Validation by Token Exchange - Advanced SQL Engine - Teradata Database

For external authentication, TDGSS exchanges the JWT with Central IdP, and after the exchange TDGSS validates the user. This is done by identifying if the JWT comes from Central IdP or from an external identity provider. TDGSS uses the issuer “iss” claim in the JWT payload to identify the identity provider. The client application attempts to authenticate to the database as follows:

1. When the client authenticates, the Gateway sends the client a configuration response containing the ClientId (such as sso-dev) and the IdpUrL (such as https://sso-idp-dev.iam.teradatacloud.io/.well-known/openid-configuration). This information is defined in the TdgssUserConfigFile.xml in the <GlobalValues> section.
2. The client then requests a JWT token from the external IdP.
3. The client sends the JWT to the Gateway to log the session on.
4. The Gateway validates the token:
   1. TDGSS peeks into the payload to get the issuer claim.
   2. TDGSS gets the Central IdP issuer claim from the TDGSS configuration.
   3. TDGSS compares the Central IdP issuer and the JWT “iss” claim.
5. Validation by Token Exchange: If the issuers don’t match, a token exchange is done:
   1. From the configuration, TDGSS gets the issuer of the configured external identity provider.
   2. TDGSS compares the external IdP issuer and the “iss” claim from the JWT.
   3. If they don’t match, an error is generated and the user is not authenticated.
   4. If they match, a REST API call is made to exchange the JWT from the Central IdP.
6. After exchanging the JWT from Central IdP, TDGSS validates the JWT.
7. The JWT is saved in the session control table to use it to authenticate to other Vantage services.

To configure the JWT mechanism for token exchanger validation, see Validation by Token Exchanger.

The following table shows the required information to get an exchange token from the central IdP: