CREATE EXTERNAL AUTHENTICATION

Configures a Yellowbrick Instance to authenticate with an external IDP. The information supplied in this command tells the instance how to validate a supplied JWT token, and how to map the named claim to a database username.

Authentication properties are stored in the system view sys.external_authentication.

CREATE EXTERNAL AUTHENTICATION name
ISSUER ‘string’
USER_MAPPING_CLAIM ‘string’
GRANT (role_name [, role_name] …)
GRANT_CLAIM 'grant_claim'
[ AUDIENCE ('string', [, 'string'] ...) ]
[ AZP 'string' ]
[ ALLOWED_ROLES (role_name [, role_name] …) ]
[ DISALLOWED_ROLES (role_name [, role_name] …) ]
[ KEY 'public_key' ]
[ AUTO_CREATE true | false ]
[ ENABLED true | false ]

ISSUER: The issuer identifier established in the IDP integration, created in Yellowbrick Manager or through Kubernetes CRDs. Typically this is the URL of the authorization server that issues the JWT. Required.
USER_MAPPING_CLAIM: A property-name in the payload of the JWT whose value is to map to a Yellowbrick database user. For example, email or preferred_username. Required.
GRANT: The names of Yellowbrick database roles that this database user should be a member of when auto-creating a role. Optional as long as there is a GRANT_CLAIM. The database roles need not be present when issuing this command.
GRANT_CLAIM: The name of a claim in the JWT that holds a list of database role names that the auto-created user is made a member of. Optional as long there is a GRANT.
AUDIENCE: A list of strings, any of which that must match the aud claim of the JWT. Optional. During JWT validation, one of the strings supplied in here must match. Note that if the aud claim in the JWT is a list of strings, then any of those strings must match the ones supplied here.
AZP: Name of the authorized party that must be present in the azp claim of the JWT. Optional.
ALLOWED_ROLES: List of primary login roles that will pass authentication. Optional. This check is skipped if the list is empty.
DISALLOWED_ROLES: List of primary login roles that will fail authentication. Optional. Can be used to selectively disallow named login roles.
AUTO_CREATE: If true, then automatically create the database user if it does not exist. Optional. If not specified, defaults to false.
ENABLED: If true, then this authentication is active. Optional. If not specified, defaults to false.
PUBLIC_KEY: The public key of the issuer for verification of JWTs. Optional. Normally the public key is fetched from the issuer on demand when validating JWTs; specifying a key here disables this behavior.

Configuring SSL/TLS for Tools and Drivers

Secure Connections for ODBC/JDBC Clients and ybsql

sys.lock

Bulk Load Examples

Running a Bulk Load

Loading Tables from Parquet Files

ybload Command

Loading from Amazon S3

Loading from Azure Blob Storage

Setting up and Running a Spark Job

Setting Up the ybrelay Service

LDAP Authentication

Synchronizing Users and Groups

Appliance: Disk Encryption

Setting Up Encrypted Drives

Remote Diagnostics

System Alerts

Creating an Alert Endpoint

Using the System Management Console

ybcli Reference

ybcli: config

AWS Marketplace

Create Stack

Docker

Cloud: Configuration

Vanity DNS

Yellowbrick Manager

Cloud: Enterprise Edition Getting Started

SQL-Based Loads from External Storage

Cloud: Installation

CLI Install Instructions

Permissions

Private Install Instructions

Public Install Instructions

Cloud: Kubernetes Guides

CREATE EXTERNAL FORMAT

CREATE EXTERNAL TABLE

CREATE TABLE

GRANT

Plan Hinting

SELECT

GROUP BY Clause

Subqueries

Data Type Casting

DECIMAL

JSON

JSONB

SQL String Constants

Aggregate Functions

Conditional Expressions

Datetime Functions

Formatting Functions

Geospatial functions

Mathematical Functions

Network Address Functions

Pattern Matching

Regular Expression Details

SQL Operators and Pattern Matching Functions

SQL Conditions

SQL User Defined Function (UDF)

SQL UDF Create Function

String Functions

ENCRYPT_KS

System Functions

Type-Safe Casting Functions

Window Functions

Creating WLM Resource Pools

Creating WLM Rules

Rule Examples

CREATE EXTERNAL AUTHENTICATION ​

CREATE EXTERNAL AUTHENTICATION