Security and authentication
OAuth2 security configuration parameters
There are new security configuration parameters that provide more control for users created with just-in-time (JIT) provisioning:
OAuth2JITRolesClaimName: Identifies an IdP role claim. JIT-provisioned users are automatically assigned the claim roles as default roles. This parameter replaces OAuth2JITClient.
OAuth2JITGroupsClaimName: Identifies an IdP group claim. JIT-provisioned users are automatically assigned the group claim name or group claim roles as default roles.
OAuth2JITForbiddenRoles: Restricts the specified roles during automatic role assignment.
For details, see Security parameters.
OAuth authentication parameters
Vertica provides the following OAuth authentication parameters that configure an OAuth authentication record that uses JIT provisioning:
groups_claim_name
oauth2_jit_authorized_roles
role_group_suffix
roles_claim_name
For details about each parameter, see OAuth authentication parameters.
Automatic role assignment for JWT validation
Vertica supports automatic role assignment for just-in-time provisioned (JIT) users that use authentication records with the JWT validation type.
For details, see Just-in-time user provisioning.
Fixed schedules for LDAP Link
The LDAP Link service now supports fixed schedules with LDAPLinkCron. This acts as an alternative to LDAPLinkInterval.
LDAPLinkInterval calculates the time of the next synchronization based on the completion time of the last synchronization. For example, suppose LDAPLinkInterval is set to 24 hours. If synchronization starts at 9:00 AM and finishes in 30 minutes, the next synchronization will occur at 9:30 AM the next day.
The new LDAPLinkCron parameter lets you designate an exact time for the synchronization with a cron expression so that the completion time doesn't affect the next runtime. Value separators are not currently supported.
For details, see LDAP link parameters.
For example, to run the LDAP Link synchronization operation on the second day of every month at 7:00 PM:
=> ALTER DATABASE DEFAULT SET LDAPLinkCron='0 19 2 * *';
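As an added example, not Vertica's own code, the following Python script models the two scheduling behaviours described above: interval_schedule follows LDAPLinkInterval (the countdown starts when the previous synchronization completes) and cron_schedule follows LDAPLinkCron (fixed cron slots). The five-field cron matcher is a minimal stand-in, not Vertica's parser, and it assumes standard cron semantics with only '*', plain numbers and '*/n' steps (no comma-separated values, matching the note above); it also shows why '2' and '*/2' in the day-of-month field fire on different days.

```python
from datetime import datetime, timedelta


def _field_matches(spec: str, value: int, first: int) -> bool:
    """Match one cron field: '*', a plain number, or a '*/n' step.
    Comma lists are deliberately unsupported (value separators are not supported)."""
    if spec == "*":
        return True
    if spec.startswith("*/"):
        return (value - first) % int(spec[2:]) == 0
    return int(spec) == value


def cron_next(expr: str, after: datetime) -> datetime:
    """First minute strictly after `after` matching a 5-field cron expression
    (minute hour day-of-month month day-of-week, Sunday = 0). Assumed standard cron."""
    minute, hour, dom, month, dow = expr.split()
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # bound the scan to about one year
        if (_field_matches(minute, t.minute, 0) and _field_matches(hour, t.hour, 0)
                and _field_matches(dom, t.day, 1) and _field_matches(month, t.month, 1)
                and _field_matches(dow, t.isoweekday() % 7, 0)):
            return t
        t += timedelta(minutes=1)
    raise ValueError(f"no match for {expr!r} within a year")


def interval_schedule(start: datetime, interval: timedelta, durations: list) -> list:
    """LDAPLinkInterval semantics: the next sync starts `interval` after the previous
    sync completes, so every run drifts later by the previous sync's duration."""
    runs, t = [], start
    for d in durations:
        runs.append(t)
        t = t + d + interval
    return runs


def cron_schedule(expr: str, start: datetime, durations: list) -> list:
    """LDAPLinkCron semantics: the next sync starts at the first cron match after the
    previous sync completes, so the completion time never moves the slot."""
    runs, t = [], start
    for d in durations:
        runs.append(t)
        t = cron_next(expr, t + d)
    return runs


# Constructed scenario from the text: a daily sync that starts at 9:00 AM and takes 30 minutes.
SCENARIO_START = datetime(2024, 1, 1, 9, 0)
SYNC_DURATION = timedelta(minutes=30)
ONE_DAY = timedelta(hours=24)

if __name__ == "__main__":
    print("interval:", interval_schedule(SCENARIO_START, ONE_DAY, [SYNC_DURATION] * 3))
    print("cron:    ", cron_schedule("0 9 * * *", SCENARIO_START, [SYNC_DURATION] * 3))
```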