Security and authentication

New features for security and authentication.

OAuth2 security configuration parameters

There are new security configuration parameters that provide more control for users created with just-in-time (JIT) provisioning:

  • OAuth2JITRolesClaimName: Identifies an IdP role claim. JIT-provisioned users are automatically assigned the claim roles as default roles. This parameter replaces OAuth2JITClient.
  • OAuth2JITGroupsClaimName: Identifies an IdP group claim. JIT-provisioned users are automatically assigned the group claim name or group claim roles as default roles.
  • OAuth2JITForbiddenRoles: Restricts the specified roles during automatic role assignment.

For details, see Security parameters.

OAuth authentication parameters

Vertica provides the following OAuth authentication parameters that configure an OAuth authentication record that uses JIT provisioning:

  • groups_claim_name
  • oauth2_jit_authorized_roles
  • role_group_suffix
  • roles_claim_name

For details about each parameter, see OAuth authentication parameters.

Automatic role assignment for JWT validation

Vertica supports automatic role assignment for just-in-time (JIT) provisioned users whose authentication records use the JWT validation type.

For details, see Just-in-time user provisioning.

The LDAP Link service now supports fixed schedules with LDAPLinkCron. This acts as an alternative to LDAPLinkInterval.

LDAPLinkInterval calculates the time of the next synchronization based on the completion time of the last synchronization. For example, suppose LDAPLinkInterval is set to 24 hours. If synchronization starts at 9:00 AM and finishes in 30 minutes, the next synchronization will occur at 9:30 AM the next day.

The new LDAPLinkCron parameter lets you designate an exact time for the synchronization with a cron expression, so that the completion time of one synchronization doesn't affect the start time of the next. Value separators are not currently supported.

For details, see LDAP link parameters.

For example, to run the LDAP Link synchronization operation on the second day of every month at 7:00 PM:

=> ALTER DATABASE DEFAULT SET LDAPLinkCron='0 19 2 * *';  -- fields: minute hour day-of-month month day-of-week
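The difference between the two scheduling modes is easiest to see by computing a few start times under each. The following is an added illustration, not Vertica code; it assumes LDAPLinkCron follows standard five-field cron semantics (minute, hour, day-of-month, month, day-of-week) and, matching the note above, supports only `*`, a single value and `*/n` steps per field, with no comma-separated lists.

```python
from datetime import datetime, timedelta
from typing import List

def _field_matches(spec: str, value: int, low: int) -> bool:
    """One cron field: '*', a single number, or a '*/n' step counted from the
    field's lowest value (no ',' separators, as the page notes)."""
    if spec == "*":
        return True
    if spec.startswith("*/"):
        return (value - low) % int(spec[2:]) == 0
    return value == int(spec)

def cron_matches(expr: str, t: datetime) -> bool:
    """Five-field expression; day-of-week uses 0 = Sunday."""
    minute, hour, dom, month, dow = expr.split()
    return (_field_matches(minute, t.minute, 0)
            and _field_matches(hour, t.hour, 0)
            and _field_matches(dom, t.day, 1)
            and _field_matches(month, t.month, 1)
            and _field_matches(dow, (t.weekday() + 1) % 7, 0))

def next_cron_run(expr: str, after: datetime) -> datetime:
    """First whole minute strictly after `after` that matches the expression."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # scan at most one year, minute by minute
        if cron_matches(expr, t):
            return t
        t += timedelta(minutes=1)
    raise ValueError("no matching time within a year")

def interval_schedule(first_start: datetime, interval: timedelta,
                      duration: timedelta, runs: int) -> List[datetime]:
    """LDAPLinkInterval semantics: next start = previous completion + interval,
    so every run pushes the start time later by `duration`."""
    starts, start = [], first_start
    for _ in range(runs):
        starts.append(start)
        start = start + duration + interval
    return starts

def cron_schedule(expr: str, first_start: datetime,
                  duration: timedelta, runs: int) -> List[datetime]:
    """LDAPLinkCron semantics: each start is the next expression match after the
    previous completion, so the start time does not drift with run duration."""
    starts, done = [], first_start
    for _ in range(runs):
        start = next_cron_run(expr, done)
        starts.append(start)
        done = start + duration
    return starts
```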