Validation by Token Exchange - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

SSO validation by token exchange.

For external authentication, TDGSS first determines whether a JWT was issued by the Central IdP or by an external identity provider, using the issuer ("iss") claim in the JWT payload. A JWT from an external IdP is exchanged with the Central IdP for a JWT issued by the Central IdP, and TDGSS then validates that token before the user is authenticated. The client application authenticates to the database as follows:

  1. When the client authenticates, the Gateway sends the client a configuration response containing the ClientId (such as sso-dev) and the IdpUrl (such as https://sso-idp-dev.iam.teradatacloud.io/.well-known/openid-configuration). This information is defined in the <GlobalValues> section of TdgssUserConfigFile.xml.
  2. The client requests a JWT from the external IdP.
  3. The client sends the JWT to the Gateway to log the session on.
  4. The Gateway validates the token:
    1. TDGSS examines the payload to get the issuer claim.
    2. TDGSS gets the Central IdP issuer from the TDGSS configuration.
    3. TDGSS compares the Central IdP issuer with the JWT "iss" claim.
  5. If the issuers don't match, the JWT did not come from the Central IdP and a token exchange is attempted:
    1. From the configuration, TDGSS gets the issuer of the configured external identity provider.
    2. TDGSS compares the external IdP issuer with the "iss" claim from the JWT.
    3. If they don't match, an error is generated and the user is not authenticated.
    4. If they match, TDGSS makes a REST API call to the Central IdP to exchange the external JWT for a JWT issued by the Central IdP.
  6. TDGSS validates the Central IdP JWT (the original JWT if the issuers matched in step 4, otherwise the exchanged JWT).
  7. The JWT is saved in the session control table so that it can be used to authenticate to other Vantage services.

To configure the JWT mechanism for validation by token exchange, see Validation by Token Exchanger.

The following table lists the parameters required to obtain an exchanged token from the central IdP:

Parameter
  Description

subject_issuer
  The alias under which the external IdP (the issuer of the subject token) is registered with the central IdP. This parameter is required only by the central IdP.

subject_token
  A valid JWT access token issued by the external IdP.

client_id
  The client ID of the target application registered with the central IdP that will use the exchanged token. The mappers associated with this client determine the content of the exchanged token.

client_secret
  The client secret of the target application.

subject_token_type
  Constant value: urn:ietf:params:oauth:token-type:access_token

grant_type
  Constant value: urn:ietf:params:oauth:grant-type:token-exchange

token_endpoint
  The /token endpoint of the central IdP. It is usually a URL of the form:
  https://<idp-host>/auth/realms/<realm name>/protocol/openid-connect/token
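The issuer check and exchange request described in the numbered steps above and in the parameter table, as an added Python example. This is not Teradata's TDGSS code; it models the decision logic and the form body of the exchange call. The issuer URLs, the external IdP alias, the client secret and the fake_exchange stand-in for the central IdP's /token endpoint are constructed assumptions, the exchange call is injected so the code runs offline, and the sample JWTs are unsigned, so no signature validation takes place here.

```python
"""Added example: issuer routing and token-exchange request for the TDGSS flow.
Not Teradata's code. All hostnames, aliases and secrets below are constructed."""
import base64
import json
from typing import Callable
from urllib.parse import urlencode

# Constructed configuration (assumptions, modelled on the page's examples)
CENTRAL_ISSUER = "https://sso-idp-dev.iam.teradatacloud.io/auth/realms/central"
EXTERNAL_ISSUER = "https://idp.example.com"
EXTERNAL_ALIAS = "corp-idp"        # alias of the external IdP at the central IdP (subject_issuer)
CLIENT_ID = "sso-dev"
CLIENT_SECRET = "constructed-secret-do-not-use"
TOKEN_ENDPOINT = CENTRAL_ISSUER + "/protocol/openid-connect/token"

# Constant values from the parameter table
SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for the constructed samples (alg none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def read_issuer(jwt: str) -> str:
    """Step 4.1: read the 'iss' claim from the payload. This parses only; it verifies nothing."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    iss = json.loads(_b64url_decode(parts[1])).get("iss")
    if not isinstance(iss, str) or not iss:
        raise ValueError("missing iss claim")
    return iss


def build_exchange_request(subject_token: str) -> dict:
    """Form parameters for the exchange call, exactly the fields listed in the table."""
    return {
        "grant_type": GRANT_TYPE,
        "subject_token_type": SUBJECT_TOKEN_TYPE,
        "subject_token": subject_token,
        "subject_issuer": EXTERNAL_ALIAS,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


def obtain_central_jwt(jwt: str, exchange: Callable[[str, dict], str]) -> str:
    """Steps 4 to 6: decide by issuer and return a JWT issued by the central IdP, or raise.
    `exchange(token_endpoint, form)` performs the REST call and is injected for offline use."""
    iss = read_issuer(jwt)
    if iss == CENTRAL_ISSUER:                     # step 4.3: exact match, no exchange needed
        return jwt
    if iss != EXTERNAL_ISSUER:                    # step 5.3: unknown issuer, reject
        raise PermissionError(f"untrusted issuer: {iss}")
    exchanged = exchange(TOKEN_ENDPOINT, build_exchange_request(jwt))   # step 5.4
    if read_issuer(exchanged) != CENTRAL_ISSUER:  # step 6: the result must be central-issued
        raise PermissionError("exchange returned a token from an unexpected issuer")
    return exchanged


def fake_exchange(token_endpoint: str, form: dict) -> str:
    """Constructed stand-in for the central IdP /token endpoint; checks the form and mints a token."""
    if token_endpoint != TOKEN_ENDPOINT:
        raise ValueError("wrong endpoint")
    if form["grant_type"] != GRANT_TYPE or form["subject_token_type"] != SUBJECT_TOKEN_TYPE:
        raise ValueError("unsupported exchange request")
    if form["subject_issuer"] != EXTERNAL_ALIAS or form["client_id"] != CLIENT_ID:
        raise ValueError("unknown subject_issuer or client")
    subject = json.loads(_b64url_decode(form["subject_token"].split(".")[1]))["sub"]
    return make_unsigned_jwt({"iss": CENTRAL_ISSUER, "sub": subject, "azp": form["client_id"]})


if __name__ == "__main__":
    external = make_unsigned_jwt({"iss": EXTERNAL_ISSUER, "sub": "alice"})   # constructed input
    print("exchange body:", urlencode(build_exchange_request(external))[:90], "...")
    print("central issuer after exchange:", read_issuer(obtain_central_jwt(external, fake_exchange)))
```

Two points the flow depends on: the issuer comparison is an exact string match against configured values, never a prefix or substring match; and the "iss" read before the exchange is an unverified claim that only selects a route, so a forged issuer can at most cause a rejection or a failed exchange. The only token that grants access is the central IdP JWT validated in step 6, which is why the example re-checks the issuer of the exchanged token as well.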