17.10 - Local Validation - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
Release Date
July 2021
Content Type
Publication ID
English (United States)
SSO local validation

For local validation, the client application attempts to authenticate to the database as follows:

  1. When the client authenticates, the Gateway sends the client a configuration response containing the ClientId (such as sso-dev) and the IdpUrL (such as https://sso-idp-dev.iam.teradatacloud.io/.well-known/openid-configuration). This information is defined in the TdgssUserConfigFile.xml in the <GlobalValues> section.
  2. The client then requests a JWT token from the external IdP.
  3. The client sends the JWT to the Gateway to log the session on.
  4. The Gateway validates the token:
    1. TDGSS peeks into the payload to get the issuer claim.
    2. TDGSS gets the External IdP issuer claim from the TDGSS configuration.
    3. TDGSS compares the External IdP issuer and the JWT “iss” claim.
  5. Local Validation: If the two issuers match, TDGSS validates the connection locally. Gateway validates with a key that corresponds to the token. The key is retrieved from the JWK URI, which is published by IdP as OpenId Connect configuration (https://<External IdP url>/.well-known/openid-configuration).

To configure the JWT mechanism for local validation, see Local Validation.