Configuring SSO in AWS Edition

This topic describes how to configure Dremio AWS Edition for Single Sign On (SSO) Authentication with either Azure Active Directory or another Identity Provider using OpenID.

Note

This is an Enterprise Edition feature and requires upgrading to the Enterprise Edition of Dremio AWS.

Requirements

To use Azure Active Directory or OpenID, Dremio’s webserver must have web server encrpytion enabled. For more information, see Configuring Wire Encryption.

Configuring Azure Active Directory Authentication

To know more about Azure AD, see Azure Active Directory Authentication

You must do the following changes in azuread.json and dremio.conf files for configuring SSO:

  1. Add the following properties in the azuread.json file:

    {
      "oAuthConfig": {
          "clientId": "<clientId>",
          "clientSecret": "<clientSecret>",
          "redirectUrl": "https://<dremio.host>:9047/sso",
          "authorityUrl": "https://login.microsoftonline.com/<directory.id>/v2.0",
          "scope": "openid profile offline_access",
          "jwtClaims": {
            "userName": "preferred_username"
          }
        }
    }
    

    Where:

    • clientId: It appears on the Overview screen of your application. This property is also called application ID. A clientId is applicable to the context where you acquire a token using one of the OAuth flows that Azure AD supports. The application ID is same for single application object that corresponds to an application.
    • clientSecret: It is the secret that was created in the [Setting Up Azure AD]((../../../../security/sso-config/#setting-up-azure-ad) section.
    • redirectUrl: It is the redirect URI that was created in the [Setting Up Azure AD]((../../../../security/sso-config/#setting-up-azure-ad) section.
    • directory.id: It appears on the Overview screen of your application. This property is also called tenant ID.
  2. Uncomment these two lines in the dremio.conf file.

    services.coordinator.web.ssl.enabled: true
    services.coordinator.web.ssl.auto-certificate.enabled: true
    
  3. Add the following configuration in the dremio.conf file.

    services: {
      coordinator.enabled: true,
      coordinator.web.auth.type: "azuread",
      coordinator.web.auth.config: "/opt/dremio/conf/azuread.json"
    }
    

Configuring OpenID Authentication

To configure Single Sign On with an Identity Provide over OpenID, perform the following steps:

  1. Configure the dremio.conf file to include the following configuration.

    services.coordinator.web.auth.type: "oauth"
    services.coordinator.web.auth.config: "/path/to/oauth.json"
    
  2. Create an oauth.json file with the following properties.

    {
     "clientId": "clientId",
     "clientSecret": "clientSecret",
     "redirectUrl": "http://dremioHost:9047/sso",
     "authorityUrl": "authorityUrl",
     "scope": "openid profile email",
     "jwtClaims": {
       “userName": "$nameField"
     },
     "parameters": [
      {"name": "access_type", "value": "offline"},
      ...
    ]
    }
    

    The following table describes the oauth.json file properties.

    Parameter Description
    clientId It is based on the OpenID provider.
    clientSecret It is based on the OpenID provider.
    redirectUrl The URL where Dremio is hosted. The URL must match the redirect url set in the OpenID Provider.
    authorityUrl The location where Dremio can find the OpenID discovery document. For example, Google’s location is `https://accounts.google.com/.well-known/openid-configuration` and the authorityUrl therefore to use is `https://accounts.google.com`, the base location of the well-known directory.
    scope It is based on the OpenID provider.
    jwtClaims Maps fields from the JWT token to fields Dremio requires. The only field currently required is userName, which you should set to the field in JWT that contains the user’s username. For example, this can be `email` if you want the usernames in Dremio to be the user’s email address.
    parameters Optional - any additional parameters required by the OpenID providers.