Strategy One

Integrate Strategy with Teradata for Single Sign-On Using Azure OIDC

Strategy ONE Update 10 introduces a feature that supports connection to Teradata through OAuth authentication.

The Entra ID (formerly Azure AD) OIDC for Teradata Single Sign-On is the simplest data source connection for users because it leverages Strategy authentication and users only need to sign in once.

Before following the steps below, you must configure the OAuth integration with Entra ID to create OAuth applications. See Teradata's documentation for more information.

When you create your Teradata Azure application, add the UPN claim. Strategy uses UPN to map to user ID.

Enable Strategy Web OIDC with Entra ID

  1. Establish Trust Between the Web Server and Intelligence Server:
    1. Log in to Strategy Web.
    2. Connect to the Intelligence Server.
    3. Select your Intelligence Server and in Server Properties, click Setup.

    4. Enter your administrator account and password
  2. Select the OIDC Authentication Enabled check box and choose Default.

  3. Enter your OIDC Configuration information:
    1. Add your Strategy Redirect URI to Azure:
      1. In Entra ID, go to the Teradata Client Application and click Authentication in the left pane.
      2. Expand the Web tab and click Add URI.

      3. Enter your Strategy redirect URI.
      4. Click Save.
    2. Find the Client ID:
      1. In Entra ID, go to App registrations and click Overview in the left pane.
      2. Locate Application (client) ID.

      3. Copy and paste it into your Strategy OIDC Configuration.
    3. Find the Client Secret:
      1. In Entra ID, go to App registrations and click Certificate & secrets in the left pane.
      2. Locate your client secret or if necessary, click New client secret.

      3. Copy and paste it into your Strategy OIDC Configuration.
    4. Find Issuer:
      1. In Entra ID, go to App registrations and click Overview in the left pane.
      3. Open the URL for the OpenID Connect metadata document and copy and paste the Issuer value into your Strategy OIDC Configuration. For example:

        4. https://login.microsoftonline.com/[Directory tenant ID]/v2.0.

    5. In Native ID, paste the same value as Client ID.
    6. Leave the Redirect URI and Scope default values.
    7. In Claim Map enter the following values:
      1. Full Name: name
      2. User ID: upn
      3. Email: email
      4. Groups: groups
    8. Find Admin Groups:
      1. In Entra ID, go to App registrations > Groups > Overview.
      2. Locate the Object Id.
      3. If the Object Id is a set value, only users in that group can access mstrWebAdmin pages.
  4. Restart Tomcat.

Enable Strategy Library OIDC with Entra ID

  1. Create or modify MicroStrategyLibrary\WEB-INF\classes\auth\Oidc\OidcConfig.json:

    2. Copy 


      "iams":[{ 

        "clientId":"XXXXXXX", 

        "clientSecret":"XXXXXXX", 

        "nativeClientId": "XXXXXXX", 

        "id":"test", 

        "issuer":"https://login.microsoftonline.com/XXXXXXX/v2.0", 

        "redirectUri":"https://XXXXXXX/MicroStrategyLibrary/auth/oidc/login", 

        "blockAutoProvisioning": true, 

        "claimMap": { 

          "email": "email", 

          "fullName": "name", 

          "userId": "upn", 

         "groups": "groups" 

        }, 

        "default": true, 

        "mstrIam": true, 

        "scopes": [ 

          "openid", 

          "profile", 

          "email", 

          "offline_access" 

        ], 

        "vendor": { 

          "name": "MicroStrategy IAM", 

          "version": "Azure AD" 

        } 

      }] 

  • For clientId, clientSecret, nativeClientId, and issuer, use the same values that you entered in Enable Strategy Web OIDC with Entra ID.

  • For redirectUri, replace xxxxxx with <FQDN>:<port> and add the URL to Entra ID > Teradata > Teradata OAuth Client Application > Authentication > Web Redirect URLs.

  1. Set the OIDC authentication mode in Library Admin or Workstation:
    1. Log in to Strategy Library Admin:
      1. Connect to the Intelligence Server.
      2. Go to the Library Server tab and under Authentication Modes, select the OIDC check box.
      3. Click Create Trusted Relationship.
      4. Enter your administrator username and password.
    2. Log in to Strategy Workstation:
      1. Connect to your environment.
      2. Right click your environment and click Properties.
      3. In the left pane, click Library.
      4. Select the OIDC check box and click Create Trusted Relationship.

      5. Click Ok.
  2. Restart Tomcat.

Create a Database Role with OAuth Authentication

After you copy the ClientID, ClientSecret, Tenant ID, Authorization URL, and Token URL, you can connect to Teradata using OAuth.

Configure Authentication Service Using Enterprise Security

  1. Open the Workstation window with the Navigation pane in smart mode.
  2. In the Navigation pane, click , next to Enterprise Security.

  3. Enter a Display Name.
  4. Choose the Azure identity provider.
  5. Copy the login redirect URIs.
  6. In Entra ID, go to Authentication and click Add URI.

  7. Enter the URIs that you copied earlier.
  8. Click Save.
  9. In Workstation, enter the Client ID, Client Secret, OAuth URL, and Token URL.
  10. Click Save.

Create a Database Role Using Data Source

  1. Open the Workstation window.
  2. In the Navigation pane, click , next to Data Sources.
  3. Choose Teradata.
  4. Expand the Default Database Connection drop down and click Add a new database connection.

  5. Enter a Name and Server Name.

  6. In Authentication Mode, choose OIDC Single Sign-On.
  7. In the Authentication Service drop-down, choose the Azure authentication service you created.
  8. Enter a Scope.
  9. Click Save.

Connect to Teradata Database

  1. Open the Workstation window.
  2. Make sure the environment is using the Strategy OIDC authentication mode. In the Navigation pane, click Environments.
  3. Right-click the environment and choose Edit Environment Information.
  4. Verify that Authentication Mode is set to Strategy OIDC.
  5. Log in to your Strategy environment using your Entra ID user name and password.
  6. Test the data source in either Library or Workstation.

Test the Data Source in Library

  1. Open Strategy Library and click Log in with OIDC.

  2. In the toolbar, click and choose Dashboard.

  3. Click Blank Dashboard.

  4. Click Create.

  5. Click New Data and select the Teradata gateway.

  6. Choose Select Tables and click Next.

  7. Select the data source you created. The projects and datasets list appears.

Test the Data Source in Workstation

  1. In the Navigation pane, click , next to Datasets.
  2. Select the Teradata gateway.
  3. Select the data source you created. The dataset appears.