17.20 - User Name Mappings - Analytics Database - Teradata Vantage

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07

The UserNameMapping section of TdgssUserConfigFile.xml controls how the database username is parsed out of a JWT. By default, the JWT mechanism uses the subject (sub) claim from the JWT payload as the database logon username. However, the claim that carries the username may be different for each identity provider, or the claim may need to be parsed so that only a portion of it is used as the username.

For example, if a JWT has a preferred_username claim whose value is an email address like xys@company.com, the email address must be mapped to xys because an email address cannot be used as a database username. In the example, the UserNameMapping section names the preferred_username claim: Claim="preferred_username". The claim value is matched against the regular expression pattern in Match. If it matches, DatabaseName is set to $1 (written ${1} in the configuration), the first capture group of the Match pattern. In this example, $1 is xys, so xys is used as the database username.

<Mechanism Name="JWT">
    <MechanismProperties
        JWTDynamicKey="yes|no"
        JWTokenExchange="yes|no"
        JWTClientTlsCACertDir="</opt/teradata/tdat/site/xyz/abc>"
    .../>

    <UserNameMapping
        Claim="preferred_username"
        Match="(\w+)@([\w+.]+)"
        DatabaseName="${1}" />

    <UserNameMapping
        Claim="sub"
        Match="(\w+)|(\w+)"
        DatabaseName="Auth_${2}" />

    <UserNameMapping
        Claim="sub"
        Match="(.+)"
        DatabaseName="${1}" />

    <UserNameMapping
        Claim="qlid"
        Match="(\w{2})(\d{6})"
        DatabaseName="${1}_${2}" />
</Mechanism>

where the Match pattern is a POSIX regular expression.
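
The following is an added example, not Teradata code: a pre-deployment check that runs the four mapping rules above over constructed JWT payloads and reports database usernames reached by more than one distinct identity. Assumptions: the entries are evaluated in order and the first match wins, matching is an unanchored search, an unmatched group expands to an empty string, and Python's re module stands in for the POSIX regular expression engine. The names map_username and find_collisions are hypothetical.

```python
import re

# Rules copied from the UserNameMapping entries on this page: (Claim, Match, DatabaseName).
RULES = [
    ("preferred_username", r"(\w+)@([\w+.]+)", "${1}"),
    ("sub", r"(\w+)|(\w+)", "Auth_${2}"),
    ("sub", r"(.+)", "${1}"),
    ("qlid", r"(\w{2})(\d{6})", "${1}_${2}"),
]

def map_username(claims, rules=RULES):
    """Return the database username from the first rule whose claim is present
    and whose pattern matches (assumed semantics), or None if no rule applies."""
    for claim, pattern, template in rules:
        value = claims.get(claim)
        m = re.search(pattern, value) if value is not None else None  # assumption: unanchored
        if m:
            # Expand ${n}; a group that took no part in the match expands to "" (assumption).
            return re.sub(r"\$\{(\d+)\}", lambda g: m.group(int(g.group(1))) or "", template)
    return None

def find_collisions(payloads, rules=RULES):
    """Map each payload and return {username: count} for names shared by >1 distinct payload."""
    seen = {}
    for p in payloads:
        name = map_username(p, rules)
        if name is not None:
            seen.setdefault(name, set()).add(tuple(sorted(p.items())))
    return {n: len(ids) for n, ids in seen.items() if len(ids) > 1}

# Constructed payloads, standing in for tokens already verified and decoded elsewhere.
SAMPLES = [
    {"preferred_username": "xys@company.com"},
    {"preferred_username": "xys@other.example"},
    {"qlid": "ab123456"},
    {"sub": "idp|12345"},
    {"sub": "svc_reports"},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", map_username(p))
    for name, count in find_collisions(SAMPLES).items():
        print("collision:", name, "<-", count, "distinct identities")
```

Under these assumptions the first sub rule always matches through its first group, so ${2} is empty and every sub value maps to Auth_; in a POSIX extended regular expression a literal | is written \|. The preferred_username rule discards the domain, so the same local part from two different domains maps to one database username.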