17.10 - Explanation of Single Sign-on Examples - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

The following explains logon terms used in the Single Sign-on example.

Syntax Element Description
mech_name Required only if KRB5 is not used. Specify the SPNEGO mechanism for Kerberos authentication from a .NET client.
If no mechanism and no user credentials are specified, the system assumes a single sign-on and authenticates with Kerberos.
authorization_qualifier Required if users are authorized by a directory, that is, the KRB5 mechanism has AuthorizationSupported=yes:
  • The directory user is mapped to multiple user or profile objects (for all mechanisms).
  • LDAP uses SASL/DIGEST-MD5 binding (the default), the directory offers more than one realm, and the value of the LdapServerRealm property is to the default "" (for the LDAP mechanism only).
    The DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you use simple binding with TLS protection, and stop using DIGEST-MD5.

If the matching directory user is mapped to multiple database users:

If the directory user is mapped to more than one database user, specify the user with the database privileges needed for the session in the form:

user= database_username

The database username can be either a database user or EXTUSER.
If the matching directory user is mapped to multiple profiles:
  • If a directory user is mapped to multiple profiles, specify profile=profile_name to identify the session profile.
  • If the directory user is mapped to one or more database users, and also to a profile, the session defers to the separately mapped profile instead of the profile belonging to the mapped database user.

If the directory offers multiple realms:

Specify the realm as it appears in the directory, normally the fully qualified DNS name of the directory, for example:

realm=directory_FQDNSName

The system processes realm information as follows:

tdpid Required. The tdpid identifies the Teradata Vantage system, Unity server, or host group to which the logon, if successful, connects.
, , User credentials are not required for single sign-on.

The , , is required as a place holder for the user credentials only if an account string is specified. Otherwise commas are not needed.

"account" Optional. The account string must be enclosed in double quotation marks. For information on accounts, see Teradata Vantage™ - Database Administration, B035-1093.