Prerequisite
Before using single sign-on and role-based access privileges, ensure the following prerequisites are met.
- If you are a new Vantage customer, Teradata enables Single Sign-on (SSO) during provisioning.
- If you are an existing Vantage customer, and don't yet have SSO, submit a change request to have Teradata enable it.
With SSO enabled, complete the self-service configuration steps found in Configuring Single Sign-On in Teradata Vantage™ - Analytics Database Security Administration guide.
Upon completing the self-service configuration steps, you'll receive an email from Teradata about completing SSO configuration using federated authentication. Complete the tasks described in the email.
- Use the link in the email to access the Identity configuration page.
- Use the link in the email to reset your password.
- Complete the multi-factor authentication (MFA) flow using the passcode sent to your email. This is the same email address you use to log on to the Vantage Console.
- Select . If you don't see the icon, contact your system security or cloud administrator. Only the Day0 admin with Customer Admin or Cloud Service Owner privileges can access Identity configuration.
- In the Settings section, enter a unique Name for the IdP configuration.
- Enter the Domain of the email client, for example, mycompany.com.
You can add multiple unique email domains as comma-separated values. For example, if your organization uses the email addresses xyz@mycompany.com and xyz@abc.mycompany.in, type mycompany.com, abc.mycompany.in.
If you are a new customer using SSO, you can use multiple domains. If you are an existing customer using SSO, submit a change request to enable it.
- Enter Vantage Site IDs for this IdP. Configure the Sites that you intend to use with this Identity provider. You can add multiple SITEIDs as comma-separated values. Note that SITEIDs are case sensitive. For example, if your organization uses one site for Dev (TDIDEV01) and another site for prod (TDIPRD01), type TDIDEV01,TDIPRD01 (with no spaces).
- Use the menu to select the SSO protocol.

| Protocol Option | Values |
|---|---|
| SAML | Identifier (Entity ID): https://login.customer.teradata.com |
| | Reply URL: https://login.customer.teradata.com/sp/ACS.sam12 |
| OpenID (OIDC) | When selecting the OIDC protocol, copy the redirect URL from the Vantage Console Identity page and use it in your cloud service IdP application to complete the IdP configuration with Vantage IdP. |

- In the Claims section, enter the following attributes to establish the user mapping.

| Attribute Name | Description |
|---|---|
| Subject | Subject mapped to the SSO protocol |
| User_name | Username associated with the Vantage user account. This username is mapped to the database username. |
| Groups | Group ID/Name for the users pertaining to a claim. A maximum of 30 groups are allowed in a claim. |
| Name | Display name of the user |
| FirstName | First name of the user |
| LastName | Last name of the user |
| Email | Email of the user |

- In the Roles Mapping section, select the following attributes. These attributes assign roles to users, following the principle of least privilege, to access backup as a service (BaaS) capabilities.

| Attribute Name | Description |
|---|---|
| TD-BaaS-Admin | Role with privileges to create backup and restore jobs and manage their schedules. |

- Select Save.

If any changes are required after configuring SSO, the Day0 administrator can make those changes using the Identity page.
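
The following pre-flight check is an added example, not Teradata code: it validates the Domain and SITEID field values and one user's claim set against the limits stated above before you enter them on the Identity page. The function names, the dict layout of the claims, treating Groups as a list, and treating every listed attribute as expected are assumptions made for illustration.

```python
# Pre-flight checks for the values entered on the Identity page (added example).
# Assumptions: claims are a dict, Groups is a list, all listed attributes expected.
REQUIRED_CLAIMS = ("Subject", "User_name", "Groups", "Name",
                   "FirstName", "LastName", "Email")
MAX_GROUPS = 30  # "A maximum of 30 groups are allowed in a claim."


def parse_domains(raw):
    """Split the comma-separated Domain field; reject malformed or duplicate entries."""
    domains = [d.strip().lower() for d in raw.split(",")]
    if any(not d or "@" in d or "." not in d for d in domains):
        raise ValueError("each domain must look like mycompany.com")
    if len(set(domains)) != len(domains):
        raise ValueError("domains must be unique")
    return domains


def parse_site_ids(raw):
    """Split the SITEID field; case is preserved because SITEIDs are case sensitive."""
    if any(ch.isspace() for ch in raw):
        raise ValueError("SITEIDs must be comma-separated with no spaces")
    site_ids = raw.split(",")
    if any(not s for s in site_ids) or len(set(site_ids)) != len(site_ids):
        raise ValueError("SITEIDs must be non-empty and unique")
    return site_ids


def check_claims(claims, domains):
    """Return a list of problems found in one user's claim set (empty list = OK)."""
    problems = [f"missing claim: {name}" for name in REQUIRED_CLAIMS
                if not claims.get(name)]
    groups = claims.get("Groups") or []
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS}")
    email = claims.get("Email") or ""
    if email and email.rpartition("@")[2].lower() not in domains:
        problems.append(f"email domain not in IdP configuration: {email}")
    return problems


# Constructed sample input; field values reuse the examples given on this page.
DOMAINS = parse_domains("mycompany.com, abc.mycompany.in")
SITES = parse_site_ids("TDIDEV01,TDIPRD01")
SAMPLE = {"Subject": "u-1001", "User_name": "jdoe", "Name": "J Doe",
          "FirstName": "J", "LastName": "Doe", "Email": "jdoe@mycompany.org",
          "Groups": [f"grp{i}" for i in range(31)]}

if __name__ == "__main__":
    print("\n".join(check_claims(SAMPLE, DOMAINS)))
```

Domain matching here is exact, so a subdomain such as abc.mycompany.in passes only when it is listed separately, as in the example on this page.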