If it is unable to retrieve the token, the Sync App reverts to IMDSv1.
Set AuthScheme to AwsWebIdentity.
If you are using the Sync App from a container configured to assume role with web identity (such as a Pod in an EKS cluster with an OpenID Provider) or have obtained an identity token by authenticating with a web identity provider associated with an IAM role, you can exchange the web identity token and IAM role information for temporary security credentials to authenticate and access AWS services. The Sync App automatically obtains the credentials if the container has AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE specified in the environment variables. Alternatively, you can specify both AWSRoleARN and AWSWebIdentityToken to execute the AssumeRoleWithWebIdentity API operation and authenticate.
Set AuthScheme to AwsIAMRoles.
In many situations, it may be preferable to use an IAM role for authentication instead of the direct security credentials of an AWS root user. If you are specifying the AWSAccessKey and AWSSecretKey of an AWS root user, you may not use roles.
To authenticate as an AWS role, set these properties:
If multi-factor authentication is required, specify the following:
Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).
To connect to ADFS, set the AuthScheme to ADFS, and set these properties:
To authenticate to ADFS, set these SSOProperties:
Example connection string:
AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';SSOProperties='RelyingParty=https://saml.salesforce.com';
The ADFS Integrated flow indicates you are connecting with the currently logged in Windows user credentials. To use the ADFS Integrated flow, do not specify the User and Password, but otherwise follow the same steps in the ADFS guide above.
To connect to Okta, set the AuthScheme to Okta, and set these properties:
If you are using a trusted application or proxy that overrides the Okta client request OR configuring MFA, you must use combinations of SSOProperties to authenticate using Okta. Set any of the following, as applicable:
Example connection string:
AuthScheme=Okta;SSOLoginURL='https://example.okta.com/home/appType/0bg4ivz6cJRZgCz5d6/46';User=oktaUserName;Password=oktaPassword;
To connect to PingFederate, set AuthScheme to PingFederate, and set these properties:
To enable mutual SSL authentication for SSOLoginURL, the WS-Trust STS endpoint, configure these SSOProperties:
Example connection string:
authScheme=pingfederate;SSOLoginURL=https://mycustomserver.com:9033/idp/sts.wst;SSOExchangeUrl=https://us-east-1.signin.aws.amazon.com/platform/saml/acs/764ef411-xxxxxx;user=admin;password=PassValue;AWSPrincipalARN=arn:aws:iam::215338515180:saml-provider/pingFederate;AWSRoleArn=arn:aws:iam::215338515180:role/SSOTest2;
To authenticate using temporary credentials, specify the following:
The Sync App can now request resources using the same permissions provided by long-term credentials (such as IAM user credentials) for the lifespan of the temporary credentials.
To authenticate using both temporary credentials and an IAM role, set all the parameters described above, and specify these additional parameters:
If multi-factor authentication is required, specify the following:
Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).
You can use a credentials file to authenticate. Any configurations related to AccessKey/SecretKey authentication, temporary credentials, role authentication, or MFA can be used. To do so, set the following properties to authenticate:
This configuration requires two separate Azure AD applications:
To connect to Azure AD, set the AuthScheme to AzureAD, and set these properties:
To authenticate to Azure AD, set these SSOProperties:
Example connection string:
AuthScheme=AzureAD;OAuthClientId=3ea1c786-d527-4399-8c3b-2e3696ae4b48;OauthClientSecret=xxx;CallbackUrl=https://localhost:33333;SSOProperties='Resource=https://signin.aws.amazon.com/saml;AzureTenant=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';
To obtain the credentials for an AzureBlob user, follow the steps below:
Set AzureStorageAccount to your Azure Blob Storage account name.
You can authenticate to Azure Blob Storage via Access Key, Shared Access Signatures (SAS), AzureAD user, Azure MSI, or Azure Service Principal.
Set the following to authenticate with an Azure Access Key:
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the app are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Azure AD Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
If you would like to authenticate with a service principal instead of a client secret, it is also possible to authenticate with a client certificate. Set the following to authenticate:
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
Set AzureStorageAccount to your Azure Data Lake Storage account name.
You can authenticate to Azure Data Lake Storage via Access Key, Shared Access Signature (SAS), AzureAD user, Azure MSI, or Azure Service Principal.
Set the following to authenticate with an Azure Access Key:
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the app are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Azure AD Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
If you would like to authenticate with a service principal instead of a client secret, it is also possible to authenticate with a client certificate. Set the following to authenticate:
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
Use the OAuth authentication standard to connect to Box. You can authenticate with a user account or with a service account. A service account is required to grant organization-wide access scopes to the Sync App. The Sync App facilitates these authentication flows as described below.
AuthScheme must be set to OAuth in all user account flows.
Set the AuthScheme to OAuthJWT to authenticate with this method.
Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the Sync App.
You need to create an OAuth application in this flow. See Create a Custom OAuth App to create and authorize an app. You can then connect to Box data that the service account has permission to access.
After setting the following connection properties, you are ready to connect:
You may choose to use your own OAuth Application Credentials when you want to:
At the Box Enterprise Developer Console:
Note: Box does not back up private keys for security reasons. Be careful to back up the Public/Private JSON file. If you lose your private key, you must reset the entire keypair.
openssl genrsa -des3 -out private.pem 2048 openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Note: To run OpenSSL in a Windows environment, install the Cygwin package.
After your application is created and registered, click Configuration from the main menu to access your settings. Note the displayed Redirect URI, Client ID, and Client Secret. You will need these values later.
If you change the JWT access scopes, you must reauthorize the application in the enterprise admin console:
Dropbox uses the OAuth authentication standard.
You need to choose between using CData's embedded OAuth app or Create a Custom OAuth App.
The embedded app includes the following scopes:
You may choose to use your own OAuth Application Credentials when you want to
No further values need to be specified in the SAS Xpt app settings.
Set the ProjectId property to the Id of the project you want to connect to.
The Sync App supports using user accounts and GCP instance accounts for authentication.
The following sections discuss the available authentication schemes for Google Cloud Storage:
AuthScheme must be set to OAuth in all user account flows.
Get an OAuth Access Token
Set the following connection properties to obtain the OAuthAccessToken:
Then call stored procedures to complete the OAuth exchange:
Once you have obtained the access and refresh tokens, you can connect to data and refresh the OAuth access token either automatically or manually.
Automatic Refresh of the OAuth Access Token
To have the driver automatically refresh the OAuth access token, set the following on the first data connection:
Manual Refresh of the OAuth Access Token
The only value needed to manually refresh the OAuth access token when connecting to data is the OAuth refresh token.
Use the RefreshOAuthAccessToken stored procedure to manually refresh the OAuthAccessToken after the ExpiresIn parameter value returned by GetOAuthAccessToken has elapsed, then set the following connection properties:
Then call RefreshOAuthAccessToken with OAuthRefreshToken set to the OAuth refresh token returned by GetOAuthAccessToken. After the new tokens have been retrieved, open a new connection by setting the OAuthAccessToken property to the value returned by RefreshOAuthAccessToken.
Finally, store the OAuth refresh token so that you can use it to manually refresh the OAuth access token after it has expired.
Option 1: Obtain and Exchange a Verifier Code
To obtain a verifier code, you must authenticate at the OAuth authorization URL.
Follow the steps below to authenticate from the machine with an internet browser and obtain the OAuthVerifier connection property.
On the headless machine, set the following connection properties to obtain the OAuth authentication values:
After the OAuth settings file is generated, you need to re-set the following properties to connect:
Option 2: Transfer OAuth Settings
Prior to connecting on a headless machine, you need to create and install a connection with the driver on a device that supports an internet browser. Set the connection properties as described in "Desktop Applications" above.
After completing the instructions in "Desktop Applications", the resulting authentication values are encrypted and written to the location specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.
Once you have successfully tested the connection, copy the OAuth settings file to your headless machine.
On the headless machine, set the following connection properties to connect to data:
When running on a GCP virtual machine, the Sync App can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.
(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to SAS Xpt".)
However, you must create a custom OAuth application to connect to SAS Xpt via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.
Custom OAuth applications are useful if you want to:
The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).
For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)
Do the following:
Note: The client secret remains accessible from from the Google Cloud Console.
To create a new service account:
To complete the service account flow, generate a private key in the Google Cloud Console. In the service account flow, the driver exchanges a JSON Web token (JWT) for the OAuthAccessToken. The private key is required to sign the JWT. The driver will have the same permissions granted to the service account.
The Sync App supports using user accounts and GCP instance accounts for authentication.
The following sections discuss the available authentication schemes for Google Drive:
AuthScheme must be set to OAuth in all user account flows.
When running on a GCP virtual machine, the Sync App can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.
(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to SAS Xpt".)
However, you must create a custom OAuth application to connect to SAS Xpt via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.
Custom OAuth applications are useful if you want to:
The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).
For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)
Do the following:
Note: The client secret remains accessible from from the Google Cloud Console.
To create a new service account:
To complete the service account flow, generate a private key in the Google Cloud Console. In the service account flow, the driver exchanges a JSON Web token (JWT) for the OAuthAccessToken. The private key is required to sign the JWT. The driver will have the same permissions granted to the service account.
The Sync App generically supports connecting to SAS Xpt data stored on HTTP(S) streams.
Several authentication methods, such as user/password, digest access, OAuth, OAuthJWT, and OAuth PASSWORD flow are supported.
You can also connect to streams that have no authentication set up.
Connect to an HTTP(S) stream with no authentication by setting the AuthScheme connection property to None.
Set the following to connect:
Set the following to connect:
OAuth requires the authenticating user to interact with SAS Xpt using the browser. The Sync App facilitates this in various ways as described in the following sections.
Before following the procedures below, you need to register an OAuth app with the service containing the SAS Xpt data you want to work with.
Creating a custom application in most services requires registering as a developer and creating an app in the UI of the service.
This is not necessarily true for all services. In some you must contact the service provider to create the app for you. However it is done, you must obtain the values for OAuthClientId, OAuthClientSecret, and CallbackURL.
Set AuthScheme to OAuthJWT.
The Sync App supports using JWT as an authorization grant in situations where a user cannot perform an interactive sign-on. After setting the following connection properties, you are ready to connect:
Note that the JWT signature algorithm cannot be set directly. The Sync App only supports the RS256 algorithm.
The Sync App will then construct a JWT including the following fields, and submit it to OAuthAccessTokenURL for an access token.
AuthScheme: Set this to OAuthPassword.
OAuth requires the authenticating user to interact with SAS Xpt using the browser. The Sync App facilitates this in various ways as described in the following sections.
Before following the procedures below, you need to register an OAuth app with the service containing the SAS Xpt data you want to work with.
Creating a custom application in most services requires registering as a developer and creating an app in the UI of the service.
This is not necessarily true for all services. In some you must contact the service provider to create the app for you. However it is done, you must obtain the values for OAuthClientId, OAuthClientSecret, and CallbackURL.
After setting the following connection properties, you are ready to connect:
If you do not already have Cloud Object Storage in your IBM Cloud account, you can follow the procedure below to install an instance of SQL Query in your account:
To connect with IBM Cloud Object Storage, you will need an ApiKey. You can obtain this as follows:
Set Region to to your IBM instance region.
You can authenticate to IBM Cloud Object Storage using either HMAC or OAuth authentication.
Set the following properties to authenticate:
For example:ConnectionType=IBM Object Storage Source;URI=ibmobjectstorage://bucket1/folder1; AccessKey=token1; SecretKey=secret1; Region=eu-gb;
Set the following to authenticate using OAuth authentication.
ConnectionType=IBM Object Storage Source;URI=ibmobjectstorage://bucket1/folder1; ApiKey=key1; Region=eu-gb; AuthScheme=OAuth; InitiateOAuth=GETANDREFRESH;
When you connect, the Sync App completes the OAuth process.
You can connect to OneDrive using an AzureAD user, with MSI authentication, or using an Azure Service Principal.
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the app are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Azure AD Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
If you would like to authenticate with a service principal instead of a client secret, it is also possible to authenticate with a client certificate. Set the following to authenticate:
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
You can authenticate to OneLake via AzureAD user, Azure MSI, or Azure Service Principal.
AuthScheme must be set to AzureAD in all user account flows.
The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the app are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.
Create an AzureAD App and an Azure Service Principal
When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Azure AD Application for more details.
In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
Assign a role to the application
To access resources in your subscription, you must assign a role to the application.
Client Secret
Set these connection properties:
Certificate
Set these connection properties:
You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.
If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.
If you would like to authenticate with a service principal instead of a client secret, it is also possible to authenticate with a client certificate. Set the following to authenticate:
There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.
You may choose to use your own AzureAD Application Credentials when you want to
Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.
When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.
Follow the steps below to obtain the AzureAD values for your application.
Follow the steps below to add a service principal to a workspace.
You can authenticate to SFTP using a user and password or an SSH certificate. Additionally, you can connect to an SFTP server that has no authentication enabled.
Set SSHAuthMode to None to connect without authentication, assuming your server supports doing so.
Provide user credentials associated with your SFTP server:
Set the following to connect.
| Service provider | Okta | OneLogin | ADFS | AzureAD |
| Amazon S3 | Y | Y | Y | |
| Azure Blob Storage | ||||
| Azure Data Lake Store Gen1 | ||||
| Azure Data Lake Store Gen2 | ||||
| Azure Data Lake Store Gen2 with SSL | ||||
| Google Drive | ||||
| OneDrive | ||||
| Box | ||||
| Dropbox | ||||
| SharePoint Online SOAP | Y | Y | Y | |
| SharePoint Online REST | ||||
| Wasabi | ||||
| Google Cloud Storage | ||||
| Oracle Cloud Storage | ||||
| Azure File |
Azure AD Configuration
The main theme behind this configuration is the OAuth 2.0 On-Behalf-Of flow. It requires two Azure AD applications:
Save the step "Assign the Azure AD test user" until after provisioning so that you can select the AWS roles when assigning the user.
CData Driver Common Properties
The following SSOProperties are needed to authenticate to Azure Active Directory and must be specified for every service provider.
We will retrieve the SSO SAML response from an OAuth 2.0 On-Behalf-Of flow so the following OAuth connection properties must be specified:
Amazon S3
In addition to the common properties, the following properties must be specified when connecting to Amazon S3 service provider:
AuthScheme=AzureAD;InitiateOAuth=GETANDREFRESH;OAuthClientId=d593a1d-ad89-4457-872d-8d7443aaa655;OauthClientSecret=g9-oy5D_rl9YEKfN-45~3Wm8FgVa2F;SSOProperties='Tenant=94be7-edb4-4fda-ab12-95bfc22b232f;Resource=https://signin.aws.amazon.com/saml;';AWSRoleARN=arn:aws:iam::2153385180:role/AWS_AzureAD;AWSPrincipalARN=arn:aws:iam::215515180:saml-provider/AzureAD;
OneLogin Configuration
You must create an application used for the single sign-on process to a specific provider.
Sharepoint SOAP
The following properties must be specified when connecting to Sharepoint SOAP service provider:
AuthScheme='OneLogin';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Okta Configuration
You must create an application used for the single sign-on process to a specific provider.
Sharepoint SOAP
The following properties must be specified when connecting to Sharepoint SOAP service provider:
AuthScheme='Okta';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Amazon S3
The following properties must be specified when connecting to an Amazon S3 service provider:
AuthScheme=Okta;User=OktaUser;Password=OktaPassword;SSOLoginURL='https://{subdomain}.okta.com/home/amazon_aws/0oan2hZLgQiy5d6/272';
ADFS Configuration
You must create an application used for the single sign-on process to a specific provider.
Sharepoint SOAP
The following properties must be specified when connecting to a Sharepoint SOAP service provider:
AuthScheme='ADFS';User=test;Password=test;SSOProperties='Domain=test.cdata;';
Amazon S3
The following properties must be specified when connecting to a Sharepoint SOAP service provider:
AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';ADFS Integrated
The ADFS Integrated flow indicates you are connecting with the currently logged in Windows user credentials. To use the ADFS Integrated flow, simply do not specify the User and Password, but otherwise follow the same steps in the ADFS guide above.
To authenticate to SAS Xpt with Kerberos, set AuthScheme to NEGOTIATE.
Authenticating to SAS Xpt via Kerberos requires you to define authentication properties and to choose how Kerberos should retrieve authentication tickets.
The Sync App provides three ways to retrieve the required Kerberos ticket, depending on whether or not the KRB5CCNAME and/or KerberosKeytabFile variables exist in your environment.
MIT Kerberos Credential Cache File
This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. With this option there is no need to set the User or Password connection properties.
This option requires that KRB5CCNAME has been created in your system.
To enable ticket retrieval via MIT Kerberos Credential Cache Files:
If the ticket is successfully obtained, the ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.
The Sync App uses the cache file to obtain the Kerberos ticket to connect to SAS Xpt.
Note: If you would prefer not to edit KRB5CCNAME, you can use the KerberosTicketCache property to set the file path manually. After this is set, the Sync App uses the specified cache file to obtain the Kerberos ticket to connect to SAS Xpt.
Keytab File
If your environment lacks the KRB5CCNAME environment variable, you can retrieve a Kerberos ticket using a Keytab File.
To use this method, set the User property to the desired username, and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.
User and Password
If your environment lacks the KRB5CCNAME environment variable and the KerberosKeytabFile property has not been set, you can retrieve a ticket using a user and password combination.
To use this method, set the User and Password properties to the user/password combination that you use to authenticate with SAS Xpt.
To enable this kind of cross-realm authentication, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also, set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.
This section details a selection of advanced features of the SAS Xpt Sync App.
The Sync App supports the use of user defined views, virtual tables whose contents are decided by a pre-configured user defined query. These views are useful when you cannot directly control queries being issued to the drivers. For an overview of creating and configuring custom views, see User Defined Views .
Use SSL Configuration to adjust how Sync App handles TLS/SSL certificate negotiations. You can choose from various certificate formats;. For further information, see the SSLServerCert property under "Connection String Options" .
Configure the Sync App for compliance with Firewall and Proxy, including Windows proxies and HTTP proxies. You can also set up tunnel connections.
For further information, see Query Processing.
By default, the Sync App attempts to negotiate TLS with the server. The server certificate is validated against the default system trusted certificate store. You can override how the certificate gets validated using the SSLServerCert connection property.
To specify another certificate, see the SSLServerCert connection property.
The SAS Xpt Sync App also supports setting client certificates. Set the following to connect using a client certificate.
To authenticate to an HTTP proxy, set the following:
Set the following properties:
This section shows the available API objects and provides more information on executing SQL to SAS Xpt APIs.
The connection string properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure in the connection string for this provider. Click the links for further details.
For more information on establishing a connection, see Establishing a Connection.
| Property | Description |
| AuthScheme | The type of authentication to use when connecting to remote services. |
| AccessKey | Your account access key. This value is accessible from your security credentials page. |
| SecretKey | Your account secret key. This value is accessible from your security credentials page. |
| ApiKey | The API Key used to identify the user to IBM Cloud. |
| User | The user account used to authenticate. |
| Password | The password used to authenticate the user. |
| SharePointEdition | The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise. |
| ImpersonateUserMode | Specify the type of the user impersonation. It should be whether the User mode or the Admin mode. |
| Property | Description |
| ConnectionType | Specifies the file storage service, server, or file access protocol through which your SAS Xpt files are stored and retreived. |
| URI | The Uniform Resource Identifier (URI) for the SASXpt resource location. |
| Region | The hosting region for your S3-like Web Services. |
| ProjectId | The Id of the project where your Google Cloud Storage instance resides. |
| OracleNamespace | The Oracle Cloud Object Storage namespace to use. |
| StorageBaseURL | The URL of a cloud storage service provider. |
| UseVirtualHosting | If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified. |
| UseLakeFormation | When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion. |
| Property | Description |
| AWSAccessKey | Specifies your AWS account access key. This value is accessible from your AWS security credentials page. |
| AWSSecretKey | Your AWS account secret key. This value is accessible from your AWS security credentials page. |
| AWSRoleARN | The Amazon Resource Name of the role to use when authenticating. |
| AWSPrincipalARN | The ARN of the SAML Identity provider in your AWS account. |
| AWSRegion | The hosting region for your Amazon Web Services. |
| AWSCredentialsFile | The path to the AWS Credentials File to be used for authentication. |
| AWSCredentialsFileProfile | The name of the profile to be used from the supplied AWSCredentialsFile. |
| AWSSessionToken | Your AWS session token. |
| AWSExternalId | A unique identifier that might be required when you assume a role in another account. |
| MFASerialNumber | The serial number of the MFA device if one is being used. |
| MFAToken | The temporary token available from your MFA device. |
| TemporaryTokenDuration | The amount of time (in seconds) a temporary token will last. |
| AWSWebIdentityToken | The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. |
| ServerSideEncryption | When activated, file uploads into Amazon S3 buckets will be server-side encrypted. |
| SSEContext | A BASE64-encoded UTF-8 string holding JSON which represents a string-string (key-value) map. |
| SSEEnableS3BucketKeys | Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS. |
| SSEKey | A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption. |
| Property | Description |
| AzureStorageAccount | The name of your Azure storage account. |
| AzureAccessKey | The storage key associated with your Azure account. |
| AzureSharedAccessSignature | A shared access key signature that may be used for authentication. |
| AzureTenant | Identifies the SAS Xpt tenant being used to access data, either by name (for example, contoso.omnicrosoft.com) or ID. (Conditional). |
| AzureEnvironment | Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added. |
| Property | Description |
| SSOLoginURL | The identity provider's login URL. |
| SSOProperties | Additional properties required to connect to the identity provider, formatted as a semicolon-separated list. |
| SSOExchangeUrl | The URL used for consuming the SAML response and exchanging it for service specific credentials. |
| Property | Description |
| OAuthJWTCert | The JWT Certificate store. |
| OAuthJWTCertType | The type of key store containing the JWT Certificate. |
| OAuthJWTCertPassword | The password for the OAuth JWT certificate used to access a certificate store that requires a password. If the certificate store does not require a password, leave this property blank. |
| OAuthJWTCertSubject | The subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate. |
| OAuthJWTSubjectType | The SubType for the JWT authentication. |
| OAuthJWTPublicKeyId | The Id of the public key for JWT. |
| Property | Description |
| KerberosKDC | The Kerberos Key Distribution Center (KDC) service used to authenticate the user. |
| KerberosRealm | The Kerberos Realm used to authenticate the user. |
| KerberosSPN | The service principal name (SPN) for the Kerberos Domain Controller. |
| KerberosUser | The principal name for the Kerberos Domain Controller. Used in the format host/user@realm. |
| KerberosKeytabFile | The Keytab file containing your pairs of Kerberos principals and encrypted keys. |
| KerberosServiceRealm | The Kerberos realm of the service. |
| KerberosServiceKDC | The Kerberos KDC of the service. |
| KerberosTicketCache | The full file path to an MIT Kerberos credential cache file. |
| Property | Description |
| OAuthVersion | The version of OAuth being used. |
| OAuthClientId | Specifies the client Id that was assigned the custom OAuth application was created. (Also known as the consumer key.) This ID registers the custom application with the OAuth authorization server. |
| OAuthClientSecret | Specifies the client secret that was assigned when the custom OAuth application was created. (Also known as the consumer secret ). This secret registers the custom application with the OAuth authorization server. |
| SubjectId | The user subject for which the application is requesting delegated access. |
| SubjectType | The Subject Type for the Client Credentials authentication. |
| Scope | Specifies the scope of the authenticating user's access to the application. Generally specified at the time the custom OAuth application is created (if necessary), so that the authenticating user can obtain the the level of access appropriate to their credentials. |
| OAuthGrantType | Specifies the grant type for the chosen OAuth flow. This value should be the same as the grant_type that was set during OAuth custom application creation. |
| OAuthPasswordGrantMode | Specifies how the OAuth Client Id and Client Secret should be passed. Supported options: BASIC and POST. |
| OAuthIncludeCallbackURL | Whether to include the callback URL in an access token request. |
| OAuthAuthorizationURL | The authorization URL for the OAuth service. |
| OAuthAccessTokenURL | The URL to retrieve the OAuth access token from. |
| OAuthRefreshTokenURL | The URL to refresh the OAuth token from. |
| OAuthRequestTokenURL | The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0. |
| AuthToken | The authentication token used to request and obtain the OAuth Access Token. |
| AuthKey | The authentication secret used to request and obtain the OAuth Access Token. |
| OAuthParams | A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value. |
| Property | Description |
| SSLClientCert | Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection. |
| SSLClientCertType | Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source. |
| SSLClientCertPassword | Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access. |
| SSLClientCertSubject | Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store. |
| SSLMode | The authentication mechanism to be used when connecting to the FTP or FTPS server. |
| SSLServerCert | Specifies the certificate to be accepted from the server when connecting using TLS/SSL. |
| Property | Description |
| SSHAuthMode | The authentication method used when establishing an SSH Tunnel to the service. |
| SSHClientCert | A certificate to be used for authenticating the SSHUser. |
| SSHClientCertPassword | The password of the SSHClientCert key if it has one. |
| SSHClientCertSubject | The subject of the SSH client certificate. |
| SSHClientCertType | The type of SSHClientCert private key. |
| SSHUser | The SSH user. |
| SSHPassword | The SSH password. |
| Property | Description |
| FirewallType | Specifies the protocol the provider uses to tunnel traffic through a proxy-based firewall. |
| FirewallServer | Identifies the IP address, DNS name, or host name of a proxy used to traverse a firewall and relay user queries to network resources. |
| FirewallPort | Specifies the TCP port to be used for a proxy-based firewall. |
| FirewallUser | Identifies the user ID of the account authenticating to a proxy-based firewall. |
| FirewallPassword | Specifies the password of the user account authenticating to a proxy-based firewall. |
| Property | Description |
| ProxyAutoDetect | Specifies whether the provider checks your system proxy settings for existing proxy server configurations, rather than using a manually specified proxy server. |
| ProxyServer | The hostname or IP address of the proxy server that you want to route HTTP traffic through. |
| ProxyPort | The TCP port on your specified proxy server (set in the ProxyServer connection property) that has been reserved for routing HTTP traffic to and from the client. |
| ProxyAuthScheme | Specifies the authentication method the provider uses when authenticating to the proxy server specified in the ProxyServer connection property. |
| ProxyUser | The username of a user account registered with the proxy server specified in the ProxyServer connection property. |
| ProxyPassword | The password associated with the user specified in the ProxyUser connection property. |
| ProxySSLType | The SSL type to use when connecting to the proxy server specified in the ProxyServer connection property. |
| ProxyExceptions | A semicolon separated list of destination hostnames or IPs that are exempt from connecting through the proxy server set in the ProxyServer connection property. |
| Property | Description |
| LogModules | Specifies the core modules to include in the log file. Use a semicolon-separated list of module names. By default, all modules are logged. |
| Property | Description |
| Location | Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path. |
| BrowsableSchemas | Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC . |
| Tables | Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC . |
| Views | Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC . |
| Property | Description |
| Charset | Specifies the session character set for encoding and decoding character data transferred to and from the SAS Xpt file. The default value is UTF-8. |
| ClientCulture | This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'. |
| Culture | This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine. |
| DirectoryRetrievalDepth | Limit the subfolders recursively scanned when IncludeSubdirectories is enabled. |
| ExcludeFiles | Comma-separated list of file extensions to exclude from the set of the files modeled as tables. |
| FolderId | The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations. |
| IncludeDropboxTeamResources | Indicates if you want to include Dropbox team files and folders. |
| IncludeFiles | Comma-separated list of file extensions to include into the set of the files modeled as tables. |
| IncludeItemsFromAllDrives | Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned. |
| IncludeSubdirectories | Whether to read files from nested folders. In the case of a name collision, table names are prefixed by the underscore-separated folder names. |
| MaxRows | Specifies the maximum rows returned for queries without aggregation or GROUP BY. |
| Other | Specifies additional hidden properties for specific use cases. These are not required for typical provider functionality. Use a semicolon-separated list to define multiple properties. |
| PageSize | (Optional) PageSize value. |
| PathSeparator | Determines the character which will be used to replace the file separator. |
| PseudoColumns | Specifies the pseudocolumns to expose as table columns. Use the format 'TableName=ColumnName;TableName=ColumnName'. The default is an empty string, which disables this property. |
| TemporaryLocalFolder | The path, or URI, to the folder that is used to temporarily download xpt file(s). |
| Timeout | Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout. |
| UserDefinedViews | Specifies a filepath to a JSON configuration file defining custom views. The provider automatically detects and uses the views specified in this file. |
This section provides a complete list of the Authentication properties you can configure in the connection string for this provider.
| Property | Description |
| AuthScheme | The type of authentication to use when connecting to remote services. |
| AccessKey | Your account access key. This value is accessible from your security credentials page. |
| SecretKey | Your account secret key. This value is accessible from your security credentials page. |
| ApiKey | The API Key used to identify the user to IBM Cloud. |
| User | The user account used to authenticate. |
| Password | The password used to authenticate the user. |
| SharePointEdition | The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise. |
| ImpersonateUserMode | Specify the type of the user impersonation. It should be whether the User mode or the Admin mode. |
The type of authentication to use when connecting to remote services.
The following options are available when ConnectionType is set to Amazon S3:
The following options are available when ConnectionType is set to Azure Blob Storage, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure Data Lake Storage Gen2 SSL, or OneDrive:
The following options are available when ConnectionType is set to OneLake:
The following options are available when ConnectionType is set to Box:
Only the following option is available when ConnectionType is set to Dropbox:
OAuth: Uses OAuth2 with the authorization code grant type. OAuthVersion must be set to 2.0.
Only the following option is available when ConnectionType is set to FTP or FTPS:
Basic: Basic user credentials (user/password).
The following options are available when ConnectionType points Google Cloud Storage or Google Drive:
The following options are available when ConnectionType is set to HDFS or HDFS Secure:
The following options are available when ConnectionType is set to HTTP or HTTPS:
The following options are also available when ConnectionType is set to IBM Object Storage Source:
Only the following option is available when ConnectionType is set to Oracle Cloud Storage:
HMAC: Uses AccessKey and SecretKey to authenticate to the Oracle Cloud Storage.
This ConnectionType defaults to using an AuthScheme called SFTP, but the authentication method is actually controlled using the SSHAuthMode property. See this property's documentation for further information.
The following options are also available when ConnectionType is set to SharePoint REST:
The following options are also available when ConnectionType is set to SharePoint SOAP:
Your account access key. This value is accessible from your security credentials page.
Your account access key. This value is accessible from your security credentials page depending on the service you are using.
Your account secret key. This value is accessible from your security credentials page.
Your account secret key. This value is accessible from your security credentials page depending on the service you are using.
The API Key used to identify the user to IBM Cloud.
Access to resources in the SAS Xpt REST API is governed by an API key in order to retrieve token. An API Key can be created by navigating to Manage --> Access (IAM) --> Users and clicking 'Create'.
The user account used to authenticate.
Together with Password, this field is used to authenticate against the server.
This property will refer to different things based on the context, namely the value of ConnectionType and AuthScheme:
The password used to authenticate the user.
The User and Password are together used to authenticate with the server.
This property will refer to different things based on the context, namely the value of ConnectionType and AuthScheme:
Specify the type of the user impersonation. It should be whether the User mode or the Admin mode.
Specify the type of the user impersonation. It should be whether the User mode or the Admin mode. The Admin mode is available only for Enterprise with Governance accounts and will be upon request. It will not work for any other accounts.
This section provides a complete list of the Connection properties you can configure in the connection string for this provider.
| Property | Description |
| ConnectionType | Specifies the file storage service, server, or file access protocol through which your SAS Xpt files are stored and retreived. |
| URI | The Uniform Resource Identifier (URI) for the SASXpt resource location. |
| Region | The hosting region for your S3-like Web Services. |
| ProjectId | The Id of the project where your Google Cloud Storage instance resides. |
| OracleNamespace | The Oracle Cloud Object Storage namespace to use. |
| StorageBaseURL | The URL of a cloud storage service provider. |
| UseVirtualHosting | If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified. |
| UseLakeFormation | When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion. |
Specifies the file storage service, server, or file access protocol through which your SAS Xpt files are stored and retreived.
Set the ConnectionType to one of the following:
Set the ConnectionType to one of the following:
The Uniform Resource Identifier (URI) for the SASXpt resource location.
Set the URI property to specify a path to a file or stream.
NOTE:
See for more advanced features available for parsing and merging multiple files.
Below are examples of the URI formats for the available data sources:
| Service provider | URI formats | |
| Local | Single File Path One table
localPath file://localPath Directory Path (one table per file) localPath file://localPath | |
| HTTP or HTTPS | http://remoteStream
https://remoteStream | |
| Amazon S3 | Single File Path One table
s3://remotePath Directory Path (one table per file) s3://remotePath | |
| Azure Blob Storage | Single File Path One table
azureblob://mycontainer/myblob/ Directory Path (one table per file) azureblob://mycontainer/myblob/ | |
| OneDrive | Single File Path One table
onedrive://remotePath Directory Path (one table per file) onedrive://remotePath | |
| Google Cloud Storage | Single File Path One table
gs://bucket/remotePath Directory Path (one table per file) gs://bucket/remotePath | |
| Google Drive | Single File Path One table
gdrive://remotePath Directory Path (one table per file) gdrive://remotePath | |
| Box | Single File Path One table
box://remotePath Directory Path (one table per file) box://remotePath | |
| FTP or FTPS | Single File Path One table
ftp://server:port/remotePath Directory Path (one table per file) ftp://server:port/remotePath | |
| SFTP | Single File Path One table
sftp://server:port/remotePath Directory Path (one table per file) sftp://server:port/remotePath | |
| Sharepoint | Single File Path One table
sp://https://server/remotePath Directory Path (one table per file) sp://https://server/remotePath |
Below are example connection strings to SASXpt files or streams.
| Service provider | URI formats | Connection example |
| Local | Single File Path One table
localPath file://localPath Directory Path (one table per file) localPath file://localPath | URI=C:\folder1 |
| Amazon S3 | Single File Path One table
s3://bucket1/folder1 Directory Path (one table per file) s3://bucket1/folder1 | URI=s3://bucket1/folder1; AWSAccessKey=token1; AWSSecretKey=secret1; AWSRegion=OHIO; |
| Azure Blob Storage | Single File Path One table
azureblob://mycontainer/myblob/ Directory Path (one table per file) azureblob://mycontainer/myblob/ | URI=azureblob://mycontainer/myblob/; AzureStorageAccount=myAccount; AzureAccessKey=myKey;
URI=azureblob://mycontainer/myblob/; AzureStorageAccount=myAccount; AuthScheme=OAuth; |
| OneDrive | Single File Path One table
onedrive://remotePath Directory Path (one table per file) onedrive://remotePath | URI=onedrive://folder1; AuthScheme=OAuth;
URI=onedrive://SharedWithMe/folder1; AuthScheme=OAuth; |
| Google Cloud Storage | Single File Path One table
gs://bucket/remotePath Directory Path (one table per file) gs://bucket/remotePath | URI=gs://bucket/folder1; AuthScheme=OAuth; ProjectId=test; |
| Google Drive | Single File Path One table
gdrive://remotePath Directory Path (one table per file) gdrive://remotePath | URI=gdrive://folder1; |
| Box | Single File Path One table
box://remotePath Directory Path (one table per file) box://remotePath | URI=box://folder1; OAuthClientId=oauthclientid1; OAuthClientSecret=oauthcliensecret1; CallbackUrl=http://localhost:12345; |
| FTP or FTPS | Single File Path One table
ftp://server:port/remotePath Directory Path (one table per file) ftp://server:port/remotePath | URI=ftps://localhost:990/folder1; User=user1; Password=password1; |
| SFTP | sftp://server:port/remotePath | URI=sftp://127.0.0.1:22/remotePath; User=user1; Password=password1; |
| Sharepoint | sp://https://server/remotePath | URI=sp://https://domain.sharepoint.com/Documents; User=user1; Password=password1; |
The hosting region for your S3-like Web Services.
The hosting region for your S3-like Web Services.
| Value | Region |
| Commercial Cloud Regions | |
| ap-hyderabad-1 | India South (Hyderabad) |
| ap-melbourne-1 | Australia Southeast (Melbourne) |
| ap-mumbai-1 | India West (Mumbai) |
| ap-osaka-1 | Japan Central (Osaka) |
| ap-seoul-1 | South Korea Central (Seoul) |
| ap-sydney-1 | Australia East (Sydney) |
| ap-tokyo-1 | Japan East (Tokyo) |
| ca-montreal-1 | Canada Southeast (Montreal) |
| ca-toronto-1 | Canada Southeast (Toronto) |
| eu-amsterdam-1 | Netherlands Northwest (Amsterdam) |
| eu-frankfurt-1 | Germany Central (Frankfurt) |
| eu-zurich-1 | Switzerland North (Zurich) |
| me-jeddah-1 | Saudi Arabia West (Jeddah) |
| sa-saopaulo-1 | Brazil East (Sao Paulo) |
| uk-london-1 | UK South (London) |
| us-ashburn-1 (default) | US East (Ashburn, VA) |
| us-phoenix-1 | US West (Phoenix, AZ) |
| US Gov FedRAMP High Regions | |
| us-langley-1 | US Gov East (Ashburn, VA) |
| us-luke-1 | US Gov West (Phoenix, AZ) |
| US Gov DISA IL5 Regions | |
| us-gov-ashburn-1 | US DoD East (Ashburn, VA) |
| us-gov-chicago-1 | US DoD North (Chicago, IL) |
| us-gov-phoenix-1 | US DoD West (Phoenix, AZ) |
| Value | Region |
| eu-central-1 | Europe (Amsterdam) |
| us-east-1 (Default) | US East (Ashburn, VA) |
| us-east-2 | US East (Manassas, VA) |
| us-west-1 | US West (Hillsboro, OR) |
The Id of the project where your Google Cloud Storage instance resides.
The Id of the project where your Google Cloud Storage instance resides. You can find this value by going to Google Cloud Console and clicking the project name at the top left screen. The ProjectId is displayed on the Id column of the matching project.
The Oracle Cloud Object Storage namespace to use.
The Oracle Cloud Object Storage namespace to use. This setting must be set to the Oracle Cloud Object Storage namespace associated with the Oracle Cloud account before any requests can be made. Refer to the Understanding Object Storage Namespaces page of the Oracle Cloud documentation for instructions on how to find your account's Object Storage namespace.
The URL of a cloud storage service provider.
This connection property is used to specify:
If the domain for this option ends in -my (for example, https://bigcorp-my.sharepoint.com) then you may need to use the onedrive:// scheme instead of the sp:// or sprest:// scheme.
If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.
If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.
When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.
When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.
This section provides a complete list of the AWS Authentication properties you can configure in the connection string for this provider.
| Property | Description |
| AWSAccessKey | Specifies your AWS account access key. This value is accessible from your AWS security credentials page. |
| AWSSecretKey | Your AWS account secret key. This value is accessible from your AWS security credentials page. |
| AWSRoleARN | The Amazon Resource Name of the role to use when authenticating. |
| AWSPrincipalARN | The ARN of the SAML Identity provider in your AWS account. |
| AWSRegion | The hosting region for your Amazon Web Services. |
| AWSCredentialsFile | The path to the AWS Credentials File to be used for authentication. |
| AWSCredentialsFileProfile | The name of the profile to be used from the supplied AWSCredentialsFile. |
| AWSSessionToken | Your AWS session token. |
| AWSExternalId | A unique identifier that might be required when you assume a role in another account. |
| MFASerialNumber | The serial number of the MFA device if one is being used. |
| MFAToken | The temporary token available from your MFA device. |
| TemporaryTokenDuration | The amount of time (in seconds) a temporary token will last. |
| AWSWebIdentityToken | The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. |
| ServerSideEncryption | When activated, file uploads into Amazon S3 buckets will be server-side encrypted. |
| SSEContext | A BASE64-encoded UTF-8 string holding JSON which represents a string-string (key-value) map. |
| SSEEnableS3BucketKeys | Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS. |
| SSEKey | A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption. |
Specifies your AWS account access key. This value is accessible from your AWS security credentials page.
To find your AWS account access key:
Your AWS account secret key. This value is accessible from your AWS security credentials page.
Your AWS account secret key. This value is accessible from your AWS security credentials page:
The Amazon Resource Name of the role to use when authenticating.
When authenticating outside of AWS, it is common to use a Role for authentication instead of your direct AWS account credentials. Entering the AWSRoleARN will cause the CData Sync App to perform a role based authentication instead of using the AWSAccessKey and AWSSecretKey directly. The AWSAccessKey and AWSSecretKey must still be specified to perform this authentication. You cannot use the credentials of an AWS root user when setting RoleARN. The AWSAccessKey and AWSSecretKey must be those of an IAM user.
The ARN of the SAML Identity provider in your AWS account.
The ARN of the SAML Identity provider in your AWS account.
The hosting region for your Amazon Web Services.
The hosting region for your Amazon Web Services. Available values are OHIO, NORTHERNVIRGINIA, NORTHERNCALIFORNIA, OREGON, CAPETOWN, HONGKONG, HYDERABAD, JAKARTA, MALAYSIA, MELBOURNE, MUMBAI, OSAKA, SEOUL, SINGAPORE, SYDNEY, TOKYO, CENTRAL, CALGARY, BEIJING, NINGXIA, FRANKFURT, IRELAND, LONDON, MILAN, PARIS, SPAIN, STOCKHOLM, ZURICH, TELAVIV, BAHRAIN, UAE, SAOPAULO, GOVCLOUDEAST, GOVCLOUDWEST, ISOLATEDUSEAST, ISOLATEDUSEASTB, ISOLATEDUSWEST, and ISOLATEDEUWEST.
The path to the AWS Credentials File to be used for authentication.
The path to the AWS Credentials File to be used for authentication. See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html for more information.
The name of the profile to be used from the supplied AWSCredentialsFile.
The name of the profile to be used from the supplied AWSCredentialsFile. See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html for more information.
Your AWS session token.
Your AWS session token. This value can be retrieved in different ways. See this link for more info.
A unique identifier that might be required when you assume a role in another account.
A unique identifier that might be required when you assume a role in another account.
The serial number of the MFA device if one is being used.
You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials. For virtual devices, this is actually an Amazon Resource Name (such as arn:aws:iam::123456789012:mfa/user).
The temporary token available from your MFA device.
If MFA is required, this value will be used along with the MFASerialNumber to retrieve temporary credentials to login. The temporary credentials available from AWS will only last up to 1 hour by default (see TemporaryTokenDuration). Once the time is up, the connection must be updated to specify a new MFA token so that new credentials may be obtained. %AWSpSecurityToken; %AWSpTemporaryTokenDuration;
The amount of time (in seconds) a temporary token will last.
Temporary tokens are used with both MFA and Role based authentication. Temporary tokens will eventually time out, at which time a new temporary token must be obtained. For situations where MFA is not used, this is not a big deal. The CData Sync App will internally request a new temporary token once the temporary token has expired.
However, for MFA required connection, a new MFAToken must be specified in the connection to retrieve a new temporary token. This is a more intrusive issue since it requires an update to the connection by the user. The maximum and minimum that can be specified will depend largely on the connection being used.
For Role based authentication, the minimum duration is 900 seconds (15 minutes) while the maximum if 3600 (1 hour). Even if MFA is used with role based authentication, 3600 is still the maximum.
For MFA authentication by itself (using an IAM User or root user), the minimum is 900 seconds (15 minutes), the maximum is 129600 (36 hours).
The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider.
The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. An application can get this token by authenticating a user with a web identity provider. If not specified, the value for this connection property is automatically obtained from the value of the 'AWS_WEB_IDENTITY_TOKEN_FILE' environment variable.
When activated, file uploads into Amazon S3 buckets will be server-side encrypted.
Server-side encryption is the encryption of data at its destination by the application or service that receives it. Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. Learn more: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html
A BASE64-encoded UTF-8 string holding JSON which represents a string-string (key-value) map.
Example of what the JSON may look decoded: {"aws:s3:arn": "arn:aws:s3:::_bucket_/_object_"}.
Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS.
Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS.
A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption.
A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption.
This section provides a complete list of the Azure Authentication properties you can configure in the connection string for this provider.
| Property | Description |
| AzureStorageAccount | The name of your Azure storage account. |
| AzureAccessKey | The storage key associated with your Azure account. |
| AzureSharedAccessSignature | A shared access key signature that may be used for authentication. |
| AzureTenant | Identifies the SAS Xpt tenant being used to access data, either by name (for example, contoso.omnicrosoft.com) or ID. (Conditional). |
| AzureEnvironment | Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added. |
The name of your Azure storage account.
The name of your Azure storage account.
The storage key associated with your Azure account.
The storage key associated with your SAS Xpt account. You can retrieve it as follows:
Identifies the SAS Xpt tenant being used to access data, either by name (for example, contoso.omnicrosoft.com) or ID. (Conditional).
A tenant is a digital representation of your organization, primarily associated with a domain (for example, microsoft.com). The tenant is managed through a Tenant ID (also known as the directory ID), which is specified whenever you assign users permissions to access or manage Azure resources.
To locate the directory ID in the Azure Portal, navigate to Azure Active Directory > Properties.
Specifying AzureTenant is required when AuthScheme = either AzureServicePrincipal or AzureServicePrincipalCert, or if AuthScheme = AzureAD and the user belongs to more than one tenant.
Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added.
Required if your Azure account is part of a different network than the Global network, such as China, USGOVT, or USGOVTDOD.
This section provides a complete list of the SSO properties you can configure in the connection string for this provider.
| Property | Description |
| SSOLoginURL | The identity provider's login URL. |
| SSOProperties | Additional properties required to connect to the identity provider, formatted as a semicolon-separated list. |
| SSOExchangeUrl | The URL used for consuming the SAML response and exchanging it for service specific credentials. |
The identity provider's login URL.
The identity provider's login URL.
Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.
Additional properties required to connect to the identity provider, formatted as a semicolon-separated list. This is used with the SSOLoginURL.
SSO configuration is discussed further in .
The URL used for consuming the SAML response and exchanging it for service specific credentials.
The CData Sync App will use the URL specified here to consume a SAML response and exchange it for service specific credentials. The retrieved credentials are the final piece during the SSO connection that are used to communicate with SAS Xpt.
This section provides a complete list of the JWT OAuth properties you can configure in the connection string for this provider.
| Property | Description |
| OAuthJWTCert | The JWT Certificate store. |
| OAuthJWTCertType | The type of key store containing the JWT Certificate. |
| OAuthJWTCertPassword | The password for the OAuth JWT certificate used to access a certificate store that requires a password. If the certificate store does not require a password, leave this property blank. |
| OAuthJWTCertSubject | The subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate. |
| OAuthJWTSubjectType | The SubType for the JWT authentication. |
| OAuthJWTPublicKeyId | The Id of the public key for JWT. |
The JWT Certificate store.
The name of the certificate store for the client certificate.
The OAuthJWTCertType field specifies the type of the certificate store specified by OAuthJWTCert. If the store is password protected, specify the password in OAuthJWTCertPassword.
OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates. If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, a search for a certificate is initiated. Please refer to the OAuthJWTCertSubject field for details.
Designations of certificate stores are platform-dependent.
The following are designations of the most common User and Machine certificate stores in Windows:
| MY | A certificate store holding personal certificates with their associated private keys. |
| CA | Certifying authority certificates. |
| ROOT | Root certificates. |
| SPC | Software publisher certificates. |
In Java, the certificate store normally is a file containing certificates and optional private keys.
When the certificate store type is PFXFile, this property must be set to the name of the file. When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).
The type of key store containing the JWT Certificate.
This property can take one of the following values:
| USER | For Windows, this specifies that the certificate store is a certificate store owned by the current user. Note: This store type is not available in Java. |
| MACHINE | For Windows, this specifies that the certificate store is a machine store. Note: this store type is not available in Java. |
| PFXFILE | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
| PFXBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in PFX (PKCS12) format. |
| JKSFILE | The certificate store is the name of a Java key store (JKS) file containing certificates. Note: this store type is only available in Java. |
| JKSBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in Java key store (JKS) format. Note: this store type is only available in Java. |
| PEMKEY_FILE | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
| PEMKEY_BLOB | The certificate store is a string (base64-encoded) that contains a private key and an optional certificate. |
| PUBLIC_KEY_FILE | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
| PUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate. |
| SSHPUBLIC_KEY_FILE | The certificate store is the name of a file that contains an SSH-style public key. |
| SSHPUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains an SSH-style public key. |
| P7BFILE | The certificate store is the name of a PKCS7 file containing certificates. |
| PPKFILE | The certificate store is the name of a file that contains a PPK (PuTTY Private Key). |
| XMLFILE | The certificate store is the name of a file that contains a certificate in XML format. |
| XMLBLOB | The certificate store is a string that contains a certificate in XML format. |
| BCFKSFILE | The certificate store is the name of a file that contains an Bouncy Castle keystore. |
| BCFKSBLOB | The certificate store is a string (base-64-encoded) that contains a Bouncy Castle keystore. |
| GOOGLEJSON | The certificate store is the name of a JSON file containing the service account information. Only valid when connecting to a Google service. |
| GOOGLEJSONBLOB | The certificate store is a string that contains the service account JSON. Only valid when connecting to a Google service. |
| BOXJSON | The certificate store is the name of a JSON file containing the service account credentials. Only valid when connecting to Box. |
| BOXJSONBLOB | The certificate store is a string that contains the service account JSON. Only valid when connecting to Box. |
The password for the OAuth JWT certificate used to access a certificate store that requires a password. If the certificate store does not require a password, leave this property blank.
This property specifies the password needed to open the certificate store, but only if the store type requires one. To determine if a password is necessary, refer to the documentation or configuration for your specific certificate store.
This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys are not encrypted.
The subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.
The value of this property is used to locate a matching certificate in the store. The search process works as follows:
You can set the value to '*' to automatically select the first certificate in the store. The certificate subject is a comma-separated list of distinguished name fields and values. For example: CN=www.server.com, OU=test, C=US, [email protected]. Common fields include:
| Field | Meaning |
| CN | Common Name. This is commonly a host name like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
If a field value contains a comma, enclose it in quotes. For example: "O=ACME, Inc.".
The SubType for the JWT authentication.
The SubType for the JWT authentication. Set this to "enterprise" or "user" depending on the type of token being requested.
The Id of the public key for JWT.
The Id of the public key for JWT. Set this to the value of your Public Key Id in your app settings.
This section provides a complete list of the Kerberos properties you can configure in the connection string for this provider.
| Property | Description |
| KerberosKDC | The Kerberos Key Distribution Center (KDC) service used to authenticate the user. |
| KerberosRealm | The Kerberos Realm used to authenticate the user. |
| KerberosSPN | The service principal name (SPN) for the Kerberos Domain Controller. |
| KerberosUser | The principal name for the Kerberos Domain Controller. Used in the format host/user@realm. |
| KerberosKeytabFile | The Keytab file containing your pairs of Kerberos principals and encrypted keys. |
| KerberosServiceRealm | The Kerberos realm of the service. |
| KerberosServiceKDC | The Kerberos KDC of the service. |
| KerberosTicketCache | The full file path to an MIT Kerberos credential cache file. |
The Kerberos Key Distribution Center (KDC) service used to authenticate the user.
The Kerberos properties are used when using SPNEGO or Windows Authentication. The Sync App will request session tickets and temporary session keys from the Kerberos KDC service. The Kerberos KDC service is conventionally colocated with the domain controller.
If Kerberos KDC is not specified, the Sync App will attempt to detect these properties automatically from the following locations:
The Kerberos Realm used to authenticate the user.
The Kerberos properties are used when using SPNEGO or Windows Authentication. The Kerberos Realm is used to authenticate the user with the Kerberos Key Distribution Service (KDC). The Kerberos Realm can be configured by an administrator to be any string, but conventionally it is based on the domain name.
If Kerberos Realm is not specified, the Sync App will attempt to detect these properties automatically from the following locations:
The service principal name (SPN) for the Kerberos Domain Controller.
If the SPN on the Kerberos Domain Controller is not the same as the URL that you are authenticating to, use this property to set the SPN.
The principal name for the Kerberos Domain Controller. Used in the format host/user@realm.
If the user you are using for the database doesn't match the user that is in the Kerberos database, this should be set to the Kerberos principal name.
The Keytab file containing your pairs of Kerberos principals and encrypted keys.
The Keytab file containing your pairs of Kerberos principals and encrypted keys.
The Kerberos realm of the service.
The KerberosServiceRealm is the specify the service Kerberos realm when using cross-realm Kerberos authentication.
In most cases, a single realm and KDC machine are used to perform the Kerberos authentication and this property is not required.
This property is available for complex setups where a different realm and KDC machine are used to obtain an authentication ticket (AS request) and a service ticket (TGS request).
The Kerberos KDC of the service.
The KerberosServiceKDC is used to specify the service Kerberos KDC when using cross-realm Kerberos authentication.
In most cases, a single realm and KDC machine are used to perform the Kerberos authentication and this property is not required.
This property is available for complex setups where a different realm and KDC machine are used to obtain an authentication ticket (AS request) and a service ticket (TGS request).
The full file path to an MIT Kerberos credential cache file.
This property can be set if you wish to use a credential cache file that was created using the MIT Kerberos Ticket Manager or kinit command.
This section provides a complete list of the OAuth properties you can configure in the connection string for this provider.
| Property | Description |
| OAuthVersion | The version of OAuth being used. |
| OAuthClientId | Specifies the client Id that was assigned the custom OAuth application was created. (Also known as the consumer key.) This ID registers the custom application with the OAuth authorization server. |
| OAuthClientSecret | Specifies the client secret that was assigned when the custom OAuth application was created. (Also known as the consumer secret ). This secret registers the custom application with the OAuth authorization server. |
| SubjectId | The user subject for which the application is requesting delegated access. |
| SubjectType | The Subject Type for the Client Credentials authentication. |
| Scope | Specifies the scope of the authenticating user's access to the application. Generally specified at the time the custom OAuth application is created (if necessary), so that the authenticating user can obtain the the level of access appropriate to their credentials. |
| OAuthGrantType | Specifies the grant type for the chosen OAuth flow. This value should be the same as the grant_type that was set during OAuth custom application creation. |
| OAuthPasswordGrantMode | Specifies how the OAuth Client Id and Client Secret should be passed. Supported options: BASIC and POST. |
| OAuthIncludeCallbackURL | Whether to include the callback URL in an access token request. |
| OAuthAuthorizationURL | The authorization URL for the OAuth service. |
| OAuthAccessTokenURL | The URL to retrieve the OAuth access token from. |
| OAuthRefreshTokenURL | The URL to refresh the OAuth token from. |
| OAuthRequestTokenURL | The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0. |
| AuthToken | The authentication token used to request and obtain the OAuth Access Token. |
| AuthKey | The authentication secret used to request and obtain the OAuth Access Token. |
| OAuthParams | A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value. |
The version of OAuth being used.
The version of OAuth being used. The following options are available: 1.0,2.0
Specifies the client Id that was assigned the custom OAuth application was created. (Also known as the consumer key.) This ID registers the custom application with the OAuth authorization server.
OAuthClientId is one of a handful of connection parameters that need to be set before users can authenticate via OAuth. For details, see Establishing a Connection.
Specifies the client secret that was assigned when the custom OAuth application was created. (Also known as the consumer secret ). This secret registers the custom application with the OAuth authorization server.
OAuthClientSecret is one of a handful of connection parameters that need to be set before users can authenticate via OAuth. For details, see Establishing a Connection.
The user subject for which the application is requesting delegated access.
Id of the user or enterprise, based on the configuration set in SubjectType.
The Subject Type for the Client Credentials authentication.
The Subject Type for the Client Credentials authentication. Set this to "enterprise" or "user" depending on the type of token being requested.
Specifies the scope of the authenticating user's access to the application. Generally specified at the time the custom OAuth application is created (if necessary), so that the authenticating user can obtain the the level of access appropriate to their credentials.
Scopes are set to define what kind of access the authenticating user will have; for example, read, read and write, restricted access to sensitive information. System administrators can use scopes to selectively enable access by functionality or security clearance.
When InitiateOAuth is set to GETANDREFRESH, you must use this property if you want to change which scopes are requested. When InitiateOAuth is set to either REFRESH or OFF, you can use either this property or the Scope input to change which scopes are requested.
Specifies the grant type for the chosen OAuth flow. This value should be the same as the grant_type that was set during OAuth custom application creation.
In most cases, the default grant type should not be modified. For information about the most common OAuth grant types and the trade-offs between them, see https://oauth.net/2/grant-types/.
Specifies how the OAuth Client Id and Client Secret should be passed. Supported options: BASIC and POST.
The OAuth RFC provides two methods of passing the OAuthClientId and OAuthClientSecret. POST passes OAuthClientId and OAuthClientSecret via post data. (Works with OAuthGrantType = PASSWORD, CODE, or CLIENT.) BASIC passes the OAuthClientId and OAuthClientSecret via the Authorize header. (Works with OAuthGrantType = CODE or CLIENT.)
Whether to include the callback URL in an access token request.
This defaults to true since standards-compliant OAuth services will ignore the redirect_uri parameter for grant types like CLIENT or PASSWORD that do not require it.
This option should only be enabled for OAuth services that report errors when redirect_uri is included.
The authorization URL for the OAuth service.
The authorization URL for the OAuth service. At this URL, the user logs into the server and grants permissions to the application. In OAuth 1.0, if permissions are granted, the request token is authorized.
The URL to retrieve the OAuth access token from.
The URL to retrieve the OAuth access token from. In OAuth 1.0, the authorized request token is exchanged for the access token at this URL.
The URL to refresh the OAuth token from.
The URL to refresh the OAuth token from. In OAuth 2.0, this URL is where the refresh token is exchanged for a new access token when the old access token expires.
The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0.
The URL the service provides to retrieve request tokens from. This is required in OAuth 1.0. In OAuth 1.0, this is the URL where the app makes a request for the request token.
The authentication token used to request and obtain the OAuth Access Token.
This property is required only when performing headless authentication in OAuth 1.0. It can be obtained from the GetOAuthAuthorizationUrl stored procedure.
It can be supplied alongside the AuthKey in the GetOAuthAccessToken stored procedure to obtain the OAuthAccessToken.
The authentication secret used to request and obtain the OAuth Access Token.
This property is required only when performing headless authentication in OAuth 1.0. It can be obtained from the GetOAuthAuthorizationUrl stored procedure.
It can be supplied alongside the AuthToken in the GetOAuthAccessToken stored procedure to obtain the OAuthAccessToken.
A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value.
A comma-separated list of other parameters to submit in the request for the OAuth access token in the format paramname=value.
This section provides a complete list of the SSL properties you can configure in the connection string for this provider.
| Property | Description |
| SSLClientCert | Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection. |
| SSLClientCertType | Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source. |
| SSLClientCertPassword | Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access. |
| SSLClientCertSubject | Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store. |
| SSLMode | The authentication mechanism to be used when connecting to the FTP or FTPS server. |
| SSLServerCert | Specifies the certificate to be accepted from the server when connecting using TLS/SSL. |
Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection.
This property specifies the client certificate store for SSL Client Authentication. Use this property alongside SSLClientCertType, which defines the type of the certificate store, and SSLClientCertPassword, which specifies the password for password-protected stores. When SSLClientCert is set and SSLClientCertSubject is configured, the driver searches for a certificate matching the specified subject.
Certificate store designations vary by platform. On Windows, certificate stores are identified by names such as MY (personal certificates), while in Java, the certificate store is typically a file containing certificates and optional private keys.
The following are designations of the most common User and Machine certificate stores in Windows:
| MY | A certificate store holding personal certificates with their associated private keys. |
| CA | Certifying authority certificates. |
| ROOT | Root certificates. |
| SPC | Software publisher certificates. |
For PFXFile types, set this property to the filename. For PFXBlob types, set this property to the binary contents of the file in PKCS12 format.
Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source.
This property determines the format and location of the key store used to provide the client certificate. Supported values include platform-specific and universal key store formats. The available values and their usage are:
| USER - default | For Windows, this specifies that the certificate store is a certificate store owned by the current user. Note that this store type is not available in Java. |
| MACHINE | For Windows, this specifies that the certificate store is a machine store. Note that this store type is not available in Java. |
| PFXFILE | The certificate store is the name of a PFX (PKCS12) file containing certificates. |
| PFXBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in PFX (PKCS12) format. |
| JKSFILE | The certificate store is the name of a Java key store (JKS) file containing certificates. Note that this store type is only available in Java. |
| JKSBLOB | The certificate store is a string (base-64-encoded) representing a certificate store in JKS format. Note that this store type is only available in Java. |
| PEMKEY_FILE | The certificate store is the name of a PEM-encoded file that contains a private key and an optional certificate. |
| PEMKEY_BLOB | The certificate store is a string (base64-encoded) that contains a private key and an optional certificate. |
| PUBLIC_KEY_FILE | The certificate store is the name of a file that contains a PEM- or DER-encoded public key certificate. |
| PUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate. |
| SSHPUBLIC_KEY_FILE | The certificate store is the name of a file that contains an SSH-style public key. |
| SSHPUBLIC_KEY_BLOB | The certificate store is a string (base-64-encoded) that contains an SSH-style public key. |
| P7BFILE | The certificate store is the name of a PKCS7 file containing certificates. |
| PPKFILE | The certificate store is the name of a file that contains a PuTTY Private Key (PPK). |
| XMLFILE | The certificate store is the name of a file that contains a certificate in XML format. |
| XMLBLOB | The certificate store is a string that contains a certificate in XML format. |
| BCFKSFILE | The certificate store is the name of a file that contains an Bouncy Castle keystore. |
| BCFKSBLOB | The certificate store is a string (base-64-encoded) that contains a Bouncy Castle keystore. |
Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access.
This property provides the password needed to open a password-protected certificate store. This property is necessary when using certificate stores that require a password for decryption, as is often recommended for PFX or JKS type stores.
If the certificate store type does not require a password, for example USER or MACHINE on Windows, this property can be left blank. Ensure that the password matches the one associated with the specified certificate store to avoid authentication errors.
Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store.
This property determines which client certificate to load based on its subject. The Sync App searches for a certificate that exactly matches the specified subject. If no exact match is found, the Sync App looks for certificates containing the value of the subject. If no match is found, no certificate is selected.
The subject should follow the standard format of a comma-separated list of distinguished name fields and values. For example, CN=www.server.com, OU=Test, C=US. Common fields include the following:
| Field | Meaning |
| CN | Common Name. This is commonly a host name like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
Note: If any field contains special characters, such as commas, the value must be quoted. For example: CN="Example, Inc.", C=US.
The authentication mechanism to be used when connecting to the FTP or FTPS server.
If SSLMode is set to NONE, default plaintext authentication is used to log in to the server. If SSLMode is set to IMPLICIT, the SSL negotiation will start immediately after the connection is established. If SSLMode is set to EXPLICIT, the Sync App will first connect in plaintext, and then explicitly start SSL negotiation through a protocol command such as STARTTLS. If SSLMode is set to AUTOMATIC, if the remote port is set to the standard plaintext port of the protocol (where applicable), the component will behave the same as if SSLMode is set to EXPLICIT. In all other cases, SSL negotiation will be IMPLICIT.
Specifies the certificate to be accepted from the server when connecting using TLS/SSL.
If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.
This property can take the following forms:
| Description | Example |
| A full PEM Certificate (example shortened for brevity) | -----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE----- |
| A path to a local file containing the certificate | C:\cert.cer |
| The public key (example shortened for brevity) | -----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY----- |
| The MD5 Thumbprint (hex values can also be either space or colon separated) | ecadbdda5a1529c58a1e9e09828d70e4 |
| The SHA1 Thumbprint (hex values can also be either space or colon separated) | 34a929226ae0819f2ec14b4a3d904f801cbb150d |
If not specified, any certificate trusted by the machine is accepted.
Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.
This section provides a complete list of the SSH properties you can configure in the connection string for this provider.
| Property | Description |
| SSHAuthMode | The authentication method used when establishing an SSH Tunnel to the service. |
| SSHClientCert | A certificate to be used for authenticating the SSHUser. |
| SSHClientCertPassword | The password of the SSHClientCert key if it has one. |
| SSHClientCertSubject | The subject of the SSH client certificate. |
| SSHClientCertType | The type of SSHClientCert private key. |
| SSHUser | The SSH user. |
| SSHPassword | The SSH password. |
The authentication method used when establishing an SSH Tunnel to the service.
A certificate to be used for authenticating the SSHUser.
SSHClientCert must contain a valid private key in order to use public key authentication. A public key is optional, if one is not included then the Sync App generates it from the private key. The Sync App sends the public key to the server and the connection is allowed if the user has authorized the public key.
The SSHClientCertType field specifies the type of the key store specified by SSHClientCert. If the store is password protected, specify the password in SSHClientCertPassword.
Some types of key stores are containers which may include multiple keys. By default the Sync App will select the first key in the store, but you can specify a specific key using SSHClientCertSubject.
The password of the SSHClientCert key if it has one.
This property is required for SSH tunneling when using certificate-based authentication. If the SSH certificate is in a password-protected key store, provide the password using this property to access the certificate.
The subject of the SSH client certificate.
When loading a certificate the subject is used to locate the certificate in the store.
If an exact match is not found, the store is searched for subjects containing the value of the property.
If a match is still not found, the property is set to an empty string, and no certificate is selected.
The special value "*" picks the first certificate in the certificate store.
The certificate subject is a comma separated list of distinguished name fields and values. For instance "CN=www.server.com, OU=test, C=US, [email protected]". Common fields and their meanings are displayed below.
| Field | Meaning |
| CN | Common Name. This is commonly a host name like www.server.com. |
| O | Organization |
| OU | Organizational Unit |
| L | Locality |
| S | State |
| C | Country |
| E | Email Address |
If a field value contains a comma it must be quoted.
The type of SSHClientCert private key.
This property can take one of the following values:
| Types | Description | Allowed Blob Values |
| MACHINE/USER | Blob values are not supported. | |
| JKSFILE/JKSBLOB | base64-only | |
| PFXFILE/PFXBLOB | A PKCS12-format (.pfx) file. Must contain both a certificate and a private key. | base64-only |
| PEMKEY_FILE/PEMKEY_BLOB | A PEM-format file. Must contain an RSA, DSA, or OPENSSH private key. Can optionally contain a certificate matching the private key. | base64 or plain text. Newlines may be replaced with spaces when providing the blob as text. |
| PPKFILE/PPKBLOB | A PuTTY-format private key created using the puttygen tool. | base64-only |
| XMLFILE/XMLBLOB | An XML key in the format generated by the .NET RSA class: RSA.ToXmlString(true). | base64 or plain text. |
The SSH user.
The SSH user.
The SSH password.
The SSH password.
This section provides a complete list of the Firewall properties you can configure in the connection string for this provider.
| Property | Description |
| FirewallType | Specifies the protocol the provider uses to tunnel traffic through a proxy-based firewall. |
| FirewallServer | Identifies the IP address, DNS name, or host name of a proxy used to traverse a firewall and relay user queries to network resources. |
| FirewallPort | Specifies the TCP port to be used for a proxy-based firewall. |
| FirewallUser | Identifies the user ID of the account authenticating to a proxy-based firewall. |
| FirewallPassword | Specifies the password of the user account authenticating to a proxy-based firewall. |
Specifies the protocol the provider uses to tunnel traffic through a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Note: By default, the Sync App connects to the system proxy. To disable this behavior and connect to one of the following proxy types, set ProxyAutoDetect to false.
The following table provides port number information for each of the supported protocols.
| Protocol | Default Port | Description |
| TUNNEL | 80 | The port where the Sync App opens a connection to SAS Xpt. Traffic flows back and forth via the proxy at this location. |
| SOCKS4 | 1080 | The port where the Sync App opens a connection to SAS Xpt. SOCKS 4 then passes theFirewallUser value to the proxy, which determines whether the connection request should be granted. |
| SOCKS5 | 1080 | The port where the Sync App sends data to SAS Xpt. If the SOCKS 5 proxy requires authentication, set FirewallUser and FirewallPassword to credentials the proxy recognizes. |
To connect to HTTP proxies, use ProxyServer and ProxyPort. To authenticate to HTTP proxies, use ProxyAuthScheme, ProxyUser, and ProxyPassword.
Identifies the IP address, DNS name, or host name of a proxy used to traverse a firewall and relay user queries to network resources.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Specifies the TCP port to be used for a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Identifies the user ID of the account authenticating to a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
Specifies the password of the user account authenticating to a proxy-based firewall.
A proxy-based firewall (or proxy firewall) is a network security device that acts as an intermediary between user requests and the resources they access. The proxy accepts the request of an authenticated user, tunnels through the firewall, and transmits the request to the appropriate server.
Because the proxy evaluates and transfers data backets on behalf of the requesting users, the users never connect directly with the servers, only with the proxy.
This section provides a complete list of the Proxy properties you can configure in the connection string for this provider.
| Property | Description |
| ProxyAutoDetect | Specifies whether the provider checks your system proxy settings for existing proxy server configurations, rather than using a manually specified proxy server. |
| ProxyServer | The hostname or IP address of the proxy server that you want to route HTTP traffic through. |
| ProxyPort | The TCP port on your specified proxy server (set in the ProxyServer connection property) that has been reserved for routing HTTP traffic to and from the client. |
| ProxyAuthScheme | Specifies the authentication method the provider uses when authenticating to the proxy server specified in the ProxyServer connection property. |
| ProxyUser | The username of a user account registered with the proxy server specified in the ProxyServer connection property. |
| ProxyPassword | The password associated with the user specified in the ProxyUser connection property. |
| ProxySSLType | The SSL type to use when connecting to the proxy server specified in the ProxyServer connection property. |
| ProxyExceptions | A semicolon separated list of destination hostnames or IPs that are exempt from connecting through the proxy server set in the ProxyServer connection property. |
Specifies whether the provider checks your system proxy settings for existing proxy server configurations, rather than using a manually specified proxy server.
When this connection property is set to True, the Sync App checks your system proxy settings for existing proxy server configurations (no need to manually supply proxy server details).
This connection property takes precedence over other proxy settings. Set to False if you want to manually configure the Sync App to connect to a specific proxy server.
To connect to an HTTP proxy, see ProxyServer. For other proxies, such as SOCKS or tunneling, see FirewallType.
The hostname or IP address of the proxy server that you want to route HTTP traffic through.
The Sync App only routes HTTP traffic through the proxy server specified in this connection property when ProxyAutoDetect is set to False. If ProxyAutoDetect is set to True, which is the default, the Sync App instead routes HTTP traffic through the proxy server specified in your system proxy settings.
The TCP port on your specified proxy server (set in the ProxyServer connection property) that has been reserved for routing HTTP traffic to and from the client.
The Sync App only routes HTTP traffic through the proxy server port specified in this connection property when ProxyAutoDetect is set to False. If ProxyAutoDetect is set to True, which is the default, the Sync App instead routes HTTP traffic through the proxy server port specified in your system proxy settings.
For other proxy types, see FirewallType.
Specifies the authentication method the provider uses when authenticating to the proxy server specified in the ProxyServer connection property.
The authentication type can be one of the following:
For all values other than "NONE", you must also set the ProxyUser and ProxyPassword connection properties.
If you need to use another authentication type, such as SOCKS 5 authentication, see FirewallType.
The username of a user account registered with the proxy server specified in the ProxyServer connection property.
The ProxyUser and ProxyPassword connection properties are used to connect and authenticate against the HTTP proxy specified in ProxyServer.
After selecting one of the available authentication types in ProxyAuthScheme, set this property as follows:
| ProxyAuthScheme Value | Value to set for ProxyUser |
| BASIC | The user name of a user registered with the proxy server. |
| DIGEST | The user name of a user registered with the proxy server. |
| NEGOTIATE | The username of a Windows user who is a valid user in the domain or trusted domain that the proxy server is part of, in the format user@domain or domain\user. |
| NTLM | The username of a Windows user who is a valid user in the domain or trusted domain that the proxy server is part of, in the format user@domain or domain\user. |
| NONE | Do not set the ProxyPassword connection property. |
The Sync App only uses this username if ProxyAutoDetect is set to False. If ProxyAutoDetect is set to True, which is the default, the Sync App instead uses the username specified in your system proxy settings.
The password associated with the user specified in the ProxyUser connection property.
The ProxyUser and ProxyPassword connection properties are used to connect and authenticate against the HTTP proxy specified in ProxyServer.
After selecting one of the available authentication types in ProxyAuthScheme, set this property as follows:
| ProxyAuthScheme Value | Value to set for ProxyPassword |
| BASIC | The password associated with the proxy server user specified in ProxyUser. |
| DIGEST | The password associated with the proxy server user specified in ProxyUser. |
| NEGOTIATE | The password associated with the Windows user account specified in ProxyUser. |
| NTLM | The password associated with the Windows user account specified in ProxyUser. |
| NONE | Do not set the ProxyPassword connection property. |
For SOCKS 5 authentication or tunneling, see FirewallType.
The Sync App only uses this password if ProxyAutoDetect is set to False. If ProxyAutoDetect is set to True, which is the default, the Sync App instead uses the password specified in your system proxy settings.
The SSL type to use when connecting to the proxy server specified in the ProxyServer connection property.
This property determines when to use SSL for the connection to the HTTP proxy specified by ProxyServer. You can set this connection property to the following values :
| AUTO | Default setting. If ProxyServer is set to an HTTPS URL, the Sync App uses the TUNNEL option. If ProxyServer is set to an HTTP URL, the component uses the NEVER option. |
| ALWAYS | The connection is always SSL enabled. |
| NEVER | The connection is not SSL enabled. |
| TUNNEL | The connection is made through a tunneling proxy. The proxy server opens a connection to the remote host and traffic flows back and forth through the proxy. |
A semicolon separated list of destination hostnames or IPs that are exempt from connecting through the proxy server set in the ProxyServer connection property.
The ProxyServer is used for all addresses, except for addresses defined in this property. Use semicolons to separate entries.
Note that the Sync App uses the system proxy settings by default, without further configuration needed. If you want to explicitly configure proxy exceptions for this connection, set ProxyAutoDetect to False.
This section provides a complete list of the Logging properties you can configure in the connection string for this provider.
| Property | Description |
| LogModules | Specifies the core modules to include in the log file. Use a semicolon-separated list of module names. By default, all modules are logged. |
Specifies the core modules to include in the log file. Use a semicolon-separated list of module names. By default, all modules are logged.
This property lets you customize the log file content by specifying the logging modules to include. Logging modules categorize logged information into distinct areas, such as query execution, metadata, or SSL communication. Each module is represented by a four-character code, with some requiring a trailing space for three-letter names.
For example, EXEC logs query execution, and INFO logs general provider messages. To include multiple modules, separate their names with semicolons as follows: INFO;EXEC;SSL.
The Verbosity connection property takes precedence over the module-based filtering specified by this property. Only log entries that meet the verbosity level and belong to the specified modules are logged. Leave this property blank to include all available modules in the log file.
For a complete list of available modules and detailed guidance on configuring logging, refer to the Advanced Logging section in Logging.
This section provides a complete list of the Schema properties you can configure in the connection string for this provider.
| Property | Description |
| Location | Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path. |
| BrowsableSchemas | Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC . |
| Tables | Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC . |
| Views | Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC . |
Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path.
The Location property is only needed if you want to either customize definitions (for example, change a column name, ignore a column, etc.) or extend the data model with new tables, views, or stored procedures.
If left unspecified, the default location is %APPDATA%\\CData\\SASXpt Data Provider\\Schema, where %APPDATA% is set to the user's configuration directory:
| Platform | %APPDATA% |
| Windows | The value of the APPDATA environment variable |
| Linux | ~/.config |
Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC .
Listing all available database schemas can take extra time, thus degrading performance. Providing a list of schemas in the connection string saves time and improves performance.
Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC .
Listing all available tables from some databases can take extra time, thus degrading performance. Providing a list of tables in the connection string saves time and improves performance.
If there are lots of tables available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those tables. To do this, specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.
Note: If you are connecting to a data source with multiple schemas or catalogs, you must specify each table you want to view by its fully qualified name. This avoids ambiguity between tables that may exist in multiple catalogs or schemas.
Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC .
Listing all available views from some databases can take extra time, thus degrading performance. Providing a list of views in the connection string saves time and improves performance.
If there are lots of views available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those views. To do this, specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.
Note: If you are connecting to a data source with multiple schemas or catalogs, you must specify each view you want to examine by its fully qualified name. This avoids ambiguity between views that may exist in multiple catalogs or schemas.
This section provides a complete list of the Miscellaneous properties you can configure in the connection string for this provider.
| Property | Description |
| Charset | Specifies the session character set for encoding and decoding character data transferred to and from the SAS Xpt file. The default value is UTF-8. |
| ClientCulture | This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'. |
| Culture | This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine. |
| DirectoryRetrievalDepth | Limit the subfolders recursively scanned when IncludeSubdirectories is enabled. |
| ExcludeFiles | Comma-separated list of file extensions to exclude from the set of the files modeled as tables. |
| FolderId | The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations. |
| IncludeDropboxTeamResources | Indicates if you want to include Dropbox team files and folders. |
| IncludeFiles | Comma-separated list of file extensions to include into the set of the files modeled as tables. |
| IncludeItemsFromAllDrives | Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned. |
| IncludeSubdirectories | Whether to read files from nested folders. In the case of a name collision, table names are prefixed by the underscore-separated folder names. |
| MaxRows | Specifies the maximum rows returned for queries without aggregation or GROUP BY. |
| Other | Specifies additional hidden properties for specific use cases. These are not required for typical provider functionality. Use a semicolon-separated list to define multiple properties. |
| PageSize | (Optional) PageSize value. |
| PathSeparator | Determines the character which will be used to replace the file separator. |
| PseudoColumns | Specifies the pseudocolumns to expose as table columns. Use the format 'TableName=ColumnName;TableName=ColumnName'. The default is an empty string, which disables this property. |
| TemporaryLocalFolder | The path, or URI, to the folder that is used to temporarily download xpt file(s). |
| Timeout | Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout. |
| UserDefinedViews | Specifies a filepath to a JSON configuration file defining custom views. The provider automatically detects and uses the views specified in this file. |
Specifies the session character set for encoding and decoding character data transferred to and from the SAS Xpt file. The default value is UTF-8.
Specifies the session character set for encoding and decoding character data transferred to and from the SAS Xpt file. The default value is UTF-8.
This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'.
This option affects the format of Sync App output. To specify the format that defines how input should be interpreted, use the Culture option. By default the Sync App uses the current locale settings of the machine to interpret input and format output.
This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine.
This property affects the Sync App input. To interpret values in a different cultural format, use the Client Culture property. By default the Sync App uses the current locale settings of the machine to interpret input and format output.
Limit the subfolders recursively scanned when IncludeSubdirectories is enabled.
When IncludeSubdirectories is enabled, DirectoryRetrievalDepth specifies how many subfolders will be recursively scanned before stopping. -1 specifies that all subfolders are scanned.
Comma-separated list of file extensions to exclude from the set of the files modeled as tables.
It is also possible to specify datetime filters. We currently support CreatedDate and ModifiedDate. All extension filters are evaluated in disjunction (using OR operator), and then the resulting filter is evaluated in conjunction (using AND operator) with the datetime filters.
Examples:
ExcludeFiles="TXT,CreatedDate<='2020-11-26T07:39:34-05:00'"
ExcludeFiles="TXT,ModifiedDate<=DATETIMEFROMPARTS(2020, 11, 26, 7, 40, 50, 000)"
ExcludeFiles="ModifiedDate>=DATETIMEFROMPARTS(2020, 11, 26, 7, 40, 49, 000),ModifiedDate<=CURRENT_TIMESTAMP()"
The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations.
The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations.
Indicates if you want to include Dropbox team files and folders.
In order to access Dropbox team folders and files, please set this connection property to True.
Comma-separated list of file extensions to include into the set of the files modeled as tables.
Comma-separated list of file extensions to include into the set of the files modeled as tables. For example, IncludeFiles=xpt,TXT. The default is xpt.
A '*' value can be specified to include all files. A 'NOEXT' value can be specified to include files without an extension.
It is also possible to specify datetime filters. We currently support CreatedDate and ModifiedDate. All extension filters are evaluated in disjunction (using OR operator), and then the resulting filter is evaluated in conjunction (using AND operator) with the datetime filters.
Examples:
IncludeFiles="TXT,CreatedDate<='2020-11-26T07:39:34-05:00'"
IncludeFiles="TXT,ModifiedDate<=DATETIMEFROMPARTS(2020, 11, 26, 7, 40, 50, 000)"
IncludeFiles="ModifiedDate>=DATETIMEFROMPARTS(2020, 11, 26, 7, 40, 49, 000),ModifiedDate<=CURRENT_TIMESTAMP()"
Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned.
If this property is set to 'True', files will be retrieved from all drives, including shared drives. The file retrieval can be limited a specific shared drive or a specific folder in that shared drive by setting the start of the URI to the path of the shared drive and optionally any folder within, for example: 'gdrive://SharedDriveA/FolderA/...'. Additionally, the FolderId property can be used to limit the search to an exact subdirectory.
Whether to read files from nested folders. In the case of a name collision, table names are prefixed by the underscore-separated folder names.
Whether to read files from nested folders. Table names are prefixed by each nested folder name separated by underscores. For example,
| Root\subfolder1\tableA | Root\subfolder1\subfolder2\tableA |
| subfolder1_tableA | subfolder1_subfolder2_tableA |
Specifies the maximum rows returned for queries without aggregation or GROUP BY.
This property sets an upper limit on the number of rows the Sync App returns for queries that do not include aggregation or GROUP BY clauses. This limit ensures that queries do not return excessively large result sets by default.
When a query includes a LIMIT clause, the value specified in the query takes precedence over the MaxRows setting. If MaxRows is set to "-1", no row limit is enforced unless a LIMIT clause is explicitly included in the query.
This property is useful for optimizing performance and preventing excessive resource consumption when executing queries that could otherwise return very large datasets.
Specifies additional hidden properties for specific use cases. These are not required for typical provider functionality. Use a semicolon-separated list to define multiple properties.
This property allows advanced users to configure hidden properties for specialized scenarios. These settings are not required for normal use cases but can address unique requirements or provide additional functionality. Multiple properties can be defined in a semicolon-separated list.
Note: It is strongly recommended to set these properties only when advised by the support team to address specific scenarios or issues.
Specify multiple properties in a semicolon-separated list.
| DefaultColumnSize | Sets the default length of string fields when the data source does not provide column length in the metadata. The default value is 2000. |
| ConvertDateTimeToGMT | Determines whether to convert date-time values to GMT, instead of the local time of the machine. |
| RecordToFile=filename | Records the underlying socket data transfer to the specified file. |
(Optional) PageSize value.
The PageSize value is used to specify number of rows to fetch at a time.
Determines the character which will be used to replace the file separator.
Determines the character which will be used to replace the file separator. If there is a XPT file located in "Test/Files/Test.xpt" and if this property is set to "_", then the table name for this file would be "Test_Files_Test.xpt".
Specifies the pseudocolumns to expose as table columns. Use the format 'TableName=ColumnName;TableName=ColumnName'. The default is an empty string, which disables this property.
This property allows you to define which pseudocolumns the Sync App exposes as table columns.
To specify individual pseudocolumns, use the following format: "Table1=Column1;Table1=Column2;Table2=Column3"
To include all pseudocolumns for all tables use: "*=*"
The path, or URI, to the folder that is used to temporarily download xpt file(s).
For instance: LocalFolderPath='C:/User/Download'
Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.
This property controls the maximum time, in seconds, that the Sync App waits for an operation to complete before canceling it. If the timeout period expires before the operation finishes, the Sync App cancels the operation and throws an exception.
The timeout applies to each individual communication with the server rather than the entire query or operation. For example, a query could continue running beyond 60 seconds if each paging call completes within the timeout limit.
Setting this property to 0 disables the timeout, allowing operations to run indefinitely until they succeed or fail due to other conditions such as server-side timeouts, network interruptions, or resource limits on the server. Use this property cautiously to avoid long-running operations that could degrade performance or result in unresponsive behavior.
Specifies a filepath to a JSON configuration file defining custom views. The provider automatically detects and uses the views specified in this file.
This property allows you to define and manage custom views through a JSON-formatted configuration file called UserDefinedViews.json. These views are automatically recognized by the Sync App and enable you to execute custom SQL queries as if they were standard database views. The JSON file defines each view as a root element with a child element called "query", which contains the SQL query for the view. For example:
{
"MyView": {
"query": "SELECT * FROM SampleTable_1 WHERE MyColumn = 'value'"
},
"MyView2": {
"query": "SELECT * FROM MyTable WHERE Id IN (1,2,3)"
}
}
You can define multiple views in a single file and specify the filepath using this property. For example: UserDefinedViews=C:\Path\To\UserDefinedViews.json. When you use this property, only the specified views are seen by the Sync App.
Refer to User Defined Views for more information.