17.10 - Validation by Token Exchange - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

SSO validation by token exchange.

For external authentication, TDGSS exchanges the JWT with the Central IdP and, after the exchange, validates the user. To do this, TDGSS first determines whether the JWT comes from the Central IdP or from an external identity provider, using the issuer (“iss”) claim in the JWT payload to identify the identity provider. The client application attempts to authenticate to the database as follows:

  1. When the client authenticates, the Gateway sends the client a configuration response containing the ClientId (such as sso-dev) and the IdpUrL (such as https://sso-idp-dev.iam.teradatacloud.io/.well-known/openid-configuration). This information is defined in the TdgssUserConfigFile.xml in the <GlobalValues> section.
  2. The client then requests a JWT token from the external IdP.
  3. The client sends the JWT to the Gateway to log the session on.
  4. The Gateway validates the token:
    1. TDGSS peeks into the payload to get the issuer claim.
    2. TDGSS gets the Central IdP issuer claim from the TDGSS configuration.
    3. TDGSS compares the Central IdP issuer and the JWT “iss” claim.
  5. Validation by Token Exchange: If the issuers don’t match, a token exchange is done:
    1. From the configuration, TDGSS gets the issuer of the configured external identity provider.
    2. TDGSS compares the external IdP issuer and the “iss” claim from the JWT.
    3. If they don’t match, an error is generated and the user is not authenticated.
    4. If they match, a REST API call is made to exchange the JWT from the Central IdP.
  6. After exchanging the JWT from Central IdP, TDGSS validates the JWT.
  7. The JWT is saved in the session control table so that it can be used to authenticate to other Vantage services.

To configure the JWT mechanism for token exchanger validation, see Validation by Token Exchanger.

The following table shows the required information to get an exchange token from the central IdP:

| Parameter | Description |
|---|---|
| subject_issuer | The alias name with which the external IdP (the access token issuer) is registered with the central IdP. This parameter is required only for the central IdP. |
| subject_token | A valid JWT access token issued by the external IdP. |
| client_id | The client id of the target application registered with the central IdP that intends to use the exchanged token. The mappers associated with client_id decide the content of the exchanged token. |
| client_secret | The client secret of the target application. |
| subject_token_type | Constant value: urn:ietf:params:oauth:token-type:access_token |
| grant_type | Constant value: urn:ietf:params:oauth:grant-type:token-exchange |
| token_endpoint | The /token endpoint of the central IdP. It is usually a URL in this form: https://<idp-host>/auth/realms/<realm name>/protocol/openid-connect/token |
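
The issuer check in steps 4 and 5 and the exchange request built from the table's parameters, sketched in Python as an added example (not Teradata or TDGSS code); the issuer URLs, function names and sample token are constructed assumptions. The payload peek is unverified and only decides routing; the token is still validated after the exchange (step 6).

```python
import base64
import json
from urllib.parse import urlencode

# Constructed configuration values (assumptions, not Teradata defaults).
CENTRAL_ISS = "https://central-idp.example/auth/realms/demo"
EXTERNAL_ISS = "https://external-idp.example"
TOKEN_ENDPOINT = CENTRAL_ISS + "/protocol/openid-connect/token"


def peek_issuer(jwt):
    """Read "iss" from the payload WITHOUT verifying the signature (routing only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    payload = json.loads(base64.urlsafe_b64decode(padded))
    iss = payload.get("iss") if isinstance(payload, dict) else None
    if not isinstance(iss, str):
        raise ValueError("missing iss claim")
    return iss


def route(jwt, subject_issuer, client_id, client_secret):
    """Return ("validate", None) or ("exchange", (url, form_body)); raise otherwise."""
    iss = peek_issuer(jwt)
    if iss == CENTRAL_ISS:        # step 4: already a Central IdP token
        return "validate", None
    if iss != EXTERNAL_ISS:       # step 5.3: unknown issuer, fail closed
        raise PermissionError("untrusted issuer")
    form = urlencode({            # step 5.4: request body sent to the /token endpoint
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token": jwt,
        "subject_issuer": subject_issuer,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return "exchange", (TOKEN_ENDPOINT, form)


def make_jwt(claims):
    """Build a constructed sample token with a dummy signature, for the demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "sig"])
```

The form body goes to the token endpoint as an `application/x-www-form-urlencoded` POST over TLS; because it carries `client_secret`, it should not be written to logs.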