OS User (-OSUser) (for STS capability)

For use with the only. Use OS User (-OSUser), with or without the Domain (-domain) (for STS capability) connection parameter, to enable a single sign-on (SSO) connection to an STS-enabled database using the OS credentials.

When authentication is done via a client and you do not specify -U/-P at connection time, the client connects to the database using the blank user id or performs an SSO connection using the OS credentials. This method of authentication does not work with an STS-enabled database; instead, use -OSUser to generate an SSO token using the OS credentials, which will then be exchanged for a login token by the STS.

There are some additional requirements and considerations to be aware of when using -OSUser:

• The domain configuration must be properly set up to allow SSO token exchange. See Configure domains for more information.
• When -OSUser is used alone (without the Domain (-domain) (for STS capability) parameter), the STS authenticates using the OS user credentials and the blank domain. Note that you must have the blank domain set up on the STS to allow the token exchange.
  CAUTION: Use of the blank domain is not a recommended practice, particularly in multi-domain environments.
• You can specify both -OSUser and -U, and if the user ID given by -U is fully qualified, the domain from that user ID is used. However, the user name specified by -U must match the OS user name exactly.
• You can use -OSUser and -domain to use the OS user credentials and a specified domain to make an SSO connection. The domain specified by -domain is used instead of the default, unless -U is also used and contains a fully qualified user ID. See the Domain (-domain) (for STS capability) parameter entry for more information.

The following table summarizes the combinations of parameters you can use for an SSO connection to an STS-enabled database: