This page provides a guide to Establishing a Connection to SAS Data Sets in CData Cloud, as well as information on the available resources, and a reference to the available connection properties.

Connecting to SAS Data Sets

Establishing a Connection shows how to authenticate to SAS Data Sets and configure any necessary connection properties to create a database in CData Cloud

Accessing Data from CData Cloud Services

Accessing data from SAS Data Sets through the available standard services and CData Cloud administration is documented in further details in the CData Cloud Documentation.

Connect to SAS Data Sets by selecting the corresponding icon in the Database tab. Required properties are listed under Settings. The Advanced tab lists connection properties that are not typically required.

The CData Cloud allows connecting to local and remote SAS resources. Set the URI property to the SAS resource location, in addition to any other properties necessary to connect to your data source.

Connecting to Local Files

Set the ConnectionType to Local. Local files support SELECT\INSERT queries.

Set the URI to a folder containing SAS files: C:\folder1.

Connecting to Cloud-Hosted SAS Data Sets Files

While the Cloud is capable of pulling data from SAS Data Sets files hosted on a variety of cloud data stores, INSERT, UPDATE, and DELETE are not supported outside of local files in this Cloud.

If you need INSERT/UPDATE/DELETE cloud files, you can download the corresponding CData Cloud for that cloud host (supported via stored procedures), make changes with the local file's corresponding Cloud, then upload the file using the cloud source's stored procedures.

As an example, if you wanted to update a file stored on SharePoint, you could use the CData SharePoint Cloud's DownloadDocument procedure to download the SAS Data Sets file, update the local SAS Data Sets file with the CData SAS Data Sets Cloud, then use the SharePoint Cloud's UploadDocument procedure to upload the changed file to SharePoint.

A unique prefix at the beginning of the URI connection property is used to identify the cloud data store being targed by the Cloud and the remainder of the path is a relative path to the desired folder (one table per file) or single file (a single table).

Amazon S3

Set the following to identify your SAS Data Sets resources stored on Amazon S3:

• ConnectionType: Set the ConnectionType to Amazon S3.
• URI: Set this to the bucket and folder: s3://bucket1/folder1.
  • You can also connect to SAS Data Sets resources stored on Cloudera Ozone, after creating a volume and bucket and making a symbolic link to that bucket: s3://linktobucket

See Connecting to Amazon S3 for more information regarding how to connect and authenticate to SAS files hosted on Amazon S3.

Azure Blob Storage

Set the following to identify your SAS Data Sets resources stored on Azure Blob Storage:

• ConnectionType: Set this to Azure Blob Storage.
• URI: Set this to the name of your container and the name of the blob. For example: azureblob://mycontainer/myblob.

See Connecting to Azure Blob Storage for more information regarding how to connect and authenticate to SAS files hosted on Amazon Blob Storage.

Azure Data Lake Storage

Set the following to identify your SAS Data Sets resources stored on Azure Data Lake Storage:

• ConnectionType: Set this to Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, or Azure Data Lake Storage Gen2 SSL.
• URI: Set this to the name of the file system and the name of the folder which contains your SAS Data Sets files. For example:
  • Gen 1: adl://myfilesystem/folder1
  • Gen 2: abfs://myfilesystem/folder1
  • Gen 2 SSL: abfss://myfilesystem/folder1

See Connecting to Azure Data Lake Storage for more information regarding how to connect and authenticate to SAS files hosted on Azure Data Lake Storage.

Azure File Storage

Set the following properties to connect:

• ConnectionType: Set this to Azure Files.
• URI: Set this the name of your azure file share and the name of the resource. For example: azurefile://fileShare/remotePath.
• AzureStorageAccount (Required): Set this to the account associated with the Azure file.

You can authenticate either an Azure access key or an Azure shared access signature. Set one of the following:

• AzureAccessKey: Set this to the access key associated with the Azure file.
• AzureSharedAccessSignature: Set this to the shared access signature associated with the Azure file.

Box

Set the following to identify your SAS Data Sets resources stored on Box:

• ConnectionType: Set this to Box.
• URI: Set this the name of the file system and the name of the folder which contains your SAS Data Sets files. For example: box://folder1.

See Connecting to Box for more information regarding how to connect and authenticate to SAS files hosted on Box.

Dropbox

Set the following to identify your SAS Data Sets resources stored on Dropbox:

• ConnectionType: Set this to Dropbox.
• URI: Set this to the path to a folder containing SAS files. For example: dropbox://folder1.

See Connecting to Dropbox for more information regarding how to connect and authenticate to SAS files hosted on Dropbox.

FTP

The Cloud supports both plaintext and SSL/TLS connections to FTP servers.

Set the following connection properties to connect:

• ConnectionType: Set this to either FTP or FTPS.
• URI: Set this to the address of the server followed by the path to the folder to be used as the root folder. For example: ftp://localhost:990/folder1or ftps://localhost:990/folder1.
• User: Set this to your username on the FTP(S) server you want to connect to.
• Password: Set this to your password on the FTP(S) server you want to connect to.

Google Cloud Storage

Set the following to identify your SAS Data Sets resources stored on Google Cloud Storage:

• ConnectionType: Set this to Google Cloud Storage.
• URI: Set this to the path to the name of the file system and the name of the folder which contains your SAS Data Sets files. For example: gs://bucket/remotePath.

See Connecting to Google Cloud Storage for more information regarding how to connect and authenticate to SAS files hosted on Google Cloud Storage.

Google Drive

Set the following to identify your SAS Data Sets resources stored on Google Drive:

• ConnectionType: Set this to Google Drive.
• URI: Set to the path to the name of the file system and the name of the folder which contains your SAS Data Sets files. For example: gdrive://folder1.

See Connecting to Google Drive for more information regarding how to connect and authenticate to SAS files hosted on Google Drive.

HDFS

Set the following to identify your SAS Data Sets resources stored on HDFS:

• ConnectionType: Set this to HDFS or HDFS Secure.
• URI: Set this to the path to a folder containing SAS files. For example:
  • HDFS: webhdfs://host:port/remotePath
  • HDFS Secure: webhdfss://host:port/remotePath
  • Cloudera Ozone (via the HttpFS gateway): webhdfs://<Ozone server>:<port>/user/myuser
    • You must use Kerberos authentication to access SAS Data Sets files stored on Ozone.
    • Ensure that you have Ozone 718.2.x on the Ozone cluster.
    • Cloudera Manager version 7.10.1 is required.

There are two authentication methods available for connecting to HDFS data source, Anonymous Authentication and Negotiate (Kerberos) Authentication.

Anonymous Authentication

In some situations, you can connect to HDFS without any authentication connection properties. To do so, set the AuthScheme property to None (default).

Authenticate using Kerberos

When authentication credentials are required, you can use Kerberos for authentication. See Using Kerberos for details on how to authenticate with Kerberos.

HTTP Streams

Set the following to identify your SAS Data Sets resources stored on HTTP streams:

• ConnectionType: Set this to HTTP or HTTPS.
• URI: Set this to the URI of your HTTP(S) stream. For example:
  • HTTP: http://remoteStream
  • HTTPS: https://remoteStream

See Connecting to HTTP Streams for more information regarding how to connect and authenticate to SAS files hosted on HTTP Streams.

IBM Cloud Object Storage

Set the following to identify your SAS Data Sets resources stored on IBM Cloud Object Storage:

• ConnectionType: Set this to IBM Object Storage Source.
• URI: Set this to the bucket and folder. For example: ibmobjectstorage://bucket1/remotePath.
• Region: Set this property to your IBM instance region. For example: eu-gb.

See Connecting to IBM Object Storage for more information regarding how to connect and authenticate to SAS files hosted on IBM Cloud Object Storage.

OneDrive

Set the following to identify your SAS Data Sets resources stored on OneDrive:

• ConnectionType: Set this to OneDrive.
• URI: Set this to the path to a folder containing SAS files. For example: onedrive://remotePath.

See Connecting to OneDrive for more information regarding how to connect and authenticate to SAS files hosted on OneDrive.

OneLake

Set the following to identify your SAS Data Sets resources stored on OneLake:

• ConnectionType: Set this to OneLake.
• URI: Set this to the name of the workspace, followed by the item and item type. Optionally, include the folder path to be used as the root folder. For example: onelake://Workspace/Test.LakeHouse/Files/CustomFolder.

See Connecting to OneLake for more information regarding how to connect and authenticate to SAS files hosted on OneLake.

Oracle Cloud Storage

Set the following properties to authenticate with IAMSecretKey:

• ConnectionType: Set the ConnectionType to Oracle Cloud Storage.
• URI: Set this to the bucket and folder: os://bucket/remotePath.
• AccessKey: Set this to an Oracle Cloud Access Key.
• SecretKey: Set this to an Oracle Cloud Secret Key.
• OracleNamespace: Set this to an Oracle cloud namespace.
• Region (optional): Set this to the hosting region for your S3-like Web Services.

SFTP

Set the following to identify your SAS Data Sets resources stored on SFTP:

• ConnectionType: Set this to SFTP.
• URI: Set this to the address of the server followed by the path. For example: sftp://server:port/remotePath.

See Connecting to SFTP for more information regarding how to connect and authenticate to SAS files hosted on SFTP.

SharePoint Online

Set the following to identify your SAS Data Sets resources stored on SharePoint Online:

• ConnectionType: Set this to SharePoint REST or SharePoint SOAP.
• URI: Set this to a document library containing SAS files. For example:
  • SharePoint Online REST: sprest://remotePath
  • SharePoint Online SOAP: sp://remotePath

    Use the Sharepoint URL as the remote path. Not the display name.

If your files are stored in a non-root-level SharePoint Online site (for example, under /sites/<your site>/), be sure to set the StorageBaseURL property to the full path of the SharePoint site.

• To access files in the top-level document library:
  • URI: Set this to sprest://Documents/
  • StorageBaseURL: Set this to https://<your domain>.sharepoint.com/sites/<your site>/
• To access a subfolder within that site:
  • URI: Set this to sprest://Documents/<subfolder>/
  • StorageBaseURL: Set this to https://<your domain>.sharepoint.com/sites/<your site>/

Using the full SharePoint site URL ensures the Cloud can properly locate files stored in non-root-level locations within your organization's SharePoint Online environment.

See Connecting to SharePoint Online for more information regarding how to connect and authenticate to SAS files hosted on SharePoint Online.

SharePoint On Premise

Set the following to identify your SAS Data Sets resources stored on SharePoint On Premise:

• ConnectionType: Set this to SharePoint REST or SharePoint SOAP.
• URI: Set this to a document library containing SAS files. For example:
  • SharePoint On Premise REST: sprest://remotePath
  • SharePoint On Premise SOAP: sp://remotePath

    Use the Sharepoint URL as the remote path. Not the display name.

See Connecting to SharePoint On Premise for more information regarding how to connect and authenticate to SAS files hosted on SharePoint On Premise.

Securing SAS Data Sets Connections

By default, the Cloud attempts to negotiate SSL/TLS by checking the server's certificate against the system's trusted certificate store. To specify another certificate, see the SSLServerCert property for the available formats to do so.

Connecting to SAS Data Sets

Below are example connection strings to SAS files or streams, using the Cloud's default data modeling configuration (see below)

Service provider	URI formats	Connection example
Local	Single File Path (One table) file://localPath	URI=C:/folder1;
	Directory Path (one table per file) file://localPath
HTTP or HTTPS	http://remoteStream https://remoteStream	URI=http://www.host1.com/streamname1;
Amazon S3	Single File Path (One table) s3://remotePath	URI=s3://bucket1/folder1; AWSSecretKey=secret1; AWSRegion=OHIO;
	Directory Path (one table per file) s3://remotePath
Azure Blob Storage	azureblob://mycontainer/myblob	URI=azureblob://mycontainer/myblob; AzureStorageAccount=myAccount; AzureAccessKey=myKey; URI=azureblob://mycontainer/myblob; AzureStorageAccount=myAccount; AuthScheme=OAuth;
Google Drive	Single File Path (One table) gdrive://remotePath gdrive://SharedWithMe/remotePath	URI=gdrive://folder1; AuthScheme=OAuth; URI=gdrive://SharedWithMe/folder1; AuthScheme=OAuth;
	Directory Path (one table per file) gdrive://remotePath gdrive://SharedWithMe/remotePath
One Drive	Single File Path (One table) onedrive://remotePath onedrive://SharedWithMe/remotePath	URI=onedrive://folder1; AuthScheme=OAuth; URI=onedrive://SharedWithMe/folder1; AuthScheme=OAuth;
	Directory Path (one table per file) onedrive://remotePath onedrive://SharedWithMe/remotePath
Box	Single File Path (One table) box://remotePath	URI=box://folder1; AuthScheme=OAuth;
	Directory Path (one table per file) box://remotePath
Dropbox	Single File Path (One table) dropbox://remotePath	URI=dropbox://folder1; AuthScheme=OAuth; OAuthClientId=oauthclientid1; OAuthClientSecret=oauthcliensecret1; CallbackUrl=http://localhost:12345;
	Directory Path (one table per file) dropbox://remotePath
SharePoint SOAP	Single File Path (One table) sp://remotePath	URI=sp://Documents/folder1; User=user1; Password=password1; StorageBaseURL=https://subdomain.sharepoint.com;
	Directory Path (one table per file) sp://remotePath
SharePoint REST	Single File Path (One table) sprest://remotePath	URI=sprest://Documents/folder1; AuthScheme=OAuth; StorageBaseURL=https://subdomain.sharepoint.com;
	Directory Path (one table per file) sprest://remotePath
FTP or FTPS	Single File Path (One table) ftp://server:port/remotePath ftps://server:port/remotepath	URI=ftps://localhost:990/folder1; User=user1; Password=password1;
	Directory Path (one table per file) ftp://server:port/remotePath ftps://server:port/remotepath;
SFTP	Single File Path (One table) sftp://server:port/remotePath	URI=sftp://127.0.0.1:22/folder1; User=user1; Password=password1; URI=sftp://127.0.0.1:22/folder1; SSHAuthmode=PublicKey; SSHClientCert=myPrivateKey
	Directory Path (one table per file) sftp://server:port/remotePath
Azure Data Lake Store Gen1	adl://remotePath adl://Account.azuredatalakestore.net@remotePath	URI=adl://folder1; AuthScheme=OAuth; AzureStorageAccount=myAccount; AzureTenant=tenant; URI=adl://myAccount.azuredatalakestore.net@folder1; AuthScheme=OAuth; AzureTenant=tenant;
Azure Data Lake Store Gen2	abfs://myfilesystem/remotePath abfs://[email protected]/remotepath	URI=abfs://myfilesystem/folder1; AzureStorageAccount=myAccount; AzureAccessKey=myKey; URI=abfs://[email protected]/folder1; AzureAccessKey=myKey;
Azure Data Lake Store Gen2 with SSL	abfss://myfilesystem/remotePath abfss://[email protected]/remotepath	URI=abfss://myfilesystem/folder1; AzureStorageAccount=myAccount; AzureAccessKey=myKey; URI=abfss://[email protected]/folder1; AzureAccessKey=myKey;
Wasabi	Single File Path (One table) wasabi://bucket1/remotePath	URI=wasabi://bucket/folder1; AccessKey=token1; SecretKey=secret1; Region='us-west-1';
	Directory Path (one table per file) wasabi://bucket1/remotePath
Google Cloud Storage	Single File Path (One table) gs://bucket/remotePath	URI=gs://bucket/folder1; AuthScheme=OAuth; ProjectId=test;
	Directory Path (one table per file) gs://bucket/remotePath
Oracle Cloud Storage	Single File Path (One table) os://bucket/remotePath	URI=os://bucket/folder1; AccessKey='myKey'; SecretKey='mySecretKey'; OracleNameSpace='myNameSpace' Region='us-west-1';
	Directory Path (one table per file) os://bucket/remotePath
Azure File	Single File Path (One table) azurefile://fileShare/remotePath	URI=azurefile://bucket/folder1; AzureStorageAccount='myAccount'; AzureAccessKey='mySecretKey'; URI=azurefile://bucket/folder1; AzureStorageAccount='myAccount'; AzureSharedAccessSignature='mySharedAccessSignature';
	Directory Path (one table per file) azurefile://fileShare/remotePath
IBM Object Storage Source	Single File Path (One table) ibmobjectstorage://bucket1/remotePath	URI=ibmobjectstorage://bucket/folder1; AuthScheme='IAMSecretKey'; AccessKey=token1; SecretKey=secret1; Region='eu-gb'; URI=ibmobjectstorage://bucket/folder1; ApiKey=key1; Region='eu-gb'; AuthScheme=OAuth; InitiateOAuth=GETANDREFRESH;
	Directory Path (one table per file) ibmobjectstorage://bucket1/remotePath
Hadoop Distributed File System	Single File Path (One table) webhdfs://host:port/remotePath	URI=webhdfs://host:port/folder1
	Directory Path (one table per file) webhdfs://host:port/remotePath
Secure Hadoop Distributed File System	Single File Path (One table) webhdfss://host:port/remotePath	URI=webhdfss://host:port/folder1
	Directory Path (one table per file) webhdfss://host:port/remotePath

Accessing Sub-Folders

Set the following properties to model subfolders as views:

• IncludeSubdirectories: Set this to read files and Schema.ini from nested folders. In the case of a name collision, table names are prefixed by underscore-separated folder names. By default this is false.
• DirectoryRetrievalDepth: Set this to specify how many subfolders will be recursively scanned when IncludeSubdirectories is set. By default, the Cloud scans all subfolders.

When IncludeSubdirectories is set, the automatically detected table names follow the convention below:

File Path	Root\subfolder1\tableA	Root\subfolder1\subfolder2\tableA
Table Name	subfolder1_tableA	subfolder1_subfolder2_tableA

Before You Connect

Obtain AWS Keys

To obtain the credentials for an IAM user:

1. Sign into the IAM console.
2. In the navigation pane, select Users.
3. To create or manage the access keys for a user, select the user and then navigate to the Security Credentials tab.

To obtain the credentials for your AWS root account:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number.
3. In the menu that displays, select My Security Credentials.
4. To manage or create root account access keys, click Continue to Security Credentials and expand the "Access Keys" section.

Connecting to Amazon S3

Specify the following to connect to data:

• AWSRegion: Set this to the region where your SAS Data Sets data is hosted.
• StorageBaseURL (optional): Specify the base S3 service URL only if it has a different URL from "amazonaws.com". Make sure to specify the full URL. For example: http://127.0.0.1:9000.

Authenticating to Amazon S3

There are several authentication methods available for connecting to SAS Data Sets including:

• Root Credentials
• AWS Role, as an AWS Role (from an EC2 Instance or by specifying the root credentials)
• SSO (ADFS, Okta, PingFederate)
• Temporary Credentials
• Credentials File

Root Credentials

To authenticate using account root credentials, set these parameters:

• AuthScheme: AwsRootKeys.
• AWSAccessKey: The access key associated with the AWS root account.
• AWSSecretKey: The secret key associated with the AWS root account.

Note: Amazon discourages using root credentials for anything beyond simple testing. The account root credentials have the full permissions of the user, posing a security risk and making this the least secure authentication method.

If multi-factor authentication is required, specify the following:

• CredentialsLocation: The location of the settings file where MFA credentials are saved.
• MFASerialNumber: The serial number of the MFA device if one is being used.
• MFAToken: The temporary token available from your MFA device.

This causes the Cloud to submit the MFA credentials in the request to retrieve temporary authentication credentials.

Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).

Using AWS From an EC2 Instance

Set AuthScheme to AwsEC2Roles.

If you are using the Cloud from an EC2 Instance and have an IAM Role assigned to the instance, you can use the IAM Role to authenticate. Since the Cloud automatically obtains your IAM Role credentials and authenticates with them, it is not necessary to specify AWSAccessKey and AWSSecretKey.

If you are also using an IAM role to authenticate, you must additionally specify the following:

• AWSRoleARN: Specify the Role ARN for the role you'd like to authenticate with. This causes the Cloud to attempt to retrieve credentials for the specified role.
• AWSExternalId (optional): Only required if you are assuming a role in another AWS account.

IMDSv2 Support

The SAS Data Sets Cloud now supports IMDSv2. Unlike IMDSv1, the new version requires an authentication token. Endpoints and response are the same in both versions.

In IMDSv2, the SAS Data Sets Cloud first attempts to retrieve the IMDSv2 metadata token and then uses it to call AWS metadata endpoints. If it is unable to retrieve the token, the Cloud reverts to IMDSv1.

AWS Web Identity

Set AuthScheme to AwsWebIdentity.

If you are either using SAS Data Sets from a container configured to assume role with web identity (such as a Pod in an EKS cluster with an OpenID Provider) or have authenticated with a web identity provider associated with an IAM role (and have thus obtained an identity token), you can exchange the web identity token and IAM role information for temporary security credentials to authenticate and access AWS services.

If the container has AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE specified in the environment variables, SAS Data Sets automatically obtains the credentials.

You can also authenticate by specifying both AWSRoleARN and AWSWebIdentityToken to execute the AssumeRoleWithWebIdentity API operation.

AWS IAM Roles

To authenticate through AWS, set AuthScheme to AwsIAMRoles.

To authenticate as an AWS role, set these properties:

• AWSAccessKey: The access key of the IAM user to assume the role for.
• AWSSecretKey: The secret key of the IAM user to assume the role for.
• AWSRoleARN: Specify the Role ARN for the role you'd like to authenticate with. This will cause the Cloud to attempt to retrieve credentials for the specified role.
• AWSExternalId (optional): Only required if you are assuming a role in another AWS account.

If multi-factor authentication is required, specify the following:

• CredentialsLocation: The location of the settings file where MFA credentials are saved.
• MFASerialNumber: The serial number of the MFA device if one is being used.
• MFAToken: The temporary token available from your MFA device.

This causes the Cloud to submit the MFA credentials in the request to retrieve temporary authentication credentials.

Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).

Note: In some circumstances it might be preferable to use an IAM role for authentication, rather than the direct security credentials of an AWS root user. If you are specifying the AWSAccessKey and AWSSecretKey of an AWS root user, you cannot use roles.

ADFS

To connect to ADFS, set these properties:

• AuthScheme: ADFS.
• User: The authenticating ADFS user.
• Password: The password of the authenticating ADFS user.
• SSOLoginURL: The SSO provider's login URL.

To authenticate to ADFS, set these SSOProperties:

• RelyingParty: The value of the ADFS server's Relying Party Identifier.

Example connection string:

AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';SSOProperties='RelyingParty=https://saml.salesforce.com';

ADFS Integrated

The ADFS Integrated flow indicates you are connecting with the user credentials of the currently logged in Windows user. To use the ADFS Integrated flow, do not specify the User and Password, but otherwise follow the same steps noted above under ADFS.

Okta

To connect to Okta, set these properties:

• AuthScheme: Okta.
• User: The authentiating Okta user.
• Password: The password of the authenticating Okta user.
• SSOLoginURL: The SSO provider's login URL.

If you are either using a trusted application or proxy that overrides the Okta client request OR configuring MFA, you must use combinations of SSOProperties to authenticate using Okta. Set any of the following, as applicable:

• APIToken: When authenticating a user via a trusted application or proxy that overrides the Okta client request context, set this to the API Token the customer created from the Okta organization.
• MFAType: If you have configured the MFA flow, set this to one of the following supported types: OktaVerify, Email, or SMS.
• MFAPassCode: If you have configured the MFA flow, set this to a valid passcode.
  If you set this to empty or an invalid value, the Cloud issues a one-time password challenge to your device or email. After the passcode is received, reopen the connection where the retrieved one-time password value is set to the MFAPassCode connection property.
• MFARememberDevice: True by default. Okta supports remembering devices when MFA is required. If remembering devices is allowed according to the configured authentication policies, the Cloud sends a device token to extend MFA authentication lifetime. If you do not want MFA to be remembered, set this variable to False.

Example connection string:

AuthScheme=Okta;SSOLoginURL='https://example.okta.com/home/appType/0bg4ivz6cJRZgCz5d6/46';User=oktaUserName;Password=oktaPassword;

PingFederate

To connect to PingFederate, set these properties:

• AuthScheme: PingFederate.
• User: The authenticating PingFederate user.
• Password: The authenticating user's PingFederate password.
• SSOLoginURL: The SSO provider's login URL.
• AWSRoleARN (optional): If you have multiple role ARNs, specify the one you want to use for authorization.
• AWSPrincipalARN (optional): If you have multiple principal ARNs, specify the one you want to use for authorization.
• SSOExchangeURL: The Partner Service Identifier URI configured in your PingFederate server instance under: SP Connections > SP Connection > WS-Trust > Protocol Settings. This should uniquely identify a PingFederate SP Connection, so it is a good idea to set it to your AWS SSO ACS URL. You can find it under AWS SSO > Settings > View Details next to the Authentication field.
• SSOProperties (optional): If you want to include your username and password as an authorization header in requests to Amazon S3, set this to Authscheme=Basic.

To enable mutual SSL authentication for SSOLoginURL, the WS-Trust STS endpoint, configure these SSOProperties:

• SSLClientCert
• SSLClientCertType
• SSLClientCertSubject
• SSLClientCertPassword

Example connection string:

authScheme=pingfederate;SSOLoginURL=https://mycustomserver.com:9033/idp/sts.wst;SSOExchangeUrl=https://us-east-1.signin.aws.amazon.com/platform/saml/acs/764ef411-xxxxxx;user=admin;password=PassValue;AWSPrincipalARN=arn:aws:iam::215338515180:saml-provider/pingFederate;AWSRoleArn=arn:aws:iam::215338515180:role/SSOTest2;

Temporary Credentials

To authenticate using temporary credentials, specify the following:

• AuthScheme: AwsTempCredentials.
• AWSAccessKey: The access key of the IAM user who will assume the role.
• AWSSecretKey: The secret key of the IAM user who will assume the role.
• AWSSessionToken: Your AWS session token, provided with your temporary credentials. For details, see AWS Identity and Access Management User Guide.

The Cloud can now request resources using the same permissions provided by long-term credentials (such as IAM user credentials) for the lifespan of the temporary credentials.

To authenticate using both temporary credentials and an IAM role, set all the parameters described above, and specify these additional parameters:

• AWSRoleARN: The Role ARN for the role you'd like to authenticate with. This prompts the Cloud to retrieve credentials for the specified role.
• AWSExternalId (optional): Only required if you are assuming a role in another AWS account.

If multi-factor authentication is required, specify the following:

• CredentialsLocation: The location of the settings file where MFA credentials are saved.
• MFASerialNumber: The serial number of the MFA device if one is being used.
• MFAToken: The temporary token available from your MFA device.

This causes the Cloud to submit the MFA credentials in the request to retrieve temporary authentication credentials.

Note: If you want to control the duration of the temporary credentials, set the TemporaryTokenDuration property (default: 3600 seconds).

Credentials Files

You can use any credentials file to authenticate, including any configurations related to AccessKey/SecretKey authentication, temporary credentials, role authentication, or MFA.

To do this, set these properties:

• AuthScheme: AwsCredentialsFile.
• AWSCredentialsFile: The location of your credentials file.
• AWSCredentialsFileProfile (optional): The name of the profile you would like to use from the specified credentials file. If not specified, the default profile is used.

For further information, see AWS Command Line Interface User Guide.

Azure AD

This configuration requires two separate Azure AD applications:

• The "SAS Data Sets" application used for single sign-on, and
• A custom OAuth application with user_impersonation permission on the "SAS Data Sets" application. (See Creating a Custom OAuth App.)

To connect to Azure AD, set the AuthScheme to AzureAD, and set these properties:

• OAuthClientId: The application Id of the connector application, listed in the Overview section of the app registration.
• OAuthClientSecret: The client secret value of the connector application. Azure AD displays this when you create a new client secret.
• CallbackURL: The redirect URI of the connector application. For example: https://localhost:33333.

To authenticate to Azure AD, set these SSOProperties:

• Resource: The application Id URI of the SAS Data Sets application, listed in the app registration's Overview section. In most cases this is the URL of your custom SAS Data Sets domain.
• AzureTenant: The Id of the Azure AD tenant where the applications are registered.

Example connection string:

AuthScheme=AzureAD;OAuthClientId=3ea1c786-d527-4399-8c3b-2e3696ae4b48;OauthClientSecret=xxx;CallbackUrl=https://localhost:33333;SSOProperties='Resource=https://signin.aws.amazon.com/saml;AzureTenant=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx';

Before You Connect

To obtain the credentials for an AzureBlob user, follow the steps below:

1. Sign into the Azure portal with the credentials for your root account.
2. Click on Storage Accounts and select the storage account you want to use.
3. Under Settings, click Access keys.
4. Your storage account name and key will be displayed on that page.

Connecting to Azure Blob Storage

Set AzureStorageAccount to your Azure Blob Storage account name.

Authenticating to Azure Blob Storage

You can authenticate to Azure Blob Storage via Access Key, Shared Access Signatures (SAS), AzureAD user, Azure MSI, or Azure Service Principal.

Access Key

Set the following to authenticate with an Azure Access Key:

• AuthScheme: Set this to AccessKey.
• AzureAccessKey: Set this to the storage key associated with your Azure Blob Storage account.

Shared Access Signature (SAS)

Set the following to authenticate with an Shared Access Signature (SAS):

• AuthScheme: Set this to AzureStorageSAS.
• AzureSharedAccessSignature: Set this to the SAS associated with your Azure Blob Storage account.

Follow these steps to create a shared access signature using AzureSharedAccessSignature:

1. Sign into the Azure Portal with the credentials for your root account. (https://portal.azure.com/)
2. Click storage accounts and select the storage account you want to use.
3. Under settings, click Shared Access Signature.
4. Set the permissions.
5. Specify when you want the token to expire.
6. Click Generate SAS and copy the shared access signature it generates.
7. Set AzureSharedAccessSignature to the shared access signature from the previous step.

AzureAD User

AuthScheme must be set to AzureAD in all user account flows.

Azure Service Principal

The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

Create an AzureAD App and an Azure Service Principal

When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application.

1. Open the Subscriptions page by searching and selecting the Subscriptions service from the search bar.
2. Select the subscription to assign the application to.
3. Open the Access control (IAM) and select Add > Add role assignment to open the Add role assignment page.
4. Select Owner as the role to assign to your created Azure AD app.

Complete the Authentication Choose whether to use a client secret or a certificate and follow the relevant steps below.

Client Secret

Set these connection properties:

• AuthScheme: AzureServicePrincipal to use a client secret.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthClientId: The client Id in your application settings.
• OAuthClientSecret: The client secret in your application settings.

Certificate

Set these connection properties:

• AuthScheme: AzureServicePrincipalCert to use a certificate.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthJWTCert: The JWT Certificate store.
• OAuthJWTCertType: The type of the certificate store specified by OAuthJWTCert.

You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.

Azure MSI

If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.

There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.

When to Create a Custom Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting via either a Desktop Application or from a Headless Machine.

You may choose to use your own AzureAD Application Credentials when you want to

• control branding of the Authentication Dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

Custom AzureAD Applications

You can use a custom AzureAD application to authenticate a service account or a user account. You can always create a custom AzureAD application, but note that desktop and headless connections support embedded OAuth, which simplifies the process of authentication. See "Establishing a Connection" for information about using the embedded OAuth application.

Create a Custom AzureAD App

Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an application name and select the desired tenant setup. When creating a custom AzureAD application in Azure Active Directory, you can define whether the application is single- or multi-tenant. If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the CData Cloud. Otherwise, the authentication attempt fails with an error. If your application is for private use only, "Accounts in this organization directory only" should be sufficient. Otherwise, if you want to distribute your application, choose one of the multi-tenant options.
5. Set the redirect url to http://localhost:33333, the Cloud's default. Or, specify a different port and set CallbackURL to the exact reply URL you defined.
6. Click Register to register the new application. This opens an application management screen. Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
7. Navigate to the "Certificates & Secrets" and define the application authentication type. There are two types of authentication available: using a client secret or a certificate. The recommended authentication method is using a certificate.
   • Option 1: Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2: Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will need it as the OAuthClientSecret.
8. Select API Permissions > Add. If your application connects without a user context, select Application Permissions. If your application authenticates on behalf of a signed-in user, choose Delegated permissions.
9. Save your changes.
10. If you have selected to use permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page. Otherwise, follow the steps under "Admin Consent".

Custom AzureAD Service Principal Applications

When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.

Create a Custom AzureAD App with an Azure Service Principal

Follow the steps below to obtain the AzureAD values for your application.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an app name and select Any Azure AD Directory - Multi Tenant. Then set the redirect url to http://localhost:33333, the Cloud's default.
5. After creating the application, copy the Application (client) Id value displayed in the "Overview" section. This value is used as the OAuthClientId
6. Define the app authentication type by going to the "Certificates & Secrets" section. There are two types of authentication available: using a client secret and using a certificate. The recommended authentication method is via a certificate.
   • Option 1 - Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2 - Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will use it as the OAuthClientSecret.
7. On the Authentication tab, make sure to select Access tokens (used for implicit flows).

Connecting to Azure Data Lake Storage

Set AzureStorageAccount to your Azure Data Lake Storage account name.

Authenticating to Azure Data Lake Storage

You can authenticate to Azure Data Lake Storage via Access Key, Shared Access Signature (SAS), AzureAD user, Azure MSI, or Azure Service Principal.

Access Key

Set the following to authenticate with an Azure Access Key:

• AuthScheme: Set this to AccessKey.
• AzureAccessKey: Set this to the storage key associated with your Azure Data Lake Storage account.

Shared Access Signature (SAS)

Set the following to authenticate with an Shared Access Signature (SAS):

• AuthScheme: Set this to AzureStorageSAS.
• AzureSharedAccessSignature: Set this to the SAS associated with your Azure Blob Storage account.

Follow these steps to create a shared access signature using AzureSharedAccessSignature:

1. Sign into the Azure Portal with the credentials for your root account. (https://portal.azure.com/)
2. Click storage accounts and select the storage account you want to use.
3. Under settings, click Shared Access Signature.
4. Set the permissions.
5. Specify when you want the token to expire.
6. Click Generate SAS and copy the shared access signature it generates.
7. Set AzureSharedAccessSignature to the shared access signature from the previous step.

AzureAD User

AuthScheme must be set to AzureAD in all user account flows.

Azure Service Principal

The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

Create an AzureAD App and an Azure Service Principal

When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application.

1. Open the Subscriptions page by searching and selecting the Subscriptions service from the search bar.
2. Select the subscription to assign the application to.
3. Open the Access control (IAM) and select Add > Add role assignment to open the Add role assignment page.
4. Select Owner as the role to assign to your created Azure AD app.

Complete the Authentication Choose whether to use a client secret or a certificate and follow the relevant steps below.

Client Secret

Set these connection properties:

• AuthScheme: AzureServicePrincipal to use a client secret.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthClientId: The client Id in your application settings.
• OAuthClientSecret: The client secret in your application settings.

Certificate

Set these connection properties:

• AuthScheme: AzureServicePrincipalCert to use a certificate.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthJWTCert: The JWT Certificate store.
• OAuthJWTCertType: The type of the certificate store specified by OAuthJWTCert.

You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.

Azure MSI

If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.

There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.

When to Create a Custom Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting via either a Desktop Application or from a Headless Machine.

You may choose to use your own AzureAD Application Credentials when you want to

• control branding of the Authentication Dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

Custom AzureAD Applications

You can use a custom AzureAD application to authenticate a service account or a user account. You can always create a custom AzureAD application, but note that desktop and headless connections support embedded OAuth, which simplifies the process of authentication. See "Establishing a Connection" for information about using the embedded OAuth application.

Create a Custom AzureAD App

Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an application name and select the desired tenant setup. When creating a custom AzureAD application in Azure Active Directory, you can define whether the application is single- or multi-tenant. If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the CData Cloud. Otherwise, the authentication attempt fails with an error. If your application is for private use only, "Accounts in this organization directory only" should be sufficient. Otherwise, if you want to distribute your application, choose one of the multi-tenant options.
5. Set the redirect url to http://localhost:33333, the Cloud's default. Or, specify a different port and set CallbackURL to the exact reply URL you defined.
6. Click Register to register the new application. This opens an application management screen. Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
7. Navigate to the "Certificates & Secrets" and define the application authentication type. There are two types of authentication available: using a client secret or a certificate. The recommended authentication method is using a certificate.
   • Option 1: Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2: Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will need it as the OAuthClientSecret.
8. Select API Permissions > Add. If your application connects without a user context, select Application Permissions. If your application authenticates on behalf of a signed-in user, choose Delegated permissions.
9. Save your changes.
10. If you have selected to use permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page. Otherwise, follow the steps under "Admin Consent".

Custom AzureAD Service Principal Applications

When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.

Create a Custom AzureAD App with an Azure Service Principal

Follow the steps below to obtain the AzureAD values for your application.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an app name and select Any Azure AD Directory - Multi Tenant. Then set the redirect url to http://localhost:33333, the Cloud's default.
5. After creating the application, copy the Application (client) Id value displayed in the "Overview" section. This value is used as the OAuthClientId
6. Define the app authentication type by going to the "Certificates & Secrets" section. There are two types of authentication available: using a client secret and using a certificate. The recommended authentication method is via a certificate.
   • Option 1 - Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2 - Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will use it as the OAuthClientSecret.
7. On the Authentication tab, make sure to select Access tokens (used for implicit flows).

Connecting to Box

Use the OAuth authentication standard to connect to Box. You can authenticate with a user account or with a service account. A service account is required to grant organization-wide access scopes to the Cloud. The Cloud facilitates these authentication flows as described below.

User Accounts (OAuth)

AuthScheme must be set to OAuth in all user account flows.

Authenticate with a Service Account

Set the AuthScheme to OAuthJWT to authenticate with this method.

Service accounts have silent authentication, without user authentication in the browser. You can also use a service account to delegate enterprise-wide access scopes to the Cloud.

You need to create an OAuth application in this flow. See Create a Custom OAuth App to create and authorize an app. You can then connect to Box data that the service account has permission to access.

After setting the following connection properties, you are ready to connect:

• OAuthClientId: Set to the Client Id in your app settings.
• OAuthClientSecret: Set to the Client Secret in your app settings.
• OAuthJWTCertType: Set to "PEMKEY_FILE".
• OAuthJWTCert: Set to the path to the .pem file you generated.
• OAuthJWTCertPassword: Set to the password of the .pem file.
• OAuthJWTCertSubject: Set to "*" to pick the first certificate in the certificate store.
• OAuthJWTSubjectType: Set to "enterprise" or "user" depending on the Application Access Value you selected in your app settings. The default value of this connection property is "enterprise".
• OAuthJWTSubject: Set to your enterprise Id if your subject type is set to "enterprise" or your app user Id if your subject type is set to "user".
• OAuthJWTPublicKeyId: Set to the Id of your public key in your app settings.

When you connect the Cloud completes the OAuth flow for a service account.

Creating a Custom OAuth Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting via a .

You may choose to use your own OAuth Application Credentials when you want to:

• control branding of the authentication dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

Procedure

This procedure creates a custom OAuth application, registers that application, and generates values that are used to configure the OAuthClientId and OAuthClientSecret.

At the Box Enterprise Developer Console:

1. Log in to your Box developers dashboard.
2. Click Create New App.
3. Specify basic application information, as appropriate.
4. Specify your application type (e.g., Custom App).
5. Select the User Authentication (OAuth 2.0) authentication method.
6. Set the Redirect URI:
   • If this is a , set the Redirect URI to http://localhost:33333 or a different port number.
7. Click Create App.
8. The next task is to create a public and private key pair.
   • To create a keypair from the Developer Console:
     1. Navigate to the Developer Console Configuration tab.
     2. Scroll down to Add and Manage Public Keys.
     3. Click Generate a Public/Private Keypair. Box creates a keypair in a JSON file, and downloads that file to your desktop. You can then move that file to your application code.

        Note: Box does not back up private keys for security reasons. Be careful to back up the Public/Private JSON file. If you lose your private key, you must reset the entire keypair.

   • To add a keypair manually:
     1. Open a terminal window and run the following OpenSSL commands:
        

        openssl genrsa -des3 -out private.pem 2048
        openssl rsa -in private.pem -outform PEM -pubout -out public.pem

        Note: To run OpenSSL in a Windows environment, install the Cygwin package.

     2. At the Developer Console, navigate to the configuration tab for the Custom OAuth application you just created.
     3. Scroll down to Add and Manage Public Keys.
     4. Click Add a Public Key.
     5. Click Verify and Save.
9. Before the custom application can be used, a Box Admin must authorize it within the Box Admin Console.
   1. Navigate to your application within the Developer Console.
   2. Click the Authorization tab.
   3. At the prompt to Submit app for authorization for access to the Enterprise, click Review and Submit.
      Your Box Enterprise Admin approves the application.
10. Finally, select the scope of user permissions your custom OAuth application must request.

After your application is created and registered, click Configuration from the main menu to access your settings. Note the displayed Redirect URI, Client ID, and Client Secret. You will need these values later.

When JWT Access Scopes Change

If you change the JWT access scopes, you must reauthorize the application in the enterprise admin console:

1. Click Apps in the main manu.
2. Select the ellipsis button next to your JWT application name.
3. Select Reauthorize App in the menu.

Connecting to Dropbox

Dropbox uses the OAuth authentication standard.

Dropbox OAuth Scopes

You need to choose between using CData's embedded OAuth app or Create a Custom OAuth App.

The embedded app includes the following scopes:

• account_info.read
• file_requests.read
• files.content.read
• files.content.write
• files.metadata.read
• sharing.read
• sharing.write

When To Create a Custom OAuth Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting via a .

You may choose to use your own OAuth Application Credentials when you want to

• control branding of the Authentication Dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

Create a Custom OAuth App

1. Log in to your Dropbox developers dashboard and click Create New App. Select the Dropbox API type. Select the Full Dropbox access for your app.
2. After creating your app, you can view Configuration from the main menu that displays your app settings.
3. On the app Settings tab, note the values of App key and App secret for later Cloud configuration.
4. Set the Redirect URI and store the specified value for later Cloud configuration.
   • When setting up a , set the Redirect URI to http://localhost:33333 or a different port number.
5. On the app Permissions tab, select the scope of user permissions your app will request.

No further values need to be specified in the SAS Data Sets app settings.

Connecting to Google Cloud Storage

Set the ProjectId property to the Id of the project you want to connect to.

Authenticating to Google Cloud Storage

The Cloud supports using user accounts and GCP instance accounts for authentication.

The following sections discuss the available authentication schemes for Google Cloud Storage:

• User Accounts (OAuth)
• Service Account (OAuthJWT)
• GCP Instance Account

User Accounts (OAuth)

AuthScheme must be set to OAuth in all user account flows.

Web Applications

When connecting via a Web application, you need to create and register a custom OAuth application with Google Cloud Storage. You can then use the Cloud to acquire and manage the OAuth token values. See Create a Custom OAuth App for more information about custom applications.

Get an OAuth Access Token

Set the following connection properties to obtain the OAuthAccessToken:

• OAuthClientId: Set this to the Client Id in your application settings.
• OAuthClientSecret: Set this to the Client Secret in your application settings.

Then call stored procedures to complete the OAuth exchange:

1. Call the GetOAuthAuthorizationURL stored procedure. Set the CallbackURL input to the Callback URL you specified in your application settings. The stored procedure returns the URL to the OAuth endpoint.
2. Navigate to the URL that the stored procedure returned in Step 1. Log in to the custom OAuth application and authorize the web application. Once authenticated, the browser redirects you to the callback URL.
3. Call the GetOAuthAccessToken stored procedure. Set AuthMode to WEB and the Verifier input to the "code" parameter in the query string of the callback URL.

Once you have obtained the access and refresh tokens, you can connect to data and refresh the OAuth access token either automatically or manually.

Automatic Refresh of the OAuth Access Token

To have the driver automatically refresh the OAuth access token, set the following on the first data connection:

• InitiateOAuth: Set this to REFRESH.
• OAuthClientId: Set this to the Client Id in your application settings.
• OAuthClientSecret: Set this to the Client Secret in your application settings.
• OAuthAccessToken: Set this to the access token returned by GetOAuthAccessToken.
• OAuthRefreshToken: Set this to the refresh token returned by GetOAuthAccessToken.
• OAuthSettingsLocation: Set this to the location where the Cloud saves the OAuth token values, which persist across connections.

On subsequent data connections, the values for OAuthAccessToken and OAuthRefreshToken are taken from OAuthSettingsLocation.

Manual Refresh of the OAuth Access Token

The only value needed to manually refresh the OAuth access token when connecting to data is the OAuth refresh token.

Use the RefreshOAuthAccessToken stored procedure to manually refresh the OAuthAccessToken after the ExpiresIn parameter value returned by GetOAuthAccessToken has elapsed, then set the following connection properties:

• OAuthClientId: Set this to the Client Id in your application settings.
• OAuthClientSecret: Set this to the Client Secret in your application settings.

Then call RefreshOAuthAccessToken with OAuthRefreshToken set to the OAuth refresh token returned by GetOAuthAccessToken. After the new tokens have been retrieved, open a new connection by setting the OAuthAccessToken property to the value returned by RefreshOAuthAccessToken.

Finally, store the OAuth refresh token so that you can use it to manually refresh the OAuth access token after it has expired.

Headless Machines

To configure the driver, use OAuth with a user account on a headless machine. You need to authenticate on another device that has an internet browser.

1. Choose one of two options:
   • Option 1: Obtain the OAuthVerifier value as described in "Obtain and Exchange a Verifier Code" below.
   • Option 2: Install the Cloud on a machine with an internet browser and transfer the OAuth authentication values after you authenticate through the usual browser-based flow.
2. Then configure the Cloud to automatically refresh the access token on the headless machine.

Option 1: Obtain and Exchange a Verifier Code

To obtain a verifier code, you must authenticate at the OAuth authorization URL.

Follow the steps below to authenticate from the machine with an internet browser and obtain the OAuthVerifier connection property.

1. Choose one of these options:
   • If you are using the Embedded OAuth Application click Google Cloud Storage OAuth endpoint to open the endpoint in your browser.
   • If you are using a custom OAuth application, create the Authorization URL by setting the following properties:
     • InitiateOAuth: Set to OFF.
     • OAuthClientId: Set to the client Id assigned when you registered your application.
     • OAuthClientSecret: Set to the client secret assigned when you registered your application.
     Then call the GetOAuthAuthorizationURL stored procedure with the appropriate CallbackURL. Open the URL returned by the stored procedure in a browser.
2. Log in and grant permissions to the Cloud. You are then redirected to the callback URL, which contains the verifier code.
3. Save the value of the verifier code. Later you will set this in the OAuthVerifier connection property.

Next, you need to exchange the OAuth verifier code for OAuth refresh and access tokens. Set the following properties:

On the headless machine, set the following connection properties to obtain the OAuth authentication values:

• InitiateOAuth: Set this to REFRESH.
• OAuthVerifier: Set this to the verifier code.
• OAuthClientId: (custom applications only) Set this to the Client Id in your custom OAuth application settings.
• OAuthClientSecret: (custom applications only) Set this to the Client Secret in the custom OAuth application settings.
• OAuthSettingsLocation: Set this to persist the encrypted OAuth authentication values to the specified location.

After the OAuth settings file is generated, you need to re-set the following properties to connect:

• InitiateOAuth: Set this to REFRESH.
• OAuthClientId: (custom applications only) Set this to the client Id assigned when you registered your application.
• OAuthClientSecret: (custom applications only) Set this to the client secret assigned when you registered your application.
• OAuthSettingsLocation: Set this to the location containing the encrypted OAuth authentication values. Make sure this location gives read and write permissions to the Cloud to enable the automatic refreshing of the access token.

Option 2: Transfer OAuth Settings

Prior to connecting on a headless machine, you need to create and install a connection with the driver on a device that supports an internet browser. Set the connection properties as described in "Desktop Applications" above.

After completing the instructions in "Desktop Applications", the resulting authentication values are encrypted and written to the location specified by OAuthSettingsLocation. The default filename is OAuthSettings.txt.

Once you have successfully tested the connection, copy the OAuth settings file to your headless machine.

On the headless machine, set the following connection properties to connect to data:

• InitiateOAuth: Set this to REFRESH.
• OAuthClientId: (custom applications only) Set this to the client Id assigned when you registered your application.
• OAuthClientSecret: (custom applications only) Set this to the client secret assigned when you registered your application.
• OAuthSettingsLocation: Set this to the location of your OAuth settings file. Make sure this location gives read and write permissions to the Cloud to enable the automatic refreshing of the access token.

GCP Instance Accounts

When running on a GCP virtual machine, the Cloud can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.

Creating a Custom OAuth Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting to SAS Data Sets via a desktop application or a headless machine.

(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to SAS Data Sets".)

However, you must create a custom OAuth application to connect to SAS Data Sets via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.

Custom OAuth applications are useful if you want to:

• control branding of the authentication dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).

Enable the Cloud Storage API

Follow these steps to enable the Cloud Storage API:

1. Navigate to the Google Cloud Console.
2. Select Library from the left-hand navigation menu. This opens the Library page.
3. In the search field, enter "Cloud Storage API" and select Cloud Storage API from the search results.
4. On the Cloud Storage API page, click ENABLE.

Create an OAuth Application

To create custom OAuth applications that retrieve the necessary OAuth connection properties, follow these procedures.

User Accounts (OAuth)

For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)

Do the following:

1. Navigate to the Google Cloud Console.
2. Create a new project or select an existing project.
3. At the left-hand navigation menu, select Credentials.
4. If this project does not already have a consent screen configured, click CONFIGURE CONSENT SCREEN to create one. If you are not using a Google Workspace account, you are restricted to creating an External-type Consent Screen, which requires specifying a support email and developer contact email. Additional info is optional.
5. On the Credentials page, select Create Credentials > OAuth Client ID.
6. In the Application Type menu, select Web application.
7. Specify a name for your custom OAuth application.
8. Under Authorized redirect URIs, click ADD URI and enter a redirect URI.
9. Click Enter, then CREATE. The Cloud Console returns you to the Credentials page.
   A window opens that displays your client Id and client secret.
10. Record the client Id and Client Secret for later use as the OAuthClientId and OAuthClientSecret connection properties.

Note: The client secret remains accessible from from the Google Cloud Console.

Service Accounts (OAuthJWT)

Service accounts (AuthScheme OAuthJWT) can be used in an OAuth flow to access Google APIs on behalf of users in a domain. A domain administrator can delegate domain-wide access to the service account.

To create a new service account:

1. Navigate to the Google Cloud Console.
2. Create a new project or select an existing project.
3. At the left-hand navigation menu, select Credentials.
4. Select Create Credentials > Service account.
5. On the Create service account page, enter the service account name, ID, and an optional description.
6. Click DONE. The Cloud Console redisplays the Credentials page.
7. In the Service Accounts section, select the service account you just created.
8. Click the Advanced Settings section and enable Domain-Wide Delegation.
9. Record the Client ID shown for domain-wide delegation. You'll use this in the Admin Console.
10. In a new tab, navigate to the Google Admin Console.
11. Go to Security > API Controls > Domain-Wide Delegation.
12. Click Manage Domain-Wide Delegation, then Add new.
13. Enter the recorded Client ID and the list of required scopes. See OAuth Scopes and Endpoints for more details.
14. Back in the Cloud Console, select the KEYS tab for the service account.
15. Click ADD KEY > Create new key.
16. Select a supported key type (see OAuthJWTCert and OAuthJWTCertType).
17. Click CREATE. The key is automatically downloaded to your device.
18. Record the additional information for later use.

In the service account flow, the Cloud exchanges a JSON Web Token (JWT) for the OAuthAccessToken. The private key downloaded in the steps above is used to sign the JWT. The Cloud inherits the permissions granted to the service account, including any scopes configured through domain-wide delegation.

Authenticating to Google Drive

The Cloud supports using user accounts and GCP instance accounts for authentication.

The following sections discuss the available authentication schemes for Google Drive:

• User Accounts (OAuth)
• Service Account (OAuthJWT)
• GCP Instance Account

User Accounts (OAuth)

AuthScheme must be set to OAuth in all user account flows.

GCP Instance Accounts

When running on a GCP virtual machine, the Cloud can authenticate using a service account tied to the virtual machine. To use this mode, set AuthScheme to GCPInstanceAccount.

Creating a Custom OAuth Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting to SAS Data Sets via a desktop application or a headless machine.

(For information on getting and setting the OAuthAccessToken and other configuration parameters, see the Desktop Authentication section of "Connecting to SAS Data Sets".)

However, you must create a custom OAuth application to connect to SAS Data Sets via the Web. And since custom OAuth applications seamlessly support all three commonly-used auth flows, you might want to create custom OAuth applications (use your own OAuth Application Credentials) for those auth flows anyway.

Custom OAuth applications are useful if you want to:

• control branding of the authentication dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

The following sections describe how to enable the Directory API and create custom OAuth applications for user accounts (OAuth) and Service Accounts (OAuth/JWT).

Enable the Google Drive API

Follow these steps to enable the Google Drive API:

1. Navigate to the Google Cloud Console.
2. Select Library from the left-hand navigation menu. This opens the Library page.
3. In the search field, enter "Google Drive API" and select Google Drive API from the search results.
4. On the Google Drive API page, click ENABLE.

Create an OAuth Application

To create custom OAuth applications that retrieve the necessary OAuth connection properties, follow these procedures.

User Accounts (OAuth)

For users whose AuthScheme is OAuth and who need to authenticate over a web application, you must always create a custom OAuth application. (For desktop and headless flows, creating a custom OAuth application is optional.)

Do the following:

1. Navigate to the Google Cloud Console.
2. Create a new project or select an existing project.
3. At the left-hand navigation menu, select Credentials.
4. If this project does not already have a consent screen configured, click CONFIGURE CONSENT SCREEN to create one. If you are not using a Google Workspace account, you are restricted to creating an External-type Consent Screen, which requires specifying a support email and developer contact email. Additional info is optional.
5. On the Credentials page, select Create Credentials > OAuth Client ID.
6. In the Application Type menu, select Web application.
7. Specify a name for your custom OAuth application.
8. Under Authorized redirect URIs, click ADD URI and enter a redirect URI.
9. Click Enter, then CREATE. The Cloud Console returns you to the Credentials page.
   A window opens that displays your client Id and client secret.
10. Record the client Id and Client Secret for later use as the OAuthClientId and OAuthClientSecret connection properties.

Note: The client secret remains accessible from from the Google Cloud Console.

Service Accounts (OAuthJWT)

Service accounts (AuthScheme OAuthJWT) can be used in an OAuth flow to access Google APIs on behalf of users in a domain. A domain administrator can delegate domain-wide access to the service account.

To create a new service account:

1. Navigate to the Google Cloud Console.
2. Create a new project or select an existing project.
3. At the left-hand navigation menu, select Credentials.
4. Select Create Credentials > Service account.
5. On the Create service account page, enter the service account name, ID, and an optional description.
6. Click DONE. The Cloud Console redisplays the Credentials page.
7. In the Service Accounts section, select the service account you just created.
8. Click the Advanced Settings section and enable Domain-Wide Delegation.
9. Record the Client ID shown for domain-wide delegation. You'll use this in the Admin Console.
10. In a new tab, navigate to the Google Admin Console.
11. Go to Security > API Controls > Domain-Wide Delegation.
12. Click Manage Domain-Wide Delegation, then Add new.
13. Enter the recorded Client ID and the list of required scopes. See OAuth Scopes and Endpoints for more details.
14. Back in the Cloud Console, select the KEYS tab for the service account.
15. Click ADD KEY > Create new key.
16. Select a supported key type (see OAuthJWTCert and OAuthJWTCertType).
17. Click CREATE. The key is automatically downloaded to your device.
18. Record the additional information for later use.

In the service account flow, the Cloud exchanges a JSON Web Token (JWT) for the OAuthAccessToken. The private key downloaded in the steps above is used to sign the JWT. The Cloud inherits the permissions granted to the service account, including any scopes configured through domain-wide delegation.

Authenticating to HTTP(S)

The Cloud generically supports connecting to SAS Data Sets data stored on HTTP(S) streams.

Several authentication methods, such as user/password, digest access, OAuth, OAuthJWT, and OAuth PASSWORD flow are supported.

You can also connect to streams that have no authentication set up.

No Authentication

Connect to an HTTP(S) stream with no authentication by setting the AuthScheme connection property to None.

Basic

Set the following to connect:

• AuthScheme: Set this to Basic.
• User: Set this to the username associated with your HTTP(S) stream.
• Password: Set this to the password associated with your HTTP(S) stream.

Digest

Set the following to connect:

• AuthScheme: Set this to Digest.
• User: Set this to the username associated with your HTTP(S) stream.
• Password: Set this to the password associated with your HTTP(S) stream.

OAuth

Set the AuthScheme to OAuth.

OAuth requires the authenticating user to interact with SAS Data Sets using the browser. The Cloud facilitates this in various ways as described in the following sections.

Before following the procedures below, you need to register an OAuth app with the service containing the SAS Data Sets data you want to work with.

Creating a custom application in most services requires registering as a developer and creating an app in the UI of the service.

This is not necessarily true for all services. In some you must contact the service provider to create the app for you. However it is done, you must obtain the values for OAuthClientId, OAuthClientSecret, and CallbackURL.

OAuth JWT

Set AuthScheme to OAuthJWT.

The Cloud supports using JWT as an authorization grant in situations where a user cannot perform an interactive sign-on. After setting the following connection properties, you are ready to connect:

• OAuthVersion: Set this to 2.0.
• OAuthAccessTokenURL: Set this to the URL where the JWT is exchanged for an access token.
• OAuthJWTCert: Set this to the certificate you want to use. In most cases this will be a path to a PEM or PFX file.
• OAuthJWTCertType: Set this to the correct certificate type. In most cases this will either PEMKEY_FILE or PFXFILE.
• OAuthJWTCertPassword: If the certificate is encrypted, set this to the encryption password.
• OAuthJWTIssuer: Set this to the issuer. This corresponds to the iss field in the JWT.

Note that the JWT signature algorithm cannot be set directly. The Cloud only supports the RS256 algorithm.

The Cloud will then construct a JWT including the following fields, and submit it to OAuthAccessTokenURL for an access token.

• scope This will come from Scope if it is provided.
• aud This will come from OAuthJWTAudience if it is provided.
• iss This will come from OAuthJWTIssuer.
• iat This is the time when the JWT is generated.
• exp This is the value of iat plus the value of OAuthJWTValidityTime.
• sub This will come from OAuthJWTSubject if it is provided.

OAuthPassword

AuthScheme: Set this to OAuthPassword.

OAuth requires the authenticating user to interact with SAS Data Sets using the browser. The Cloud facilitates this in various ways as described in the following sections.

Before following the procedures below, you need to register an OAuth app with the service containing the SAS Data Sets data you want to work with.

Creating a custom application in most services requires registering as a developer and creating an app in the UI of the service.

This is not necessarily true for all services. In some you must contact the service provider to create the app for you. However it is done, you must obtain the values for OAuthClientId, OAuthClientSecret, and CallbackURL.

After setting the following connection properties, you are ready to connect:

• OAuthVersion: Set this to the OAuth Version, either 1.0 or 2.0.
• OAuthRequestTokenURL: Required for OAuth 1.0. In OAuth 1.0, this is the URL where the app makes a request for the request token.
• OAuthAuthorizationURL: Required for OAuth 1.0 and 2.0. This is the URL where the user logs into the service and grants permissions to the application. In OAuth 1.0, if permissions are granted, the request token is authorized.
• OAuthAccessTokenURL: Required for OAuth 1.0 and 2.0. This is the URL where the request for the access token is made. In OAuth 1.0, the authorized request token is exchanged for the access token.
• OAuthRefreshTokenURL: Required for OAuth 2.0. In OAuth 2.0, this is the URL where the refresh token is exchanged for a new access token when the old one expires. Note that for your data source this may be the same as the access token URL.
• OAuthClientId: Set this to the client Id in your app settings. This may also be called the consumer key.
• OAuthClientSecret: Set this to the client secret in your app settings. This may also be called the consumer secret.
• CallbackURL: Set this to http://localhost:33333. If you specified a redirect URL in your app settings, this must match.

When you connect, the Cloud opens the OAuth endpoint in your default browser. Log in and grant permissions to the application. The Cloud then completes the OAuth process:

1. Extracts the access token from the callback URL and authenticates requests.
2. Refreshes the access token when it expires.
3. Saves OAuth values to be persisted across connections.

Before You Connect

Register a New Instance of Cloud Object Storage

If you do not already have Cloud Object Storage in your IBM Cloud account, you can follow the procedure below to install an instance of SQL Query in your account:

1. Log in to your IBM Cloud account.
2. Navigate to the Cloud Object Storage page, choose a name for your instance and click Create. You will be redirected to the instance of Cloud Object Storage you just created.

API Key

To connect with IBM Cloud Object Storage, you will need an ApiKey. You can obtain this as follows:

1. Log in to your IBM Cloud account.
2. Navigate to the Platform API Keys page.
3. On the middle-right corner click Create an IBM Cloud API Key to create a new API Key.
4. In the pop-up window, specify the API Key name and click Create. Note the ApiKey as you can never access it again from the dashboard.

Connecting to IBM Cloud Object Storage

Set Region to to your IBM instance region.

Authenticating to IBM Cloud Object Storage

You can authenticate to IBM Cloud Object Storage using either IAMSecretKey, or OAuth authentication.

IAMSecretKey

Set the following properties to authenticate:

• AccessKey: Set this to an IBM Access Key (a username).
• SecretKey: Set this to an IBM Secret Key.

For example:

ConnectionType=IBM Object Storage Source;URI=ibmobjectstorage://bucket1/folder1; AccessKey=token1; SecretKey=secret1; Region=eu-gb;

OAuth

Set the following to authenticate using OAuth authentication.

• AuthScheme: Set this to OAuth.
• ApiKey: Set this to the IBM API Key noted during setup.

For example:

ConnectionType=IBM Object Storage Source;URI=ibmobjectstorage://bucket1/folder1; ApiKey=key1; Region=eu-gb; AuthScheme=OAuth; InitiateOAuth=GETANDREFRESH;

When you connect, the Cloud completes the OAuth process.

Connecting to OneDrive

You can connect to OneDrive using an AzureAD user, with MSI authentication, or using an Azure Service Principal.

AzureAD Users

AuthScheme must be set to AzureAD in all user account flows.

Azure Service Principal

The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

Create an AzureAD App and an Azure Service Principal

When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application.

1. Open the Subscriptions page by searching and selecting the Subscriptions service from the search bar.
2. Select the subscription to assign the application to.
3. Open the Access control (IAM) and select Add > Add role assignment to open the Add role assignment page.
4. Select Owner as the role to assign to your created Azure AD app.

Complete the Authentication Choose whether to use a client secret or a certificate and follow the relevant steps below.

Client Secret

Set these connection properties:

• AuthScheme: AzureServicePrincipal to use a client secret.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthClientId: The client Id in your application settings.
• OAuthClientSecret: The client secret in your application settings.

Certificate

Set these connection properties:

• AuthScheme: AzureServicePrincipalCert to use a certificate.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthJWTCert: The JWT Certificate store.
• OAuthJWTCertType: The type of the certificate store specified by OAuthJWTCert.

You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.

Azure MSI

If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.

There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.

When to Create a Custom Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting via either a Desktop Application or from a Headless Machine.

You may choose to use your own AzureAD Application Credentials when you want to

• control branding of the Authentication Dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

Custom AzureAD Applications

You can use a custom AzureAD application to authenticate a service account or a user account. You can always create a custom AzureAD application, but note that desktop and headless connections support embedded OAuth, which simplifies the process of authentication. See "Establishing a Connection" for information about using the embedded OAuth application.

Create a Custom AzureAD App

Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an application name and select the desired tenant setup. When creating a custom AzureAD application in Azure Active Directory, you can define whether the application is single- or multi-tenant. If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the CData Cloud. Otherwise, the authentication attempt fails with an error. If your application is for private use only, "Accounts in this organization directory only" should be sufficient. Otherwise, if you want to distribute your application, choose one of the multi-tenant options.
5. Set the redirect url to http://localhost:33333, the Cloud's default. Or, specify a different port and set CallbackURL to the exact reply URL you defined.
6. Click Register to register the new application. This opens an application management screen. Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
7. Navigate to the "Certificates & Secrets" and define the application authentication type. There are two types of authentication available: using a client secret or a certificate. The recommended authentication method is using a certificate.
   • Option 1: Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2: Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will need it as the OAuthClientSecret.
8. Select API Permissions > Add. If your application connects without a user context, select Application Permissions. If your application authenticates on behalf of a signed-in user, choose Delegated permissions.
9. Save your changes.
10. If you have selected to use permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page. Otherwise, follow the steps under "Admin Consent".

Custom AzureAD Service Principal Applications

When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.

Create a Custom AzureAD App with an Azure Service Principal

Follow the steps below to obtain the AzureAD values for your application.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an app name and select Any Azure AD Directory - Multi Tenant. Then set the redirect url to http://localhost:33333, the Cloud's default.
5. After creating the application, copy the Application (client) Id value displayed in the "Overview" section. This value is used as the OAuthClientId
6. Define the app authentication type by going to the "Certificates & Secrets" section. There are two types of authentication available: using a client secret and using a certificate. The recommended authentication method is via a certificate.
   • Option 1 - Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2 - Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will use it as the OAuthClientSecret.
7. On the Authentication tab, make sure to select Access tokens (used for implicit flows).

Authenticating to OneLake

You can authenticate to OneLake via AzureAD user, Azure MSI, or Azure Service Principal.

AzureAD User

AuthScheme must be set to AzureAD in all user account flows.

Azure Service Principal

The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

Create an AzureAD App and an Azure Service Principal

When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application.

1. Open the Subscriptions page by searching and selecting the Subscriptions service from the search bar.
2. Select the subscription to assign the application to.
3. Open the Access control (IAM) and select Add > Add role assignment to open the Add role assignment page.
4. Select Owner as the role to assign to your created Azure AD app.

Complete the Authentication Choose whether to use a client secret or a certificate and follow the relevant steps below.

Client Secret

Set these connection properties:

• AuthScheme: AzureServicePrincipal to use a client secret.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthClientId: The client Id in your application settings.
• OAuthClientSecret: The client secret in your application settings.

Certificate

Set these connection properties:

• AuthScheme: AzureServicePrincipalCert to use a certificate.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthJWTCert: The JWT Certificate store.
• OAuthJWTCertType: The type of the certificate store specified by OAuthJWTCert.

You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.

Azure MSI

If you are connecting from an Azure VM with permissions for Azure Data Lake Storage, set AuthScheme to AzureMSI.

There are two types of custom AzureAD applications: AzureAD and AzureAD with an Azure Service Principal. Both are OAuth-based.

When to Create a Custom Application

CData embeds OAuth Application Credentials with CData branding that can be used when connecting via either a Desktop Application or from a Headless Machine.

You may choose to use your own AzureAD Application Credentials when you want to

• control branding of the Authentication Dialog
• control the redirect URI that the application redirects the user to after the user authenticates
• customize the permissions that you are requesting from the user

Custom AzureAD Applications

You can use a custom AzureAD application to authenticate a service account or a user account. You can always create a custom AzureAD application, but note that desktop and headless connections support embedded OAuth, which simplifies the process of authentication. See "Establishing a Connection" for information about using the embedded OAuth application.

Create a Custom AzureAD App

Follow the steps below to obtain the AzureAD values for your application, the OAuthClientId and OAuthClientSecret.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an application name and select the desired tenant setup. When creating a custom AzureAD application in Azure Active Directory, you can define whether the application is single- or multi-tenant. If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the CData Cloud. Otherwise, the authentication attempt fails with an error. If your application is for private use only, "Accounts in this organization directory only" should be sufficient. Otherwise, if you want to distribute your application, choose one of the multi-tenant options.
5. Set the redirect url to http://localhost:33333, the Cloud's default. Or, specify a different port and set CallbackURL to the exact reply URL you defined.
6. Click Register to register the new application. This opens an application management screen. Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
7. Navigate to the "Certificates & Secrets" and define the application authentication type. There are two types of authentication available: using a client secret or a certificate. The recommended authentication method is using a certificate.
   • Option 1: Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2: Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will need it as the OAuthClientSecret.
8. Select API Permissions > Add a permission > Azure Storage > user_impersonation > Add permissions.
9. Save your changes.
10. If you have selected to use permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page. Otherwise, follow the steps under "Admin Consent".

Custom AzureAD Service Principal Applications

When authenticating using an Azure Service Principal, you must create both a custom AzureAD application and a service principal that can access the necessary resources. Follow the steps below to create a custom AzureAD application and obtain the connection properties for Azure Service Principal authentication.

Create a Custom AzureAD App with an Azure Service Principal

Follow the steps below to obtain the AzureAD values for your application.

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select All services. Filter and select App registrations.
3. Click New registrations.
4. Enter an app name and select Any Azure AD Directory - Multi Tenant. Then set the redirect url to http://localhost:33333, the Cloud's default.
5. After creating the application, copy the Application (client) Id value displayed in the "Overview" section. This value is used as the OAuthClientId
6. Define the app authentication type by going to the "Certificates & Secrets" section. There are two types of authentication available: using a client secret and using a certificate. The recommended authentication method is via a certificate.
   • Option 1 - Upload a certificate: In "Certificates & Secrets", select Upload certificate and the certificate to upload from your local machine.
   • Option 2 - Create a new application secret: In "Certificates & Secrets", select New Client Secret for the application and specify its duration. After saving the client secret, the key value is displayed. Copy this value as it is displayed only once. You will use it as the OAuthClientSecret.
7. On the Authentication tab, make sure to select Access tokens (used for implicit flows).

Add Service Principal to Workspace

Follow the steps below to add a service principal to a workspace.

1. Log in to Microsoft Fabric.
2. Click the gear icon (Settings) on the top right.
3. Select Admin portal.
4. In the left-hand navigation pane, select Tenant settings.
5. Scroll until you find Developer settings.
6. Expand Service principals can use Fabric APIs.
7. Enable the option.
8. Select Apply.
9. Select the workspace where you want to add your service principal.
10. Click Manage access.
11. Click Add people or groups.
12. Enter the name of your application (verify the ID if there are multiple applications with the same name).
13. Set the level of access you would like to grant to your application. Contributor is the lowest security level necessary to access OneLake via the API.
14. Select Add.

Connecting to SFTP

You can authenticate to SFTP using a user and password or an SSH certificate. Additionally, you can connect to an SFTP server that has no authentication enabled.

No Authentication

Set SSHAuthMode to None to connect without authentication, assuming your server supports doing so.

Password

Provide user credentials associated with your SFTP server:

• SSHAuthMode: Set this to Password.
• SSHUser: A username associated with your SFTP server.
• SSHPassword: The password associated with the user.

SSH Certificate

Set the following to connect.

• SSHAuthMode: Set this to Public_Key.
• SSHClientCert: Specify the SSH certificate in the form specified by SSHClientCertType (see the associated documentation for this connection property).
• SSHClientCertType: The type of the key store specified in SSHClientCert.
• SSHClientCertPassword (optional): The certificate store password.
• SSHClientCertSubject (optional): If there are multiple keys in your key store, specify the desired key, by name, here.

Connecting to SharePoint Online (REST)

The following authentication schemes are supported for the REST API:

• AzureAD
• MSI
• AzureServicePrincipal

AzureAD

Azure Active Directory (AzureAD) is a connection type that leverages OAuth to authenticate. OAuth requires the authenticating user to interact with SAS Data Sets using an internet browser. The driver facilitates this in several ways as described below. Set your AuthScheme to AzureAD. The AzureAD flows described below assume that you have done so.

Your organization may require Admin Consent when authorizing a new AzureAD application for your Azure Tenant. In all AzureAD flows, any initial installation and use of an AzureAD application requires that an administrator approve the application for their Azure Tenant.

Azure Service Principal

The authentication as an Azure Service Principal is handled via the OAuth Client Credentials flow. It does not involve direct user authentication. Instead, credentials are created for just the application itself. All tasks taken by the application are done without a default user context, but based on the assigned roles. The application access to the resources is controlled through the assigned roles' permissions.

Create an AzureAD App and an Azure Service Principal

When authenticating using an Azure Service Principal, you must create and register an Azure AD application with an Azure AD tenant. See Creating an Entra ID (Azure AD) Application for more details.

In your App Registration in portal.azure.com, navigate to API Permissions and select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application.

1. Open the Subscriptions page by searching and selecting the Subscriptions service from the search bar.
2. Select the subscription to assign the application to.
3. Open the Access control (IAM) and select Add > Add role assignment to open the Add role assignment page.
4. Select Owner as the role to assign to your created Azure AD app.

Complete the Authentication Choose whether to use a client secret or a certificate and follow the relevant steps below.

Client Secret

Set these connection properties:

• AuthScheme: AzureServicePrincipal to use a client secret.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthClientId: The client Id in your application settings.
• OAuthClientSecret: The client secret in your application settings.

Certificate

Set these connection properties:

• AuthScheme: AzureServicePrincipalCert to use a certificate.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.
• AzureTenant: The tenant you want to connect to.
• OAuthJWTCert: The JWT Certificate store.
• OAuthJWTCertType: The type of the certificate store specified by OAuthJWTCert.

You are now ready to connect. Authentication with client credentials takes place automatically like any other connection, except there is no window opened prompting the user. Because there is no user context, there is no need for a browser popup. Connections take place and are handled internally.

MSI

If you are running SAS Data Sets on an Azure VM, you can leverage Managed Service Identity (MSI) credentials to connect:

• AuthScheme: Set this to AzureMSI.

The MSI credentials are automatically obtained for authentication.

Azure Service Principal

When authenticating using an Azure Service Principal, you must register an application with an Azure AD tenant.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application.

1. Open the Subscriptions page by searching and selecting the Subscriptions service from the search bar.
2. Select the particular subscription to assign the application to.
3. Open the Access control (IAM) and select Add > Add role assignment to open the Add role assignment page.
4. Select Owner as the role to assign to your created Azure AD app.

Authenticate with an Azure Service Principal

You are ready to connect after setting one of the below connection properties groups, depending on the configured app authentication (client secret or certificate).

Before choosing client secret or certicate authentication, set the following:

• AzureTenant: Set this to the tenant you wish to connect to.
• OAuthClientId: Set this to the client Id in your app settings.

Option 1: Authenticating using a Client Secret

Set the following to authenticate with a client secret:

• AuthScheme: Set this to the AzureServicePrincipal in your app settings.
• OAuthClientId: Set this to the client Id in your app settings.
• OAuthClientSecret: Set this to the client secret in your app settings.

Option 2: Authenticating using a JWT Certificate

Set the following to authenticate with a JWT Certificate:

• AuthScheme: Set this to the AzureServicePrincipal in your app settings.
• OAuthJWTCert: Set this to the JWT Certificate store.
• OAuthJWTCertType: Set this to the type of the certificate store specified by OAuthJWTCert.

Connecting to SharePoint Online (SOAP)

The following authentications are supported for the SOAP API:

• User Credentials
• ADFS
• Okta
• OneLogin

User Credentials

ADFS

Set the AuthScheme to ADFS. You need to set the following connection properties:

• User: Set this to the ADFS user.
• Password: Set this to ADFS password for the user.
• SSOLoginURL: Set this to the base URL for your ADFS server.

Below is an example connection string:

AuthScheme=ADFS;User=ADFSUserName;Password=ADFSPassword;URL='http://sharepointserver/mysite';

Okta

Set the AuthScheme to Okta. The following connection properties are used to connect to Okta:

• User: Set this to the Okta user.
• Password: Set this to Okta password for the user.
• SSOLoginURL: Set this to your Okta applications's embed link.

The following is an example connection string:

AuthScheme=Okta;User=oktaUserName;Password=oktaPassword;URL='http://sharepointserver/mysite';

OneLogin

Set the AuthScheme to OneLogin. The following connection properties are used to connect to OneLogin:

• User: Set this to the OneLogin user.
• Password: Set this to OneLogin password for the user.

The following is an example connection string:

AuthScheme=OneLogin;User=OneLoginUserName;Password=OneLoginPassword;URL='http://sharepointserver/mysite';

Connecting to SharePoint On Premise

The following authentication schemes are supported:

• User Credentials
• ADFS
• NTLM

User Credentials

Set the AuthScheme to Basic. You need to set the following connection properties:

• User: Set this to the SharePoint user.
• Password: Set this to SharePoint password for the user.

Below is an example connection string:

AuthScheme=Basic;User=yourUserName;Password=yourPassword;URL='http://sharepointserver/mysite';SharePointEdition=SharePointOnPremise;

ADFS

Set the AuthScheme to ADFS. You need to set the following connection properties:

• User: Set this to the ADFS user.
• Password: Set this to ADFS password for the user.
• SSOLoginURL: Set this to the base URL for your ADFS server.

Below is an example connection string:

AuthScheme=ADFS;User=ADFSUserName;Password=ADFSPassword;URL='http://sharepointserver/mysite';SharePointEdition=SharePointOnPremise;

NTLM

Set the AuthScheme to NTLM. The following connection properties are used to connect to NTLM:

• User: Set this to the NTLM user.
• Password: Set this to NTLM password for the user.

The following is an example connection string:

AuthScheme=NTLM;User=NtlmUsername;Password=NtlmPassword;SharePointEdition=SharePointOnPremise;ConnectionType='SharePoint SOAP';URI='sp://Documents/';StorageBaseURL=http://sharePointServer/;

AuthScheme=NTLM;User=NtlmUsername;Password=NtlmPassword;SharePointEdition=SharePointOnPremise;ConnectionType='SharePoint SOAP';URI='sp://Documents/mycars.SAS';StorageBaseURL=http://sharePointServer/;

Authenticating with SSO

Service provider	Okta	OneLogin	ADFS	AzureAD
Amazon S3	Y		Y	Y
Azure Blob Storage
Azure Data Lake Store Gen1
Azure Data Lake Store Gen2
Azure Data Lake Store Gen2 with SSL
Google Drive
OneDrive
Box
Dropbox
SharePoint Online SOAP	Y	Y	Y
SharePoint Online REST
Wasabi
Google Cloud Storage
Oracle Cloud Storage
Azure File

AzureAD

Azure AD Configuration

The main theme behind this configuration is the OAuth 2.0 On-Behalf-Of flow. It requires two Azure AD applications:

1. An application used for the single sign-on process to a specific service provider.
   • Amazon S3: Please follow this link for detailed instructions on how to create this application. Make sure you test the connection and you are able to login to the AWS console from Azure AD.

     Save the step "Assign the Azure AD test user" until after provisioning so that you can select the AWS roles when assigning the user.

2. A "connector" application with user_impersonation permission on the SSO application you created in the previous step. Go to Azure Active Directory > App registrations and register a new application. After you register this application, you need to allow it to make API calls to the SSO application. Go to the API permissions section of the app you registered and click the "Add a permission" box. Select the API of your SSO application by specifying the API name or Application Id and add the user_impersonation permission.

CData Driver Common Properties

The following SSOProperties are needed to authenticate to Azure Active Directory and must be specified for every service provider.

• Resource: The application Id URI of the SSO application, listed in the Overview section of the app registration.
• Tenant: The Id of the Azure AD tenant where the applications are registered. You can find this value using the instructions found here.

We will retrieve the SSO SAML response from an OAuth 2.0 On-Behalf-Of flow so the following OAuth connection properties must be specified:

• OAuthClientId: The application Id of the connector application, listed in the Overview section of the app registration.
• OAuthClientSecret: The client secret value of the connector application. Azure AD displays this when you create a new client secret (Certificates & secrets section).

Amazon S3

In addition to the common properties, the following properties must be specified when connecting to Amazon S3 service provider:

• AuthScheme: Set the AuthScheme to AzureAD.
• AWSRoleARN: The ARN of the IAM role. Find this on the Summary page of the IAM role.
• AWSPrincipalARN: The ARN of the identity provider. Find this on the identity provider's summary page.

The following is an example connection string:

AuthScheme=AzureAD;InitiateOAuth=GETANDREFRESH;OAuthClientId=d593a1d-ad89-4457-872d-8d7443aaa655;OauthClientSecret=g9-oy5D_rl9YEKfN-45~3Wm8FgVa2F;SSOProperties='Tenant=94be7-edb4-4fda-ab12-95bfc22b232f;Resource=https://signin.aws.amazon.com/saml;';AWSRoleARN=arn:aws:iam::2153385180:role/AWS_AzureAD;AWSPrincipalARN=arn:aws:iam::215515180:saml-provider/AzureAD;

OneLogin

OneLogin Configuration

You must create an application used for the single sign-on process to a specific provider.

• Sharepoint SOAP: Please follow this link for detailed instructions on how to create this application. Make sure you test the connection and you are able to login to Office 365 from OneLogin. Make sure you have enabled WS-TRUST in your application. Otherwise, the CData driver will not be able to connect.

Sharepoint SOAP

The following properties must be specified when connecting to Sharepoint SOAP service provider:

• AuthScheme: Set the AuthScheme to OneLogin.
• User: The username of the OneLogin account.
• Password: The password of the OneLogin account.
• SSOProperties:
  • Domain (optional): It may be required to be set this property if the domain configured on the SSO domain is different than the domain of the User.

The following is an example connection string:

AuthScheme='OneLogin';User=test;Password=test;SSOProperties='Domain=test.cdata;';

Okta

Okta Configuration

You must create an application used for the single sign-on process to a specific provider.

• Sharepoint SOAP: Please follow this link for detailed instructions on how to create this application and configure SSO. Make sure you test the connection and you are able to login to Office 365 from Okta. Make sure you have configured SSO using WS-Federation in your application. Otherwise, the CData driver will not be able to connect.
• Amazon S3: Please follow this link for detailed instructions on how to create this application and configure SSO. Make sure you test the connection and you are able to login to AWS from Okta. Make sure you have configured SSO with SAML 2.0 in your application. Otherwise, the CData driver will not be able to connect. Ensure that the assigned AWS role in the Okta app has access to the S3 bucket you want to connect.

Sharepoint SOAP

The following properties must be specified when connecting to Sharepoint SOAP service provider:

• AuthScheme: Set the AuthScheme to Okta.
• User: The username of the Okta account.
• Password: The password of the Okta account.
• SSOProperties:
  • Domain (optional): It may be required to be set this property if the domain configured on the SSO domain is different than the domain of the User.

The following is an example connection string:

AuthScheme='Okta';User=test;Password=test;SSOProperties='Domain=test.cdata;';

Amazon S3

The following properties must be specified when connecting to an Amazon S3 service provider:

• AuthScheme: Set the AuthScheme to Okta.
• User: The username of the Okta account.
• Password: The password of the Okta account.
• SSOLoginURL: Set this to the embedded URL of your AWS Okta SSO app.
• AWSRoleARN (optional): The ARN of the IAM role. Find this on the Summary page of the IAM role.
• AWSPrincipalARN (optional): The ARN of the identity provider. Find this on the identity provider's summary page.
• SSOProperties:
  • APIToken (optional): Set this to the API Token that the customer created from the Okta org. It should be used when authenticating a user via a trusted application or proxy that overrides Okta client request context.

The following is an example connection string:

AuthScheme=Okta;User=OktaUser;Password=OktaPassword;SSOLoginURL='https://{subdomain}.okta.com/home/amazon_aws/0oan2hZLgQiy5d6/272';

ADFS

ADFS Configuration

You must create an application used for the single sign-on process to a specific provider.

• Sharepoint SOAP: Please follow this link for detailed instructions on how to set up ADFS for Office 365 for Single Sign-On. Make sure you test the connection and you are able to login to Office 365 from ADFS.
• Amazon S3: Please follow this link for detailed instructions on how to set up ADFS for AWS Single Sign-On. Make sure you test the connection and you are able to login to AWS from ADFS.

Sharepoint SOAP

The following properties must be specified when connecting to a Sharepoint SOAP service provider:

• AuthScheme: Set the AuthScheme to ADFS.
• User: The username of the ADFS account.
• Password: The password of the ADFS account.
• SSOProperties:
  • Domain (optional): It may be required to be set this property if the domain configured on the SSO domain is different than the domain of the User.

The following is an example connection string:

AuthScheme='ADFS';User=test;Password=test;SSOProperties='Domain=test.cdata;';

Amazon S3

The following properties must be specified when connecting to a Sharepoint SOAP service provider:

• AuthScheme: Set the AuthScheme to ADFS.
• SSOLoginURL: Set this to the URL of your ADFS instance.
• User: The username of the ADFS account.
• Password: The password of the ADFS account.
• AWSRoleARN (optional): The ARN of the IAM role. Find this on the Summary page of the IAM role.
• AWSPrincipalARN (optional): The ARN of the identity provider. Find this on the identity provider's summary page.

The following is an example connection string:

AuthScheme=ADFS;User=username;Password=password;SSOLoginURL='https://sts.company.com';

ADFS Integrated

The ADFS Integrated flow indicates you are connecting with the currently logged in Windows user credentials. To use the ADFS Integrated flow, simply do not specify the User and Password, but otherwise follow the same steps in the ADFS guide above.

Kerberos

To authenticate to SAS Data Sets with Kerberos, set AuthScheme to NEGOTIATE.

Authenticating to SAS Data Sets via Kerberos requires you to define authentication properties and to choose how Kerberos should retrieve authentication tickets.

Retrieve Kerberos Tickets

Kerberos tickets are used to authenticate the requester's identity. The use of tickets instead of formal logins/passwords eliminates the need to store passwords locally or send them over a network. Users are reauthenticated (tickets are refreshed) whenever they log in at their local computer or enter kinit USER at the command prompt.

The Cloud provides three ways to retrieve the required Kerberos ticket, depending on whether or not the KRB5CCNAME and/or KerberosKeytabFile variables exist in your environment.

MIT Kerberos Credential Cache File

This option enables you to use the MIT Kerberos Ticket Manager or kinit command to get tickets. With this option there is no need to set the User or Password connection properties.

This option requires that KRB5CCNAME has been created in your system.

To enable ticket retrieval via MIT Kerberos Credential Cache Files:

1. Ensure that the KRB5CCNAME variable is present in your environment.
2. Set KRB5CCNAME to a path that points to your credential cache file. (For example, C:\krb_cache\krb5cc_0 or /tmp/krb5cc_0.) The credential cache file is created when you use the MIT Kerberos Ticket Manager to generate your ticket.
3. To obtain a ticket:
   1. Open the MIT Kerberos Ticket Manager application.
   2. Click Get Ticket.
   3. Enter your principal name and password.
   4. Click OK.

   If the ticket is successfully obtained, the ticket information appears in Kerberos Ticket Manager and is stored in the credential cache file.

The Cloud uses the cache file to obtain the Kerberos ticket to connect to SAS Data Sets.

Note: If you would prefer not to edit KRB5CCNAME, you can use the KerberosTicketCache property to set the file path manually. After this is set, the Cloud uses the specified cache file to obtain the Kerberos ticket to connect to SAS Data Sets.

Keytab File

If your environment lacks the KRB5CCNAME environment variable, you can retrieve a Kerberos ticket using a Keytab File.

To use this method, set the User property to the desired username, and set the KerberosKeytabFile property to a file path pointing to the keytab file associated with the user.

User and Password

If your environment lacks the KRB5CCNAME environment variable and the KerberosKeytabFile property has not been set, you can retrieve a ticket using a user and password combination.

To use this method, set the User and Password properties to the user/password combination that you use to authenticate with SAS Data Sets.

Enabling Cross-Realm Authentication

More complex Kerberos environments can require cross-realm authentication where multiple realms and KDC servers are used. For example, they might use one realm/KDC for user authentication, and another realm/KDC for obtaining the service ticket.

To enable this kind of cross-realm authentication, set the KerberosRealm and KerberosKDC properties to the values required for user authentication. Also, set the KerberosServiceRealm and KerberosServiceKDC properties to the values required to obtain the service ticket.

Stored procedures are function-like interfaces that extend the functionality of the Cloud beyond simple SELECT/INSERT operations with SAS Data Sets.

Stored procedures accept a list of parameters, perform their intended function, and then return any relevant response data from SAS Data Sets, along with an indication of whether the procedure succeeded or failed.

CData Cloud - SAS Data Sets Stored Procedures

Name	Description
DeleteFile	Delete a file from a local or cloud storage.

Delete a file from a local or cloud storage.

Procedure-Specific Information

The Path input accepts paths relative to the URI provided in the connection string.

If URI is set to: gs://test-bucket/folder2 and Path='file1.txt', the file /folder2/file1.txt will be deleted.

The procedure is executed as below:

    EXEC DeleteFile Path='/hello-cdata.txt'

Input

Name	Type	Description
Path	String	The full path of the file to delete. Relative to the path provided in the URI connection property.

Result Set Columns

Name	Type	Description
Success	Bool	Boolean indicating if the procedure was executed successfully. If false, the output parameter 'Details' will contain the failure details.
Details	String	Details of execution failure. NULL if success=true.

You can query the system tables described in this section to access schema information, information on data source functionality, and batch operation statistics.

Schema Tables

The following tables return database metadata for SAS Data Sets:

• sys_catalogs: Lists the available databases.
• sys_schemas: Lists the available schemas.
• sys_tables: Lists the available tables and views.
• sys_tablecolumns: Describes the columns of the available tables and views.
• sys_procedures: Describes the available stored procedures.
• sys_procedureparameters: Describes stored procedure parameters.
• sys_keycolumns: Describes the primary and foreign keys.
• sys_indexes: Describes the available indexes.

Data Source Tables

The following tables return information about how to connect to and query the data source:

• sys_connection_props: Returns information on the available connection properties.
• sys_sqlinfo: Describes the SELECT queries that the Cloud can offload to the data source.

Query Information Tables

The following table returns query statistics for data modification queries, including batch operations::

• sys_identity: Returns information about batch operations or single updates.

Lists the available databases.

The following query retrieves all databases determined by the connection string:

SELECT * FROM sys_catalogs

Columns

Name	Type	Description
CatalogName	String	The database name.

Lists the available schemas.

The following query retrieves all available schemas:

          SELECT * FROM sys_schemas
          

Columns

Name	Type	Description
CatalogName	String	The database name.
SchemaName	String	The schema name.

Lists the available tables.

The following query retrieves the available tables and views:

          SELECT * FROM sys_tables
          

Columns

Name	Type	Description
CatalogName	String	The database containing the table or view.
SchemaName	String	The schema containing the table or view.
TableName	String	The name of the table or view.
TableType	String	The table type (table or view).
Description	String	A description of the table or view.
IsUpdateable	Boolean	Whether the table can be updated.

Describes the columns of the available tables and views.

The following query returns the columns and data types for the Account table:

SELECT ColumnName, DataTypeName FROM sys_tablecolumns WHERE TableName='Account' 

Columns

Name	Type	Description
CatalogName	String	The name of the database containing the table or view.
SchemaName	String	The schema containing the table or view.
TableName	String	The name of the table or view containing the column.
ColumnName	String	The column name.
DataTypeName	String	The data type name.
DataType	Int32	An integer indicating the data type. This value is determined at run time based on the environment.
Length	Int32	The storage size of the column.
DisplaySize	Int32	The designated column's normal maximum width in characters.
NumericPrecision	Int32	The maximum number of digits in numeric data. The column length in characters for character and date-time data.
NumericScale	Int32	The column scale or number of digits to the right of the decimal point.
IsNullable	Boolean	Whether the column can contain null.
Description	String	A brief description of the column.
Ordinal	Int32	The sequence number of the column.
IsAutoIncrement	String	Whether the column value is assigned in fixed increments.
IsGeneratedColumn	String	Whether the column is generated.
IsHidden	Boolean	Whether the column is hidden.
IsArray	Boolean	Whether the column is an array.
IsReadOnly	Boolean	Whether the column is read-only.
IsKey	Boolean	Indicates whether a field returned from sys_tablecolumns is the primary key of the table.
ColumnType	String	The role or classification of the column in the schema. Possible values include SYSTEM, LINKEDCOLUMN, NAVIGATIONKEY, REFERENCECOLUMN, and NAVIGATIONPARENTCOLUMN.

Lists the available stored procedures.

The following query retrieves the available stored procedures:

          SELECT * FROM sys_procedures
          

Columns

Name	Type	Description
CatalogName	String	The database containing the stored procedure.
SchemaName	String	The schema containing the stored procedure.
ProcedureName	String	The name of the stored procedure.
Description	String	A description of the stored procedure.
ProcedureType	String	The type of the procedure, such as PROCEDURE or FUNCTION.

Describes stored procedure parameters.

The following query returns information about all of the input parameters for the SelectEntries stored procedure:

SELECT * FROM sys_procedureparameters WHERE ProcedureName = 'SelectEntries' AND Direction = 1 OR Direction = 2

To include result set columns in addition to the parameters, set the IncludeResultColumns pseudo column to True:

SELECT * FROM sys_procedureparameters WHERE ProcedureName = 'SelectEntries' AND IncludeResultColumns='True'

Columns

Name	Type	Description
CatalogName	String	The name of the database containing the stored procedure.
SchemaName	String	The name of the schema containing the stored procedure.
ProcedureName	String	The name of the stored procedure containing the parameter.
ColumnName	String	The name of the stored procedure parameter.
Direction	Int32	An integer corresponding to the type of the parameter: input (1), input/output (2), or output(4). input/output type parameters can be both input and output parameters.
DataType	Int32	An integer indicating the data type. This value is determined at run time based on the environment.
DataTypeName	String	The name of the data type.
NumericPrecision	Int32	The maximum precision for numeric data. The column length in characters for character and date-time data.
Length	Int32	The number of characters allowed for character data. The number of digits allowed for numeric data.
NumericScale	Int32	The number of digits to the right of the decimal point in numeric data.
IsNullable	Boolean	Whether the parameter can contain null.
IsRequired	Boolean	Whether the parameter is required for execution of the procedure.
IsArray	Boolean	Whether the parameter is an array.
Description	String	The description of the parameter.
Ordinal	Int32	The index of the parameter.
Values	String	The values you can set in this parameter are limited to those shown in this column. Possible values are comma-separated.
SupportsStreams	Boolean	Whether the parameter represents a file that you can pass as either a file path or a stream.
IsPath	Boolean	Whether the parameter is a target path for a schema creation operation.
Default	String	The value used for this parameter when no value is specified.
SpecificName	String	A label that, when multiple stored procedures have the same name, uniquely identifies each identically-named stored procedure. If there's only one procedure with a given name, its name is simply reflected here.
IsCDataProvided	Boolean	Whether the procedure is added/implemented by CData, as opposed to being a native SAS Data Sets procedure.

Pseudo-Columns

Name	Type	Description
IncludeResultColumns	Boolean	Whether the output should include columns from the result set in addition to parameters. Defaults to False.

Describes the primary and foreign keys.

The following query retrieves the primary key for the Account table:

         SELECT * FROM sys_keycolumns WHERE IsKey='True' AND TableName='Account' 
          

Columns

Name	Type	Description
CatalogName	String	The name of the database containing the key.
SchemaName	String	The name of the schema containing the key.
TableName	String	The name of the table containing the key.
ColumnName	String	The name of the key column.
IsKey	Boolean	Whether the column is a primary key in the table referenced in the TableName field.
IsForeignKey	Boolean	Whether the column is a foreign key referenced in the TableName field.
PrimaryKeyName	String	The name of the primary key.
ForeignKeyName	String	The name of the foreign key.
ReferencedCatalogName	String	The database containing the primary key.
ReferencedSchemaName	String	The schema containing the primary key.
ReferencedTableName	String	The table containing the primary key.
ReferencedColumnName	String	The column name of the primary key.

Describes the foreign keys.

The following query retrieves all foreign keys which refer to other tables:

         SELECT * FROM sys_foreignkeys WHERE ForeignKeyType = 'FOREIGNKEY_TYPE_IMPORT'
          

Columns

Name	Type	Description
CatalogName	String	The name of the database containing the key.
SchemaName	String	The name of the schema containing the key.
TableName	String	The name of the table containing the key.
ColumnName	String	The name of the key column.
PrimaryKeyName	String	The name of the primary key.
ForeignKeyName	String	The name of the foreign key.
ReferencedCatalogName	String	The database containing the primary key.
ReferencedSchemaName	String	The schema containing the primary key.
ReferencedTableName	String	The table containing the primary key.
ReferencedColumnName	String	The column name of the primary key.
ForeignKeyType	String	Designates whether the foreign key is an import (points to other tables) or export (referenced from other tables) key.

Describes the primary keys.

The following query retrieves the primary keys from all tables and views:

         SELECT * FROM sys_primarykeys
          

Columns

Name	Type	Description
CatalogName	String	The name of the database containing the key.
SchemaName	String	The name of the schema containing the key.
TableName	String	The name of the table containing the key.
ColumnName	String	The name of the key column.
KeySeq	String	The sequence number of the primary key.
KeyName	String	The name of the primary key.

Describes the available indexes. By filtering on indexes, you can write more selective queries with faster query response times.

The following query retrieves all indexes that are not primary keys:

          SELECT * FROM sys_indexes WHERE IsPrimary='false'
          

Columns

Name	Type	Description
CatalogName	String	The name of the database containing the index.
SchemaName	String	The name of the schema containing the index.
TableName	String	The name of the table containing the index.
IndexName	String	The index name.
ColumnName	String	The name of the column associated with the index.
IsUnique	Boolean	True if the index is unique. False otherwise.
IsPrimary	Boolean	True if the index is a primary key. False otherwise.
Type	Int16	An integer value corresponding to the index type: statistic (0), clustered (1), hashed (2), or other (3).
SortOrder	String	The sort order: A for ascending or D for descending.
OrdinalPosition	Int16	The sequence number of the column in the index.

Returns information on the available connection properties and those set in the connection string.

The following query retrieves all connection properties that have been set in the connection string or set through a default value:

SELECT * FROM sys_connection_props WHERE Value <> ''

Columns

Name	Type	Description
Name	String	The name of the connection property.
ShortDescription	String	A brief description.
Type	String	The data type of the connection property.
Default	String	The default value if one is not explicitly set.
Values	String	A comma-separated list of possible values. A validation error is thrown if another value is specified.
Value	String	The value you set or a preconfigured default.
Required	Boolean	Whether the property is required to connect.
Category	String	The category of the connection property.
IsSessionProperty	String	Whether the property is a session property, used to save information about the current connection.
Sensitivity	String	The sensitivity level of the property. This informs whether the property is obfuscated in logging and authentication forms.
PropertyName	String	A camel-cased truncated form of the connection property name.
Ordinal	Int32	The index of the parameter.
CatOrdinal	Int32	The index of the parameter category.
Hierarchy	String	Shows dependent properties associated that need to be set alongside this one.
Visible	Boolean	Informs whether the property is visible in the connection UI.
ETC	String	Various miscellaneous information about the property.

Describes the SELECT query processing that the Cloud can offload to the data source.

See SQL Compliance for SQL syntax details.

Discovering the Data Source's SELECT Capabilities

Below is an example data set of SQL capabilities. Some aspects of SELECT functionality are returned in a comma-separated list if supported; otherwise, the column contains NO.

Name	Description	Possible Values
AGGREGATE_FUNCTIONS	Supported aggregation functions.	AVG, COUNT, MAX, MIN, SUM, DISTINCT
COUNT	Whether COUNT function is supported.	YES, NO
IDENTIFIER_QUOTE_OPEN_CHAR	The opening character used to escape an identifier.	[
IDENTIFIER_QUOTE_CLOSE_CHAR	The closing character used to escape an identifier.	]
SUPPORTED_OPERATORS	A list of supported SQL operators.	=, >, <, >=, <=, <>, !=, LIKE, NOT LIKE, IN, NOT IN, IS NULL, IS NOT NULL, AND, OR
GROUP_BY	Whether GROUP BY is supported, and, if so, the degree of support.	NO, NO_RELATION, EQUALS_SELECT, SQL_GB_COLLATE
OJ_CAPABILITIES	The supported varieties of outer joins supported.	NO, LEFT, RIGHT, FULL, INNER, NOT_ORDERED, ALL_COMPARISON_OPS
OUTER_JOINS	Whether outer joins are supported.	YES, NO
SUBQUERIES	Whether subqueries are supported, and, if so, the degree of support.	NO, COMPARISON, EXISTS, IN, CORRELATED_SUBQUERIES, QUANTIFIED
STRING_FUNCTIONS	Supported string functions.	LENGTH, CHAR, LOCATE, REPLACE, SUBSTRING, RTRIM, LTRIM, RIGHT, LEFT, UCASE, SPACE, SOUNDEX, LCASE, CONCAT, ASCII, REPEAT, OCTET, BIT, POSITION, INSERT, TRIM, UPPER, REGEXP, LOWER, DIFFERENCE, CHARACTER, SUBSTR, STR, REVERSE, PLAN, UUIDTOSTR, TRANSLATE, TRAILING, TO, STUFF, STRTOUUID, STRING, SPLIT, SORTKEY, SIMILAR, REPLICATE, PATINDEX, LPAD, LEN, LEADING, KEY, INSTR, INSERTSTR, HTML, GRAPHICAL, CONVERT, COLLATION, CHARINDEX, BYTE
NUMERIC_FUNCTIONS	Supported numeric functions.	ABS, ACOS, ASIN, ATAN, ATAN2, CEILING, COS, COT, EXP, FLOOR, LOG, MOD, SIGN, SIN, SQRT, TAN, PI, RAND, DEGREES, LOG10, POWER, RADIANS, ROUND, TRUNCATE
TIMEDATE_FUNCTIONS	Supported date/time functions.	NOW, CURDATE, DAYOFMONTH, DAYOFWEEK, DAYOFYEAR, MONTH, QUARTER, WEEK, YEAR, CURTIME, HOUR, MINUTE, SECOND, TIMESTAMPADD, TIMESTAMPDIFF, DAYNAME, MONTHNAME, CURRENT_DATE, CURRENT_TIME, CURRENT_TIMESTAMP, EXTRACT
REPLICATION_SKIP_TABLES	Indicates tables skipped during replication.
REPLICATION_TIMECHECK_COLUMNS	A string array containing a list of columns which will be used to check for (in the given order) to use as a modified column during replication.
IDENTIFIER_PATTERN	String value indicating what string is valid for an identifier.
SUPPORT_TRANSACTION	Indicates if the provider supports transactions such as commit and rollback.	YES, NO
DIALECT	Indicates the SQL dialect to use.
KEY_PROPERTIES	Indicates the properties which identify the uniform database.
SUPPORTS_MULTIPLE_SCHEMAS	Indicates if multiple schemas may exist for the provider.	YES, NO
SUPPORTS_MULTIPLE_CATALOGS	Indicates if multiple catalogs may exist for the provider.	YES, NO
DATASYNCVERSION	The CData Data Sync version needed to access this driver.	Standard, Starter, Professional, Enterprise
DATASYNCCATEGORY	The CData Data Sync category of this driver.	Source, Destination, Cloud Destination
SUPPORTSENHANCEDSQL	Whether enhanced SQL functionality beyond what is offered by the API is supported.	TRUE, FALSE
SUPPORTS_BATCH_OPERATIONS	Whether batch operations are supported.	YES, NO
SQL_CAP	All supported SQL capabilities for this driver.	SELECT, INSERT, DELETE, UPDATE, TRANSACTIONS, ORDERBY, OAUTH, ASSIGNEDID, LIMIT, LIKE, BULKINSERT, COUNT, BULKDELETE, BULKUPDATE, GROUPBY, HAVING, AGGS, OFFSET, REPLICATE, COUNTDISTINCT, JOINS, DROP, CREATE, DISTINCT, INNERJOINS, SUBQUERIES, ALTER, MULTIPLESCHEMAS, GROUPBYNORELATION, OUTERJOINS, UNIONALL, UNION, UPSERT, GETDELETED, CROSSJOINS, GROUPBYCOLLATE, MULTIPLECATS, FULLOUTERJOIN, MERGE, JSONEXTRACT, BULKUPSERT, SUM, SUBQUERIESFULL, MIN, MAX, JOINSFULL, XMLEXTRACT, AVG, MULTISTATEMENTS, FOREIGNKEYS, CASE, LEFTJOINS, COMMAJOINS, WITH, LITERALS, RENAME, NESTEDTABLES, EXECUTE, BATCH, BASIC, INDEX
PREFERRED_CACHE_OPTIONS	A string value specifies the preferred cacheOptions.
ENABLE_EF_ADVANCED_QUERY	Indicates if the driver directly supports advanced queries coming from Entity Framework. If not, queries will be handled client side.	YES, NO
PSEUDO_COLUMNS	A string array indicating the available pseudo columns.
MERGE_ALWAYS	If the value is true, The Merge Mode is forcibly executed in Data Sync.	TRUE, FALSE
REPLICATION_MIN_DATE_QUERY	A select query to return the replicate start datetime.
REPLICATION_MIN_FUNCTION	Allows a provider to specify the formula name to use for executing a server side min.
REPLICATION_START_DATE	Allows a provider to specify a replicate startdate.
REPLICATION_MAX_DATE_QUERY	A select query to return the replicate end datetime.
REPLICATION_MAX_FUNCTION	Allows a provider to specify the formula name to use for executing a server side max.
IGNORE_INTERVALS_ON_INITIAL_REPLICATE	A list of tables which will skip dividing the replicate into chunks on the initial replicate.
CHECKCACHE_USE_PARENTID	Indicates whether the CheckCache statement should be done against the parent key column.	TRUE, FALSE
CREATE_SCHEMA_PROCEDURES	Indicates stored procedures that can be used for generating schema files.

The following query retrieves the operators that can be used in the WHERE clause:

SELECT * FROM sys_sqlinfo WHERE Name = 'SUPPORTED_OPERATORS'

Note that individual tables may have different limitations or requirements on the WHERE clause; refer to the Data Model section for more information.

Columns

Name	Type	Description
NAME	String	A component of SQL syntax, or a capability that can be processed on the server.
VALUE	String	Detail on the supported SQL or SQL syntax.

Returns information about attempted modifications.

The following query retrieves the Ids of the modified rows in a batch operation:

         SELECT * FROM sys_identity
          

Columns

Name	Type	Description
Id	String	The database-generated Id returned from a data modification operation.
Batch	String	An identifier for the batch. 1 for a single operation.
Operation	String	The result of the operation in the batch: INSERTED, UPDATED, or DELETED.
Message	String	SUCCESS or an error message if the update in the batch failed.

Describes the available system information.

The following query retrieves all columns:

SELECT * FROM sys_information

Columns

Name	Type	Description
Product	String	The name of the product.
Version	String	The version number of the product.
Datasource	String	The name of the datasource the product connects to.
NodeId	String	The unique identifier of the machine where the product is installed.
HelpURL	String	The URL to the product's help documentation.
License	String	The license information for the product. (If this information is not available, the field may be left blank or marked as 'N/A'.)
Location	String	The file path location where the product's library is stored.
Environment	String	The version of the environment or rumtine the product is currently running under.
DataSyncVersion	String	The tier of CData Sync required to use this connector.
DataSyncCategory	String	The category of CData Sync functionality (e.g., Source, Destination).

The connection string properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure in the connection string for this provider. Click the links for further details.

For more information on establishing a connection, see Establishing a Connection.

Authentication

---

Property	Description
AuthScheme	The type of authentication to use when connecting to remote services.
AccessKey	The access key used to authenticate to SAS Data Sets. This value is accessible from your security credentials page.
SecretKey	Your account secret key. This value is accessible from your security credentials page.
ApiKey	The API Key used to identify the user to IBM Cloud.
User	The user account used to authenticate.
Password	The password used to authenticate the user.
SharePointEdition	The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise.
ImpersonateUserMode	Specify the type of the user impersonation. It should be whether the User mode or the Admin mode.

Connection

---

Property	Description
ConnectionType	Specifies the file storage service, server, or file access protocol through which your SAS Data Sets files are stored and retreived.
URI	The Uniform Resource Identifier (URI) for the SAS resource location.
Region	The hosting region for your S3-like Web Services.
OracleNamespace	The Oracle Cloud Object Storage namespace to use.
StorageBaseURL	Specifies the URL of a cloud storage service provider.
UseVirtualHosting	If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.
TestConnectionBehavior	Specifies the behavior of the test connection operation.
UseLakeFormation	When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.

AWS Authentication

---

Property	Description
AWSAccessKey	Specifies your AWS account access key. This value is accessible from your AWS security credentials page.
AWSSecretKey	Your AWS account secret key. This value is accessible from your AWS security credentials page.
AWSRoleARN	The Amazon Resource Name of the role to use when authenticating.
AWSPrincipalARN	The ARN of the SAML Identity provider in your AWS account.
AWSRegion	The hosting region for your Amazon Web Services.
AWSSessionToken	Your AWS session token.
AWSExternalId	A unique identifier that might be required when you assume a role in another account.
MFASerialNumber	The serial number of the MFA device if one is being used.
MFAToken	The temporary token available from your MFA device.
TemporaryTokenDuration	The amount of time (in seconds) a temporary token will last.
AWSWebIdentityToken	The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider.
ServerSideEncryption	When activated, file uploads into Amazon S3 buckets will be server-side encrypted.
SSEContext	A BASE64-encoded UTF-8 string holding JSON which represents a string-string (key-value) map.
SSEEnableS3BucketKeys	Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS.
SSEKey	A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption.

Azure Authentication

---

Property	Description
AzureStorageAccount	The name of your Azure storage account.
AzureAccessKey	The storage key associated with your Azure account.
AzureSharedAccessSignature	A shared access key signature that may be used for authentication.
AzureTenant	Identifies the SAS Data Sets tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com ) or its directory (tenant) ID.
AzureEnvironment	Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added.

Keycloak Authentication

---

Property	Description
KeycloakRealmURL	Specifies the full URL to the Keycloak server including the specific realm used for authentication and authorization.

SSO

---

Property	Description
SSOLoginURL	The identity provider's login URL.
SSOProperties	Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.
SSOExchangeURL	The URL used for consuming the SAML response and exchanging it for service specific credentials.

JWT OAuth

---

Property	Description
OAuthJWTCert	Supplies the name of the client certificate's JWT Certificate store.
OAuthJWTCertType	Identifies the type of key store containing the JWT Certificate.
OAuthJWTCertPassword	Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank.
OAuthJWTCertSubject	Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.
OAuthJWTSubject	The user subject for which the application is requesting delegated access.
OAuthJWTSubjectType	The SubType for the JWT authentication.
OAuthJWTPublicKeyId	The Id of the public key for JWT.

OAuth

---

Property	Description
OAuthClientId	Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication.
OAuthClientSecret	Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server. (Custom OAuth applications only.).
SubjectId	The user subject for which the application is requesting delegated access.
SubjectType	The Subject Type for the Client Credentials authentication.
Scope	Specifies the scope of the authenticating user's access to the application, to ensure they get appropriate access to data. If a custom OAuth application is needed, this is generally specified at the time the application is created.

SSL

---

Property	Description
SSLMode	The authentication mechanism to be used when connecting to the FTP or FTPS server.
SSLServerCert	Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

SSH

---

Property	Description
SSHAuthMode	The authentication method used when establishing an SSH Tunnel to the service.
SSHClientCert	A certificate to be used for authenticating the SSHUser.
SSHClientCertPassword	The password of the SSHClientCert key if it has one.
SSHClientCertSubject	The subject of the SSH client certificate.
SSHClientCertType	The type of SSHClientCert private key.
SSHUser	The SSH user.
SSHPassword	The SSH password.

Logging

---

Property	Description
Verbosity	Specifies the verbosity level of the log file, which controls the amount of detail logged. Supported values range from 1 to 5.

Schema

---

Property	Description
BrowsableSchemas	Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC .

Miscellaneous

---

Property	Description
AWSCertificate	The absolute path to the certificate file or the certificate content in PEM format encoded in base64.
AWSCertificatePassword	The password for the certificate if applicable, otherwise leave blank.
AWSCertificateType	The type of AWSCertificate .
AWSPrivateKey	The absolute path to the private key file or the private key content in PEM format encoded in base64.
AWSPrivateKeyPassword	The password for the private key if it is encrypted, otherwise leave blank.
AWSPrivateKeyType	The type of AWSPrivateKey .
AWSProfileARN	Profile to pull policies from.
AWSSessionDuration	Duration, in seconds, for the resulting session.
AWSTrustAnchorARN	Trust anchor to use for authentication.
Charset	Specifies the session character set for encoding and decoding character data transferred to and from the SAS Data Sets file. The default value is UTF-8.
ClientCulture	This property can be used to specify the format of data (e.g., currency values) that is accepted by the client application. This property can be used when the client application does not support the machine's culture settings. For example, Microsoft Access requires 'en-US'.
Culture	This setting can be used to specify culture settings that determine how the provider interprets certain data types that are passed into the provider. For example, setting Culture='de-DE' will output German formats even on an American machine.
DeleteDownloadedFiles	When set to true, the provider will delete parsed .sas7bdat files downloaded from cloud sources.
DirectoryRetrievalDepth	Limit the subfolders recursively scanned when IncludeSubdirectories is enabled.
ExcludeFiles	Comma-separated list of file extensions to exclude from the set of the files modeled as tables.
ExcludeStorageClasses	A comma seperated list of storage classes to ignore.
FolderId	The ID of a folder in Google Drive. If set, the resource location specified by the URI is relative to the Folder ID for all operations.
IncludeDropboxTeamResources	Indicates if you want to include Dropbox team files and folders.
IncludeFiles	Comma-separated list of file extensions to include into the set of the files modeled as tables.
IncludeItemsFromAllDrives	Whether Google Drive shared drive items should be included in results. If not present or set to false, then shared drive items are not returned.
IncludeSubdirectories	Whether to read files from nested folders. In the case of a name collision, table names are prefixed by the underscore-separated folder names.
MaxRows	Specifies the maximum number of rows returned for queries that do not include either aggregation or GROUP BY.
PseudoColumns	Specifies the pseudocolumns to expose as table columns, expressed as a string in the format 'TableName=ColumnName;TableName=ColumnName'.
TemporaryLocalFolder	The path, or URI, to the folder that is used to temporarily download SAS file(s).
ThrowsKeyNotFound	Specifies whether or not throws an exception if there is no rows updated.
Timeout	Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error.

This section provides a complete list of the Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AuthScheme	The type of authentication to use when connecting to remote services.
AccessKey	The access key used to authenticate to SAS Data Sets. This value is accessible from your security credentials page.
SecretKey	Your account secret key. This value is accessible from your security credentials page.
ApiKey	The API Key used to identify the user to IBM Cloud.
User	The user account used to authenticate.
Password	The password used to authenticate the user.
SharePointEdition	The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise.
ImpersonateUserMode	Specify the type of the user impersonation. It should be whether the User mode or the Admin mode.

The type of authentication to use when connecting to remote services.

Possible Values

AwsRootKeys, AwsEC2Roles, AwsIAMRoles, ADFS, Okta, PingFederate, AwsTempCredentials, AwsCredentialsFile, AzureAD, Keycloak, AzureMSI, AzureServicePrincipal, AzureServicePrincipalCert, AccessKey, AzureStorageSAS, IAMSecretKey, HMAC, OAuth, Basic, OneLogin, NTLM, SFTP, None, Negotiate, OAuthClient, OAuthJWT, OAuthPKCE, GCPInstanceAccount, Digest, OAuthPassword, NONE

Data Type

string

Default Value

"NONE"

Remarks

Amazon S3

The following options are available when ConnectionType is set to Amazon S3:

• AwsRootKeys: Set this to use the root user access key and secret. Useful for quickly testing, but production use cases are encouraged to use something with narrowed permissions.
• AwsEC2Roles: Set this to automatically use IAM Roles assigned to the EC2 machine the CData Cloud is currently running on.
• AwsIAMRoles: Set to use IAM Roles for the connection.
• ADFS: Set to use a single sign on connection with ADFS as the identify provider.
• OKTA: Set to use a single sign on connection with OKTA as the identify provider.
• PingFederate: Set to use a single sign on connection with PingFederate as the identify provider.
• AwsTempCredentials: Set this to leverage temporary security credentials alongside a session token to connect.
• AwsCredentialsFile: Set to use a credential file for authentication.
• AzureAD: Set to use a single sign on connection with AzureAD as the identify provider.
• Keycloak: Set to use a single sign on connection with Keycloak as the identify provider.

Azure Services

The following options are available when ConnectionType is set to Azure Blob Storage, Azure Data Lake Storage Gen1, Azure Data Lake Storage Gen2, Azure Data Lake Storage Gen2 SSL, or OneDrive:

• AzureAD: Set this to perform Azure Active Directory OAuth authentication.
• AzureMSI: Set this to automatically obtain Managed Service Identity credentials when running on an Azure VM.
• AzureServicePrincipal: Set this to authenticate as an Azure Service Principal.
• AzureServicePrincipalCert: Set this to authenticate as an Azure Service Principal using a Certificate.
• AccessKey: Set this to authenticate with the storage key associated with your SAS Data Sets account.
• AzureStorageSAS: Set this to authenticate with Shared Access Signature (SAS).

OneLake

The following options are available when ConnectionType is set to OneLake:

• AzureAD: Set this to perform Azure Active Directory OAuth authentication.
• AzureMSI: Set this to automatically obtain Managed Service Identity credentials when running on an Azure VM.
• AzureServicePrincipal: Set this to authenticate as an Azure Service Principal.
• AzureServicePrincipalCert: Set this to authenticate as an Azure Service Principal using a Certificate.

Azure Files

Only the following option is available when ConnectionType is set to Azure Files:

• AccessKey: Set this to authenticate with the storage key associated with your SAS Data Sets account.
• AzureStorageSAS: Set this to authenticate with Shared Access Signature (SAS).

Box

The following options are available when ConnectionType is set to Box:

• OAuth: Uses OAuth2 using a standard user account. OAuthVersion must be set to 2.0.
• OAuthClient: Uses OAuth2 with the client credentials grant type. OAuthClientId and OAuthClientSecret are the credentials. OAuthVersion must be set to 2.0.
• OAuthJWT: Uses OAuth2 with the JWT bearer grant type. OAuthJWTCertType and OAuthJWTCert determine what certificate the JWT is signed with. OAuthVersion must be set to 2.0.

Dropbox

Only the following option is available when ConnectionType is set to Dropbox:

OAuth: Uses OAuth2 with the authorization code grant type. OAuthVersion must be set to 2.0.

FTP(S)

Only the following option is available when ConnectionType is set to FTP or FTPS:

Basic: Basic user credentials (user/password).

Various Google Services

The following options are available when ConnectionType points Google Cloud Storage or Google Drive:

• OAuth: Uses OAuth2 using a standard user account. OAuthVersion must be set to 2.0.
• OAuthPKCE: Uses OAuth2 with the authorization code grant type and PKCE extension. OAuthVersion must be set to 2.0.
• OAuthJWT: Uses OAuth2 with the JWT bearer grant type. OAuthJWTCertType and OAuthJWTCert determine what certificate the JWT is signed with. OAuthVersion must be set to 2.0.
• GCPInstanceAccount: When running on a GCP virtual machine, the provider can authenticate using a service account tied to the virtual machine.

HDFS

The following options are available when ConnectionType is set to HDFS or HDFS Secure:

• None: No authentication is used.
• Negotiate: Kerberos authentication.

HTTP

The following options are available when ConnectionType is set to HTTP or HTTPS:

• None: No authentication is used.
• Basic: Basic user/password authentication.
• Digest: Uses HTTP Digest authentication with User and Password.
• OAuth: Uses either OAuth1 or OAuth2. OAuthVersion must be set to determine what version of OAuth is used.
  • Bearer Token authentication: AuthScheme=OAuth, InitiateOAuth=Off, and OAuthAccessToken=Bearer token value.
• OAuthJWT: Uses OAuth2 with the JWT bearer grant type. OAuthJWTCertType and OAuthJWTCert determine what certificate the JWT is signed with. OAuthVersion must be set to 2.0.
• OAuthPassword: Uses OAuth2 with the password grant type. User and Password are the credentials. OAuthVersion must be set to 2.0.
• OAuthClient: Uses OAuth2 with the client credentials grant type. OAuthClientId and OAuthClientSecret are the credentials. OAuthVersion must be set to 2.0.
• OAuthPKCE: Uses OAuth2 with the authorization code grant type and PKCE extension. OAuthClientId is the credential. OAuthVersion must be set to 2.0.

IBM Cloud Object Storage

The following options are also available when ConnectionType is set to IBM Object Storage Source:

• OAuth: Uses OAuth with the specific flow being determined by the InitiateOAuth. ApiKey must be set to successfully complete this flow.
• IAMSecretKey: Uses AccessKey and SecretKey to authenticate to IBM Cloud Object Storage.

Oracle Cloud Storage

Only the following option is available when ConnectionType is set to Oracle Cloud Storage:

IAMSecretKey: Uses AccessKey and SecretKey to authenticate to the Oracle Cloud Storage.

SFTP

When ConnectionType is set to SFTP, the Cloud sets AuthScheme to SFTP. When AuthScheme is set to SFTP, the precise authentication method is controlled using the SSHAuthMode property. See this property's documentation for further information.

SharePoint REST

The following options are also available when ConnectionType is set to SharePoint REST:

• AzureAD: Set this to perform Azure Active Directory OAuth authentication.
• AzureMSI: Set this to automatically obtain Managed Service Identity credentials when running on an Azure VM.
• AzureServicePrincipal: Set this to authenticate as an Azure Service Principal.
• AzureServicePrincipalCert: Set this to authenticate as an Azure Service Principal using a Certificate.

SharePoint SOAP

The following options are also available when ConnectionType is set to SharePoint SOAP:

• Basic: Use basic user/password credentials to authenticate.
• ADFS: Set to use a single sign on connection with ADFS as the identify provider.
• Okta: Set to use a single sign on connection with OKTA as the identify provider.
• OneLogin: Set to use a single sign on connection with OneLogin as the identify provider.
• NTLM: Set this to use your Windows credentials for authentication.

The access key used to authenticate to SAS Data Sets. This value is accessible from your security credentials page.

Data Type

string

Default Value

""

Remarks

User is used with AccessKey to authenticate the user against the SAS Data Sets server.

Your account secret key. This value is accessible from your security credentials page.

Data Type

string

Default Value

""

Remarks

Your account secret key. This value is accessible from your security credentials page depending on the service you are using.

The API Key used to identify the user to IBM Cloud.

Data Type

string

Default Value

""

Remarks

Access to resources in the SAS Data Sets REST API is governed by an API key in order to retrieve token. An API Key can be created by navigating to Manage --> Access (IAM) --> Users and clicking 'Create'.

The user account used to authenticate.

Data Type

string

Default Value

""

Remarks

Together with Password, this field is used to authenticate against the server.

This property will refer to different things based on the context, namely the value of ConnectionType and AuthScheme:

• ConnectionType=AmazonS3
  • AuthScheme=ADFS: This refers to your ADFS username.
  • AuthScheme=Okta: This refers to your Okta username.
  • AuthScheme=PingFederate: This refers to your PingFederate username.
• ConnectionType=FTP(S)
  • AuthScheme=Basic: This refers to your FTP(S) server username.
• ConnectionType=HDFS/HDFS Secure
  • AuthScheme=Negotiate: This refers to your HDFS intance username.
• ConnectionType=HTTP(S)
  • AuthScheme=Basic: This refers to the username associated with the HTTP stream.
  • AuthScheme=Digest: This refers to the username associated with the HTTP stream.
  • AuthScheme=OAuthPassword: This refers to the username associated with the HTTP stream.
• ConnectionType=SharePoint SOAP
  • AuthScheme=Basic: This refers to your SharePoint account username.
  • AuthScheme=ADFS: This refers to your ADFS username.
  • AuthScheme=Okta: This refers to your Okta username.
  • AuthScheme=OneLogin: This refers to your OneLogin username.

The password used to authenticate the user.

Data Type

string

Default Value

""

Remarks

The User and Password are together used to authenticate with the server.

This property will refer to different things based on the context, namely the value of ConnectionType and AuthScheme:

• ConnectionType=AmazonS3
  • AuthScheme=ADFS: This refers to your ADFS password.
  • AuthScheme=Okta: This refers to your Okta password.
  • AuthScheme=PingFederate: This refers to your PingFederate password.
• ConnectionType=FTP(S)
  • AuthScheme=Basic: This refers to your FTP(S) server password.
• ConnectionType=HDFS/HDFS Secure
  • AuthScheme=Negotiate: This refers to your HDFS intance password.
• ConnectionType=HTTP(S)
  • AuthScheme=Basic: This refers to the password associated with the HTTP stream.
  • AuthScheme=Digest: This refers to the password associated with the HTTP stream.
  • AuthScheme=OAuthPassword: This refers to the password associated with the HTTP stream.
• ConnectionType=SharePoint SOAP
  • AuthScheme=Basic: This refers to your SharePoint account password.
  • AuthScheme=ADFS: This refers to your ADFS password.
  • AuthScheme=Okta: This refers to your Okta password.
  • AuthScheme=OneLogin: This refers to your OneLogin password.

The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise.

Possible Values

SharePointOnline, SharePointOnPremise

Data Type

string

Default Value

"SharePointOnline"

Remarks

The edition of SharePoint being used. Set either SharePointOnline or SharePointOnPremise.

Specify the type of the user impersonation. It should be whether the User mode or the Admin mode.

Possible Values

User, Admin

Data Type

string

Default Value

"User"

Remarks

Specify the type of the user impersonation. It should be whether the User mode or the Admin mode. The Admin mode is available only for Enterprise with Governance accounts and will be upon request. It will not work for any other accounts.

This section provides a complete list of the Connection properties you can configure in the connection string for this provider.

---

Property	Description
ConnectionType	Specifies the file storage service, server, or file access protocol through which your SAS Data Sets files are stored and retreived.
URI	The Uniform Resource Identifier (URI) for the SAS resource location.
Region	The hosting region for your S3-like Web Services.
OracleNamespace	The Oracle Cloud Object Storage namespace to use.
StorageBaseURL	Specifies the URL of a cloud storage service provider.
UseVirtualHosting	If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.
TestConnectionBehavior	Specifies the behavior of the test connection operation.
UseLakeFormation	When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.

Specifies the file storage service, server, or file access protocol through which your SAS Data Sets files are stored and retreived.

Possible Values

Local, Amazon S3, Azure Blob Storage, Azure Data Lake Storage Gen2, Azure Data Lake Storage Gen2 SSL, Azure Files, Box, Dropbox, FTP, FTPS, Google Cloud Storage, Google Drive, HDFS, HDFS Secure, HTTP, HTTPS, IBM Object Storage Source, OneDrive, OneLake, Oracle Cloud Storage, SFTP, SharePoint REST, SharePoint SOAP

Data Type

string

Default Value

"Local"

Remarks

Set the ConnectionType to one of the following:

• Local: SAS Data Sets files stored on your local machine.
• Amazon S3
• Azure Blob Storage
• Azure Data Lake Storage Gen2
• Azure Data Lake Storage Gen2 SSL
• Azure Files
• Box
• Dropbox
• FTP
• FTPS
• Google Cloud Storage
• Google Drive
• HDFS
• HDFS Secure
• HTTP: Connects to SAS Data Sets files hosted on HTTP streams.
• HTTPS: Connects to SAS Data Sets files hosted on HTTPS streams.
• IBM Object Storage Source
• OneDrive
• OneLake
• Oracle Cloud Storage
• SFTP
• SharePoint REST
• SharePoint SOAP

The Uniform Resource Identifier (URI) for the SAS resource location.

Data Type

string

Default Value

""

Remarks

Set the URI property to specify a path to a file or stream.

NOTE:

• This connection property requires that you set ConnectionType.
• If specifying a directory path, it is generally recommended to end the URI with a trailing path separator character, as an example 'folder1/' instead of 'folder1'.

See for more advanced features available for parsing and merging multiple files.

Below are examples of the URI formats for the available data sources:

Service provider	URI formats
Local	Single File Path One table localPath file://localPath Directory Path (one table per file) localPath file://localPath
HTTP or HTTPS	http://remoteStream https://remoteStream
Amazon S3	Single File Path One table s3://remotePath Directory Path (one table per file) s3://remotePath
Azure Blob Storage	Single File Path One table azureblob://mycontainer/myblob/ Directory Path (one table per file) azureblob://mycontainer/myblob/
OneDrive	Single File Path One table onedrive://remotePath Directory Path (one table per file) onedrive://remotePath
Google Cloud Storage	Single File Path One table gs://bucket/remotePath Directory Path (one table per file) gs://bucket/remotePath
Google Drive	Single File Path One table gdrive://remotePath Directory Path (one table per file) gdrive://remotePath
Box	Single File Path One table box://remotePath Directory Path (one table per file) box://remotePath
FTP or FTPS	Single File Path One table ftp://server:port/remotePath Directory Path (one table per file) ftp://server:port/remotePath
SFTP	Single File Path One table sftp://server:port/remotePath Directory Path (one table per file) sftp://server:port/remotePath
Sharepoint	Single File Path One table sp://https://server/remotePath Directory Path (one table per file) sp://https://server/remotePath Use the Sharepoint URL as the remote path. Not the display name.

Example Connection Strings and Queries

Below are example connection strings to SAS files or streams.

Service provider	URI formats	Connection example
Local	Single File Path One table localPath file://localPath Directory Path (one table per file) localPath file://localPath	URI=C:\folder1
Amazon S3	Single File Path One table s3://bucket1/folder1 Directory Path (one table per file) s3://bucket1/folder1	URI=s3://bucket1/folder1; AWSAccessKey=token1; AWSSecretKey=secret1; AWSRegion=OHIO;
Azure Blob Storage	Single File Path One table azureblob://mycontainer/myblob/ Directory Path (one table per file) azureblob://mycontainer/myblob/	URI=azureblob://mycontainer/myblob/; AzureStorageAccount=myAccount; AzureAccessKey=myKey; URI=azureblob://mycontainer/myblob/; AzureStorageAccount=myAccount; AuthScheme=OAuth;
OneDrive	Single File Path One table onedrive://remotePath Directory Path (one table per file) onedrive://remotePath	URI=onedrive://folder1; AuthScheme=OAuth; URI=onedrive://SharedWithMe/folder1; AuthScheme=OAuth;
Google Cloud Storage	Single File Path One table gs://bucket/remotePath Directory Path (one table per file) gs://bucket/remotePath	URI=gs://bucket/folder1; AuthScheme=OAuth; ProjectId=test;
Google Drive	Single File Path One table gdrive://remotePath Directory Path (one table per file) gdrive://remotePath	URI=gdrive://folder1;
Box	Single File Path One table box://remotePath Directory Path (one table per file) box://remotePath	URI=box://folder1; OAuthClientId=oauthclientid1; OAuthClientSecret=oauthcliensecret1; CallbackUrl=http://localhost:12345;
FTP or FTPS	Single File Path One table ftp://server:port/remotePath Directory Path (one table per file) ftp://server:port/remotePath	URI=ftps://localhost:990/folder1; User=user1; Password=password1;
SFTP	sftp://server:port/remotePath	URI=sftp://127.0.0.1:22/remotePath; User=user1; Password=password1;
Sharepoint	sp://https://server/remotePath Use the Sharepoint URL as the remote path. Not the display name.	URI=sp://https://domain.sharepoint.com/Documents; User=user1; Password=password1;

The hosting region for your S3-like Web Services.

Data Type

string

Default Value

""

Remarks

The hosting region for your S3-like Web Services.

Oracle Cloud Object Storage Regions

Value	Region
Commercial Cloud Regions
ap-hyderabad-1	India South (Hyderabad)
ap-melbourne-1	Australia Southeast (Melbourne)
ap-mumbai-1	India West (Mumbai)
ap-osaka-1	Japan Central (Osaka)
ap-seoul-1	South Korea Central (Seoul)
ap-sydney-1	Australia East (Sydney)
ap-tokyo-1	Japan East (Tokyo)
ca-montreal-1	Canada Southeast (Montreal)
ca-toronto-1	Canada Southeast (Toronto)
eu-amsterdam-1	Netherlands Northwest (Amsterdam)
eu-frankfurt-1	Germany Central (Frankfurt)
eu-zurich-1	Switzerland North (Zurich)
me-jeddah-1	Saudi Arabia West (Jeddah)
sa-saopaulo-1	Brazil East (Sao Paulo)
uk-london-1	UK South (London)
us-ashburn-1 (default)	US East (Ashburn, VA)
us-phoenix-1	US West (Phoenix, AZ)
US Gov FedRAMP High Regions
us-langley-1	US Gov East (Ashburn, VA)
us-luke-1	US Gov West (Phoenix, AZ)
US Gov DISA IL5 Regions
us-gov-ashburn-1	US DoD East (Ashburn, VA)
us-gov-chicago-1	US DoD North (Chicago, IL)
us-gov-phoenix-1	US DoD West (Phoenix, AZ)

Wasabi Regions

Value	Region
eu-central-1	Europe (Amsterdam)
us-east-1 (Default)	US East (Ashburn, VA)
us-east-2	US East (Manassas, VA)
us-west-1	US West (Hillsboro, OR)

The Oracle Cloud Object Storage namespace to use.

Data Type

string

Default Value

""

Remarks

The Oracle Cloud Object Storage namespace to use. This setting must be set to the Oracle Cloud Object Storage namespace associated with the Oracle Cloud account before any requests can be made. Refer to the Understanding Object Storage Namespaces page of the Oracle Cloud documentation for instructions on how to find your account's Object Storage namespace.

Specifies the URL of a cloud storage service provider.

Data Type

string

Default Value

""

Remarks

This connection property is used to specify:

• The URL of a custom S3 service.
• The URL required for the SharePoint SOAP/REST cloud storage service provider.

  If the domain for this option ends in -my (for example, https://bigcorp-my.sharepoint.com) then you may need to use the onedrive:// scheme instead of the sp:// or sprest:// scheme.

When connecting to files in a non–root-level SharePoint Online site (for example, under /sites/<your site>/), set this property to the full site path. For example: StorageBaseURL=https://<your domain>.sharepoint.com/sites/<your site>/

Using the full SharePoint site URL ensures the connector can locate files stored in subsites or other non-root-level site structures.

If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.

Data Type

bool

Default Value

true

Remarks

If true (default), buckets will be referenced in the request using the hosted-style request: http://yourbucket.s3.amazonaws.com/yourobject. If set to false, the bean will use the path-style request: http://s3.amazonaws.com/yourbucket/yourobject. Note that this property will be set to false, in case of an S3 based custom service when the CustomURL is specified.

Specifies the behavior of the test connection operation.

Possible Values

LIST_AND_READ_FILES, READ_FILE, LIST_FILES, NO_OPERATION, AUTHENTICATE, LIST_OR_READ_FILES

Data Type

string

Default Value

"LIST_OR_READ_FILES"

Remarks

Change how the Cloud responds to a test connection operation based on the integration scenario.

• LIST_AND_READ_FILES: Deprecated, renamed to LIST_OR_READ_FILES. List or read files from the configured storage source until at least one is parsed. Fail if none of the files can be parsed. Note: this mode will not read files in sub-directories.
• READ_FILE: Read the file provided in the URI. Succeed if the file can be read and parsed. Use this mode if the URI points to a file, not a directory.
• LIST_FILES: List files from the provided URI.
• NO_OPERATION: Does not perform any operation on the storage source.
• AUTHENTICATE: Tests if the credentials are valid by making a metadata or list call.
• LIST_OR_READ_FILES: List or read files from the configured storage source until at least one is parsed. Fail if none of the files can be parsed. Note: this mode will not read files in sub-directories.

When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.

Data Type

bool

Default Value

false

Remarks

When this property is set to true, AWSLakeFormation service will be used to retrieve temporary credentials, which enforce access policies against the user based on the configured IAM role. The service can be used when authenticating through OKTA, ADFS, AzureAD, PingFederate, while providing a SAML assertion.

This section provides a complete list of the AWS Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AWSAccessKey	Specifies your AWS account access key. This value is accessible from your AWS security credentials page.
AWSSecretKey	Your AWS account secret key. This value is accessible from your AWS security credentials page.
AWSRoleARN	The Amazon Resource Name of the role to use when authenticating.
AWSPrincipalARN	The ARN of the SAML Identity provider in your AWS account.
AWSRegion	The hosting region for your Amazon Web Services.
AWSSessionToken	Your AWS session token.
AWSExternalId	A unique identifier that might be required when you assume a role in another account.
MFASerialNumber	The serial number of the MFA device if one is being used.
MFAToken	The temporary token available from your MFA device.
TemporaryTokenDuration	The amount of time (in seconds) a temporary token will last.
AWSWebIdentityToken	The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider.
ServerSideEncryption	When activated, file uploads into Amazon S3 buckets will be server-side encrypted.
SSEContext	A BASE64-encoded UTF-8 string holding JSON which represents a string-string (key-value) map.
SSEEnableS3BucketKeys	Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS.
SSEKey	A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption.

Specifies your AWS account access key. This value is accessible from your AWS security credentials page.

Data Type

string

Default Value

""

Remarks

To find your AWS account access key:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number.
3. Select My Security Credentials in the menu.
4. Click Continue to Security Credentials.
5. To view or manage root account access keys, expand the Access Keys section.

Your AWS account secret key. This value is accessible from your AWS security credentials page.

Data Type

string

Default Value

""

Remarks

Your AWS account secret key. This value is accessible from your AWS security credentials page:

1. Sign into the AWS Management console with the credentials for your root account.
2. Select your account name or number and select My Security Credentials in the menu that is displayed.
3. Click Continue to Security Credentials and expand the Access Keys section to manage or create root account access keys.

The Amazon Resource Name of the role to use when authenticating.

Data Type

string

Default Value

""

Remarks

When authenticating outside of AWS, it is common to use a Role for authentication instead of your direct AWS account credentials. Entering the AWSRoleARN will cause the CData Cloud to perform a role based authentication instead of using the AWSAccessKey and AWSSecretKey directly. The AWSAccessKey and AWSSecretKey must still be specified to perform this authentication. You cannot use the credentials of an AWS root user when setting RoleARN. The AWSAccessKey and AWSSecretKey must be those of an IAM user.

The ARN of the SAML Identity provider in your AWS account.

Data Type

string

Default Value

""

Remarks

The ARN of the SAML Identity provider in your AWS account.

The hosting region for your Amazon Web Services.

Possible Values

OHIO, NORTHERNVIRGINIA, NORTHERNCALIFORNIA, OREGON, CAPETOWN, HONGKONG, TAIPEI, HYDERABAD, JAKARTA, MALAYSIA, MELBOURNE, MUMBAI, OSAKA, SEOUL, SINGAPORE, SYDNEY, THAILAND, TOKYO, CENTRAL, CALGARY, BEIJING, NINGXIA, FRANKFURT, IRELAND, LONDON, MILAN, PARIS, SPAIN, STOCKHOLM, ZURICH, TELAVIV, MEXICOCENTRAL, BAHRAIN, UAE, SAOPAULO, GOVCLOUDEAST, GOVCLOUDWEST, ISOLATEDUSEAST, ISOLATEDUSEASTB, ISOLATEDUSEASTF, ISOLATEDUSSOUTHF, ISOLATEDUSWEST, ISOLATEDEUWEST

Data Type

string

Default Value

"NORTHERNVIRGINIA"

Remarks

The hosting region for your Amazon Web Services. Available values are OHIO, NORTHERNVIRGINIA, NORTHERNCALIFORNIA, OREGON, CAPETOWN, HONGKONG, TAIPEI, HYDERABAD, JAKARTA, MALAYSIA, MELBOURNE, MUMBAI, OSAKA, SEOUL, SINGAPORE, SYDNEY, THAILAND, TOKYO, CENTRAL, CALGARY, BEIJING, NINGXIA, FRANKFURT, IRELAND, LONDON, MILAN, PARIS, SPAIN, STOCKHOLM, ZURICH, TELAVIV, MEXICOCENTRAL, BAHRAIN, UAE, SAOPAULO, GOVCLOUDEAST, GOVCLOUDWEST, ISOLATEDUSEAST, ISOLATEDUSEASTB, ISOLATEDUSEASTF, ISOLATEDUSSOUTHF, ISOLATEDUSWEST and ISOLATEDEUWEST.

Your AWS session token.

Data Type

string

Default Value

""

Remarks

Your AWS session token. This value can be retrieved in different ways. See this link for more info.

A unique identifier that might be required when you assume a role in another account.

Data Type

string

Default Value

""

Remarks

A unique identifier that might be required when you assume a role in another account.

The serial number of the MFA device if one is being used.

Data Type

string

Default Value

""

Remarks

You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials. For virtual devices, this is actually an Amazon Resource Name (such as arn:aws:iam::123456789012:mfa/user).

The temporary token available from your MFA device.

Data Type

string

Default Value

""

Remarks

If MFA is required, this value will be used along with the MFASerialNumber to retrieve temporary credentials to login. The temporary credentials available from AWS will only last up to 1 hour by default (see TemporaryTokenDuration). Once the time is up, the connection must be updated to specify a new MFA token so that new credentials may be obtained. %AWSpSecurityToken; %AWSpTemporaryTokenDuration;

The amount of time (in seconds) a temporary token will last.

Data Type

string

Default Value

"3600"

Remarks

Temporary tokens are used with both MFA and Role based authentication. Temporary tokens will eventually time out, at which time a new temporary token must be obtained. For situations where MFA is not used, this is not a big deal. The CData Cloud will internally request a new temporary token once the temporary token has expired.

However, for MFA required connection, a new MFAToken must be specified in the connection to retrieve a new temporary token. This is a more intrusive issue since it requires an update to the connection by the user. The maximum and minimum that can be specified will depend largely on the connection being used.

For Role based authentication, the minimum duration is 900 seconds (15 minutes) while the maximum if 3600 (1 hour). Even if MFA is used with role based authentication, 3600 is still the maximum.

For MFA authentication by itself (using an IAM User or root user), the minimum is 900 seconds (15 minutes), the maximum is 129600 (36 hours).

The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider.

Data Type

string

Default Value

""

Remarks

The OAuth 2.0 access token or OpenID Connect ID token that is provided by an identity provider. An application can get this token by authenticating a user with a web identity provider. If not specified, the value for this connection property is automatically obtained from the value of the 'AWS_WEB_IDENTITY_TOKEN_FILE' environment variable.

When activated, file uploads into Amazon S3 buckets will be server-side encrypted.

Possible Values

OFF, S3-Managed Keys, Key Management Service Keys

Data Type

string

Default Value

"OFF"

Remarks

Server-side encryption is the encryption of data at its destination by the application or service that receives it. Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. Learn more: https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

A BASE64-encoded UTF-8 string holding JSON which represents a string-string (key-value) map.

Data Type

string

Default Value

""

Remarks

Example of what the JSON may look decoded: {"aws:s3:arn": "arn:aws:s3:::_bucket_/_object_"}.

Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS.

Data Type

bool

Default Value

false

Remarks

Configuration to use an S3 Bucket Key at the object level when encrypting data with AWS KMS. Enabling this will reduce the cost of server-side encryption by lowering calls to AWS KMS.

A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption.

Data Type

string

Default Value

""

Remarks

A symmetric encryption KeyManagementService key, that is used to protect the data when using ServerSideEncryption.

This section provides a complete list of the Azure Authentication properties you can configure in the connection string for this provider.

---

Property	Description
AzureStorageAccount	The name of your Azure storage account.
AzureAccessKey	The storage key associated with your Azure account.
AzureSharedAccessSignature	A shared access key signature that may be used for authentication.
AzureTenant	Identifies the SAS Data Sets tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com ) or its directory (tenant) ID.
AzureEnvironment	Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added.

The name of your Azure storage account.

Data Type

string

Default Value

""

Remarks

The name of your Azure storage account.

The storage key associated with your Azure account.

Data Type

string

Default Value

""

Remarks

The storage key associated with your SAS Data Sets account. You can retrieve it as follows:

1. Sign into the azure portal with the credentials for your root account. (https://portal.azure.com/)
2. Click on storage accounts and select the storage account you want to use.
3. Under settings, click Access keys.
4. Your storage account name and key will be displayed on that page.

A shared access key signature that may be used for authentication.

Data Type

string

Default Value

""

Remarks

A shared access signature. You can create one by following these steps:

1. Sign into the azure portal with the credentials for your root account. (https://portal.azure.com/)
2. Click on storage accounts and select the storage account you want to use.
3. Under settings, click Shared Access Signature.
4. Set the permissions and when the token will expire
5. Click Generate SAS can copy the token.

Identifies the SAS Data Sets tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com ) or its directory (tenant) ID.

Data Type

string

Default Value

""

Remarks

A tenant is a digital container for your organization's users and resources, managed through Microsoft Entra ID (formerly Azure AD). Each tenant is associated with a unique directory ID, and often with a custom domain (for example, microsoft.com or contoso.onmicrosoft.com).

To find the directory (tenant) ID in the Microsoft Entra Admin Center, navigate to Microsoft Entra ID > Properties and copy the value labeled "Directory (tenant) ID".

This property is required in the following cases:

• When AuthScheme is set to AzureServicePrincipal or AzureServicePrincipalCert
• When AuthScheme is AzureAD and the user account belongs to multiple tenants

You can provide the tenant value in one of two formats:

• A domain name (for example, contoso.onmicrosoft.com)
• A directory (tenant) ID in GUID format (for example, c9d7b8e4-1234-4f90-bc1a-2a28e0f9e9e0)

Specifying the tenant explicitly ensures that the authentication request is routed to the correct directory, which is especially important when a user belongs to multiple tenants or when using service principal–based authentication.

If this value is omitted when required, authentication may fail or connect to the wrong tenant. This can result in errors such as unauthorized or resource not found.

Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added.

Possible Values

GLOBAL, CHINA, USGOVT, USGOVTDOD

Data Type

string

Default Value

"GLOBAL"

Remarks

Required if your Azure account is part of a different network than the Global network, such as China, USGOVT, or USGOVTDOD.

This section provides a complete list of the Keycloak Authentication properties you can configure in the connection string for this provider.

---

Property	Description
KeycloakRealmURL	Specifies the full URL to the Keycloak server including the specific realm used for authentication and authorization.

Specifies the full URL to the Keycloak server including the specific realm used for authentication and authorization.

Data Type

string

Default Value

""

Remarks

The URL must be in the format: http(s)://{server-url}:{port}/realms/{realm-name}.

A realm in Keycloak is a logical namespace that manages a set of users, roles, clients, and configurations. It isolates authentication and authorization for different applications or services, allowing each realm to have its own user base and security settings. Multiple realms can exist within a single Keycloak instance, providing separation between different environments or groups.

Specifying KeycloakRealmURL is required when AuthScheme = Keycloak.

This section provides a complete list of the SSO properties you can configure in the connection string for this provider.

---

Property	Description
SSOLoginURL	The identity provider's login URL.
SSOProperties	Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.
SSOExchangeURL	The URL used for consuming the SAML response and exchanging it for service specific credentials.

The identity provider's login URL.

Data Type

string

Default Value

""

Remarks

The identity provider's login URL.

Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.

Data Type

string

Default Value

""

Remarks

Additional properties required to connect to the identity provider in a semicolon-separated list.

Additional properties required to connect to the identity provider, formatted as a semicolon-separated list.

This is used with the SSOLoginURL.

SSO configuration is discussed further in .

The URL used for consuming the SAML response and exchanging it for service specific credentials.

Data Type

string

Default Value

""

Remarks

The CData Cloud will use the URL specified here to consume a SAML response and exchange it for service specific credentials. The retrieved credentials are the final piece during the SSO connection that are used to communicate with SAS Data Sets.

This section provides a complete list of the JWT OAuth properties you can configure in the connection string for this provider.

---

Property	Description
OAuthJWTCert	Supplies the name of the client certificate's JWT Certificate store.
OAuthJWTCertType	Identifies the type of key store containing the JWT Certificate.
OAuthJWTCertPassword	Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank.
OAuthJWTCertSubject	Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.
OAuthJWTSubject	The user subject for which the application is requesting delegated access.
OAuthJWTSubjectType	The SubType for the JWT authentication.
OAuthJWTPublicKeyId	The Id of the public key for JWT.

Supplies the name of the client certificate's JWT Certificate store.

Data Type

string

Default Value

""

Remarks

The OAuthJWTCertType field specifies the type of the certificate store specified in OAuthJWTCert. If the store is password-protected, use OAuthJWTCertPassword to supply the password..

OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates. If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, the CData Cloud initiates a search for a certificate. For further information, see OAuthJWTCertSubject.

Designations of certificate stores are platform-dependent.

Notes

• The most common User and Machine certificate stores in Windows include:
  • MY: A certificate store holding personal certificates with their associated private keys.
  • CA: Certifying authority certificates.
  • ROOT: Root certificates.
  • SPC: Software publisher certificates.
• In Java, the certificate store normally is a file containing certificates and optional private keys.
• When the certificate store type is PFXFile, this property must be set to the name of the file.
• When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

Identifies the type of key store containing the JWT Certificate.

Possible Values

PFXBLOB, JKSBLOB, PEMKEY_BLOB, PUBLIC_KEY_BLOB, SSHPUBLIC_KEY_BLOB, XMLBLOB, BCFKSBLOB, GOOGLEJSONBLOB, BOXJSONBLOB

Data Type

string

Default Value

"PEMKEY_BLOB"

Remarks

Value	Description	Notes
USER	A certificate store owned by the current user.	Only available in Windows.
MACHINE	A machine store.	Not available in Java or other non-Windows environments.
PFXFILE	A PFX (PKCS12) file containing certificates.
PFXBLOB	A string (base-64-encoded) representing a certificate store in PFX (PKCS12) format.
JKSFILE	A Java key store (JKS) file containing certificates.	Only available in Java.
JKSBLOB	A string (base-64-encoded) representing a certificate store in Java key store (JKS) format.	Only available in Java.
PEMKEY_FILE	A PEM-encoded file that contains a private key and an optional certificate.
PEMKEY_BLOB	A string (base64-encoded) that contains a private key and an optional certificate.
PUBLIC_KEY_FILE	A file that contains a PEM- or DER-encoded public key certificate.
PUBLIC_KEY_BLOB	A string (base-64-encoded) that contains a PEM- or DER-encoded public key certificate.
SSHPUBLIC_KEY_FILE	A file that contains an SSH-style public key.
SSHPUBLIC_KEY_BLOB	A string (base-64-encoded) that contains an SSH-style public key.
P7BFILE	A PKCS7 file containing certificates.
PPKFILE	A file that contains a PPK (PuTTY Private Key).
XMLFILE	A file that contains a certificate in XML format.
XMLBLOB	Astring that contains a certificate in XML format.
BCFKSFILE	A file that contains an Bouncy Castle keystore.
BCFKSBLOB	A string (base-64-encoded) that contains a Bouncy Castle keystore.
GOOGLEJSON	A JSON file containing the service account information.	Only valid when connecting to a Google service.
GOOGLEJSONBLOB	A string that contains the service account JSON.	Only valid when connecting to a Google service.
BOXJSON	A JSON file containing the service account credentials.	Only valid when connecting to Box.
BOXJSONBLOB	The certificate store is a string that contains the service account JSON.	Only valid when connecting to Box.

Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank.

Data Type

string

Default Value

""

Remarks

This property specifies the password needed to open a password-protected certificate store. To determine if a password is necessary, refer to the documentation or configuration for your specific certificate store.

This is not required when using the GOOGLEJSON OAuthJWTCertType. Google JSON keys are not encrypted.

Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.

Data Type

string

Default Value

"*"

Remarks

The value of this property is used to locate a matching certificate in the store. The search process works as follows:

• If an exact match for the subject is found, the corresponding certificate is selected.
• If no exact match is found, the store is searched for certificates whose subjects contain the property value.
• If no match is found, no certificate is selected.

You can set the value to '*' to automatically select the first certificate in the store. The certificate subject is a comma-separated list of distinguished name fields and values. For example: CN=www.server.com, OU=test, C=US, [email protected].

Common fields include:

Field	Meaning
CN	Common Name. This is commonly a host name like www.server.com.
O	Organization
OU	Organizational Unit
L	Locality
S	State
C	Country
E	Email Address

If a field value contains a comma, enclose it in quotes. For example: "O=ACME, Inc.".

The user subject for which the application is requesting delegated access.

Data Type

string

Default Value

""

Remarks

The user subject for which the application is requesting delegated access. Typically, the user account name or email address.

The SubType for the JWT authentication.

Possible Values

enterprise, user

Data Type

string

Default Value

"enterprise"

Remarks

The SubType for the JWT authentication. Set this to "enterprise" or "user" depending on the type of token being requested.

The Id of the public key for JWT.

Data Type

string

Default Value

""

Remarks

The Id of the public key for JWT. Set this to the value of your Public Key Id in your app settings.

This section provides a complete list of the OAuth properties you can configure in the connection string for this provider.

---

Property	Description
OAuthClientId	Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication.
OAuthClientSecret	Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server. (Custom OAuth applications only.).
SubjectId	The user subject for which the application is requesting delegated access.
SubjectType	The Subject Type for the Client Credentials authentication.
Scope	Specifies the scope of the authenticating user's access to the application, to ensure they get appropriate access to data. If a custom OAuth application is needed, this is generally specified at the time the application is created.

Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication.

Data Type

string

Default Value

""

Remarks

This property is required in two cases:

• When using a custom OAuth application, such as in web-based authentication flows, service-based authentication, or certificate-based flows that require application registration.
• If the driver does not provide embedded OAuth credentials.

(When the driver provides embedded OAuth credentials, this value may already be provided by the Cloud and thus not require manual entry.)

OAuthClientId is generally used alongside other OAuth-related properties such as OAuthClientSecret and OAuthSettingsLocation when configuring an authenticated connection.

OAuthClientId is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can usually find this value in your identity provider’s application registration settings. Look for a field labeled Client ID, Application ID, or Consumer Key.

While the client ID is not considered a confidential value like a client secret, it is still part of your application's identity and should be handled carefully. Avoid exposing it in public repositories or shared configuration files.

For more information on how this property is used when configuring a connection, see Establishing a Connection.

Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server. (Custom OAuth applications only.).

Data Type

string

Default Value

""

Remarks

This property (sometimes called the application secret or consumer secret) is required when using a custom OAuth application in any flow that requires secure client authentication, such as web-based OAuth, service-based connections, or certificate-based authorization flows. It is not required when using an embedded OAuth application.

The client secret is used during the token exchange step of the OAuth flow, when the driver requests an access token from the authorization server. If this value is missing or incorrect, authentication fails with either an invalid_client or an unauthorized_client error.

OAuthClientSecret is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can obtain this value from your identity provider when registering the OAuth application.

Notes:

• This value should be stored securely and never exposed in public repositories, scripts, or unsecured environments.
• Client secrets may also expire after a set period. Be sure to monitor expiration dates and rotate secrets as needed to maintain uninterrupted access.

For more information on how this property is used when configuring a connection, see Establishing a Connection

The user subject for which the application is requesting delegated access.

Data Type

string

Default Value

""

Remarks

Id of the user or enterprise, based on the configuration set in SubjectType.

The Subject Type for the Client Credentials authentication.

Possible Values

enterprise, user

Data Type

string

Default Value

"enterprise"

Remarks

The Subject Type for the Client Credentials authentication. Set this to "enterprise" or "user" depending on the type of token being requested.

Specifies the scope of the authenticating user's access to the application, to ensure they get appropriate access to data. If a custom OAuth application is needed, this is generally specified at the time the application is created.

Data Type

string

Default Value

""

Remarks

Scopes are set to define what kind of access the authenticating user will have; for example, read, read and write, restricted access to sensitive information. System administrators can use scopes to selectively enable access by functionality or security clearance.

When InitiateOAuth is set to GETANDREFRESH, you must use this property if you want to change which scopes are requested.

When InitiateOAuth is set to either REFRESH or OFF, you can change which scopes are requested using either this property or the Scope input.

This section provides a complete list of the SSL properties you can configure in the connection string for this provider.

---

Property	Description
SSLMode	The authentication mechanism to be used when connecting to the FTP or FTPS server.
SSLServerCert	Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

The authentication mechanism to be used when connecting to the FTP or FTPS server.

Possible Values

AUTOMATIC, NONE, IMPLICIT, EXPLICIT

Data Type

string

Default Value

"AUTOMATIC"

Remarks

If SSLMode is set to NONE, default plaintext authentication is used to log in to the server. If SSLMode is set to IMPLICIT, the SSL negotiation will start immediately after the connection is established. If SSLMode is set to EXPLICIT, the Cloud will first connect in plaintext, and then explicitly start SSL negotiation through a protocol command such as STARTTLS. If SSLMode is set to AUTOMATIC, if the remote port is set to the standard plaintext port of the protocol (where applicable), the component will behave the same as if SSLMode is set to EXPLICIT. In all other cases, SSL negotiation will be IMPLICIT.

• AUTOMATIC
• NONE
• IMPLICIT
• EXPLICIT

Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If you are using a TLS/SSL connection, use this property to specify the TLS/SSL certificate to be accepted from the server. If you specify a value for this property, all other certificates that are not trusted by the machine are rejected.

This property can take the following forms:

Description	Example
A full PEM Certificate (example shortened for brevity)	-----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE-----
A path to a local file containing the certificate	C:\cert.cer
The public key (example shortened for brevity)	-----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY-----
The MD5 Thumbprint (hex values can also be either space- or colon-separated)	ecadbdda5a1529c58a1e9e09828d70e4
The SHA1 Thumbprint (hex values can also be either space- or colon-separated)	34a929226ae0819f2ec14b4a3d904f801cbb150d

Note: It is possible to use '*' to signify that all certificates should be accepted, but due to security concerns this is not recommended.

This section provides a complete list of the SSH properties you can configure in the connection string for this provider.

---

Property	Description
SSHAuthMode	The authentication method used when establishing an SSH Tunnel to the service.
SSHClientCert	A certificate to be used for authenticating the SSHUser.
SSHClientCertPassword	The password of the SSHClientCert key if it has one.
SSHClientCertSubject	The subject of the SSH client certificate.
SSHClientCertType	The type of SSHClientCert private key.
SSHUser	The SSH user.
SSHPassword	The SSH password.

The authentication method used when establishing an SSH Tunnel to the service.

Possible Values

None, Password, Public_Key

Data Type

string

Default Value

"Password"

Remarks

• None: No authentication is performed. The current SSHUser value is ignored, and the connection is logged in as anonymous.
• Password: The Cloud uses the values of SSHUser and SSHPassword to authenticate the user.
• Public_Key: The Cloud uses the values of SSHUser and SSHClientCert to authenticate the user. SSHClientCert must have a private key available for this authentication method to succeed.

A certificate to be used for authenticating the SSHUser.

Data Type

string

Default Value

""

Remarks

SSHClientCert must contain a valid private key in order to use public key authentication. A public key is optional, if one is not included then the Cloud generates it from the private key. The Cloud sends the public key to the server and the connection is allowed if the user has authorized the public key.

The SSHClientCertType field specifies the type of the key store specified by SSHClientCert. If the store is password protected, specify the password in SSHClientCertPassword.

Some types of key stores are containers which may include multiple keys. By default the Cloud will select the first key in the store, but you can specify a specific key using SSHClientCertSubject.