17.10 - User Name Mappings - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

The UserNameMapping section of TdgssUserConfigFile.xml is used to parse out the database username. By default, the JWT mechanism takes the database logon username from the subject (sub) claim of the JWT payload. However, the claim that carries the username may differ between identity providers, or the claim value may need to be parsed so that only part of it is used as the username.

For example, if a JWT carries a preferred_username claim whose value is an email address such as xys@company.com, the email address must be mapped to xys, because an email address cannot be used as a database username. In the example below, the UserNameMapping section contains an entry for that claim: Claim="preferred_username". The claim value is matched against the regular expression in Match. If it matches, DatabaseName="${1}" selects the first capture group; with this Match pattern, ${1} is xys, so xys is used as the database username.

<Mechanism Name="JWT">
    <MechanismProperties
        JWTDynamicKey="yes|no"
        JWTokenExchange="yes|no"
        JWTClientTlsCACertDir="</opt/teradata/tdat/site/xyz/abc>"
        .../>

    <!-- Email address in preferred_username: keep only the local part -->
    <UserNameMapping
        Claim="preferred_username"
        Match="(\w+)@([\w+.]+)"
        DatabaseName="${1}" />

    <UserNameMapping
        Claim="sub"
        Match="(\w+)|(\w+)"
        DatabaseName="Auth_${2}" />

    <!-- Use the whole sub claim unchanged -->
    <UserNameMapping
        Claim="sub"
        Match="(.+)"
        DatabaseName="${1}" />

    <!-- Two letters followed by six digits, joined with an underscore -->
    <UserNameMapping
        Claim="qlid"
        Match="(\w{2})(\d{6})"
        DatabaseName="${1}_${2}" />
</Mechanism>
Where the Match pattern is a POSIX regular expression.
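Added example (not part of the Teradata documentation or of TDGSS itself): a small Python simulator that loads UserNameMapping entries from a constructed copy of the configuration above and applies them to a decoded JWT payload. Because the page does not say, it assumes that entries are tried in document order, that the first entry whose claim is present and whose pattern matches the entire claim value wins, and that ${n} refers to capture group n; Python's re module stands in for the POSIX regex engine, which is adequate for the \w and \d patterns shown here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the UserNameMapping entries from this page, without the
# MechanismProperties element, which plays no part in username mapping.
SAMPLE_CONFIG = r"""
<Mechanism Name="JWT">
    <UserNameMapping Claim="preferred_username"
                     Match="(\w+)@([\w+.]+)"
                     DatabaseName="${1}" />
    <UserNameMapping Claim="qlid"
                     Match="(\w{2})(\d{6})"
                     DatabaseName="${1}_${2}" />
    <UserNameMapping Claim="sub"
                     Match="(.+)"
                     DatabaseName="${1}" />
</Mechanism>
"""


def load_mappings(xml_text):
    """Return (claim, compiled pattern, DatabaseName template) in document order."""
    root = ET.fromstring(xml_text)
    return [(node.get("Claim"),
             re.compile(node.get("Match")),
             node.get("DatabaseName"))
            for node in root.findall("UserNameMapping")]


def map_username(payload, mappings):
    """Derive the database username from a decoded JWT payload (dict of claims).

    Assumed semantics (hypothetical, not stated on the page): first matching
    entry wins, and the pattern must match the whole claim value. Requiring a
    full match means a value such as 'xys@company.com/extra' is rejected
    rather than silently mapped to 'xys'.
    """
    for claim, pattern, template in mappings:
        value = payload.get(claim)
        if not isinstance(value, str):
            continue
        m = pattern.fullmatch(value)
        if m is None:
            continue
        # Expand ${n} placeholders with the corresponding capture group.
        return re.sub(r"\$\{(\d+)\}",
                      lambda g: m.group(int(g.group(1))) or "",
                      template)
    return None  # no entry applied; the logon cannot be mapped
```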