SSO Configuration | Identity Provider (IdP) | VantageCloud Enterprise - Configuring Single Sign-On - Teradata Vantage

Teradata® VantageCloud Enterprise

Deployment: VantageCloud
Edition: Enterprise
Product: Teradata Vantage
Release Number: 2.4.4
Published: February 2024
Language: English (United States)
Last Update: 2024-02-16
Product Category: Teradata Vantage
Prerequisite

Before using single sign-on and role-based access privileges, ensure the following prerequisites are met.

  • If you are a new Vantage customer, Teradata enables Single Sign-on (SSO) during provisioning.
  • If you are an existing Vantage customer, and don't yet have SSO, submit a change request to have Teradata enable it.
With SSO enabled, complete the self-service configuration steps found in Configuring Single Sign-On in the Teradata Vantage™ - Analytics Database Security Administration guide.

Upon completing the self-service configuration steps, you'll receive an email from Teradata about completing SSO configuration using federated authentication. Complete the tasks described in the email.

  1. Use the link in the email to access the Identity configuration page.
  2. Use the link in the email to reset your password.
  3. Complete the multi-factor authentication (MFA) flow using the passcode sent to your email.
    This is the same email address you use to log on to the Vantage Console.
  4. Select .
    If you don't see the icon, contact your system security or cloud administrator. Only the Day0 admin with Customer Admin or Cloud Service Owner privileges can access Identity configuration.
  5. In the Settings section, enter a unique Name for the IdP configuration.
  6. Enter the Domain of the email client, for example, mycompany.com.

    You can add multiple unique email domains as comma-separated values. For example, if your organization uses the email addresses xyz@mycompany.com and xyz@abc.mycompany.in, type mycompany.com, abc.mycompany.in.

    If you are a new customer using SSO, you can use multiple domains. If you are an existing customer using SSO, submit a change request to enable multiple domains.
  7. Enter Vantage Site IDs for this IdP.
    Configure the Sites that you intend to use with this Identity provider. You can add multiple SITEIDs as comma-separated values. Note that SITEIDs are case sensitive. For example, if your organization uses one site for Dev (TDIDEV01) and another site for prod (TDIPRD01), type TDIDEV01,TDIPRD01 (with no spaces).
  8. Use the menu to select the SSO protocol.
    | Protocol | Option Values |
    |---|---|
    | SAML | Identifier (Entity ID): https://login.customer.teradata.com; Reply URL: https://login.customer.teradata.com/sp/ACS.sam12 |
    | OpenID (OIDC) | When selecting the OIDC protocol, copy the redirect URL from the Vantage Console Identity page and use it in your cloud service IdP application to complete the IdP configuration with Vantage IdP. |
  9. In the Claims section, enter the following attributes to establish the user mapping.
    | Attribute Name | Description |
    |---|---|
    | Subject | Subject mapped to the SSO protocol |
    | User_name | Username associated with the Vantage user account. This username is mapped to the database username. |
    | Groups | Group ID/Name for the users pertaining to a claim. A maximum of 30 groups are allowed in a claim. |
    | Name | Display name of the user |
    | FirstName | First name of the user |
    | LastName | Last name of the user |
    | Email | Email of the user |
  10. In the Roles Mapping section, select the following attributes. These attributes assign roles to users, following the principle of least privilege, to access backup as a service (BaaS) capabilities.
    | Attribute Name | Description |
    |---|---|
    | TD-BaaS-Admin | Role with privileges to create backup and restore jobs and manage their schedules. |
  11. Select Save.
    If any changes are required after configuring SSO, the Day0 administrator can make those changes using the Identity page.
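
The constraints in steps 6, 7 and 9 (comma-separated unique domains, case-sensitive SITEIDs with no spaces, at most 30 groups in a claim) are easy to get wrong when typed by hand. The following is an added example, not Teradata code, that checks those values and a decoded claim set before you test the SSO flow. The function names, the sample claim set, the exact-match rule for email domains, and the treatment of all seven attributes as required are assumptions.

```python
# Added example (not Teradata code): pre-flight checks for steps 6, 7 and 9.
# Function names and sample values are hypothetical/constructed.
REQUIRED_CLAIMS = ("Subject", "User_name", "Groups", "Name",
                   "FirstName", "LastName", "Email")  # assumed all required
MAX_GROUPS = 30  # step 9: at most 30 groups in a claim


def parse_csv_field(raw, strip_spaces):
    """Split a comma-separated field and report entries the form may reject."""
    items = raw.split(",")
    if strip_spaces:  # domains: the page's example has a space after the comma
        items = [i.strip() for i in items]
    problems = []
    for item in items:
        if not item:
            problems.append("empty entry")
        elif any(c.isspace() for c in item):
            problems.append(f"whitespace in {item!r}")
    if len(set(items)) != len(items):
        problems.append("duplicate entry")
    # SITEIDs are case sensitive: IDs differing only by case are distinct
    # values, which usually means one of them is a typo.
    if len({i.lower() for i in items}) != len(set(items)):
        problems.append("entries differ only by case")
    return items, problems


def check_claims(claims, domains):
    """Return problems found in a decoded claim set (empty list if clean)."""
    problems = [f"missing claim {n}" for n in REQUIRED_CLAIMS
                if not claims.get(n)]
    groups = claims.get("Groups") or []
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} groups exceeds {MAX_GROUPS}")
    # Assumption: the email domain must exactly equal a configured domain,
    # since the page lists the subdomain abc.mycompany.in as its own entry.
    email = claims.get("Email") or ""
    domain = email.rpartition("@")[2].lower()
    if email and domain not in {d.lower() for d in domains}:
        problems.append(f"email domain {domain!r} not configured")
    return problems


if __name__ == "__main__":
    domains, _ = parse_csv_field("mycompany.com, abc.mycompany.in", True)
    print(parse_csv_field("TDIDEV01, TDIPRD01", False)[1])  # space after comma
    sample = {"Subject": "u1", "User_name": "jdoe", "Name": "J Doe",
              "FirstName": "J", "LastName": "Doe", "Email": "jdoe@other.com",
              "Groups": [f"g{i}" for i in range(31)]}  # constructed claim set
    print(check_claims(sample, domains))
```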